Integrate OBIEE 11g with OAM 11g for Single Sign-On in 13 steps

OBIEE 11g by default uses its own authentication engine against users stored in WebLogic’s Embedded LDAP Server.
Oracle Access Manager (OAM) is Single Sign-On (SSO) solution from Oracle and there are two versions of OAM i.e. 10g and 11g. More here on differences between OAM 10g and 11g .

 

OBIEE can be configured for Single Sign-On (OAM) with user repository is LDAP Server (OID or AD). This post assumes that User Repository for OBIEE is OID. If you wish to use AD as user repository then replace OID with AD while using this post. To know more about Oracle Access Manager 11g, check my book at amazon

 

High Level Steps to integrate OBIEE with OAM (for Single Sign-On)

1. Install OBIEE 11g (11.1.1.5)

2. Install OHS 11g (install 11.1.1.2 and then apply patch 11.1.1.5)

3. Configure access to OBIEE via OHS (mod_wl_ohs)

4. Install OID 11g (install 11.1.1.2 and then apply patch 11.1.1.5)

5. Integrate OBIEE 11g with OID for user repository

6. Install OAM 11g (11.1.1.3 or 11.1.1.5)

7. Integrate OAM 11g with OID for user repository

8. Create Instance of WebGate in OAM 11g

9. Install WebGate with OHS 11g (installed in step 2)

10. Configure OAM Identity asserter as authentication provider in Weblogic Domain hosting OBIEE

11. Configure Response (header variable OAM_REMOTE_USER) in protected authenticated and authorisation policy

12. Enable SSO in OBIEE (including logon URL, Logoff URL) using FMW Enterprise Manager Control

13. Test OBIEE Single Sign-On configuration

 

 

Steps

1. Install OBIEE 11g  – Follow OBIEE installation steps here, here and here.
This step will create middleware home (MW_HOME), OBIEE Oracle Home (ORACLE_HOME) and OBIEE Oracle Instance (ORACLE_INSTANCE)

2. Install OHS 11g – You can access OBIEE directly by using managed server port. In SSO environment, request to OBIEE managed servers should come via this HTTP Server. A Policy Enforcement Point (PEP) which is WebGate in this case is configured that will communicate to Oracle Access Manager (SSO server).

This step will create OHS Oracle Home (ORACLE_HOME) and OHS Oracle Instance (ORACLE_INSTANCE)

Note: ORACLE_HOME of OBIEE and OHS must be installed in different directory, similarly ORACLE_INSTANCE of OBIEE and OHS must be installed in different directory.

 

  • Follow OHS Installation guide here   (Do not select WebCache during configuration)

3. Configure access to OBIEE via OHS (mod_wl_ohs)

Configure mod_wl_ohs in OHS to forward request to OBIEE Managed Server (bi_server1) and restart OHS. Test if you can access OBIEE via OHS Server . More on mod_wl_ohs here and here

http://http_server:http_listen_port/analytics

4. Install OID 11g – Enterprise Users that are going to access OBIEE via SSO (OAM in this case) will be stored in OID. Follow OID installation steps here, here, here, and here (DIP, OVD and OIF are optional components and are not required for this integration).

This step will create middleware home for OID, OID Oracle Home (ORACLE_HOME) and OID Oracle Instance (ORACLE_INSTANCE).

Note: You can install OBIEE and OID in same Middleware Home but this is not recommended.

ORACLE_HOME for OID, OBIEE, and OHS must be in different directory.
ORACLE_INSTANCE for OID, OBIEE, and OHS must be in different directory.

5. Integrate OBIEE 11g with OID for user repository. – By default OBIEE 11g authenticates against WebLogic’s embedded LDAP server using Default Authentication Provider. You must add additional Authentication Provider of type OID in WebLogic Security Realm (steps here and here  ) so that OBIEE/WebLogic can authenticate users against OID.

6. Install OAM 11g – If you are installing same version of OID and OAM i.e. 11.1.1.1.5 then these two (OID and OAM) can be installed in same Middleware Home (MW). This step will create OAM Oracle Home (ORACLE_HOME).

