Oracle Access Manager integration with BI Dashboards

This post covers the integration of BI Dashboards (analytics) with Oracle Access Manager. With this integration, we achieve single sign-on between BI Dashboards and the other applications protected by Oracle Access Manager.

Environment Details:

Oracle Access Manager 10.1.4.3

Oracle BI Dashboards 10.1.3.4.1

OHS 1.x WebGate 10.1.4.3

Oracle WebLogic Server 10.3.1 (where BI application is deployed)

Pre-requisites:

The SSO system should be able to send the user id in a header variable or a cookie. If not, the SSO system should be able to integrate with the J2EE environment so that the getRemoteUser method returns the username of the end user. Since we are using Oracle Access Manager as the SSO system, which provides the header facility out of the box, the integration is straightforward.

Architecture:

[Figure: OBIEE Architecture]

Integration Details:

The integration is explained through the steps executed on both the OAM and the OBIEE side.

OAM Front:

Create the OBIEE user and groups in OAM user repository.

1. Create a policy domain for OBIEE.

2. Add the resource /analytics to be protected.

3. Create an Authorization Rule to allow the users, and add authorization actions to return the username in a header variable, say SSO_UID, together with the corresponding user groups.

4. Specify Form based authentication (which is used in our case) and assign the Authorization Rule.

5. Install the WebGate on the proxy server and configure the reverse proxy for the Dashboards URL as shown below.

ProxyPass /analytics/ http://bi_host:port/analytics/

ProxyPassReverse /analytics/ http://bi_host:port/analytics/

6. Restart the proxy web server.

OBIEE Front:

1. OBIEE – LDAP Authentication:

Create a new LDAP Server entry in the repository (rpd) for the LDAP directory where the OAM users are stored. The input parameters required are shown in the screenshot below.

Enter the OAM user store (LDAP) hostname, port number, Base DN, Bind DN and password, and test the connection.

2. Configure the Initialization block for user authentication.

Create a new init block and name it Authentication. Select Edit Data Source and choose the LDAP server created in the step above.

3. Select Edit Data Target, click New and enter USER in the name field. Map the LDAP attribute uid to the USER variable.

4. Test the authentication by clicking the Test button in the Session Variable Initialization Block window.

5. Create another session variable initialization block that executes a database function when the user logs in and returns the user's associated group names. In other words, the function call dynamically assigns the user to those groups.

6. Give the first initialization block the higher execution precedence, as shown below.

Here, we are also sending the attribute Location from OAM along with the username.

7. Create an Impersonator user in the RPD file. Oracle BI Presentation Services uses this user to establish a connection to the Oracle BI Server on behalf of the authenticated end user.

8. Add the Impersonator user credentials to the Oracle BI Presentation Services credential store by executing the Crypto Tool utility.

9. Configure Oracle BI Presentation Services to locate the credential store and its decryption passphrase by adding the <CredentialStore> element to the instanceconfig.xml file:

<CredentialStore>
<CredentialStorage type="file" path="./credentialstore.xml" passphrase="password123"/>
</CredentialStore>

10. Configure Oracle BI Presentation Services to operate SSO enabled by adding the <Auth> element to the instanceconfig.xml file:

<Auth>
<SSO enabled="true">
<ParamList>
<Param name="IMPERSONATE" source="httpHeader" nameInSource="SSO_UID"/>
</ParamList>
<LogoffUrl>
</LogoffUrl>
</SSO>
</Auth>

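
Because Presentation Services trusts whatever name arrives in the header named by IMPERSONATE, it is worth checking the <Auth> block mechanically before restarting the service. The checker below is an added example (not part of the original post or of OBIEE) that parses the fragment, confirms SSO is enabled, and reports which header or cookie will be used for impersonation; the two configuration samples are constructed here, and the accepted sources are limited to the header and cookie cases named in the prerequisites above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <Auth> fragment from instanceconfig.xml as shown above,
# with the header name SSO_UID set by the OAM authorization action.
GOOD_CONFIG = """<Auth>
  <SSO enabled="true">
    <ParamList>
      <Param name="IMPERSONATE" source="httpHeader" nameInSource="SSO_UID"/>
    </ParamList>
    <LogoffUrl></LogoffUrl>
  </SSO>
</Auth>"""

# Constructed sample: the same fragment with </ParamList> mistyped as <ParamList>,
# which is not well-formed XML and stops Presentation Services from reading it.
BAD_CONFIG = GOOD_CONFIG.replace("</ParamList>", "<ParamList>")

# Sources that satisfy the prerequisite above: the SSO system must deliver the
# user id in an HTTP header or a cookie (assumption: other sources are rejected).
ALLOWED_SOURCES = {"httpHeader", "cookie"}


def check_sso_config(xml_text):
    """Validate the <Auth> block and report the header/cookie OBIEE will trust."""
    result = {"ok": False, "errors": [], "header": None, "source": None}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        result["errors"].append("not well-formed XML: %s" % exc)
        return result
    sso = root.find("SSO") if root.tag == "Auth" else None
    if sso is None:
        result["errors"].append("no <Auth><SSO> element found")
        return result
    if sso.get("enabled", "").lower() != "true":
        result["errors"].append("SSO is not enabled")
    params = [p for p in sso.iter("Param") if p.get("name") == "IMPERSONATE"]
    if len(params) != 1:
        result["errors"].append("expected one IMPERSONATE Param, found %d" % len(params))
    else:
        source, name = params[0].get("source"), params[0].get("nameInSource")
        if source not in ALLOWED_SOURCES:
            result["errors"].append("unsupported source %r" % source)
        if not name:
            result["errors"].append("IMPERSONATE Param has no nameInSource")
        result["source"], result["header"] = source, name
    result["ok"] = not result["errors"]
    return result


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_sso_config(cfg))
```

The reported header name is the one the reverse proxy must let only WebGate set; a mismatch between it and the OAM authorization action is the usual reason impersonation silently fails.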
User Flow:

1. The user accesses the OBIEE Dashboards application using the URL http://proxy_host:port/analytics/

2. The WebGate deployed on the proxy server intercepts the request and checks with the Access Server whether the resource is protected.

3. The Access Server looks up the policy details of /analytics in the policy store and responds that it is protected. The user is then prompted with the authentication scheme configured for this resource. (Note: we have configured Form Based authentication in our case.)

4. The user enters login details, and WebGate forwards them to the Access Server for authentication.

5. Upon successful authentication, the Access Server generates a secure cookie called ObSSOCookie.

6. The Access Server then checks whether the user is authorized to access the resource.

7. If the user is authorized, WebGate executes the Authorization Actions (which set the header variable configured above).

8. WebGate forwards the request to the OBIEE application, which in turn checks whether the user is authorized to access it. This check is performed against the LDAP repository configured in OBIEE. (Note: we have used OID in our case.)

9. BI Presentation Services reads the username variable (configured in instanceconfig.xml) and impersonates the user to establish the connection with the BI Server on behalf of the authenticated user.

10. The user is shown the requested application.

Points to remember:

Access the analytics URL with a trailing slash, as shown below.

http://proxy_host:port/analytics/

You will get a 404 Not Found error (control stops at the OAM Action URL) if you omit the trailing '/' from the URL.


About the Author: Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities, etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com

» Oracle Access Manager integration with BI Publisher Online Apps DBA: One Stop Shop for Apps DBA’s says October 27, 2010

[…] like to cover OAM integration with BI Publisher (xmlpserver) in this post. A day before, I wrote a post on OAM integration with BI Dashboards and same steps hold good here but with few […]

apkumar says October 27, 2010

Atul,
I installed 11.5.10 on OEL 4.8. I want to access SQL*Plus from a client machine with XP / Windows 7 OS. After running autoconfig, I got a message that no listener is available. Can you tell me how to update the port numbers? And also let me know the complete steps to access SQL*Plus from the client machine? What are the server-side/client-side configurations?

Atul Kumar says October 27, 2010

@ Apkumar,
There are two listeners in Apps, one in the application tier (used by CM log/out) and another at the database tier. I am suspecting it's the latter.

The DB listener should be up and running while running autoconfig on the application tier.

To access the database server from a client PC there is no special configuration at the server side.

On the client PC, install the database client and then configure tnsnames.ora (you can use netca) to connect to the database server of Apps 11.5.10.

jollygud says February 23, 2012

Hi,

We have done the OBIEE 10g SSO integration with OAM 10g.
In this, OAM is using OID as the authentication repository. Once the user is authenticated by OAM, the authenticated user's UID is sent to the OBIEE presentation server in an HTTP header. It creates a connection with the OBI server using the impersonation feature of OBI and gives OBI resource access to the OID user.

My question here is: to have this SSO integration work, do we need to create a user with the same UID (as the OID uid) in the OBIEE "rpd" repository?
OR do we only need to create the user in OID and not in the OBIEE rpd?
OR is there some auto-provisioning option in OBIEE (like EBS) in which the user is automatically created from OID in the OBI repository when the user logs in for the first time using his SSO (OID) ID?

My question is: is there a way that this integration can be achieved without creating the user in the OBI rpd?

Thanks

Jmc says May 10, 2012

Now how about OBIEE 11g? I am in the process of configuring this now. We now have an identity asserter for OAM introduced in the WebLogic console, in the security providers section.

There is also an SSO configuration done in Fusion Middleware Control for SSO, which I assume just modifies the instance config file for you...

Hopefully I will have this working soon.
