6 Replies Latest reply on Nov 6, 2017 3:32 PM by Raveendra Boyapati

    Siteminder SSO using httpheader in OBIEE 12c is not working

    Raveendra Boyapati

      Hi,

       

      We recently upgraded OBIEE from 11.1.1.7.150120 (Build 150113.1200 64-bit) to Oracle Business Intelligence Product Version 12.2.1.3.0 (Build BIPS-20170820114118 64-bit).

       

      Post upgrade Siteminder SSO using httpheader is not working.

       

      Please find the attached document for the steps we followed to implement it in our 11g and 12c environments.

       

      Could you please help if there are any additional steps to be followed in the 12c environment?

      -----------------------------------------------------------------------------------------------------------------------

      Steps (also in attached document with screenshots)

       

      We implemented SSO using httpheader info as below in OBIEE 11g

      Changes in instanceconfig.xml

      Added CustomSSO in the EnabledSchemas section.

      Changes in authenticationschemas.xml

      Added the below text to the file authenticationschemas.xml

       

      <SchemaKeyVariable source="httpHeader" nameInSource="SM_USER" forceValue="CustomSSO"/>

       

      Add the below text to the file

      <AuthenticationSchema name="CustomSSO" displayName="Custom SSO Schema" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">
      <RequestVariable source="credStoreUser" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="UID"/>
      <RequestVariable source="credStorePwd" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="PWD" options="secure"/>
      <RequestVariable source="httpHeader" type="auth" nameInSource="SM_USER" biVariableName="IMPERSONATE" options="required" />
      </AuthenticationSchema>

       

      Changes in EM:

      Lock & Edit Configuration

      Clicked the checkbox to Enable SSO.

      Change the SSO Provider to Custom

      Restarted the services

       

      We are trying to implement the same SSO using httpheader in our new OBIEE 12c environment.

       

      Changes done:

       

      Added the below tags to authenticationschemas.xml in location

      home\bi\bifoundation\web\display

      as we have in our old 11g environment.

       

       

      <SchemaKeyVariable source="httpHeader" nameInSource="SM_USER" forceValue="CustomSSO"/>

      <AuthenticationSchema name="CustomSSO" displayName="Custom SSO Schema" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">
      <RequestVariable source="credStoreUser" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="UID"/>
      <RequestVariable source="credStorePwd" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="PWD" options="secure"/>
      <RequestVariable source="httpHeader" type="auth" nameInSource="SM_USER" biVariableName="IMPERSONATE" options="required" />
      </AuthenticationSchema>

       

       

      Changes done to InstanceConfig.xml at location

      D:\Apps\OBIEE\user_projects\domains\bi\config\fmwconfig\biconfig\OBIPS

       

      <Authentication>
          <EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap,CustomSSO</EnabledSchemas>
          <SchemaExtensions>
              <Schema name="CustomSSO" logonURL="http://c-qa.company.com/analytics" logoffURL=" http://c-qa.company.com/analytics/saw.dll?logoff"/>
          </SchemaExtensions>
      </Authentication>

       

      After restarting, we are unable to log on to Analytics.

      --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

      Thanks,

      Raveendra

        • 1. Re: Siteminder SSO using httpheader in OBIEE 12c is not working
          mac2

          I'm not familiar with your specific SSO approach (Siteminder), but I do have SAML2.0 SSO working in our 12c environment. I have a few suggestions for you to explore:

           

          1) Oracle Support specifically instructed me *not* to tick the "Enable SSO" box in EM, even though we are clearly doing SSO. I am not sure if this was unique to our situation or not, but you could see if unchecking it makes any difference for you.

          2) FYI, our <Authentication> tag in instanceconfig looks like this:

           

          <Authentication>
              <EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap,SSO</EnabledSchemas>
              <SchemaExtensions>
                  <Schema logoffURL="xxxxxxxx" logonURL="xxxxxxxxx" name="SSO" />
              </SchemaExtensions>
          </Authentication>
          

           

          3) I'd suggest you turn on debugging and see what's happening in your bi_server1 log files upon login failure. That could definitely get you on the right path to solving the problem. To do this, go into the console -> Environment -> Servers -> bi_server1 -> Debug. From there, Lock and Edit first and then enable debugging on weblogic -> security. Restart everything, reproduce the issue, and then go check your bi_server1.log and see what's happening.

           

          4) What's the web traffic doing? (F12 in Chrome, Preserve Log, and pay attention to what's happening.)

           

          EDIT: Oops, I thought our <Authentication> tag had different syntax than yours, but yours looks okay to me.

          • 2. Re: Siteminder SSO using httpheader in OBIEE 12c is not working
            handat

            The Oracle documentation states that you should check MOSC notes 1274953.1 and 1287479.1 (reference: https://docs.oracle.com/middleware/1221/biee/BIESC/sso.htm#BIESC6044)

            • 3. Re: Siteminder SSO using httpheader in OBIEE 12c is not working
              Raveendra Boyapati

              Hi,

               

              Thank you for the respective details. I see this error message in the sawlog0.log.

               

              Service instance session variable(s) not set for user XXXxx, causing authentication failure.[[

               

               

              One more error in bi-server1-diagnostic.log

               

              [Security:090938]Authentication failure: The specified user failed to log in. javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User specified user denied

               

              • 4. Re: Siteminder SSO using httpheader in OBIEE 12c is not working
                handat

                Does the user actually exist in LDAP that weblogic is configured with?

                • 5. Re: Siteminder SSO using httpheader in OBIEE 12c is not working
                  Madasamy-Oracle

                  Along with the other suggestions, can you also make sure that you configure the LDAP on your RPD instead of doing that on the Security Realm?

                  Refer to the section "Configuring RPD file" in the SiteMinder SSO technote.

                  • 6. Re: Siteminder SSO using httpheader in OBIEE 12c is not working
                    Raveendra Boyapati

                     

                    Hi,

                    We have added one more tag in the CustomSSO authentication schema, and the Siteminder SSO is working fine now. Looks like this is the new change for 12c.

                     

                    Not working tags:

                     

                    <AuthenticationSchema name="CustomSSO" displayName="Custom SSO Schema" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">
                    <RequestVariable source="credStoreUser" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="UID"/>
                    <RequestVariable source="credStorePwd" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="PWD" options="secure"/>
                    <RequestVariable source="httpHeader" type="auth" nameInSource="SM_USER" biVariableName="IMPERSONATE" options="required" />
                    </AuthenticationSchema>

                     

                    Working tags:

                     

                    <AuthenticationSchema name="CustomSSO" displayName="Custom SSO Schema" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">
                    <RequestVariable source="credStoreUser" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="UID"/>
                    <RequestVariable source="credStorePwd" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="PWD" options="secure"/>
                    <RequestVariable source="httpHeader" type="auth" nameInSource="SM_USER" biVariableName="IMPERSONATE" options="required" />
                    <RequestVariable source="constant" type="auth" nameInSource="ssi" biVariableName="NQ_SESSION.SERVICEINSTANCEKEY" />
                    </AuthenticationSchema>

                     

                    Change is in the last part. Added the following tag at the end.

                     

                    <RequestVariable source="constant" type="auth" nameInSource="ssi" biVariableName="NQ_SESSION.SERVICEINSTANCEKEY" />

                     

                    Thanks,
                    Raveendra
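
Added example, not part of the thread and not Oracle's code: a small linter that checks the two configuration fragments discussed above for the conditions the thread identifies (schema enabled, schema selected by a SchemaKeyVariable, header variable marked required, and the 12c NQ_SESSION.SERVICEINSTANCEKEY variable present). It assumes the input is a fragment without an XML declaration, as quoted in the posts; the sample strings and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SSI_VAR = "NQ_SESSION.SERVICEINSTANCEKEY"

# Constructed samples, modelled on the snippets quoted in the thread.
SCHEMA_12C_BROKEN = """
<SchemaKeyVariable source="httpHeader" nameInSource="SM_USER" forceValue="CustomSSO"/>
<AuthenticationSchema name="CustomSSO" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">
  <RequestVariable source="credStoreUser" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="UID"/>
  <RequestVariable source="credStorePwd" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="PWD" options="secure"/>
  <RequestVariable source="httpHeader" type="auth" nameInSource="SM_USER" biVariableName="IMPERSONATE" options="required"/>
</AuthenticationSchema>"""
SSI_TAG = '<RequestVariable source="constant" type="auth" nameInSource="ssi" biVariableName="NQ_SESSION.SERVICEINSTANCEKEY"/>'
SCHEMA_12C_FIXED = SCHEMA_12C_BROKEN.replace("</AuthenticationSchema>", SSI_TAG + "</AuthenticationSchema>")
INSTANCECONFIG = """<Authentication>
  <EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap,CustomSSO</EnabledSchemas>
</Authentication>"""

def elems(root, name):
    # Match on local name so a default xmlns on a real file does not hide elements.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def lint_header_sso(schemas_xml, instanceconfig_xml):
    """Return findings for every schema that takes the user ID from an HTTP header."""
    schemas = ET.fromstring("<root>" + schemas_xml + "</root>")
    config = ET.fromstring("<root>" + instanceconfig_xml + "</root>")
    enabled = {s.strip() for e in elems(config, "EnabledSchemas") for s in (e.text or "").split(",")}
    keyed = {k.get("forceValue") for k in elems(schemas, "SchemaKeyVariable")}
    findings = []
    for schema in elems(schemas, "AuthenticationSchema"):
        name = schema.get("name")
        variables = elems(schema, "RequestVariable")
        header_vars = [v for v in variables if v.get("source") == "httpHeader"]
        if not header_vars:
            continue  # not a header-based schema, nothing to check
        if name not in enabled:
            findings.append(f"{name}: not listed in <EnabledSchemas>")
        if name not in keyed:
            findings.append(f"{name}: no SchemaKeyVariable forceValue names this schema")
        if not any(v.get("biVariableName") == SSI_VAR for v in variables):
            findings.append(f"{name}: missing {SSI_VAR} (12c)")
        for v in header_vars:
            if "required" not in (v.get("options") or "").split():
                findings.append(f"{name}: header {v.get('nameInSource')} is not marked required")
    return findings

if __name__ == "__main__":
    for label, xml in (("before", SCHEMA_12C_BROKEN), ("after", SCHEMA_12C_FIXED)):
        print(label, lint_header_sso(xml, INSTANCECONFIG) or "ok")
```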