Note: You can install OID and OAM in different Middleware Home then this step will also create Middleware Home (MW_HOME) for OAM.

Note: ORACLE_HOME for OAM, OID, OBIEE, and OHS must be in different directory.

Note: OAM comes with additional components like OIM, OAAM, OIN and these components are optional.

7. Integrate OAM 11g with OID for user repository – By default OAM 11g uses WebLogic’s embedded LDAP server as its Identity/User Store. You must add additional identity store in OAM to point to same OID which is configured with OBIEE.  Screen to configure Identity Store in OAM 11.1.1.3 and 1.1.1.5 are slightly different. For 11.1.1.3 click here  and for OAM 11.1.1.5 click here

More on OAM integration with OID in my book here

8. Create Instance of WebGate in OAM 11g – WebGate is web server plug-in which intercepts user request and communicates to OAM Server. Both 10g WebGate and 11g WebGate can be used with OAM 11g . (If you are using Webgate 11g then all requests are protected by default and you should un-protect any public page.). To create WebGate11g  instance you can use RREG

Note: Ensure that /analytics , /analytics/…/* ,  /xmlpserver , and  /xmlpserver/…/* are protected resource in OAM

9. Install WebGate with OHS 11g (installed in step 2)

10. Configure OAM Identity asserter as provider in Weblogic Domain hosting OBIEE – Configure Identity Asserter for OAM as explained here

11. Configure Response (to return OAM_REMOTE_USER as header variable $user.userid ) in protected authenticated and authorisation policy in OAM.

12. Enable SSO in OBIEE (including logon URL, Logoff URL pointing to OAM server) using FMW Enterprise Manager Control as shown here

13. Test OBIEE Single Sign-On (SSO) integration using OAM – Access OBIEE url via HTTP Server, that should redirect user to OAM login page. After username/password it should take user straight to OBIEE URL.

 

Note: Steps mentioned in 9.2 of OBIEE Enterprise Deployment Guide are for OAM 10g and should not be used with 11g OAM.

Share This Post with Your Friends over Social Media!

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.

follow me on:

Leave a Comment:

65 comments
Jani says January 18, 2012

Hi Atul!

Can i use Microsoft Active directory instead of OID for user repository?

Regards, Jani

Reply
Neha Mittal says January 18, 2012

@Jani

Yes Active Directory can be used as User store for OBIEE11g integartion with OAM 11g.

You need to select and configure “ActiveDirectoryAuthenticator” in WLS and Configure AD as User store in OAM.

Thanks
Neha

Reply
Babji_007 says January 24, 2012

Hi Atul,

I have done the integration of OAM 11g and OBIEE 11g following the steps u mentioned and the online document provided in oracle website .

But when I restart OBIEE Admin Server I am getting below error .Did you came up with issue .Please help .

<The realm “myrealm” failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: java.lang.RuntimeException.
weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: java.lang.RuntimeException
at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:341)
at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:220)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1785)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
Truncated. see log file for complete stacktrace
Caused By: com.bea.common.engine.ServiceInitializationException: java.lang.RuntimeException
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:46)
Truncated. see log file for complete stacktrace
Caused By: java.lang.RuntimeException
at oracle.security.wls.oam.util.OAMUtil.(OAMUtil.java:172)
at oracle.security.wls.oam.providers.asserter.OAMIdentityAssertionProviderImpl.initialize(OAMIdentityAssertionProviderImpl.java:403)
at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:60)
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
Truncated. see log file for complete stacktrace
Caused By: java.lang.ArrayIndexOutOfBoundsException: 1
at oracle.security.wls.oam.util.OAMUtil.createServerEntry(OAMUtil.java:367)
at oracle.security.wls.oam.util.OAMUtil.createAAAClient(OAMUtil.java:252)
at oracle.security.wls.oam.util.OAMUtil.(OAMUtil.java:168)
at oracle.security.wls.oam.providers.asserter.OAMIdentityAssertionProviderImpl.initialize(OAMIdentityAssertionProviderImpl.java:403)
at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:60)
Truncated. see log file for complete stacktrace
>

Regards,

Babji

Reply
Atul Kumar says January 24, 2012

@ babji_007,
You said you used “online document provided in oracle website”

Which document you used ? Most of document as of today in OBIEE are for 10g OAM integration. Share Oracle Document you used so that I can verify.

Reply
Babji_007 says January 24, 2012

Hi Atul,

Forgot to mention in my previous post .

Your post on OAM and OBIEE integration is really nice .

Thanks ,

Babji

Reply
Babji_007 says January 24, 2012

Hi Atul,

Thank you .What I meant was in the post you have provided for OBIEE – OAM integration there are links to oracle website to configure authentication providers and OHS .For that I have used .

Remaining I have followed your post and bit of below url

http://docs.oracle.com/cd/E17904_01/core.1111/e10043/osso_b_oam11g.htm#BABBEBIH

Regards,
Babji .

Reply
Atul Kumar says January 24, 2012

@ Babji_007,
What is control flag JAAS flag ( More here http://onlineappsdba.com/index.php/2010/02/04/how-to-integrate-weblogic-with-oracle-internet-directory-for-login-authentication/ ) for OAM Identity Asserter Provider in myrealm security realm.

Do not set it to REQUIRED.

Reply
Babji_007 says January 25, 2012

Hi Atul,

Thanks for that ,currently I have set it as “REQUIRED” ,I will make it “SUFFICIENT” or “OPTIONAL” ,but why in oracle website they have mentioned in that way any excerpts if you can ?.

Regards,
Babji

Reply
Babji_007 says January 25, 2012

Hi Atul,

I have tried putting Authentication Providers in following order and flag .

OAM – SUFFICIENT
OID – SUFFICIENT
Default – SUFFICIENT .

But same error is being thrown .

Regards,
Babji

Reply
Babji_007 says January 25, 2012

Hi Atul,

After setting the Provider order as mentioned in my previous post and updating the config file I was able to restart successfully .

But after restart ,post-authentication its going to OBIEE logout page .Seems there is issue with the header set .

Is the header that needs to be set for OID $user.uid or $user.userid and
is the logon url mandatory because we have configured our own login page which is deployed on OAM .

Regards,
Babji

Reply
Atul Kumar says January 25, 2012

@ Babji_007,
Did you run oamcfgtool.jar by any chance as shown in below doc

http://docs.oracle.com/cd/E21764_01/doc.1111/e15722/oid.htm#CIHGHBFA

Reply
Babji_007 says January 26, 2012

Hi Atul,

Thanks ,initially I tried running oamcfgtool.jar but it was unable to connect to access server ,so have created all the oam configurations manually ,seems it doesnot work in oam 11g as the configuration are mentioned for oam 10g .

Regards,
Babji

Reply
Atul Kumar says January 26, 2012

@ Babji_007,
Yes oamcfgtool.jar is only for OAM 10g and should not be used with OAM 11g

Reply
Jani says March 28, 2012

Hi Atul!

There is the first step in the config of the OHS, where I can choose this:”Associate Selected component with weblogic domain”. Should I check this check-box? Or the OHS can work stand alone?

Regards, Jani

Reply
Prema says March 31, 2012

Hi Atul,

In which of these can I install OBIEE 11.1.1.5 (complete i mean server, database ….)

Windows 7 Home Premium
Windows 7 Professional
Windows 7 Ultimate

Regards
Prema

Reply
knpn says June 7, 2012

Hi ,

I am able to implement OBIEE-SSO-OAM using HTTP,webgate with OID credentials.
that means
http://webhost:7777/xmlpserver works fine with OAM authentication using OID uses.

But is there a way to make http://obieehost:9704/xmlpserver also to get authenticated from OAM-SSO using OID credentials?

Reply
knpn says June 7, 2012

Atul,

Great! Since am using FMW with OID, only users coming via OAM can enter into obiee.

but if for any reason those who hitting obieehost:9704/xmlpserver should get redirected to oam login page. and gets login via that page .can we configure in that way?
thanks

Reply
Atul Kumar says June 7, 2012

@ knpn,
what happens when you access direct obieehost:9704/xmlpserver ?

