Monday, August 17, 2020

Steps to configure SSO for OBIEE

SSO stands for “Single Sign On”, which is part of the “Oracle Identity & Access Management” (IAM) product.
We will be discussing how to configure/enable SSO for OBIEE.

IAM is further divided into the following categories:

1.Identity Governance

2.Access Control

3.Mobile Security

4.Directory Services

We will be working with “Access Control” to achieve Single Sign On.

Assumptions:

1.OBIEE is installed and ready for use.

2.Configured OHS for OBIEE

3.Configured External Authentication for OBIEE

4.Oracle Access Manager is installed and ready for use.

High Level Steps:

1.Configure OAM Identity Asserter for OBIEE

2.Create SSO Agent for OBIEE

3.Configure Webgate on OHS

4.Copy artifacts to OHS

5.Configure SSO for OBIEE components

6.Configure Identity Store for OAM

7.Create Custom Authentication Module

8.Create Custom Authentication Scheme

9.Modify Application Domain to use Custom Authentication Scheme

1.Configure OAM Identity Asserter for OBIEE

1.Login as weblogic

2.Click on "Lock & Edit"

3.Click on Security Realms

4.Click on "myrealm"

5.Click on Providers

6.Click on "New"

7.Provide details and click on OK

8.Click on "AD-OAM"

9.Set Flag as Required and click on OK

10.Click on Reorder

11.Move AD-OAM to top

12.Click on Activate Changes

Note: Restart OBIEE for the changes to get reflected

2.Create SSO Agent for OBIEE

Log in to the OAM server and run the following steps

$ cd $ORACLE_HOME/oam/server/rreg/client
$ tar -xzvpf RREG.tar.gz
$ cd rreg/input
$ cp -pr OAM11GRequest_short.xml OBIEE.xml

Modify the content of OBIEE.xml as follows:

<?xml version="1.0" encoding="UTF-8"?>

<!--
Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.

NAME: OAM11GRequest_short.xml - Template for OAM 11G Agent Registration Request file
(Shorter version - Only mandatory values - Default values will be used for all other fields)
DESCRIPTION: Modify with specific values and pass file as input to the tool.

-->

<OAM11GRegRequest>
  <serverAddress>http://oam:7111</serverAddress>
  <hostIdentifier>obiee</hostIdentifier>
  <agentName>OBIEE_11G</agentName>
  <protectedResourcesList>
    <resource>/bicontent</resource>
    <resource>/bioffice</resource>
    <resource>/biofficeclient</resource>
    <resource>/xmlpserver</resource>
    <resource>/ui</resource>
    <resource>/mapviewer</resource>
    <resource>/bicomposer</resource>
    <resource>/bisearch</resource>
    <resource>/analytic*</resource>
    <resource>/analytics/**</resource>
    <resource>/analytics/saw.dll/wsdl/**</resource>
    <resource>/analytics</resource>
    <resource>/analytics/saw.dll/wsdl</resource>
  </protectedResourcesList>
  <publicResourcesList>
    <resource>/bioffice/services/saw</resource>
    <resource>/ui/do/logout</resource>
    <resource>/xmlpserver/services</resource>
    <resource>/xmlpserver/report_service</resource>
    <resource>/xmlpserver/ReportTemplateService.xls</resource>
    <resource>/xmlpserver/Guest</resource>
    <resource>/biservices</resource>
    <resource>/ui/images/*</resource>
    <resource>/em</resource>
    <resource>/em/.../*</resource>
    <resource>/console</resource>
    <resource>/console/.../*</resource>
    <resource>/biacm</resource>
    <resource>/biacm/.../*</resource>
    <resource>/odiconsole</resource>
    <resource>/odiconsole/.../*</resource>
    <resource>/bicustom</resource>
    <resource>/bicustom/**</resource>
  </publicResourcesList>
  <excludedResourcesList>
    <resource>/rtis</resource>
    <resource>/rtis/.../*</resource>
    <resource>/schema</resource>
    <resource>/schema/.../*</resource>
    <resource>/ws</resource>
    <resource>/ws/.../*</resource>
    <resource>/wsm-pm</resource>
    <resource>/wsm-pm/.../*</resource>
  </excludedResourcesList>
</OAM11GRegRequest>

$ cd $ORACLE_HOME/oam/server/rreg/client/rreg
$ bin/oamreg.sh inband input/OBIEE.xml

Note: This will create the SSO Agent and all the resources. Artifacts will be created under the output folder.
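A pre-flight check for the request file before it is passed to oamreg.sh, as an added example (not part of the original post or of Oracle's tooling). It flags characters that a copy from a web page tends to corrupt, a serverAddress that is not https, and public or excluded entries that sit under a protected path; the check names and the `literal_prefix` approximation are assumptions of this example, not OAM's own pattern matcher.

```python
import xml.etree.ElementTree as ET

LISTS = ("protectedResourcesList", "publicResourcesList", "excludedResourcesList")
# Constructed sample: entries taken from the request file above, plus the damage a
# copy from a web page introduces (ellipsis character, soft hyphen).
SAMPLE = """<OAM11GRegRequest>
  <serverAddress>http://oam:7111</serverAddress>
  <protectedResourcesList>
    <resource>/bioffice</resource>
    <resource>/analytics/**</resource>
  </protectedResourcesList>
  <publicResourcesList>
    <resource>/bioffice/services/saw</resource>
    <resource>/em/\u2026/*</resource>
  </publicResourcesList>
  <excludedResourcesList>
    <resource>/wsm\u00adpm</resource>
    <resource>/analytics/**</resource>
  </excludedResourcesList>
</OAM11GRegRequest>"""

def literal_prefix(pattern):
    """Path up to the first wildcard: a rough approximation, not OAM's matcher."""
    cuts = [i for i in (pattern.find("*"), pattern.find("/...")) if i != -1]
    return pattern[:min(cuts, default=len(pattern))].rstrip("/")

def lint(xml_text):  # returns (check, value) findings for a human to review
    root = ET.fromstring(xml_text)
    res = {n: [(r.text or "").strip() for r in root.findall(f"{n}/resource")] for n in LISTS}
    findings, seen = [], {}
    addr = (root.findtext("serverAddress") or "").strip()
    if not addr.lower().startswith("https://"):
        findings.append(("server-address-not-https", addr))
    for name in LISTS:
        for r in res[name]:
            if not r.isascii():          # soft hyphen, one-character ellipsis, smart quotes
                findings.append(("non-ascii-resource", r))
            if seen.setdefault(r, name) != name:
                findings.append(("listed-in-two-lists", r))
    protected = [literal_prefix(p) for p in res[LISTS[0]]]
    for name in LISTS[1:]:               # public and excluded entries
        for r in res[name]:
            lp = literal_prefix(r)
            if any(lp == p or lp.startswith(p + "/") for p in protected):
                findings.append(("unprotected-under-protected", r))
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

An "unprotected-under-protected" finding is not necessarily an error: entries such as /ui/do/logout are deliberate carve-outs, and the list is there so each one is reviewed rather than inherited unnoticed.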

3.Configure Webgate on OHS

WebGate comes preinstalled with OHS 12c. If you are using OHS 11g, install WebGate (11.1.2.3 or 12c) on top of OHS 11g (11.1.1.9).

POST WEBGATE STEPS

OHS 11g:

$ cd ${WEBGATE_HOME}/webgate/ohs/tools/deployWebGate
$ ./deployWebGateInstance.sh -w ${ORACLE_INSTANCE}/config/OHS/ohs1/ -oh ${WEBGATE_HOME}
$ export LD_LIBRARY_PATH=${OHS_HOME}/lib:${LD_LIBRARY_PATH}
$ cd ${WEBGATE_HOME}/webgate/ohs/tools/setup/InstallTools/
$ ./EditHttpConf -w ${ORACLE_INSTANCE}/config/OHS/ohs1/ -oh ${WEBGATE_HOME} -o Edithttpconf.log

OHS 12c:

$ cd ${OHS_HOME}/webgate/ohs/tools/deployWebGate
$ ./deployWebGateInstance.sh -w ${OHS_DOMAIN_HOME}/config/fmwconfig/components/OHS/ohs1 -oh ${OHS_HOME}
$ export LD_LIBRARY_PATH=${OHS_HOME}/lib:${LD_LIBRARY_PATH}
$ cd ${OHS_HOME}/webgate/ohs/tools/setup/InstallTools/
$ ./EditHttpConf -w ${OHS_DOMAIN_HOME}/config/fmwconfig/components/OHS/ohs1 -oh ${OHS_HOME}

4.Copy artifacts to OHS

Log in to the OAM server and move the artifacts to the OHS server

$ cd $ORACLE_HOME/oam/server/rreg/client/rreg/output

$ tar -czvpf OBIEE_11G.tgz OBIEE_11G

SCP “OBIEE_11G.tgz” to OHS Server “/tmp”

Log in to the OHS server and copy the artifacts to the webgate conf folder

$ cd /tmp/

$ tar -xzvpf OBIEE_11G.tgz

OHS 11g:

$ cd ${ORACLE_INSTANCE}/config/OHS/ohs1/webgate/conf

$ cp -pr /tmp/OBIEE_11G/cwallet.sso /tmp/OBIEE_11G/ObAccessClient.xml .

OHS 12c:

$ cd ${OHS_DOMAIN_HOME}/config/fmwconfig/components/OHS/ohs1/webgate/conf

$ cp -pr /tmp/OBIEE_11G/cwallet.sso /tmp/OBIEE_11G/ObAccessClient.xml .

Note: Bounce OHS component for the changes to get reflected.

5.Configure SSO for OBIEE components

1.Login As Weblogic

2.Click on bi instance

3.Click on Security

4.Click on "Lock & Edit"

5. Check "Enable SSO" and provide SSO logout URL

6.Click on Activate Changes

Note:

1.In case of OBIEE 11g, provide the following:

Enable SSO:

The SSO Provider Logon URL: http://obiee:7777/analytics

The SSO Provider Logoff URL: http://oam:14100/oam/server/logout

2.Bounce biinstance for the changes to get reflected.

6.Configure Identity Store for OAM

1.Login to OAM console as weblogic user


2. Click on "Configuration"


3.Click on "User Identity Stores"


4.Click on Create


5.Provide AD details and click on "Test Connection" and Apply

7.Create Custom Authentication Module

1. Login to OAM console as weblogic user

2.Click on "Application Module" under plugins

3.Click on "create LDAP Authentication Module"

4.Create custom Authentication Module and Click on "Apply"



8.Create Custom Authentication Scheme

1. Login to OAM console as weblogic user

2.Click on "Authentication Schemes" Under access Manager

3.Click on create

4.Provide details and click on Apply




9.Modify Application Domain to use Custom Authentication Scheme

1. Login to OAM console as weblogic user

2.Click on "application domains" under Access Manager

3.Click on Search

4.Select SSO Agent "OBIEE_11G"

5.Click on "Authentication Policies"

6.Select "Protected Resource Policy"

7.Modify Authentication Scheme to Custom Authentication Scheme and Apply Changes



Note: OBIEE is now SSO enabled. Try to access the analytics page; you should get the Oracle Access Manager page instead of the default analytics page.


