This content has been marked as final. Show 7 replies
It should not require any additional softwares.1 person found this helpful
You can use Kerberos for Single Sign On
Follow the link below for the steps
If u want ur Domain (AD) Users to log in to application, widout passing the credentials,u will have to configure ur AD with WLS.
U can use the WLS Script below to configure Active Directory with WLS
Hope this helps.
If u have further queries, let me knw.
This covers WebLogic configuration.
Do you know what actions are then required for OBIEE to provide seamless SSO logging?
was the reply above helpful?
For a different issue, kindly ask a new question.
The web is full of OBIEE-IIS configuration HOWTOs but no information regarding WebLogic/OC4J
Will try with WebLogic next week.
I Presume all the OBIEE necessary steps are documented in:
§8. Implementing Single Sign-On Products With Oracle Business Intelligence of Oracle® Business Intelligence Enterprise Edition Deployment Guide Version 10.1.3.2 document available: http://download.oracle.com/docs/cd/E10415_01/doc/bi.1013/b40058.pdf
There's no word about OBIEE in those links.
I just need to set up SSO for OBIEE that is hosted on WebLogic - do I need to go through both links/steps or only the second one?
I had a quick look at the documentation1 person found this helpful
SSO can be achieved in one of the two ways described below.
■ Through an HTTP header or HTTP cookie containing the username of the end user. The header
can be any valid HTTP header or cookie name.
■ Or, by using one of the following server-side options:
■ When using a J2EE Application Server and the BI Presentation Services Plug-In (Java
Servlet), from the getRemoteUser method of the
In this case, the SSO system must be able to integrate with the J2EE environment of choice
and set up the framework such that the getRemoteUser method returns the username of the
■ When using Internet Information Server (IIS) and the BI Presentation Services Plug-In
(ISAPI Plug-in), from the REMOTE_USER server variable that is populated with the username
of the end user.
REMOTE_USER is a server variable queried through the use of the ISAPI Extension API
If u consider the option of passing the users's information in an HTTP Header, then u need to develop a custom identity asserter for Weblogic, that would process those tokens. Also u wud require a user store.
If u choose the option of passing the user information, then u will ahve to do the authentication programtically or chose a weblogic classes shown below.
CallbackHandler callback = new CallbackHandler(userName,password);
javax.security.auth.Subject subject = weblogic.security.services.Authentication.login(callback);
Found similar info but no practical guidelines on how to implement it.
The IIS variant is relatively simple, basically it requires to turn one option on (as described: http://www.clearpeaks.com/blog/oracle-bi-ee/configuring-obiee-to-work-in-single-sign-on-sso-environment-on-iis)
So it looks like apart from using IIS and ISAPI BI Presentation Services Plug-In we have three options:
- HTTP header
- getRemoteUser method
The hints you sent before:
which option are they related to and how?
you mentioned custom identity asserter – what is this?
is this asserter only for HTTP header option or for the cookie as well?
what would such development involve?
user store – what do you mean here - would I need to store each user login/passwords on the WebLogic separately? or this only affects impersonator user?
how can I leverage the Active Directory LDAP to do the SSO in a similar way like it’s done for IIS – no user credentials needs to be stored on the Web App Server?
could you throw some more light on this callbacks code – how this could be used? or again, what would such development involve?
Thank you very much for your feedback. Those hints could be probably enough for someone with practical web development knowledge however since my area of expertise is different I would really appreciate some step-by-step instructions.
So far I reckon the Active Directory LDAP based SSO for OBIEE on WebLogic is probably possible without the extra products like OID/OAM but it’s not as simple as the IIS variant and do require some additional programming (not sure about cookie scenario…)
Another info around the matter I found is:
but unfortunately it hasn’t been followed and still would require OID
is it possible to link BIEE with SSO without an application sever ?
where Turribeach says:
“you would want to know how to integrate Oracle SSO with a Web Application running in OC4J. As long as you can set the GetRemoteUser in your OC4J instance OBIEE will happily work in SSO mode (if configured correctly of course). Personally I wouldn't even use OC4J or Oracle SSO. We implemented our SSO solution using a custom Java SSO Web App deployed in JBOSS that reads the user credentials using the JCIFs library and re-validates them using NTLM. It then passes the user ID to OBIEE. It requires no SSO server, just a Windows Domain Controller.”
Looks everything I need - I guess such Java SSO Web App could be deployed onto WebLogic but really no idea on how to do such development.