Is this not redirecting to OAM login page ?

If not then confirm that you configured all integration steps including for BI Publisher

Reply
knpn says June 8, 2012

@Atul,

obieehost:9704/xmlpserver or obieehost:9704/analytics not hitting OAm page.they will promt only normal login page . ( but wont allow to get )

only ohshost:7777/xmlpserver and ohshost:7777/analytics hitting oam and entreing in.

please give more hit ,where configuration step to be done for hitting my 9704 also on oam sso login page.

Thanks

Reply
Damon says June 12, 2012

hi,Atul Kumar, i use oam integrate biee 11g and oam 11g, my user store in MSAD, Unfortunately, just some users can login on biee use ohs port, do you have any suggestions?

Reply
Damon says June 14, 2012

Thanks for you apply! my login oam and BIEE username attribute is mailNickname(or sAMAccountName),I failed login on BIEE use SSO, while i change username attribute to displayName,i success login on biee.it seems weird.

Reply
Atul Kumar says June 14, 2012

@ Damon,

After changing login attribute in OAM from uid/cn to mailNickName (or sAMAccountName) can you login to OAM (non obiee URLs).

This is to find out if issue is at OBIEE level or OAM level.

Reply
Damon says June 14, 2012

Thank you,Atul Kumar!I can login on EPM workspace use login attribute cn/sAMAccountName/mailNickName, i can also login on BIEE use login attribute cn(AD cn is different from mailNickName),but fail of using mailNickName.i think the issue is at OAM, which can not send the right session to OBIEE. but i do not know how to set the OAM_REMOTE_USER value(default is $user.userid).do you have any suggestions? thanks for your kindly help!

Reply
Vara says July 5, 2012

Hi Atul,

We have integrated EBS R12 with OAM 11.1.1.5 & OID 11.1.1.6 using accessgate 1.1.1. Now we want to use the same IDM infrastructure to hook up OBIEE 11.1.1.6 for SSO. Can we leverage the same stack or do we need separate OID/OAM for OBIEE.

Pl suggest the method and steps.

Regards

Reply
    Atul Kumar says July 5, 2012

    @ Vara,
    You should use IDM infrastructure for OBIEE, only extra thing you can do is install different OHS with webgate for OBIEE (but use same OAM & OID server)

    Reply
Damon says July 5, 2012

HI Atul
I have tried to create a response header in the Authentication and Authorization policy: OAM_REMOTE_USER/Header/$user.attr.cn.
my BIEE and OAM login attribute is cn, Then i can login on BIEE through OAM, but failed of using login attribute mailNickname(BIEE & OAM) and OAM_REMOTE_USER/Header/$user.attr.mailNickname
Do you have any suggestions?

Reply
Vara says July 5, 2012

Hi Atul,

Thank you for your clarification. One additional point, in case of EBS we use Access gate, do we need this with OBIEE or simply follow the steps that you explained in this blog.

Regards

Reply
Narasimharao says July 13, 2012

Hi Atul,

I tried to integrate OBIEE11g with OAM 11g,in this process when i integrate OBIEE with OID11g,all users are showing at weblogic console but groups are not and am unable to login into the /analytics with weblogic user even i setted the flag of DefaultAuthenticator to SUFFICIENT.In the Adminlog it showing the below error when i logged into the /analytics:

java.security.PrivilegedActionException: oracle.bi.security.service.SecurityServiceException: SecurityService::authenticateUserWithLanguage – ‘weblogic’ was authenticated but could not be located within the Identity Store.
at java.security.AccessController.doPrivileged(Native Method)
at oracle.bi.security.service.SecurityWebService.authenticateWithLanguage(SecurityWebService.java:186)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.wsee.jaxws.WLSInstanceResolver$WLSInvoker.invoke(WLSInstanceResolver.java:92)
at weblogic.wsee.jaxws.WLSInstanceResolver$WLSInvoker.invoke(WLSInstanceResolver.java:74)
at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:151)
at com.sun.xml.ws.server.sei.EndpointMethodHandlerImpl.invoke(EndpointMethodHandlerImpl.java:268)
at com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:100)
at weblogic.wsee.jaxws.security.AuthorizationTube$RunAsWrapperTube$1.run(AuthorizationTube.java:291)
at weblogic.wsee.jaxws.security.AuthorizationTube$RunAsWrapperTube$1.run(AuthorizationTube.java:289)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:337)
at weblogic.wsee.jaxws.security.AuthorizationTube$RunAsWrapperTube.processRequest(AuthorizationTube.java:288)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:403)
at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:532)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:253)
at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:140)
at weblogic.wsee.jaxws.WLSServletAdapter.handle(WLSServletAdapter.java:171)
at weblogic.wsee.jaxws.HttpServletAdapter$AuthorizedInvoke.run(HttpServletAdapter.java:708)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
at weblogic.wsee.util.ServerSecurityHelper.authenticatedInvoke(ServerSecurityHelper.java:103)
at weblogic.wsee.jaxws.HttpServletAdapter$3.run(HttpServletAdapter.java:311)
at weblogic.wsee.jaxws.HttpServletAdapter.post(HttpServletAdapter.java:336)
at weblogic.wsee.jaxws.JAXWSServlet.doRequest(JAXWSServlet.java:95)
————————–

I create a new trusted user,that user able to login into the weblogic console.

Any suggestion please,
Thanks in advance,

Reply
Atul Kumar says July 13, 2012

@ Narasimharao,
To find out why groups are not visible from OID in weblogic, enable debug for ATN & ATZ in weblogic for admin server. (Check this for steps http://onlineappsdba.com/index.php/2010/02/04/how-to-integrate-weblogic-with-oracle-internet-directory-for-login-authentication/ )

For issue : “‘weblogic’ was authenticated but could not be located within the Identity Store” OID authenticator is in which order (this should be first provider) ? Is there any other authentication provider whose flag is set to REQUIRED (apart from OID provider)

Do you have user weblogic in OID ? If not then create one if you wish to login to OBIEE as user weblogic

Reply
Narasimharao says July 13, 2012

Hi Atul,

Thanks for reply,

we have only two authentiactors,one is OID authenticator flag is setted t SUFFICIENT and another one DefaultAuthenticator flag setted to REQUIRED.

I Created new trused user and assigned to Application Policies to trused user able to login into the weblogic console and remaining users are not able to login into weblogic console who are there in OID, when OID users are login into /analytics,it showing the below error on the screen,

Error retrieving user/group data from Oracle BI Server’s User Population API.
Error Details
Error Codes: GDU6UYHS:OPR4ONWY:U9IM8TAC:OI2DL65P:SDKE4UTF
Odbc driver returned an error (SQLExecDirectW).
State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 43113] Message returned from OBIS. [nQSError: 13049] User ‘obiee_testing’ with ‘oracle.as.scheduler.security.MetadataPermission;oracle.bi.publisher.scheduleReport;AtAGlance;oracle.bi.publisher.accessReportOutput;_all_;oracle.bi.publisher.accessExcelReportAnalyzer;_all_;oracle.epm.financialreporting.accessReporting;Explore;oracle.bi.publisher.accessOnlineReportAnalyzer;EPM_Essbase_Filter;oracle.bi.publisher.runReportOnline’ permission can not query user population.Please have your System Administrator look at the log for more details on this error. (HY000)
Please have your System Administrator look at the log for more details on this error.

Expression: privileges[‘Admin: Catalog’][‘Change Permissions’].

Atul please justify one thing should users exist in OID and OBIEE for suceess login ?,
I created weblogic user in OID,after that weblogic user not able to login into the weblogic console.

Please suggest me,

Thanks in advance,

Reply
Narasimharao says July 13, 2012

Sorry Atul,

DefaultAuthenticator also setted to SUFFICIENT.

Reply
Narasimharao says July 13, 2012

Hi Atul,

Now am able to login into the /analytics with OID users,the issue is due to naming convention of trusted user.Earlier it was ‘obiee_testing’.
But the OID groups are reflected into /console.
In OID i created just groups in simple way by using ‘groupOfNames’ here am not providing the roles or policies to groups.Is there any work around to reflect the OID groups otherwise need to attach the reflected users to any existing OBI groups.
After user login into the /analytics,when we click on Dashboards dropdown list it showing the below error :

Error
View Display Error
Error getting drill information: SELECT “DEPARTMENT_DIM”.”DEPT_DESC” saw_0, COUNT(DISTINCT “EMP_FACT”.”ASSIGNMENT_ID”) saw_1, sum(“EMP_FACT”.”PAY_ELEMENT_VALUE”)/count(“EMP_FACT”.”PAY_ELEMENT_VALUE”) saw_2, “COMPANY_DIM”.”BUSINESS_GROUP_DESCRIPTION” saw_3 FROM “Republic” WHERE (“PEO_DIM”.”ENTERPRISE_DESCRIPTION” = ‘REPUBLIC PEO SERVICES INC.’) AND (“PERIOD_DIMNEW”.”QUARTER” = ‘Q1’) AND (“PERIOD_DIMNEW”.”YEAR” = ‘2012’)
Error Details
Error Codes: YQCO4T56:OPR4ONWY:U9IM8TAC:OI2DL65P
Odbc driver returned an error (SQLExecDirectW).
State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 43113] Message returned from OBIS. [nQSError: 27005] Unresolved column: “PEO_DIM”.”ENTERPRISE_DESCRIPTION”.Please have your System Administrator look at the log for more details on this error. (HY000)
SQL Issued: {call NQSGetLevelDrillability(‘SELECT “DEPARTMENT_DIM”.”DEPT_DESC” saw_0, COUNT(DISTINCT “EMP_FACT”.”ASSIGNMENT_ID”) saw_1, sum(“EMP_FACT”.”PAY_ELEMENT_VALUE”)/count(“EMP_FACT”.”PAY_ELEMENT_VALUE”) saw_2, “COMPANY_DIM”.”BUSINESS_GROUP_DESCRIPTION” saw_3 FROM “Republic” WHERE (“PEO_DIM”.”ENTERPRISE_DESCRIPTION” = ”REPUBLIC PEO SERVICES INC.”) AND (“PERIOD_DIMNEW”.”QUARTER” = ”Q1”) AND (“PERIOD_DIMNEW”.”YEAR” = ”2012”)’)}

Any suggestion please,
Thanks inadvance,

Reply
Narasimharao says July 21, 2012

Hi Atul,

Your Documentaion is very good.
Finally i done the integration successfully.
Thanks a lot.

Regards,
Narasimha

Reply
A Abhinay says August 5, 2012

Hi Atul,

I have followed the same steps, my integration is not successful. I am getting double authentication first from OAM and second native authentication page. I am using AD authenicator. Please help me in fixing the issue

Regards
A Abhinay

Reply
sunnyajmera says September 8, 2012

Hi Atul,

I have one question:

I am following this link to configure the SSO with OBIEE using OAM with OVD

http://docs.oracle.com/cd/E21764_01/bi.1111/e10543/sso.htm#autoId0

In this post, its mentioned that there are steps mentioned which are not there in your post like

1. Configure the new trusted system user to replace the default BISystemUser.
2. Refresh the user and group GUIDs.

So, wanted to know if they are required or not?

Reply
Narasimharao says January 29, 2013

Hi Atul,

I have one question.

Before Crop SSO we have OBIEE 11g,Oracle 10gAS with Local OID.

After that we installed OHS 11g
We are implemented the Oracle Crop OSSO in OBIEE 11g and we removed the Local OID.
login and Log of urls

Trying to login analytics URL after enter the SSO login Username and password getting the

error “Not Signed In” page.

OBIEE 11.1.1.6.0 and with weblogic
OHS 11.1.1.6.
Oracle 10g AS
DB 11g 11.2.0.2.
is it required to install web gate and all
please help me

error .

OracleBIServerComponent:

nqserver.log

Data Source Name: TANAS1
Data Source Type: Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 – 64b
]]
[2013-01-28T13:47:05.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004p5uADq3fAPPAZv_aAV10005j8000000] [tid: 47279720] [85003] MDX Member Name Cache subsystem started successfully.
[2013-01-28T13:47:05.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004p5uADq3fAPPAZv_aAV10005j8000000] [tid: 47279720] [85004] MDX Member Name Cache subsystem recovered entries: 0, size: 0 bytes.
[2013-01-28T13:47:05.000+00:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 004p5uADq3fAPPAZv_aAV10005j8000000] [tid: 47279720] [13026] Error in getting roles from BI Security Service: ‘Error Message From BI Security Service: oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserSystem user could not be authenticated’
[2013-01-28T13:47:05.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004p5uADq3fAPPAZv_aAV10005j8000000] [tid: 47279720] nqsserver: Clustered Oracle BI Server (64-bit) started. Version: 11.1.1.6.0.120104.1053.000.
[2013-01-28T13:47:26.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004p5uADq3fAPPAZv_aAV10005j8000000] [tid: 4db35940] [43071] A connection with Cluster Controller nacisnscl203.us.oracle.com:9706 was established.
[2013-01-28T13:50:21.000+00:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 004p5uMOSL5APPAZv_aAV10004Fv0002MY] [tid: 4e842940] Error Message From BI Security Service: oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserSystem user could not be authenticated
[2013-01-28T13:50:21.000+00:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 004p5uMOSL5APPAZv_aAV10004Fv0002MY] [tid: 4e842940] [nQSError: 43126] Authentication failed: invalid user/password.

=====================================
OracleBIPresentationServicesComponent

sawlog6.log

[2013-01-28T13:53:56.000-06:00] [OBIPS] [ERROR:1] [] [saw.security.odbcuserpopulationimpl.getbisystemconnection] [ecid: 004p5uB1m8nAPPAZv_aAV10005r2000000,0:118] [tid: 1092766016] Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43113] Message returned from OBIS.
[nQSError: 43126] Authentication failed: invalid user/password. (08004)[[
File:odbcuserpoploaderimpl.cpp
Line:995
Location:
saw.security.odbcuserpopulationimpl.getbisystemconnection
saw.security.odbcuserpopulationimpl.searchidentities
saw.security.userpopulationmanagerimpl.getaccountdetailsbyid
saw.CatalogAttributes.cache.cleanup
saw.taskScheduler.processJob
taskscheduler
saw.threads
ecid: 004p5uB1m8nAPPAZv_aAV10005r2000000,0:118
ThreadID: 1092766016
task: Cache/CatalogAttributes
]]
[2013-01-28T13:54:01.000-06:00] [OBIPS] [NOTIFICATION:1] [] [saw.securitysubsystem.checkauthentication.runimpl] [ecid: 004p5uZR7eiAPPAZv_aAV10004Fv0002Pv,0:1:1:1] [tid: 1080142144] Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43113] Message returned from OBIS.
[nQSError: 43126] Authentication failed: invalid user/password. (08004)[[
File:checkauthentication.cpp
Line:1293
Location:
saw.securitysubsystem.checkauthentication.runimpl
saw.threadpool.asynclogon
saw.threads
ecid: 004p5uZR7eiAPPAZv_aAV10004Fv0002Pv,0:1:1:1
ThreadID: 1080142144

==========================================

Reply
Atul Kumar says January 29, 2013

@ Narasimharao,
Which SSO you are using 10g OSSO or 11g OAM ?

If this is 11g OAM then WebGate is required and also OID is mandatory .

Reply
Atul Kumar says January 29, 2013

@ sunyajmera

1. Configure the new trusted system user to replace the default BISystemUser.

This is required only if you want to use BISystemUser from OID, If not you can leave it as it is and then BISystemUser will be from weblogic embedded LDAP server

2. Refresh the user and group GUIDs.

This is only required if there is any user with same name in both OID and embedded weblogic ldap server

Reply
Narasimharao says January 31, 2013

Hi Atul,

we are using OSSO 11g.

we already have OBIEE 11g + OID.
and we want to get rid of OID

we want OBIEE 11g_OHS 11g + OSSO is it possible .

with out OID

Reply
Atul Kumar says January 31, 2013

@ Narasimharao,
No, you can’t get rid of OID. This is where users and groups are stored against which OSSO authenticates/validates .

