This content has been marked as final. Show 14 replies
Your question doesn't make sense. An Application Server is always needed for OBIEE to work, otherwise your Web front end is not able to run. What do you mean by "link BIEE with SSO" or "BIEE connect to SSO"?
SSO is a way configuring OBIEE so that users that are already authenticated by another system or portal can login to OBIEE without having to be authenticated again or asked for their credentials. SSO is a way of passing "who the user is". I think your are confusing SSO with external authentication.
sorry if the question was confusing.
As per my understanding BIEE contains only an oc4j which acts as the web server , and BIEE does not contain an application server. While installing unless we choose an advanced security model only oc4j component will get installed with BIEE.
An application server is a bigger entity with lots of features for transaction processing, queue management, administration etc. (eg: weblogic, websphere ).
oc4j is only a component in the big oracle application server .
SSO usually works with application servesr, but I was just wondering is there any way to choose a basic BI installation and make it work with SSO.
OK, it's a bit more clear now. Your first confusion is that "OC4J is a web server" which is wrong. OC4J is a J2EE Web Application Server. You can argue that is not a fully featured App Server or that is not a Production grade App Server but at the end of the day it doesn't matter as it is still an Application Server running an EAR file. SSO per se does not require an Application Server to work, other than the one you will have to have for the OBIEE Presentation Services Plug-in (OC4J or any of the other supported J2EE App Servers). However given the nature of SSO you would normally use an App Server for SSO weather it's the same you use for OBIEE or another will highly depend on your setup. As explained in the OBIEE documentation you need to implement a way of passing the User ID to OBIEE. This is done in 3 possible ways: HTTP header, HTTP cookie or GetRemoteUser method. I don't recommend the first two as they can be easily spoofed since they are sent by the user's browser. However there are ways to do some sort of encryption to avoid that. In a normal SSO setup your will have another portal which normally runs of another App Server which will then pass the user ID that's logged to it to OBIEE so that users can seamlessly move between the two App Servers without having to authenticate again.
hmm.. I frequently make mistakes when I write long replies .. and unfortunately it creates more confusions than clarifications :)
ok. the question is this.
Does the OBIEE installation contains libraries/packages/files necessary for talking to an SSO server?
Or do we need to install application server also for making SSO to work with OBIEE?
(oracle app server is packaged with all libraries/files for connecting to SSO)
All links I went thru talk about configuring Apache and all (Re: BIEE sso questions. but I dont see such files in the BI home basic installation.
I am trying to make out http://sranka.wordpress.com/2008/06/06/enabling-sso-authentication-for-obiee/ but that again gives only vague info
Does the OBIEE installation contains libraries/packages/files necessary for talking to an SSO server?It depends for what you call an SSO server. If you mean that OBIEE has to obtain the User ID from an external server then no, you won't be able to do this out of the box.
Or do we need to install application server also for making SSO to work with OBIEE?It depends on how you implement SSO.
Oracle app server is packaged with all libraries/files for connecting to SSONot entirely correct. Oracle App Server implements an SSO solution for Web Applications running in OAS. This means that once you are authenticated to OAS (by whatever means you defined in OAS) you will then be allowed to use any other Web Applications in the same OAS installation in SSO mode. These Web Applications need to be configured in OAS for SSO and need to supported the GetRemote User method (which most J2EE Web Apps do). OBIEE supports the OAS SSO implementation so that you can login to OBIEE in SSO mode in an SSO enabled OAS. However if you are not using OAS then you can't really use OAS' SSO solution.
Your questions are going around the issue but don't really seem to understand the core requirements for an SSO solution to work. The first question you should ask yourself (and post here) is this: which is the system/portal/etc which your users will be authenticated against and which you want OBIEE to read the SSO credentials from? It sounds to me that you want to implement an SSO solution but you have no Portal or system where users are authenticated against.
Just to add to what has been already said - OBIEE can be configured to directly work with an LDAP like MS Active Directory. You would not need the SSO product in that case. If you would like to integrate OBIEE with a packaged application like EBS or Siebel an SSO is not always necessary. It will depend upon what your needs are and the overall architecture.
Sorry.. if my questions were not clear.
Let me ask it in another way.
I have a working Oracle SSO server
I want to setup a BI Dashboard and wants to use this SSO server for authentication
- I have downloaded OBIEE10.1.3.4
- unzipped the setup and clicked on "setup.exe"
Now the setup is asking for two options
- - - -
Select the Installation Type
*1) BASIC: Minimum Security. Installs oracle Containers for J2EE (Oc4j)*
*2) Advanced: Enhanced Security. Requires Oracle Application Server 10.1.3.1.0 or higher*
- - - -
My question is, can I choose the basic installtion and still connecto to an Oracle SSO?
Or do I need to select the advanced security model from above option which will require Oracle Apllication Server too ?
OK, now we are getting somewhere. You can chose Basic and always configure it later. It's my understanding that the Oracle SSO Server used to be deployed within an Oracle Application Server but they have changed that in the later releases an it's now part of the Oracle Identity Management. I am not sure how will a Web Application integrate with an Oracle SSO Server that doesn't have an Oracle Application Server, I guess you will need to check your Oracle SSO Server documentation or post a question on the relevant Oracle forum for the SSO Server. Given that it used to be integrated with Oracle Application Server it should be easy to get it to work in OAS.
here commes the dilemma. If the basic installation can connect to SSO server then I dont need to install an application server (and this will save me licensing fee for app server, server cost, maintenance overhead etc.).
My intention is to avoid application server.
another concern about using application server is about the future of Oracle App server.
I think weblogic will be the preferred one over Oracle App Server.
I think you should start by checking your Oracle SSO Server documentation or post a question on the relevant Oracle forum for the SSO Server. Basically you would want to know how to integrate Oracle SSO with a Web Application running in OC4J. As long as you can set the GetRemoteUser in your OC4J instance OBIEE will happily work in SSO mode (if configured correctly of course). Personally I wouldn't even use OC4J or Oracle SSO. We implemented our SSO solution using a custom Java SSO Web App deployed in JBOSS that reads the user credentials using the JCIFs library and re-validates them using NTLM. It then passes the user ID to OBIEE. It requires no SSO server, just a Windows Domain Controller.
I have some doubts can you please clear it.
We have EBS R12 installed and OBIEE standalone(basic mode) on same server(Linux).
Now we want to implement SSO between EBS R12 and OBIEE(basic mode).
First question it is mandatory to install OBIEE in advance mode to implement SSO? if no
then what will be the steps to implement the same?
We have tried to implement but when we click on Oracel Bi answers link in EBS R12 application we switched to OBIEE answers page but it always shows that "you are already logged in ........."
Your question is not 100% related to the original thread, please start a new thread.
This is exactly the question I am having at my current client..
Did you get your answer? Also, can you point me to the correct thread?