Sunil S. Ranka's Weblog

Superior Data Analytics is the antidote to Business Failure

Enabling SSO Authentication for OBIEE

Posted by sranka on June 6, 2008

Hi All

Today I would like to write about how to enable the SSO (Single Sign On) for OBIEE.  To start with what is SSO following is the technocal definition of SSO :– Single sign-on (SSO)is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session.  For details please google and you will find lot many details. The above definition has been picked from TechTarget.

How User gets interpreted in SSO environment ::

In an environment where SSO has been implemented, when Oracle BI Presentation Services receives
an incoming web request, it assumes that the user who issued the request has already been
authenticated by the SSO system. Oracle BI Presentation Services uses its own credentials to
establish a connection with the Oracle BI Server on behalf of the end user. User personalization and
access controls such as data-level security are maintained in this environment. Oracle BI
Presentation Services then uses the Oracle BI Server Impersonation feature to create a connection
to the Oracle BI Server on behalf of the authenticated end user. 

1. To implement following changes needs to be done in instanceConfig.xml file :

<!– other settings … –>
<SSO enabled=”true”>
<!–IMPERSONATE param is used to get the authenticated user’s username and is required –>
<Param name=”IMPERSONATE” source=”serverVariable”nameInSource=”REMOTE_USER”/>
<!– other settings … –>

2. Along with this a user with name  IMPERSONATE needs to be created in the repository.

3. Impersonator User Credentials needs to be added to Oracle BI Presentation Services Credential Store

The default location of the credentialstore.xml file is OracleBIData_HOME\web\config on Windows and OracleBIData_HOME/web/config on Linux or UNIX.

4. To Add impersonator user credentials to Oracle BI Presentation Services Credential Store.

Navigate to the directory OracleBI_HOME\web\bin on Windows or OracleBI_HOME/web/bin on
Linux or UNIX. This is the location for the CryptoTools utility.

Execute the CryptoTools utility to add the impersonator user credentials to the Oracle BI
Presentation Services Credential Store:
cryptotools credstore -add -infile <OracleBIData>/web/config/credentialstore.xml

Following is the example for cryptotool utility

cryptotools credstore -add -infile <OracleBIData>/web/config/credentialstore.xml
>Credential Alias: impersonation
>Username: Impersonator
>Password: secret
>Do you want to encrypt the password? y/n (y):
>Passphrase for encryption: another_secret
>Do you want to write the passphrase to the xml? y/n (n):
>File “<OracleBIData>/web/config/credentialstore.xml” exists. Do you want to
overwrite it? y/n (y): 

Passphrase for encryption : Whatever value you pass for this argument, do remember it as this needs to be used in the instanceConfig.xml

5. configure Oracle BI Presentation Services to identify the Credential Store and decryption passphrase

1 Open the instanceconfig.xml file for editing.
2 Locate the <CredentialStore> node within this file.
Specify attribute values as shown below. If the <CredentialStore> node does not exist, create
this element with sub-elements and attributes with attribute values as shown in the following
<!– other settings … –>
     <CredentialStorage type=”file” path=”<path to credentialstore.xml>” passphrase=”<passphrase>”/>
<!– other settings … –>
<!– other settings … –>

6. Configure optional Logoff/Logon URLs.

In environments where Single Sign-On (SSO) is enabled, you can configure log out and log on
links to appear on Oracle BI Presentation Services screens (Login and logout screens). To do so, you add the elements shown in the following table as children of the SSO element in the instanceconfig.xml file.

<!– other settings … –>
<SSO enabled=”true”>
<!–IMPERSONATE param is used to get the authenticated user’s username and is required –>
<Param name=”IMPERSONATE” source=”serverVariable”nameInSource=”REMOTE_USER”/>
<!– other settings … –>

Hope this helps

Sunil S Ranka

PS ::For more details please refer to the online oracle documentation.


16 Responses to “Enabling SSO Authentication for OBIEE”

  1. Shivaji said

    Hi Sunil,
    Thanks for this article. I could able to configure SSO with OBIEE successfully.But I hv following problems to resolve.Could please let me know how to resolve the following ?
    Thanks and appreciate .
    571 344 3479

    The following things we are trying to resolve.

