[OBIEE 11g] Enabling Oracle Single Sign On

 

Enabling Oracle Single Sign On (OSSO) with OBIEE

The following steps which are required to enable Oracle Single Sign On with OBIEE.

• Register Oracle BI as a partner application to the Oracle Single Sign On Server
• Configure Oracle BI for SSO
• Configure BI Presentation Services to Use the Impersonate User
• Configure BI Presentation Services to Operate in the SSO Environment

Register Oracle BI as a partner application to Oracle Single Sign On Server

Registering Oracle BI with OSSO is carried out via a command line entry. Before carrying out the command line, we need to set the ORACLE_HOME as follows:

export ORACLE_HOME=/app/oracle/oas

Following the Deployment Guide, the entry I carried out for my environment is as follows:

./ssoreg.sh -oracle_home_path /app/oracle/oas -config_mod_osso TRUE -site_name gelliohost.gelliodomain.com:7777 -remote_midtier -config_file /app/oracle/oas/Apache/Apache/conf/osso/biosso.conf -mod_osso_url http://gelliohost.gelliodomain.com:7777

After running the above entry, you should receive a successful return message as illustrated in Figure 1 below.

Figure 1

Configure Oracle BI for SSO

The deployment guide first asks us to copy the biosso.conf file to the directory Oracle_HOME/Apache/Apache/conf/osso. In our case this file already exists.

Our next step is to edit the file ‘mod_osso.conf’ in Oracle_HOME/Apache/Apache/conf. We added the following line to this file:

OssoConfigFile /app/oracle/oas/Apache/Apache/conf/osso/biosso.conf

This can be seen in Figure 2 below:

Figure 2

The next step is to add the the following lines into the file:

<Location /analytics>

Header unset Pragma

OssoSendCacheHeaders off

AuthType Basic

require valid-user

<Location>

This is illustrated in Figure 3 below.

Figure 3

The deployment guide then asks us to uncomment the line:

#include “Oracle_Home/Apache/Apache/conf/mod_osso.conf”

in the file httpd.conf. Upon inspection of this file it was found that the line was already commented out.

We then restart the Application Server.

Configuring BI Presentation Services to Use the Impersonator User

The first step is to create a new user in the RPD to be used as the Impersonator User. Go into the administration tool and then go into Security Manger. Create a new user and call the user ‘Impersonator’. Provide a password for the new user, in my case P4ssw0rd, and ensure that the new user is assigned to the Administrator group. See Figure 4 below.

Figure 4

We now need to make some changes using cryptotools. Before running cryptotools, there are a couple of things that we first need to carry out to avoid cryptotools returning an error. The first is to update the LD_LIBRARY_PATH to include the web/bin directory in OracleBI. To do this I used the following command:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/app/oracle/obi/OracleBI/web/bin

The next step is to provide security permissions to a file that is required by cryptotools. Without running the following command, you will receive a security error if running Oracle Enterprise Linux 5.

chcon -t textrel_shlib_t ‘/app/oracle/obi/OracleBI/web/bin/libsamemoryallocator8.so’

To run cryptotools, we run the command below from the /app/oracle/obi/OracleBI/web/bin

./crpytotools credstore -add -infile /app/oracle/obi/OracleBIData/web/config/credentialstore.xml

The following attributes were provided to this program:

Credential Alias: impersonation

Username: Impersonator

Password: P4ssw0rd

Do you want to encrpyt the password: y

Passphrase for encryption: P4ssw0rd

Do you want to write the passphrase to the xml: n

Figure 5

Configuring Oracle BI Presentation Services to Identify the Credential Store and Decryption Passphrase

Our next step is to modify the instanceconfig.xml file located in /app/oracle/obi/OracleBIData/web/config

Following the Deployment Guide, we made 2 new entries in the instanceconfig.xml. The first entry relates to the credential store:

<CredentialStore>

<CredentialStorage type=”file” path=”/app/oracle/obi/OracleBIData/web/config/credentialstore.xml” passphrase=”P4ssw0rd”/>

</CredentialStore>

The second entry relates to the Authorisation tag for Single Sign On. The entry for us was:

<Auth>

<SSO enabled=”true”>

<ParamList>

<Param name=”IMPERSONATE” source=”serverVariable” nameInSource=”REMOTE_USER”/>

</ParamList>

<LogoffUrl>

http://gelliohost.gelliodomain.com:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2Fgelliohost.gelliodomain.com:7777%2Fanalytics%2F

</LogoffUrl>

<LogonUrl>

http://gelliohost.gelliodomain.com:7777/pls/orasso/orasso.wwsso_app_admin.ls_login

</LogonUrl>

</SSO>

</Auth>

Figure 6

Now if we we go to our OBIEE url, in here http://gelliohost.gelliodomain.com:7777/analytics, we should be redirected to the single-sign on login screen as illustrated in Figure 7 below.

Figure 7

We should still be able to log in using our OID users, for example, user_1 in our case.

Figure 8

We can see in Figure 8 that we are now logged in as user_1. When we click on Log Out, we should see the single-sign on logout page.

Note:     As we now have our authentication and authorisation for security handled by both Oracle Internet Directory and Oracle Single Sign On, we will no longer be able to log into OBIEE with an existing user in the Repository. ie, We can not log into the Dashboards with the Administrator user through the Single Sign On login page. In order to maintain the Dashboards, there is a method of logging into the Dashboards using URL parameters. The following URL allows me to still log into the dashboards using the Administrator user.