65 comments
Hi Atul!
Can I use Microsoft Active Directory instead of OID for the user repository?
Regards, Jani
@Jani
Yes, Active Directory can be used as the user store for OBIEE 11g integration with OAM 11g.
You need to select and configure “ActiveDirectoryAuthenticator” in WLS and configure AD as the user store in OAM.
Thanks
Neha
Hi Atul,
I have done the integration of OAM 11g and OBIEE 11g following the steps you mentioned and the online document provided on the Oracle website.
But when I restart the OBIEE Admin Server I am getting the error below. Did you come across this issue? Please help.
<The realm “myrealm” failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: java.lang.RuntimeException.
weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: java.lang.RuntimeException
at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:341)
at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:220)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1785)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
Truncated. see log file for complete stacktrace
Caused By: com.bea.common.engine.ServiceInitializationException: java.lang.RuntimeException
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:46)
Truncated. see log file for complete stacktrace
Caused By: java.lang.RuntimeException
at oracle.security.wls.oam.util.OAMUtil.<init>(OAMUtil.java:172)
at oracle.security.wls.oam.providers.asserter.OAMIdentityAssertionProviderImpl.initialize(OAMIdentityAssertionProviderImpl.java:403)
at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:60)
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
Truncated. see log file for complete stacktrace
Caused By: java.lang.ArrayIndexOutOfBoundsException: 1
at oracle.security.wls.oam.util.OAMUtil.createServerEntry(OAMUtil.java:367)
at oracle.security.wls.oam.util.OAMUtil.createAAAClient(OAMUtil.java:252)
at oracle.security.wls.oam.util.OAMUtil.<init>(OAMUtil.java:168)
at oracle.security.wls.oam.providers.asserter.OAMIdentityAssertionProviderImpl.initialize(OAMIdentityAssertionProviderImpl.java:403)
at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:60)
Truncated. see log file for complete stacktrace
>
Regards,
Babji
@ babji_007,
You said you used “online document provided in oracle website”.
Which document did you use? Most of the documents for OBIEE as of today are for 10g OAM integration. Share the Oracle document you used so that I can verify.
Hi Atul,
Forgot to mention in my previous post.
Your post on OAM and OBIEE integration is really nice.
Thanks,
Babji
Hi Atul,
Thank you. What I meant was that in the post you have provided for OBIEE – OAM integration there are links to the Oracle website to configure authentication providers and OHS. I have used those for that.
For the rest I have followed your post and a bit of the URL below:
http://docs.oracle.com/cd/E17904_01/core.1111/e10043/osso_b_oam11g.htm#BABBEBIH
Regards,
Babji .
@ Babji_007,
What is the control flag (JAAS flag; more here: http://onlineappsdba.com/index.php/2010/02/04/how-to-integrate-weblogic-with-oracle-internet-directory-for-login-authentication/ ) for the OAM Identity Asserter provider in the myrealm security realm?
Do not set it to REQUIRED.
Hi Atul,
Thanks for that. Currently I have set it to “REQUIRED”; I will make it “SUFFICIENT” or “OPTIONAL”. But why have they mentioned it that way on the Oracle website? Any excerpts, if you can?
Regards,
Babji
Hi Atul,
I have tried putting the authentication providers in the following order with these flags:
OAM – SUFFICIENT
OID – SUFFICIENT
Default – SUFFICIENT
But the same error is being thrown.
Regards,
Babji
Hi Atul,
After setting the provider order as mentioned in my previous post and updating the config file, I was able to restart successfully.
But after restart, post-authentication it's going to the OBIEE logout page. It seems there is an issue with the header set.
Is the header that needs to be set for OID $user.uid or $user.userid, and
is the logon URL mandatory? We have configured our own login page, which is deployed on OAM.
Regards,
Babji
@ Babji_007,
Did you run oamcfgtool.jar by any chance, as shown in the doc below?
http://docs.oracle.com/cd/E21764_01/doc.1111/e15722/oid.htm#CIHGHBFA
Hi Atul,
Thanks. Initially I tried running oamcfgtool.jar but it was unable to connect to the access server, so I have created all the OAM configurations manually. It seems it does not work in OAM 11g, as the configurations are described for OAM 10g.
Regards,
Babji
@ Babji_007,
Yes, oamcfgtool.jar is only for OAM 10g and should not be used with OAM 11g.
Hi Atul!
In the first step of the OHS config I can choose this: “Associate Selected component with weblogic domain”. Should I check this check-box? Or can the OHS work standalone?
Regards, Jani
Hi Atul,
On which of these can I install OBIEE 11.1.1.5 (complete, I mean server, database…)?
Windows 7 Home Premium
Windows 7 Professional
Windows 7 Ultimate
Regards
Prema
Hi,
I am able to implement OBIEE-SSO-OAM using HTTP and WebGate with OID credentials.
That means
http://webhost:7777/xmlpserver works fine with OAM authentication using OID users.
But is there a way to make http://obieehost:9704/xmlpserver also to get authenticated from OAM-SSO using OID credentials?
@ KNPN,
Ideally you should restrict access to http://obieehost:9704/xmlpserver to admins only (use a WebLogic network channel or a firewall). Everyone else should come via OHS (the web server).
Atul,
Great! Since I am using FMW with OID, only users coming via OAM can enter OBIEE.
But if for any reason someone hits obieehost:9704/xmlpserver, they should get redirected to the OAM login page and log in via that page. Can we configure it that way?
thanks
@ knpn,
What happens when you access obieehost:9704/xmlpserver directly?
Is this not redirecting to the OAM login page?
If not, then confirm that you configured all integration steps, including those for BI Publisher.
@Atul,
obieehost:9704/xmlpserver and obieehost:9704/analytics are not hitting the OAM page. They prompt only the normal login page (but won't allow to get).
Only ohshost:7777/xmlpserver and ohshost:7777/analytics hit OAM and get in.
Please give more hints on where the configuration step is to be done so that my 9704 also hits the OAM SSO login page.
Thanks
Hi Atul Kumar, I integrated BIEE 11g with OAM 11g; my user store is in MSAD. Unfortunately, only some users can log in to BIEE using the OHS port. Do you have any suggestions?
What is the difference between the users who can log in and the others who can’t? Is this an authentication issue or an authorization issue?
Enable debug in WebLogic Server for authentication and authorization and try to find the root cause from the logs.
Debug: enable debug for authentication & authorization via the WebLogic Console: Servers -> [Server Name] -> Debug -> WebLogic -> Security -> atn (for Authentication) and atz (for Authorization), then click Enable.
More information at http://onlineappsdba.com/index.php/2010/02/04/how-to-integrate-weblogic-with-oracle-internet-directory-for-login-authentication/ and http://onlineappsdba.com/index.php/2011/03/21/weblogic-kerberos-sso-authentication-issue-error-401-forbidden-no-configuration-was-registered-that-can-handle-the-configuration-named-com-sun-security-jgss-krb5-accept/
Thanks for your reply! My OAM and BIEE login username attribute is mailNickname (or sAMAccountName). I failed to log in to BIEE using SSO, but when I change the username attribute to displayName, I log in to BIEE successfully. It seems weird.
@ Damon,
After changing the login attribute in OAM from uid/cn to mailNickName (or sAMAccountName), can you log in to OAM (non-OBIEE URLs)?
This is to find out whether the issue is at the OBIEE level or the OAM level.
Thank you, Atul Kumar! I can log in to EPM Workspace using login attribute cn/sAMAccountName/mailNickName, and I can also log in to BIEE using login attribute cn (AD cn is different from mailNickName), but it fails when using mailNickName. I think the issue is at OAM, which cannot send the right session to OBIEE, but I do not know how to set the OAM_REMOTE_USER value (default is $user.userid). Do you have any suggestions? Thanks for your kind help!
@ Damon, This can be achieved by setting a response in the authorization policy for OAM. This is also covered in my book at http://www.amazon.com/Oracle-Identity-Access-Manager-Administrators/dp/1849682682
Hi Atul,
We have integrated EBS R12 with OAM 11.1.1.5 & OID 11.1.1.6 using AccessGate 1.1.1. Now we want to use the same IDM infrastructure to hook up OBIEE 11.1.1.6 for SSO. Can we leverage the same stack or do we need a separate OID/OAM for OBIEE?
Please suggest the method and steps.
Regards
@ Vara,
You should use the IDM infrastructure for OBIEE; the only extra thing you can do is install a different OHS with WebGate for OBIEE (but use the same OAM & OID server).
Hi Atul,
I have tried to create a response header in the Authentication and Authorization policy: OAM_REMOTE_USER/Header/$user.attr.cn.
With cn as my BIEE and OAM login attribute, I can log in to BIEE through OAM, but it fails when using login attribute mailNickname (BIEE & OAM) and OAM_REMOTE_USER/Header/$user.attr.mailNickname.
Do you have any suggestions?
Hi Atul,
Thank you for your clarification. One additional point: in the case of EBS we use AccessGate. Do we need this with OBIEE, or do we simply follow the steps that you explained in this blog?
Regards
Hi Atul,
I tried to integrate OBIEE 11g with OAM 11g. In this process, when I integrate OBIEE with OID 11g, all users are showing in the WebLogic console but groups are not, and I am unable to log in to /analytics with the weblogic user even though I set the flag of DefaultAuthenticator to SUFFICIENT. The Admin log shows the error below when I log in to /analytics:
java.security.PrivilegedActionException: oracle.bi.security.service.SecurityServiceException: SecurityService::authenticateUserWithLanguage – ‘weblogic’ was authenticated but could not be located within the Identity Store.
at java.security.AccessController.doPrivileged(Native Method)
at oracle.bi.security.service.SecurityWebService.authenticateWithLanguage(SecurityWebService.java:186)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.wsee.jaxws.WLSInstanceResolver$WLSInvoker.invoke(WLSInstanceResolver.java:92)
at weblogic.wsee.jaxws.WLSInstanceResolver$WLSInvoker.invoke(WLSInstanceResolver.java:74)
at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:151)
at com.sun.xml.ws.server.sei.EndpointMethodHandlerImpl.invoke(EndpointMethodHandlerImpl.java:268)
at com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:100)
at weblogic.wsee.jaxws.security.AuthorizationTube$RunAsWrapperTube$1.run(AuthorizationTube.java:291)
at weblogic.wsee.jaxws.security.AuthorizationTube$RunAsWrapperTube$1.run(AuthorizationTube.java:289)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:337)
at weblogic.wsee.jaxws.security.AuthorizationTube$RunAsWrapperTube.processRequest(AuthorizationTube.java:288)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:403)
at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:532)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:253)
at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:140)
at weblogic.wsee.jaxws.WLSServletAdapter.handle(WLSServletAdapter.java:171)
at weblogic.wsee.jaxws.HttpServletAdapter$AuthorizedInvoke.run(HttpServletAdapter.java:708)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
at weblogic.wsee.util.ServerSecurityHelper.authenticatedInvoke(ServerSecurityHelper.java:103)
at weblogic.wsee.jaxws.HttpServletAdapter$3.run(HttpServletAdapter.java:311)
at weblogic.wsee.jaxws.HttpServletAdapter.post(HttpServletAdapter.java:336)
at weblogic.wsee.jaxws.JAXWSServlet.doRequest(JAXWSServlet.java:95)
————————–
I created a new trusted user; that user is able to log in to the WebLogic console.
Any suggestions, please?
Thanks in advance,
@ Narasimharao,
To find out why groups from OID are not visible in WebLogic, enable debug for ATN & ATZ in WebLogic for the admin server. (Check this for steps: http://onlineappsdba.com/index.php/2010/02/04/how-to-integrate-weblogic-with-oracle-internet-directory-for-login-authentication/ )
For the issue “‘weblogic’ was authenticated but could not be located within the Identity Store”: in which order is the OID authenticator (this should be the first provider)? Is there any other authentication provider whose flag is set to REQUIRED (apart from the OID provider)?
Do you have the user weblogic in OID? If not, then create one if you wish to log in to OBIEE as user weblogic.
Hi Atul,
Thanks for the reply.
We have only two authenticators: one is the OID authenticator, whose flag is set to SUFFICIENT, and the other is the DefaultAuthenticator, whose flag is set to REQUIRED.
I created a new trusted user and assigned it to Application Policies. The trusted user is able to log in to the WebLogic console, and the remaining users who are in OID are not able to log in to the WebLogic console. When OID users log in to /analytics, the error below is shown on the screen:
Error retrieving user/group data from Oracle BI Server’s User Population API.
Error Details
Error Codes: GDU6UYHS:OPR4ONWY:U9IM8TAC:OI2DL65P:SDKE4UTF
Odbc driver returned an error (SQLExecDirectW).
State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 43113] Message returned from OBIS. [nQSError: 13049] User ‘obiee_testing’ with ‘oracle.as.scheduler.security.MetadataPermission;oracle.bi.publisher.scheduleReport;AtAGlance;oracle.bi.publisher.accessReportOutput;_all_;oracle.bi.publisher.accessExcelReportAnalyzer;_all_;oracle.epm.financialreporting.accessReporting;Explore;oracle.bi.publisher.accessOnlineReportAnalyzer;EPM_Essbase_Filter;oracle.bi.publisher.runReportOnline’ permission can not query user population.Please have your System Administrator look at the log for more details on this error. (HY000)
Please have your System Administrator look at the log for more details on this error.
Expression: privileges[‘Admin: Catalog’][‘Change Permissions’].
Atul, please justify one thing: should users exist in both OID and OBIEE for a successful login?
I created the weblogic user in OID; after that the weblogic user is not able to log in to the WebLogic console.
Please suggest,
Thanks in advance,
Hi Atul,
Now I am able to log in to /analytics with OID users; the issue was due to the naming convention of the trusted user. Earlier it was ‘obiee_testing’.
But the OID groups are reflected into /console.
In OID I created just groups in a simple way by using ‘groupOfNames’; here I am not providing roles or policies to the groups. Is there any workaround to reflect the OID groups, or do I need to attach the reflected users to existing OBI groups?
After a user logs in to /analytics, when we click on the Dashboards dropdown list it shows the error below:
Error
View Display Error
Error getting drill information: SELECT “DEPARTMENT_DIM”.”DEPT_DESC” saw_0, COUNT(DISTINCT “EMP_FACT”.”ASSIGNMENT_ID”) saw_1, sum(“EMP_FACT”.”PAY_ELEMENT_VALUE”)/count(“EMP_FACT”.”PAY_ELEMENT_VALUE”) saw_2, “COMPANY_DIM”.”BUSINESS_GROUP_DESCRIPTION” saw_3 FROM “Republic” WHERE (“PEO_DIM”.”ENTERPRISE_DESCRIPTION” = ‘REPUBLIC PEO SERVICES INC.’) AND (“PERIOD_DIMNEW”.”QUARTER” = ‘Q1’) AND (“PERIOD_DIMNEW”.”YEAR” = ‘2012’)
Error Details
Error Codes: YQCO4T56:OPR4ONWY:U9IM8TAC:OI2DL65P
Odbc driver returned an error (SQLExecDirectW).
State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 43113] Message returned from OBIS. [nQSError: 27005] Unresolved column: “PEO_DIM”.”ENTERPRISE_DESCRIPTION”.Please have your System Administrator look at the log for more details on this error. (HY000)
SQL Issued: {call NQSGetLevelDrillability(‘SELECT “DEPARTMENT_DIM”.”DEPT_DESC” saw_0, COUNT(DISTINCT “EMP_FACT”.”ASSIGNMENT_ID”) saw_1, sum(“EMP_FACT”.”PAY_ELEMENT_VALUE”)/count(“EMP_FACT”.”PAY_ELEMENT_VALUE”) saw_2, “COMPANY_DIM”.”BUSINESS_GROUP_DESCRIPTION” saw_3 FROM “Republic” WHERE (“PEO_DIM”.”ENTERPRISE_DESCRIPTION” = ”REPUBLIC PEO SERVICES INC.”) AND (“PERIOD_DIMNEW”.”QUARTER” = ”Q1”) AND (“PERIOD_DIMNEW”.”YEAR” = ”2012”)’)}
Any suggestions, please?
Thanks in advance,
Hi Atul,
Your documentation is very good.
Finally I have done the integration successfully.
Thanks a lot.
Regards,
Narasimha
Hi Atul,
I have followed the same steps, but my integration is not successful. I am getting double authentication: first from OAM and second the native authentication page. I am using the AD authenticator. Please help me in fixing the issue.
Regards
A Abhinay
Hi Atul,
I have one question:
I am following this link to configure the SSO with OBIEE using OAM with OVD
http://docs.oracle.com/cd/E21764_01/bi.1111/e10543/sso.htm#autoId0
In this post, there are steps mentioned which are not in your post, like:
1. Configure the new trusted system user to replace the default BISystemUser.
2. Refresh the user and group GUIDs.
So, I wanted to know whether they are required or not.
Hi Atul,
I have one question.
Before Corp SSO we had OBIEE 11g and Oracle 10g AS with a local OID.
After that we installed OHS 11g.
We implemented the Oracle Corp OSSO in OBIEE 11g and we removed the local OID.
login and Log of urls
When trying to log in to the analytics URL, after entering the SSO login username and password, we get the
“Not Signed In” error page.
OBIEE 11.1.1.6.0 and with weblogic
OHS 11.1.1.6.
Oracle 10g AS
DB 11g 11.2.0.2.
Is it required to install WebGate and all?
Please help me.
Error:
OracleBIServerComponent:
nqserver.log
Data Source Name: TANAS1
Data Source Type: Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 – 64b
]]
[2013-01-28T13:47:05.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004p5uADq3fAPPAZv_aAV10005j8000000] [tid: 47279720] [85003] MDX Member Name Cache subsystem started successfully.
[2013-01-28T13:47:05.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004p5uADq3fAPPAZv_aAV10005j8000000] [tid: 47279720] [85004] MDX Member Name Cache subsystem recovered entries: 0, size: 0 bytes.
[2013-01-28T13:47:05.000+00:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 004p5uADq3fAPPAZv_aAV10005j8000000] [tid: 47279720] [13026] Error in getting roles from BI Security Service: ‘Error Message From BI Security Service: oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserSystem user could not be authenticated’
[2013-01-28T13:47:05.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004p5uADq3fAPPAZv_aAV10005j8000000] [tid: 47279720] nqsserver: Clustered Oracle BI Server (64-bit) started. Version: 11.1.1.6.0.120104.1053.000.
[2013-01-28T13:47:26.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004p5uADq3fAPPAZv_aAV10005j8000000] [tid: 4db35940] [43071] A connection with Cluster Controller nacisnscl203.us.oracle.com:9706 was established.
[2013-01-28T13:50:21.000+00:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 004p5uMOSL5APPAZv_aAV10004Fv0002MY] [tid: 4e842940] Error Message From BI Security Service: oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserSystem user could not be authenticated
[2013-01-28T13:50:21.000+00:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 004p5uMOSL5APPAZv_aAV10004Fv0002MY] [tid: 4e842940] [nQSError: 43126] Authentication failed: invalid user/password.
=====================================
OracleBIPresentationServicesComponent
sawlog6.log
[2013-01-28T13:53:56.000-06:00] [OBIPS] [ERROR:1] [] [saw.security.odbcuserpopulationimpl.getbisystemconnection] [ecid: 004p5uB1m8nAPPAZv_aAV10005r2000000,0:118] [tid: 1092766016] Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43113] Message returned from OBIS.
[nQSError: 43126] Authentication failed: invalid user/password. (08004)[[
File:odbcuserpoploaderimpl.cpp
Line:995
Location:
saw.security.odbcuserpopulationimpl.getbisystemconnection
saw.security.odbcuserpopulationimpl.searchidentities
saw.security.userpopulationmanagerimpl.getaccountdetailsbyid
saw.CatalogAttributes.cache.cleanup
saw.taskScheduler.processJob
taskscheduler
saw.threads
ecid: 004p5uB1m8nAPPAZv_aAV10005r2000000,0:118
ThreadID: 1092766016
task: Cache/CatalogAttributes
]]
[2013-01-28T13:54:01.000-06:00] [OBIPS] [NOTIFICATION:1] [] [saw.securitysubsystem.checkauthentication.runimpl] [ecid: 004p5uZR7eiAPPAZv_aAV10004Fv0002Pv,0:1:1:1] [tid: 1080142144] Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43113] Message returned from OBIS.
[nQSError: 43126] Authentication failed: invalid user/password. (08004)[[
File:checkauthentication.cpp
Line:1293
Location:
saw.securitysubsystem.checkauthentication.runimpl
saw.threadpool.asynclogon
saw.threads
ecid: 004p5uZR7eiAPPAZv_aAV10004Fv0002Pv,0:1:1:1
ThreadID: 1080142144
==========================================
@ Narasimharao,
Which SSO are you using: 10g OSSO or 11g OAM?
If this is 11g OAM, then WebGate is required and OID is also mandatory.
@ sunyajmera
1. Configure the new trusted system user to replace the default BISystemUser.
This is required only if you want to use BISystemUser from OID. If not, you can leave it as it is, and then BISystemUser will be from the WebLogic embedded LDAP server.
2. Refresh the user and group GUIDs.
This is only required if there is any user with the same name in both OID and the embedded WebLogic LDAP server.
Hi Atul,
We are using OSSO 11g.
We already have OBIEE 11g + OID,
and we want to get rid of OID.
We want OBIEE 11g_OHS 11g + OSSO
without OID. Is it possible?
@ Narasimharao,
No, you can’t get rid of OID. This is where users and groups are stored, against which OSSO authenticates/validates.
I am surprised that you are using 11g OSSO; any reason for not picking OAM 11g?
Hi Atul,
I was following the OBIEE11g – Oracle SSO (OSSO) configuration (Doc ID 1353527.1) and I configured
OBIEE 11g and OHS 11g with OID.
We are able to log in to OSSO using our username/password.
Here, without OSSO, we have to do our work.
What is the use of OSSO? Please make it clear for me and help me.
@ Narasimharao – OSSO is a Single Sign-On server, so that you log in once and can access all applications (protected by this SSO server) without authenticating again.
How to set up authentication using init blocks in OBIEE 11.1.1.6.0?
Nice notes, Atul. Very helpful.
In my case,
I have configured SSO for my OBIEE server.
While trying to log in to my home URL page (https://xyz.idc.oracle.com/analytics), it points to the SSO login page successfully.
But after providing username and password, it's not redirecting to my OBIEE home page URL. I am getting the error message below.
——
Oracle SSO Failure – Unable to process request
Either the requested URL was not specified in terms of a fully-qualified host name or OHS single sign-on is incorrectly configured.
Please notify your administrator.
—————-
Could you please provide some inputs to fix this issue?
1. I have configured httpd.conf and instanceconfig.xml correctly as per the Oracle documentation.
2. I have provided the URLs below for the Partner Application request. Please correct me if I haven't provided the correct ones.
Application Home URL: https://xyz.idc.oracle.com/analytics
Application Success URL: https://xyz.idc.oracle.com/osso_login_success
Application Logout URL: https://xyz.idc.oracle.com/osso_logout_success
Both the Application and Server and OBI resides on same server (10g version).
@Vel,
Which SSO server are you using: OAM or OSSO? Which document did you use to configure SSO with OBIEE?
Hi Atul,
I did the OBIEE and OAM SSO integration. When I try to access /analytics from the OHS server, it takes me to the OAM login page.
I entered the OVD user ID/password and authenticated successfully.
It goes to the OBIEE page and shows the error below.
You are not currently signed in to the Oracle BI Server.
If you have already signed in, your connection might have timed out, or a communications or server error may have occurred.
To sign in again, click here. If the problem persists, please contact the site’s administrator.
OAMIdentityAsserter: REQUIRED
OVDAuthenticator: SUFFICIENT
DefaultAuthenticator: SUFFICIENT
I enabled SSO on OBIEE and provided the logon URL and logoff URL in /em,
and also added the below to the security provider configuration from /em:
user.login.attr=uid
username.attr=uid
Can you guide me on what else needs to be done?
Thanks
Sriakr
I also see the OVD users in WebLogic, so the connector is working,
but I can't use those users to log in directly to the OBIEE URL [not through OAM].
@ vankasrikar,
There must be an error in the OBIEE server logs (I think the log file name is nqserver.log); paste the error from the OBIEE server logs.
Hi Atul,
I’m getting the below error.
[2013-08-02T18:25:37.000-04:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: f14db3b1a2833926:56e528f:140410838d0:-8000-00000000000002a8] [tid: 76bd2700] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed – the system user profile could not be found in the identity store.
[2013-08-02T18:25:37.000-04:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: f14db3b1a2833926:56e528f:140410838d0:-8000-00000000000002a8] [tid: 76bd2700] [nQSError: 43126] Authentication failed: invalid user/password.
@ vankasrikar,
Ensure that OID is the first authentication provider (above the default authentication provider) and that the JAAS flag for both the default authenticator and the OID authenticator is set to SUFFICIENT.
Restart the WebLogic domain and OBIEE services after making any changes.
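Added example (not part of the original comment thread, and not Oracle's code): a small Python model of the standard JAAS control-flag rules that the replies above keep returning to, showing that both the flag and the provider order decide which accounts can authenticate. The provider names and the user sets are constructed for illustration; it models only the pass/fail decision of the chain, not OBIEE's identity-store lookup.

```python
"""Model of JAAS control-flag evaluation over an ordered provider chain."""
from dataclasses import dataclass

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = (
    "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")


@dataclass(frozen=True)
class Provider:
    name: str
    flag: str
    users: frozenset  # accounts this store can authenticate (constructed)


def evaluate(chain, user):
    """Return (authenticated, trace) for `user` against the ordered chain.

    REQUIRED   must succeed; the chain continues either way.
    REQUISITE  must succeed; a failure stops the chain at once.
    SUFFICIENT need not succeed; a success stops the chain at once,
               unless an earlier REQUIRED provider has already failed.
    OPTIONAL   need not succeed; the chain always continues.
    The login succeeds only if no REQUIRED/REQUISITE provider failed
    and at least one provider succeeded.
    """
    trace = []
    required_failed = False
    any_success = False
    for p in chain:
        ok = user in p.users
        trace.append((p.name, p.flag, ok))
        if ok:
            any_success = True
            if p.flag == SUFFICIENT and not required_failed:
                return True, trace      # short-circuit: later providers are skipped
        elif p.flag == REQUISITE:
            return False, trace         # hard stop on failure
        elif p.flag == REQUIRED:
            required_failed = True      # keep going, but the login is lost
    return (any_success and not required_failed), trace


# Constructed sample stores: one account only in the directory,
# one only in the embedded LDAP of the application server.
OID_USERS = frozenset({"alice"})
EMBEDDED_USERS = frozenset({"weblogic"})

# Default authenticator REQUIRED and listed first.
DEFAULT_REQUIRED_FIRST = [
    Provider("DefaultAuthenticator", REQUIRED, EMBEDDED_USERS),
    Provider("OIDAuthenticator", SUFFICIENT, OID_USERS),
]
# Same two flags, directory authenticator listed first.
OID_FIRST_DEFAULT_REQUIRED = [
    Provider("OIDAuthenticator", SUFFICIENT, OID_USERS),
    Provider("DefaultAuthenticator", REQUIRED, EMBEDDED_USERS),
]
# Directory authenticator first, both SUFFICIENT.
BOTH_SUFFICIENT = [
    Provider("OIDAuthenticator", SUFFICIENT, OID_USERS),
    Provider("DefaultAuthenticator", SUFFICIENT, EMBEDDED_USERS),
]


def report():
    """Evaluate every sample chain for every sample user."""
    chains = {
        "Default REQUIRED first": DEFAULT_REQUIRED_FIRST,
        "OID SUFFICIENT first, Default REQUIRED": OID_FIRST_DEFAULT_REQUIRED,
        "OID first, both SUFFICIENT": BOTH_SUFFICIENT,
    }
    rows = []
    for label, chain in chains.items():
        for user in ("alice", "weblogic", "mallory"):
            ok, trace = evaluate(chain, user)
            rows.append((label, user, ok, [name for name, _, _ in trace]))
    return rows


if __name__ == "__main__":
    for label, user, ok, consulted in report():
        print(f"{label:40} {user:9} {'OK' if ok else 'DENIED':7} {consulted}")
```

With a REQUIRED default authenticator listed first, a directory-only account can never authenticate; with both providers SUFFICIENT, each account is accepted by whichever store holds it and unknown accounts are still rejected.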
Hi Atul,
I integrated OBIEE with OAM 11gR2 and SSO is working fine. Now I need to pass user attribute values [e.g. mail] to OBIEE. I can pass them from OAM using response headers, but I am not sure how to retrieve them on the OBIEE side. Can you suggest how I can retrieve these values?
Thanks
Srikar
@ vankasrikar,
Please contact a Java developer on how to get the value of an HTTP header in a variable.
Hi Atul,
Nice Post!
I have integrated OBIEE 11g with OAM 11g using these steps and user SSO is working fine.
But when I click on the logout link in BI Publisher, it does not redirect to the OAM login page, even though I have configured the log off URL in the EM Console of BI.
Also, signout.jsp of BI is not triggered; rather, the homepage of BI opens again and again.
Can you please suggest?
Thanks & Regards,
Priya Kesar
Hi Atul,
Everything is OK for me until step 5, but I cannot install OAM: each time the installer offers me Oracle_IDM1 as the Oracle Home Directory (which already exists), and I cannot choose another Oracle Home Directory specified for OAM.
I read on http://docs.oracle.com/cd/E23943_01/install.1111/e12002/install.htm#CIHGGFBI :
Note:
The name that you provide for the Oracle Home for installing the Oracle Identity and Access Management suite should not be same as the Oracle Home name given for the Oracle Identity Management suite.
By default the installer chooses an alternate name Oracle_IDM2 if Oracle_IDM1 oracle home exists and has Oracle Identity Management components installed. This should not be changed to Oracle_IDM1.
For me the installer does not choose an alternate Oracle Home directory.
Why?
Thank you for your help.
Regards.
Fabrice
Dear Atul
Can I use same document to integrate OBIA 11.1.1.7.1 with OAM 11.1.2 to implement SSO?
Regards
Ashraf TP
Can you please provide detailed instructions on STEP 11 “Configure Response (to return OAM_REMOTE_USER as header variable $user.userid ) in protected authenticated and authorisation policy in OAM.”
I am not able to get the out-of-the-box OAM 11g login page when I try accessing OBIEE 11g.
Hi,
Can anyone tell me what all things need to be configured on the OAM side?
I have OAM configured with LDAP. I have set the response header (OAM_REMOTE_USER) too in the authorization policy for the application domain.
On the OBIEE side, it’s configured with OAMIdentityAsserter.
Thanks
Tanmoy
Hi everyone,
Can you explain more about step 11?
I don't know how to configure the response.
Which component do I have to configure: OHS, WebGate or others?
Thanks,
Quanns
@Quanns Configuring response is part of OAM administration, and here is the link: http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/app_domn.htm#AIAAG1890 We cover this as part of the hands-on in our OAM course at http://www.k21technologies.com/oracle-access-manager-oam-training
I am getting double authentication: first from OAM and second the native authentication page. I am using the OID authenticator. Please help me in fixing the issue.
Dear Atul,
I have one question: I would like to know if the following setup will work:
1) OAM configured with Custom Authentication Module (OID-for identification and AD-kerberos)
2) BI configured for SSO with OAM using just OAM Asserter(Required) and Default Authenticator(Sufficient) — there will be no OID Authenticator
3) OAM will pass the required login attribute from OID to BI
4) BI will search the user in its Internal LDAP(Default Authenticator) for the attribute value sent in Step 3 above
5) User lands on homepage if above is successful
The basic purpose of the above is that we don't want to migrate the user store/groups to OID or any other LDAP store,
while all the required data (like the user login attribute used in BI) is available separately in OID, which could be sent by OAM to BI.
Please let me know if the above is fine, or if OID will be mandatory for the BI user store/groups.
Regards,
Arvind
Hi Atul,
Hope you are doing great !
Can I use OUD instead of OID or AD? (My environment is OBIEE 11.1.1.9 and OUD 11.1.2.3.)
Please advise.