    1.) Once I enable the SSO for OBIEE all OBIEE local accounts are disabled including Administrator account. All our Dashboards/reports are developed in OBIEE with local OBIEE administrator account. How do we enable in OBIEE all OID users and OBIEE local users to login into OBIEE Dashboards/reports?

    2.) How do we bring OID Groups and OID Users in OBIEE RPD FILE ( I can bring either one but not both) ? I found a PL/SQL script in some of the discussion boards and I tried to implement that but not much luck.

    3.) How do I undo SSO configuration(Incase If I screwup the config) !!

  2. surya said

    Hi Sunil,
    Is there any way we can import EBS users into OBIEE repsitory. I have a requirement where in we are using single sign on integration from EBS to OBIEE dashboards and we have to implement data level security for huge amount of EBS users(20,000). Is there any other way rather than creating all these users in repository and assigning them to groups…

    Thanks and Cheers

  3. sranka said

    Hi Surya

    Yes there is a way to import users into the repository. Few days back I came across a script, the script does nothing but reads all the username from a file and creates them into the reository. I don’t remeber on top of my head but try to search metalink3.


    Sunil S Ranka

  4. bain said

    Param name=”IMPERSONATE” source=”serverVariable”nameInSource=”REMOTE_USER”/>

    what is the value of ‘serverVariable’ while integrating oracle sso

  5. Hi,

    Surya mentioned in prior comment they have integrated EBS with OBIEE … can Surya elaborate how that was done please? I have a couple of issues with it OBIA/OBIEE, email if possible ggr88 [AT] gmail [D0T] com.


  6. Sorry… that email address should have been ggr888 [AT] gmail [D0T] com!

  7. Allwin said

    Great blog Sunil!

    I tried the same in UNIX box, the command is not working
    This is what bash is returning:

    /u001/oracle/product/OracleBI/web/bin/cryptotools credstore -add -infile /u001/oracle/product/OracleBIData/web/config/credentialstore.xml cryptotools: fatal: open failed: No such file or directory

  8. bala said

    Hi Sunil,

    After configuring SSO. we face following issues..Please let us know how to resolve the same.

    1.) couldnt use OBIEE local accounts including Administrator (login fails).
    how to administer the BI Server & other tools ?

    2.) is it possible to
    a.create user group (using admin tool) & map them to OID users ?
    b.define admin,edit privileges etc to user groups defined above?

    3.) How to undo SSO configuration?


  9. Vikram said

    Remove the below from instanceconfig to undo SSO configuration

    Vikram H

  10. The topic is quite trendy on the Internet at the moment. What do you pay attention to while choosing what to write about?

  11. Richard Chan said


    This is only used if OBIEE is using IIS what if it is using a Java based app server such as Oracle Application server, I believe that there is an HTTP or cookie based option for these ?

  12. Andras Gabor said


    We are trying to integrate OBIEE with JAAS sso running on a remote server.
    The SSO login/logoff urls have a request parameter (in the URL) called appurl which specifies a redirect upon successful logon/logoff.
    so logonurl right now is like this:

    This way users get to their Dashbord upon succesful login.
    The problem is when someone bookmarks the Answers page and needs logon forst they still end up on the Dashboard.

    I would like to specify a logon url containing this information as well, ideally:

    Is there such a web variable ready to be used or at least a variable containing the module name?

    The deployment guide tells us, we can use such expressions (, like @{}
    But I need the url, or part of it, so that I can make the proper redirect back to obiee from the SSO server.

    Thank you,

  13. Andras Gabor said

    In my previous question the urls got messed up.
    Try reading them like this:


    Thank you,

  14. Notify the appropriate law enforcement agency. ,

  15. по моему мнению: бесподобно.

  16. dinesh said

    i have an adf application..i want when they sign into this application..using the single sign on concept…be signed into OBIEE as well..can that happen and if so what are the chances of this happening when the adf application is on one server and the OBIEE is on another? thanks in advance

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: