Sunil S. Ranka's Weblog

Superior Data Analytics is the antidote to Business Failure

Enabling SSO Authentication for OBIEE

Posted by sranka on June 6, 2008

Hi All

Today I would like to write about how to enable SSO (Single Sign-On) for OBIEE. To start with, what is SSO? Here is the technical definition: single sign-on (SSO) is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session. The above definition is taken from TechTarget; search online for more details.

How the user is interpreted in an SSO environment:

In an environment where SSO has been implemented, when Oracle BI Presentation Services receives
an incoming web request, it assumes that the user who issued the request has already been
authenticated by the SSO system. Oracle BI Presentation Services uses its own credentials to
establish a connection with the Oracle BI Server on behalf of the end user. User personalization and
access controls such as data-level security are maintained in this environment. Oracle BI
Presentation Services then uses the Oracle BI Server Impersonation feature to create a connection
to the Oracle BI Server on behalf of the authenticated end user. 

1. To implement this, make the following changes in the instanceconfig.xml file:

<!-- other settings ... -->
<Auth>
  <SSO enabled="true">
    <ParamList>
      <!-- IMPERSONATE param is used to get the authenticated user's username and is required -->
      <Param name="IMPERSONATE" source="serverVariable" nameInSource="REMOTE_USER"/>
    </ParamList>
  </SSO>
</Auth>
<!-- other settings ... -->

2. Along with this, a user named IMPERSONATE needs to be created in the repository.

3. The impersonator user credentials need to be added to the Oracle BI Presentation Services Credential Store.

The default location of the credentialstore.xml file is OracleBIData_HOME\web\config on Windows and OracleBIData_HOME/web/config on Linux or UNIX.

4. To add the impersonator user credentials to the Oracle BI Presentation Services Credential Store:

Navigate to the directory OracleBI_HOME\web\bin on Windows or OracleBI_HOME/web/bin on
Linux or UNIX. This is the location for the CryptoTools utility.

Execute the CryptoTools utility to add the impersonator user credentials to the Oracle BI
Presentation Services Credential Store:
cryptotools credstore -add -infile <OracleBIData>/web/config/credentialstore.xml

The following is an example session with the CryptoTools utility:

cryptotools credstore -add -infile <OracleBIData>/web/config/credentialstore.xml
>Credential Alias: impersonation
>Username: Impersonator
>Password: secret
>Do you want to encrypt the password? y/n (y):
>Passphrase for encryption: another_secret
>Do you want to write the passphrase to the xml? y/n (n):
>File "<OracleBIData>/web/config/credentialstore.xml" exists. Do you want to overwrite it? y/n (y):

Passphrase for encryption: whatever value you enter here, remember it, because it has to be used in instanceconfig.xml.

5. Configure Oracle BI Presentation Services to identify the Credential Store and decryption passphrase.

1. Open the instanceconfig.xml file for editing.
2. Locate the <CredentialStore> node within this file.
Specify attribute values as shown below. If the <CredentialStore> node does not exist, create
this element with sub-elements and attributes with attribute values as shown in the following
example.

<WebConfig>
  <ServerInstance>
    <!-- other settings ... -->
    <CredentialStore>
      <CredentialStorage type="file" path="<path to credentialstore.xml>" passphrase="<passphrase>"/>
      <!-- other settings ... -->
    </CredentialStore>
    <!-- other settings ... -->
  </ServerInstance>
</WebConfig>

6. Configure optional Logoff/Logon URLs.

In environments where Single Sign-On (SSO) is enabled, you can configure log out and log on
links to appear on Oracle BI Presentation Services screens (login and logout screens). To do so, add the LogoffUrl and LogonUrl elements shown below as children of the SSO element in the instanceconfig.xml file.

<!-- other settings ... -->
<Auth>
  <SSO enabled="true">
    <LogoffUrl>http://hostname:port/the_url_to_logoff_sso</LogoffUrl>
    <LogonUrl>http://hostname:port/the_url_to_logon_sso</LogonUrl>
    <ParamList>
      <!-- IMPERSONATE param is used to get the authenticated user's username and is required -->
      <Param name="IMPERSONATE" source="serverVariable" nameInSource="REMOTE_USER"/>
    </ParamList>
  </SSO>
</Auth>
<!-- other settings ... -->
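A read-only check of the finished instanceconfig.xml, given here as an added example that is not part of the original post or of Oracle's tooling. It reports where the user identity comes from, whether the decryption passphrase sits in the file, and whether the logon/logoff links use plain HTTP. The function name, severity labels and placeholder path/passphrase values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's snippets merged into one file, placeholder values.
SAMPLE = """<WebConfig><ServerInstance>
  <CredentialStore>
    <CredentialStorage type="file" path="/placeholder/credentialstore.xml" passphrase="placeholder"/>
  </CredentialStore>
  <Auth>
    <SSO enabled="true">
      <LogoffUrl>http://hostname:port/the_url_to_logoff_sso</LogoffUrl>
      <LogonUrl>http://hostname:port/the_url_to_logon_sso</LogonUrl>
      <ParamList>
        <Param name="IMPERSONATE" source="serverVariable" nameInSource="REMOTE_USER"/>
      </ParamList>
    </SSO>
  </Auth>
</ServerInstance></WebConfig>"""

def audit_sso_config(xml_text):
    """Return (severity, message) findings for an instanceconfig.xml string."""
    root = ET.fromstring(xml_text)
    sso = root.find(".//Auth/SSO")
    if sso is None or sso.get("enabled", "").lower() != "true":
        return [("info", "SSO is not enabled")]
    findings = []
    # Presentation Services trusts this value as the already-authenticated user.
    params = {p.get("name"): p for p in sso.findall("./ParamList/Param")}
    imp = params.get("IMPERSONATE")
    if imp is None:
        findings.append(("high", "SSO enabled but the required IMPERSONATE param is missing"))
    elif imp.get("source") != "serverVariable":
        findings.append(("high", f"IMPERSONATE read from source={imp.get('source')!r}: "
                         "confirm clients cannot supply this value themselves"))
    else:
        findings.append(("info", f"identity taken from server variable {imp.get('nameInSource')}; "
                         "only the SSO-protected web server should reach Presentation Services"))
    store = root.find(".//CredentialStore/CredentialStorage")
    if store is None:
        findings.append(("high", "no CredentialStorage node for the impersonator credentials"))
    elif store.get("passphrase"):
        findings.append(("medium", "decryption passphrase is in instanceconfig.xml: "
                         "restrict read access to it and to credentialstore.xml"))
    for tag in ("LogonUrl", "LogoffUrl"):
        url = (sso.findtext(tag) or "").strip()
        if url.lower().startswith("http://"):
            findings.append(("medium", f"{tag} uses plain HTTP: {url}"))
    return findings

if __name__ == "__main__":
    print(*audit_sso_config(SAMPLE), sep="\n")
```
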

Hope this helps

Sunil S Ranka

PS: For more details, please refer to the online Oracle documentation.

16 Responses to “Enabling SSO Authentication for OBIEE”

  1. Shivaji said

    Hi Sunil,
    Thanks for this article. I was able to configure SSO with OBIEE successfully. But I have the following problems to resolve. Could you please let me know how to resolve the following?
    Thanks and appreciate .
    Shivaji
    571 344 3479

    The following things we are trying to resolve.

    1.) Once I enable the SSO for OBIEE all OBIEE local accounts are disabled including Administrator account. All our Dashboards/reports are developed in OBIEE with local OBIEE administrator account. How do we enable in OBIEE all OID users and OBIEE local users to login into OBIEE Dashboards/reports?

    2.) How do we bring OID Groups and OID Users in OBIEE RPD FILE ( I can bring either one but not both) ? I found a PL/SQL script in some of the discussion boards and I tried to implement that but not much luck.

    3.) How do I undo the SSO configuration (in case I screw up the config)!!

  2. surya said

    Hi Sunil,
    Is there any way we can import EBS users into the OBIEE repository? I have a requirement wherein we are using single sign-on integration from EBS to OBIEE dashboards and we have to implement data-level security for a huge number of EBS users (20,000). Is there any other way rather than creating all these users in the repository and assigning them to groups…

    Thanks and Cheers
    surya

  3. sranka said

    Hi Surya

    Yes, there is a way to import users into the repository. A few days back I came across a script; the script does nothing but read all the usernames from a file and create them in the repository. I don't remember it off the top of my head, but try searching metalink3.

    Thanks

    Sunil S Ranka

  4. bain said

    Param name="IMPERSONATE" source="serverVariable" nameInSource="REMOTE_USER"/>

    What is the value of 'serverVariable' while integrating Oracle SSO?

  5. Hi,

    Surya mentioned in prior comment they have integrated EBS with OBIEE … can Surya elaborate how that was done please? I have a couple of issues with it OBIA/OBIEE, email if possible ggr88 [AT] gmail [D0T] com.

    Thanks,
    Gareth

  6. Sorry… that email address should have been ggr888 [AT] gmail [D0T] com!

  7. Allwin said

    Great blog Sunil!

    I tried the same in UNIX box, the command is not working
    This is what bash is returning:

    /u001/oracle/product/OracleBI/web/bin/cryptotools credstore -add -infile /u001/oracle/product/OracleBIData/web/config/credentialstore.xml
    ld.so.1: cryptotools: fatal: libtestframework3r.so: open failed: No such file or directory
    Killed

  8. bala said

    Hi Sunil,

    After configuring SSO, we face the following issues. Please let us know how to resolve them.

    1.) Couldn't use OBIEE local accounts including Administrator (login fails).
    how to administer the BI Server & other tools ?

    2.) is it possible to
    a.create user group (using admin tool) & map them to OID users ?
    b.define admin,edit privileges etc to user groups defined above?

    3.) How to undo SSO configuration?

    thanks,
    bala

  9. Vikram said

    Remove the below from instanceconfig to undo SSO configuration

    Thanks,
    Vikram H

  10. The topic is quite trendy on the Internet at the moment. What do you pay attention to while choosing what to write about?

  11. Richard Chan said

    source="serverVariable" nameInSource="REMOTE_USER"/>

    This is only used if OBIEE is using IIS. What if it is using a Java-based app server such as Oracle Application Server? I believe that there is an HTTP or cookie based option for these?

  12. Andras Gabor said

    Hi,

    We are trying to integrate OBIEE with JAAS sso running on a remote server.
    The SSO login/logoff urls have a request parameter (in the URL) called appurl which specifies a redirect upon successful logon/logoff.
    so logonurl right now is like this:
    http:///sso?appurl=http:///analytics/

    This way users get to their Dashboard upon successful login.
    The problem is when someone bookmarks the Answers page and needs to log on first, they still end up on the Dashboard.

    I would like to specify a logon url containing this information as well, ideally:
    http:///sso?appurl=@currenturl

    Is there such a web variable ready to be used or at least a variable containing the module name?

    The deployment guide tells us, we can use such expressions (http://download.oracle.com/docs/cd/E12096_01/books/AnyDeploy/AnyDeploySSO7.html), like @{user.id}
    But I need the url, or part of it, so that I can make the proper redirect back to obiee from the SSO server.

    Thank you,
    Andras

  13. Andras Gabor said

    In my previous question the urls got messed up.
    Try reading them like this:

    http://ssoserver/sso?appurl=http://obiee-server/analytics/
    http://ssoserver/sso?appurl=@currenturl

    Thank you,
    Andras

  14. Notify the appropriate law enforcement agency.

  15. In my opinion: incomparable.

  16. dinesh said

    I have an ADF application. I want users who sign into this application using the single sign-on concept to be signed into OBIEE as well. Can that happen, and if so, what are the chances of this happening when the ADF application is on one server and OBIEE is on another? Thanks in advance.
