9 Replies Latest reply on Dec 18, 2019 1:15 AM by Adam Wickes

    OBIEE 12C SSO

    Adam Wickes

      Hi all,

       

      Trying to set up SSO in our environment.
      Our Kerberos expert has informed me that the users are being authenticated at the front end and we shouldn't need to do anything in the app for users to gain access to OBIEE as they have already been auth'd.
      I'm looking at this document and wondering if I need to do all of this or if I just need to tick on "Enable SSO" in Enterprise Manager?

       

      https://blogs.oracle.com/cealteam/obiee-12c%3a-configuring-kerberos-sso-for-obiee-12c

       

      Has anyone set up SSO in their environments before that could possibly help me out?

       

      Thanks,
      Adam

        • 1. Re: OBIEE 12C SSO
          Adam Wickes

          Additional Info:

           

          In our existing 11g installation, it looks to use the following: https://redelsilenziotech.wordpress.com/2012/02/08/how-to-integrate-obiee-11-1-1-5-with-ibm-tivoli-and-tam-for-ebusiness…


          It also has SSO provider in EM set to "generic SSO".
There seems to be a bug in 12c where you can't access the SSO provider drop down so I'm not sure how you're supposed to set which one you want to use.... (??).

          • 2. Re: OBIEE 12C SSO
            Joel Acha

            That is the correct documentation. Follow all the steps and you should be fine. I’ve used it several times for SSO configuration.

            1 person found this helpful
            • 3. Re: OBIEE 12C SSO
              aspardhya

              Hi Adam,

               

Thanks for providing all the relevant information first hand.

              Here are my points for your query.

               

1. Even with OBIEE 11g, it is integrated with TAM through configuration. It is not just a matter of selecting the SSO provider and you are done.

2. So, as per your analysis, I would recommend doing the complete steps as suggested by the blog in the Dev environment and validating your logins.

               

              https://blogs.oracle.com/cealteam/obiee-12c%3a-configuring-kerberos-sso-for-obiee-12c

               

3. OBIEE integration with Kerberos-based authentication is required. So, the Kerberos expert's point is fine if OBIEE is fully configured to accept the Kerberos authentication mechanism. So, you can configure OBIEE accordingly.

               

              Thanks,

              Abhishek Kumar

              1 person found this helpful
              • 4. Re: OBIEE 12C SSO
                Adam Wickes

                Thanks Joel.

                Appreciate that.

                • 5. Re: OBIEE 12C SSO
                  Adam Wickes

                  Thanks for your response Abhishek.
                  I will read over the documentation more and give it a try in our development server tomorrow.

                  • 6. Re: OBIEE 12C SSO
                    Adam Wickes

                    Sorry for replying again to this post.
                    I just wanted to confirm a couple of things.

                     

                    The architecture that we are using is the following:

                     

                    Front end = ISAM -> OHS -> OBIEE App Server

                     

Our Identity Management specialist has said that he's already "configured authentication at the front end" and is passing through a user via the HTTP header that I should be able to use for SSO.
Is there another way of applying SSO in this scenario, or are the aforementioned instructions still applicable?

                     

                    Thanks so much,
                    Adam

                    • 7. Re: OBIEE 12C SSO
                      aspardhya

                      Hi Adam,

                       

As per my understanding, you need to perform the complete action plan as documented in the blog https://blogs.oracle.com/cealteam/obiee-12c%3a-configuring-kerberos-sso-for-obiee-12c

                       

Through the HTTP header (as per the Identity Administrator specialist) only authentication will happen. That's right, but the OBIEE URL should be receptive to those parameters, I believe, and for that you need to perform the action.

                       

If you face any challenge in following the action plan then you can share your output and we will see how we can help here.

                       

                      Thanks,

                      Abhishek Kumar

                      1 person found this helpful
                      • 8. Re: OBIEE 12C SSO
                        Adam Wickes

                        Hi all,

                         

                        Sorry to bump this thread again but I have some extra information.
Unfortunately, I can't use the link provided above (Kerberos etc.) because then I won't be able to use the ISAM front end which has already been set up and is our organisation's standard approach.
I did however find some instructions on how SSO was set up in our 11g environment (see below).
ISAM was not supported in 11g either but we (the people before me) managed to get it to work so I'm hoping I can get 12c to do the same.
Unfortunately, asking Oracle support was a dead end as ISAM is not supported.

                         

Has anyone here used the ISAM headers iv-user/iv-groups to get SSO working by modifying the authenticationschemas.xml file (see below)?
One of the steps suggests setting SSO to "Generic SSO" but this option doesn't seem to exist in 12c.

                         

                        Instructions

                         

                         

                        To enable SSO, OBIEE presentation services must be configured to accept IV-USER header from the SSO product’s web server. In this case, WebSeal would authenticate the user and pass on the credentials to Presentation Services. To do this, edit the authenticationschemas.xml located in

                        <MIDDLEWARE_HOME>\Oracle_BI1\bifoundation\web\display

                        Edit the file to resemble the following

                        BEFORE

<!--<SchemaKeyVariable source="serverVariable" nameInSource="REMOTE_USER" forceValue="SSO"/>-->

AFTER

  <SchemaKeyVariable source="httpHeader" nameInSource="iv-user" forceValue="SSO"/>

BEFORE

      <AuthenticationSchema name="SSO" displayName="Single Sign On" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">

<!--<RequestVariable source="serverVariable" type="auth" nameInSource="REMOTE_USER" biVariableName="IMPERSONATE" options="stripWindowsDomain required"/>-->

        </AuthenticationSchema>

AFTER

      <AuthenticationSchema name="SSO" displayName="Single Sign On" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">

<RequestVariable source="httpHeader" type="auth" nameInSource="iv-user" biVariableName="IMPERSONATE" options="required"/>

        </AuthenticationSchema>

                        1. Save the file and open the file in Internet Explorer to ensure that there are no syntactical errors.
                        2. Next, navigate to EM, select Business Intelligence and go to the Security tab
                        3. Lock and Edit and in the SSO drop down, Select Generic SSO.
                        4. Click Apply and Activate changes.
                        5. Restart BI presentation services and navigate to the Webseal Junction. http://<junctionurl>/analytics
                        • 9. Re: OBIEE 12C SSO
                          Adam Wickes

                          Hi all,

                           

Just an update on this one for all the people in the future who may wish to do the same thing.
I was able to get OBIEE 12c (12.4) working with authentication happening at the ISAM front end and then having the iv-user header passed through.

                           

                          Important Note: This is not supported by Oracle so user beware. In our case it wasn't feasible to NOT do it but we're happy to take the risk.

                          Less Important Note: From version 11.9 onwards, when SSO is applied, you can no longer log in to Analytics via the server:port or IP user address. You can only go through the front end's URL. Apparently the ability to do this in 11.7 and prior was a bug. See here.

                           

                          Steps to apply SSO (Note: This is all AFTER you've applied your auth provider stuff in console. In our case, we used LDAP provider).

                          1. Navigate to "%ORACLE_HOME%\bi\bifoundation\web\display" and take a backup of "authenticationschemas.xml".

                          2. Edit "authenticationschemas.xml" and change the following:

                           

                          Before

                           

                          <SchemaKeyVariable source="serverVariable" nameInSource="REMOTE_USER" forceValue="SSO"/>

                           

                          After


                          <SchemaKeyVariable source="httpHeader" nameInSource="iv-user" forceValue="SSO"/>

                           

                          Note: iv-user may change depending on your front end's settings.

                           

                          AND

                           

                          Before

                           

                          <AuthenticationSchema name="SSO" displayName="Single Sign On" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI webSSO">

                                   <RequestVariable source="serverVariable" type="auth" nameInSource="REMOTE_USER" biVariableName="IMPERSONATE" options="stripWindowsDomain required"/>

                          </AuthenticationSchema>

                           

                          After

                           

                          <AuthenticationSchema name="SSO" displayName="Single Sign On" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">

                                   <RequestVariable source="httpHeader" type="auth" nameInSource="iv-user" biVariableName="IMPERSONATE" options="required"/>

                          </AuthenticationSchema>

                           

                          Note: Again, iv-user may change depending on your front end's settings.

                           

                           

                          3. Save "authenticationschemas.xml".

                          4. Navigate to "%DOMAIN_HOME%\config\fmwconfig\biconfig\OBIPS" and take a backup of "instanceconfig.xml".
                          5. Edit "instanceconfig.xml" and change the following:

                           

                           

                          Before

                           

                          <Authentication>

                                      <EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap</EnabledSchemas>

                          </Authentication>

                           

                          After

                           

                          <Authentication>

                                      <EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap,SSO</EnabledSchemas>

                                      <SchemaExtensions>

                                          <Schema name="SSO" logonURL="http://yourURL/analytics/saw.dll?Dashboard" logoffURL="http://yourLogoutURL"/>

                                      </SchemaExtensions>

                          </Authentication>

                           

                           

                          6. Save "instanceconfig.xml".
                          7. Restart Admin/biserver.
                          8. Navigate to the logonURL you specified in step 5 and you should be good to go.

                           


                          Hope this helps someone out in the future.

                           

                          Cheers,
                          Adam

                          1 person found this helpful
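The two posts above (the 11g instructions in reply 8 and the 12c steps in reply 9) both amount to the same thing: Presentation Services stops authenticating and instead believes whatever user name arrives in the iv-user header. That is only safe while WebSEAL is the sole path to OHS/OBIEE; any client that can reach the OHS or Presentation Services port directly can send its own iv-user header and become that user. The script below is an added example, not the poster's configuration and not Oracle's code. It parses the "After" fragments quoted in reply 9 (embedded here as constructed input, wrapped in placeholder root elements, since the real files have their own roots), checks that the two files agree with each other and fail closed, flags plain-http logon/logoff URLs, and builds the header-spoofing request you should send straight to the backend (bypassing WebSEAL) to confirm it is rejected. The backend URL and user name in the probe are placeholders.

```python
"""Added example: consistency and hardening checks for the iv-user header
SSO edits described in this thread.  Not Oracle's code and not the poster's.
The XML below is constructed from the fragments quoted in the thread; the
<Schemas> and <ServerInstance> wrapper roots are assumptions so the
fragments parse stand-alone."""
import xml.etree.ElementTree as ET
import urllib.request
from typing import List, Optional

# Constructed from the authenticationschemas.xml "After" fragment.
AUTH_SCHEMAS_XML = """<Schemas>
  <SchemaKeyVariable source="httpHeader" nameInSource="iv-user" forceValue="SSO"/>
  <AuthenticationSchema name="SSO" displayName="Single Sign On" userID="IMPERSONATE"
      proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">
    <RequestVariable source="httpHeader" type="auth" nameInSource="iv-user"
        biVariableName="IMPERSONATE" options="required"/>
  </AuthenticationSchema>
</Schemas>"""

# Constructed from the instanceconfig.xml "After" fragment.
INSTANCE_CONFIG_XML = """<ServerInstance>
  <Authentication>
    <EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap,SSO</EnabledSchemas>
    <SchemaExtensions>
      <Schema name="SSO" logonURL="http://yourURL/analytics/saw.dll?Dashboard"
          logoffURL="http://yourLogoutURL"/>
    </SchemaExtensions>
  </Authentication>
</ServerInstance>"""


def sso_header_name(auth_xml: str) -> Optional[str]:
    """Header that SchemaKeyVariable forceValue="SSO" keys on (None if absent)."""
    root = ET.fromstring(auth_xml)
    for e in root.iter("SchemaKeyVariable"):
        if e.get("forceValue") == "SSO":
            return e.get("nameInSource")
    return None


def check_sso_config(auth_xml: str, instance_xml: str) -> List[str]:
    """Return findings; an empty list means both files agree and look hardened."""
    findings: List[str] = []
    auth = ET.fromstring(auth_xml)
    inst = ET.fromstring(instance_xml)

    key = next((e for e in auth.iter("SchemaKeyVariable") if e.get("forceValue") == "SSO"), None)
    header = key.get("nameInSource") if key is not None else None
    if key is None:
        findings.append("no SchemaKeyVariable with forceValue=SSO")
    elif key.get("source") != "httpHeader":
        findings.append(f"SchemaKeyVariable source is {key.get('source')!r}, expected httpHeader")

    schema = next((e for e in auth.iter("AuthenticationSchema") if e.get("name") == "SSO"), None)
    if schema is None:
        findings.append("no AuthenticationSchema name=SSO")
    else:
        rv = schema.find("RequestVariable")
        if rv is None:
            findings.append("SSO schema has no RequestVariable (still commented out?)")
        else:
            if rv.get("source") != "httpHeader":
                findings.append("RequestVariable still reads a serverVariable, not the SSO header")
            if header and rv.get("nameInSource") != header:
                findings.append(f"header mismatch: key uses {header!r}, "
                                f"RequestVariable uses {rv.get('nameInSource')!r}")
            if "required" not in (rv.get("options") or "").split():
                findings.append("RequestVariable is not 'required': a missing header would not fail closed")

    enabled = [s.strip() for s in (inst.findtext(".//Authentication/EnabledSchemas") or "").split(",")]
    if "SSO" not in enabled:
        findings.append("SSO not listed in EnabledSchemas")
    ext = inst.find(".//SchemaExtensions/Schema[@name='SSO']")
    if ext is None:
        findings.append("no SchemaExtensions/Schema name=SSO")
    else:
        for attr in ("logonURL", "logoffURL"):
            url = ext.get(attr, "")
            if not url:
                findings.append(f"SSO schema extension lacks {attr}")
            elif url.startswith("http://"):
                # Added hardening check: the identity travels in a cleartext header.
                findings.append(f"{attr} is plain http; the identity header would travel in the clear")
    return findings


def build_spoof_probe(backend_url: str, header_name: str, user: str) -> urllib.request.Request:
    """Request to send DIRECTLY to OHS/Presentation Services, bypassing WebSEAL.
    If this returns a dashboard for `user`, the backend is reachable without the
    front end and anyone who can connect to it is whoever they claim to be."""
    req = urllib.request.Request(backend_url)
    req.add_header(header_name, user)
    return req


if __name__ == "__main__":
    for f in check_sso_config(AUTH_SCHEMAS_XML, INSTANCE_CONFIG_XML):
        print("finding:", f)
    # Placeholder backend URL and user; run only from a host outside the WebSEAL path.
    probe = build_spoof_probe("http://obiee-backend:9502/analytics/saw.dll?Dashboard",
                              sso_header_name(AUTH_SCHEMAS_XML) or "iv-user", "someuser")
    print("probe headers:", probe.header_items())
```

The expected outcome of the probe is a logon page or an error, never a dashboard; if it succeeds, restrict the OHS and Presentation Services listeners to the WebSEAL junction (firewall or OHS access rules) and have OHS drop any client-supplied iv-user and iv-groups headers before forwarding.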