Friday, January 25, 2013

[OBIEE 11g] Enabling Oracle Single Sign On


 

Enabling Oracle Single Sign On (OSSO) with OBIEE


The following steps are required to enable Oracle Single Sign On with OBIEE.

  • Register Oracle BI as a partner application to the Oracle Single Sign On Server
  • Configure Oracle BI for SSO
  • Configure BI Presentation Services to Use the Impersonator User
  • Configure BI Presentation Services to Operate in the SSO Environment


Register Oracle BI as a partner application to Oracle Single Sign On Server


Oracle BI is registered with OSSO as a partner application by running the ssoreg.sh utility from the OracleAS mid-tier home (it lives under $ORACLE_HOME/sso/bin). Before running it, set ORACLE_HOME to that home as follows:

export ORACLE_HOME=/app/oracle/oas


Following the Deployment Guide, the command run for our environment (the host and domain names are ours) is as follows:


./ssoreg.sh -oracle_home_path /app/oracle/oas -config_mod_osso TRUE -site_name gelliohost.gelliodomain.com:7777 -remote_midtier -config_file /app/oracle/oas/Apache/Apache/conf/osso/biosso.conf -mod_osso_url http://gelliohost.gelliodomain.com:7777


After running the above entry, you should receive a successful return message as illustrated in Figure 1 below.






Figure 1

Configure Oracle BI for SSO


The deployment guide first asks us to copy the biosso.conf file to the directory $ORACLE_HOME/Apache/Apache/conf/osso. In our case the file already exists there, because the -config_file argument passed to ssoreg.sh above wrote it to that location.


Our next step is to edit the file mod_osso.conf in $ORACLE_HOME/Apache/Apache/conf so that mod_osso reads the partner-application configuration produced by ssoreg.sh. We added the following line to this file:


OssoConfigFile /app/oracle/oas/Apache/Apache/conf/osso/biosso.conf

This can be seen in Figure 2 below:







Figure 2

The next step is to add the following lines to the same file, so that every request to /analytics is intercepted by mod_osso and only an SSO-authenticated user is let through. Note that the block must be closed with </Location>; an unclosed <Location> block makes the web server reject its configuration at start-up.

<Location /analytics>

Header unset Pragma

OssoSendCacheHeaders off

AuthType Basic

require valid-user

</Location>

This is illustrated in Figure 3 below.






Figure 3

The deployment guide then asks us to uncomment the line:

#include "Oracle_Home/Apache/Apache/conf/mod_osso.conf"


in the file httpd.conf, so that it reads include "Oracle_Home/Apache/Apache/conf/mod_osso.conf" without the leading #. Without this include, mod_osso.conf (and therefore the /analytics protection above) is never loaded. On inspecting our httpd.conf the include was already active, so no change was needed in our environment.


We then restart the Application Server so that the HTTP Server picks up the new mod_osso configuration.
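Before restarting the Application Server it is worth checking the mod_osso wiring described above: Apache refuses to start on an unbalanced <Location> block, and an include that is still commented out leaves /analytics served without any SSO protection. The POSIX sh script below is an added example (not from the original post or from Oracle) that performs those checks against an ORACLE_HOME. It assumes the directory layout used in this post (Apache/Apache/conf, conf/osso/biosso.conf) and builds two constructed sample trees, one correct and one with the commented include and the unclosed Location block, to show what the check reports.

```shell
#!/bin/sh
# Added example (not from the original post or from Oracle): check the mod_osso
# wiring before restarting the Application Server. The directory layout
# ($ORACLE_HOME/Apache/Apache/conf, conf/osso/biosso.conf) is the one used in
# the post; everything else here is constructed for the demonstration.
#
# Checks performed on an ORACLE_HOME:
#   1. httpd.conf has an active (uncommented) include of mod_osso.conf
#   2. mod_osso.conf names an OssoConfigFile that exists and is readable
#   3. every <Location ...> in mod_osso.conf is closed by </Location>
#   4. the /analytics block carries "require valid-user"

check_mod_osso_conf() {
    oh="$1"
    httpd="$oh/Apache/Apache/conf/httpd.conf"
    osso="$oh/Apache/Apache/conf/mod_osso.conf"
    rc=0

    # 1. A leading '#' on the include line means mod_osso.conf is never loaded,
    #    so /analytics would be served without any SSO protection.
    if ! grep -Eiq '^[[:space:]]*include[[:space:]]+"?[^"#]*mod_osso\.conf"?' "$httpd"; then
        echo "FAIL: httpd.conf does not include mod_osso.conf (still commented out?)"
        rc=1
    fi

    # 2. OssoConfigFile must point at the file ssoreg.sh wrote.
    cfg=$(sed -n 's/^[[:space:]]*OssoConfigFile[[:space:]]*//p' "$osso" | head -n 1)
    if [ -z "$cfg" ]; then
        echo "FAIL: no OssoConfigFile directive in mod_osso.conf"
        rc=1
    elif [ ! -r "$cfg" ]; then
        echo "FAIL: OssoConfigFile $cfg is missing or unreadable"
        rc=1
    fi

    # 3. Count opening and closing Location tags. A stray "<Location>" where
    #    "</Location>" belongs counts as a second opener and is reported here.
    opens=$(grep -Eic '^[[:space:]]*<Location[[:space:]>]' "$osso" || true)
    closes=$(grep -Eic '^[[:space:]]*</Location>' "$osso" || true)
    if [ "$opens" -ne "$closes" ]; then
        echo "FAIL: $opens <Location> opener(s) but $closes </Location> closer(s) in mod_osso.conf"
        rc=1
    fi

    # 4. The /analytics block must insist on an authenticated user.
    if ! sed -n '/<Location \/analytics>/,/<\/Location>/p' "$osso" \
         | grep -Eiq '^[[:space:]]*require[[:space:]]+valid-user'; then
        echo "FAIL: /analytics block does not 'require valid-user'"
        rc=1
    fi
    return $rc
}

# Constructed sample ORACLE_HOME trees (not real OracleAS installs).
# "good" is the configuration the post ends up with; "bad" has the include
# still commented out and the unclosed Location block.
make_sample() {
    conf="$1/Apache/Apache/conf"
    mkdir -p "$conf/osso"
    : > "$conf/osso/biosso.conf"    # stands in for the file ssoreg.sh produced
    if [ "$2" = good ]; then
        printf 'include "%s/mod_osso.conf"\n' "$conf" > "$conf/httpd.conf"
        close='</Location>'
    else
        printf '#include "%s/mod_osso.conf"\n' "$conf" > "$conf/httpd.conf"
        close='<Location>'
    fi
    cat > "$conf/mod_osso.conf" <<EOF
# constructed stand-in for mod_osso.conf
OssoConfigFile $conf/osso/biosso.conf
<Location /analytics>
Header unset Pragma
OssoSendCacheHeaders off
AuthType Basic
require valid-user
$close
EOF
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
make_sample "$TMP/good" good
make_sample "$TMP/bad" bad
check_mod_osso_conf "$TMP/good" && echo "good tree: OK"
check_mod_osso_conf "$TMP/bad" || echo "bad tree: problems found (as expected)"
```

Run it with a real ORACLE_HOME by calling check_mod_osso_conf "$ORACLE_HOME" instead of the constructed trees; a clean result from this script is not a substitute for the web server's own configuration check, only a quicker first pass over the three edits the post makes.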



Configuring BI Presentation Services to Use the Impersonator User


The first step is to create a new user in the RPD to be used as the Impersonator User. Open the Administration Tool, go into Security Manager, create a new user and call it 'Impersonator'. Provide a password for the new user (P4ssw0rd in our case) and ensure that the new user is a member of the Administrators group, since Presentation Services uses this account to act on behalf of every SSO user. See Figure 4 below.








Figure 4

We now need to store the Impersonator credentials in the Presentation Services credential store using cryptotools. Before running cryptotools, two things must be done, or it returns an error. The first is to add the OracleBI web/bin directory to LD_LIBRARY_PATH so that cryptotools can find the shared libraries it depends on:


export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/app/oracle/obi/OracleBI/web/bin


The second is an SELinux issue on Oracle Enterprise Linux 5: one of those libraries requires text relocations, which the default SELinux policy denies, so cryptotools fails with a security error until the library is given the textrel_shlib_t file context:


chcon -t textrel_shlib_t '/app/oracle/obi/OracleBI/web/bin/libsamemoryallocator8.so'


To run cryptotools, we run the command below from /app/oracle/obi/OracleBI/web/bin:


./cryptotools credstore -add -infile /app/oracle/obi/OracleBIData/web/config/credentialstore.xml


The following values were supplied at the prompts (in practice, choose an encryption passphrase that differs from the user's password; we reused it here only for the walkthrough):


Credential Alias: impersonation

Username: Impersonator

Password: P4ssw0rd

Do you want to encrypt the password: y

Passphrase for encryption: P4ssw0rd


Do you want to write the passphrase to the xml: n

Answering n keeps the passphrase out of credentialstore.xml; it therefore has to be supplied to Presentation Services through instanceconfig.xml instead, which is the next step.







Figure 5

Configuring Oracle BI Presentation Services to Identify the Credential Store and Decryption Passphrase


Our next step is to modify the instanceconfig.xml file located in /app/oracle/obi/OracleBIData/web/config


Following the Deployment Guide, we made two new entries in instanceconfig.xml. The first identifies the credential store and the passphrase needed to decrypt the Impersonator password in it:


<CredentialStore>

<CredentialStorage type="file" path="/app/oracle/obi/OracleBIData/web/config/credentialstore.xml" passphrase="P4ssw0rd"/>

</CredentialStore>


The second entry is the <Auth> element. It enables SSO and tells Presentation Services to impersonate the user named in the REMOTE_USER server variable, which mod_osso sets after a successful Single Sign On login. Our entry was:


<Auth>

<SSO enabled="true">

<ParamList>

<Param name="IMPERSONATE" source="serverVariable" nameInSource="REMOTE_USER"/>

</ParamList>

<LogoffUrl>




</LogoffUrl>

<LogonUrl>




</LogonUrl>

</SSO>

</Auth>
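The IMPERSONATE setting above means Presentation Services acts as whatever user name the web tier hands it in REMOTE_USER, and the passphrase that was deliberately kept out of credentialstore.xml now sits in clear text in instanceconfig.xml. The POSIX sh script below is an added example, not part of the original post or of Oracle's tooling, that audits a finished instanceconfig.xml for the points a practitioner would want confirmed: straight ASCII quotes (the curly quotes a document editor inserts make the XML unparseable), SSO enabled, IMPERSONATE sourced from the REMOTE_USER server variable rather than from anything a browser could supply, an existing credential store, and a file mode that keeps the passphrase from other local users. The OracleBIData/web/config layout and the element names come from the post; the <WebConfig>/<ServerInstance> wrapper and the attribute order inside <Param> are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or from Oracle): audit the
# instanceconfig.xml written above before restarting Presentation Services.
# The OracleBIData/web/config layout and the element/attribute names are the
# ones in the post; the <WebConfig>/<ServerInstance> wrapper and the attribute
# order inside <Param .../> are assumptions, and the sample files are constructed.
#
# Checks:
#   1. only ASCII bytes (curly quotes pasted from a document break the XML)
#   2. <SSO enabled="true"> is present
#   3. IMPERSONATE comes from the REMOTE_USER server variable set by mod_osso,
#      not from anything a browser could supply
#   4. the CredentialStorage path exists
#   5. the file is not world-readable: it holds the store passphrase in clear,
#      so keeping the passphrase out of credentialstore.xml ("n" above) only
#      helps if this file is protected as well

check_instanceconfig() {
    cfg="$1/OracleBIData/web/config/instanceconfig.xml"
    rc=0

    if LC_ALL=C grep -nE '[^[:print:][:space:]]' "$cfg"; then
        echo "FAIL: non-ASCII bytes in instanceconfig.xml (lines above; curly quotes?)"
        rc=1
    fi
    if ! grep -Eq '<SSO[[:space:]]+enabled="true"' "$cfg"; then
        echo "FAIL: <SSO enabled=\"true\"> not found"
        rc=1
    fi
    if ! grep -Eq '<Param[[:space:]]+name="IMPERSONATE"[[:space:]]+source="serverVariable"[[:space:]]+nameInSource="REMOTE_USER"' "$cfg"; then
        echo "FAIL: IMPERSONATE is not taken from the REMOTE_USER server variable"
        rc=1
    fi
    store=$(sed -n 's/.*<CredentialStorage[^>]*path="\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    if [ -z "$store" ]; then
        echo "FAIL: no <CredentialStorage path=...> entry"
        rc=1
    elif [ ! -r "$store" ]; then
        echo "FAIL: credential store $store is missing or unreadable"
        rc=1
    fi
    if [ -n "$(find "$cfg" -perm -004)" ]; then
        echo "FAIL: instanceconfig.xml is world-readable but contains the passphrase"
        rc=1
    fi
    return $rc
}

# Constructed sample config trees. "good" is what the post ends with (file
# mode tightened to 600); "bad" uses the curly quotes seen in pasted configs
# and the default 644 mode.
make_sample() {
    dir="$1/OracleBIData/web/config"
    mkdir -p "$dir"
    : > "$dir/credentialstore.xml"      # stands in for the store cryptotools wrote
    if [ "$2" = good ]; then
        q='"'
    else
        q=$(printf '\342\200\235')      # U+201D RIGHT DOUBLE QUOTATION MARK
    fi
    cat > "$dir/instanceconfig.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<WebConfig>
  <ServerInstance>
    <CredentialStore>
      <CredentialStorage type="file" path="$dir/credentialstore.xml" passphrase="P4ssw0rd"/>
    </CredentialStore>
    <Auth>
      <SSO enabled=${q}true${q}>
        <ParamList>
          <Param name="IMPERSONATE" source="serverVariable" nameInSource="REMOTE_USER"/>
        </ParamList>
        <LogoffUrl></LogoffUrl>
        <LogonUrl></LogonUrl>
      </SSO>
    </Auth>
  </ServerInstance>
</WebConfig>
EOF
    if [ "$2" = good ]; then chmod 600 "$dir/instanceconfig.xml"; else chmod 644 "$dir/instanceconfig.xml"; fi
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
make_sample "$TMP/good" good
make_sample "$TMP/bad" bad
check_instanceconfig "$TMP/good" && echo "good config: OK"
check_instanceconfig "$TMP/bad" || echo "bad config: problems found (as expected)"
```

The check is only meaningful if every route to /analytics passes through the HTTP Server instance running mod_osso: once SSO is enabled, Presentation Services trusts the identity in REMOTE_USER as set by the web tier, so nothing other than a successful SSO login may ever populate it.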







Figure 6

Now if we go to our OBIEE URL, in our case http://gelliohost.gelliodomain.com:7777/analytics, we should be redirected to the Single Sign On login screen as illustrated in Figure 7 below.





Figure 7

We should still be able to log in using our OID users, for example, user_1 in our case.






Figure 8
We can see in Figure 8 that we are now logged in as user_1. When we click on Log Out, we should see the single-sign on logout page.


Note: Now that authentication and authorisation are handled by Oracle Internet Directory and Oracle Single Sign On, it is no longer possible to log into OBIEE through the Single Sign On login page with a user that exists only in the repository; for example, the Administrator user cannot log into the Dashboards that way. In order to maintain the Dashboards, there is a method of logging in using URL parameters. The following URL allows the Administrator user to log into the Dashboards.




6 comments:

  1. Is the set up same for 11g? Can you please provide the steps for 11g?

  2. Not to discourage you, but you have a very hard combination of colors, making it difficult to read.

  3. This comment has been removed by the author.

  4. Please change your background. A reporting/visualization blog choosing such a user-unfriendly background doesn't make much sense.

  5. Have you done the same for OBIEE 12c along with OID?

  6. Can you please share the same for OBIEE 12c?