I am surprised that you are using 11g OSSO , any reason for not picking OAM 11g ?

Reply
Narasimharao says January 31, 2013

Hi Atul,

i was following the OBIEE11g – Oracle SSO (OSSO) configuration (Doc ID 1353527.1) and i configured

OBIEE 11g and OHS 11g with OID .

we are able login the OSSO using Our Usname/pass.

hear with out OSSO we have to do our work .

What is the Use of OSSO please clear me and help me.

Reply
    Atul Kumar says January 31, 2013

    @ Narasimharao – OSSO is Single Sign-On Server so that you login once and can access all applications (protected by this SSO server) without authentication again .

    Reply
Narasimharao says February 4, 2013

How to setup authentication using init blocks in OBIEE 11.1.1.6.0 ?

Reply
Vel says June 12, 2013

Nice Notes Atul. Very Helpful.

In my case,

have configured SSO for my OBIEE server.

While trying to login to my Home url page (https://xyz.idc.oracle.com/analytics) its pointing to SSO Login page successfully.

But after providing username and password its not redirecting to my OBIEE Home page URL. I am getting the below error message.

——
Oracle SSO Failure – Unable to process request
Either the requested URL was not specified in terms of a fully-qualified host name or OHS single sign-on is incorrectly configured.
Please notify your administrator.

—————-
Could you please provide some inputs to fix this issue.

1. I have configured httpd.conf and instanceconfig.xml correctly as per the Oracle documentation.
2. I have provided below URLs for Partner Application request. Please correct me if I havent provided the correct one.

Application Home URL: https://xyz.idc.oracle.com/analytics

Application Success URL: https://xyz.idc.oracle.com/osso_login_success

Application Logout URL: https://xyz.idc.oracle.com/osso_logout_success

Both the Application and Server and OBI resides on same server (10g version).

Reply
    Atul Kumar says June 12, 2013

    @Vel,
    Which SSO server you are using ? OAM or OSSO ? Which document have you used to configure SSO with OBIEE ?

    Reply
vankasrikar says August 2, 2013

Hi Atul,
I did the OBIEE and OAM SSO integration. When i try to access /analytics from ohs server, its taking me to oam login page,
I entered OVD userId/pwd and authenticated successfully
its going to obiee page and showing the below error.

You are not currently signed in to the Oracle BI Server.
If you have already signed in, your connection might have timed out, or a communications or server error may have occurred.
To sign in again, click here. If the problem persists, please contact the site’s administrator.

OAMIdentityAsserter: REQUIRED
OVDAuthenticator: SUFFICIENT
DefaultAuthenticator: SUFFICIENT

enabled sso on obiee and provided logon url and logoff url in /em
also added the below to security provider configuration from /em
user.login.attr=uid
username.attr=uid

Can you guide me what else need to be done.

Thanks
Sriakr

Reply
vankasrikar says August 2, 2013

I also see the ovd users in weblogic.. so connector is working

but i cant use those users to directly login into obiee url [noth through oam]

Reply
Atul Kumar says August 2, 2013

@ vankasrikar ,
There must be error in obiee serevr logs (I think log file name is nqserver.log) paste the error from OBIEE server logs

Reply
vankasrikar says August 2, 2013

Hi Atul,
I’m getting the below error.

[2013-08-02T18:25:37.000-04:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: f14db3b1a2833926:56e528f:140410838d0:-8000-00000000000002a8] [tid: 76bd2700] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed – the system user profile could not be found in the identity store.
[2013-08-02T18:25:37.000-04:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: f14db3b1a2833926:56e528f:140410838d0:-8000-00000000000002a8] [tid: 76bd2700] [nQSError: 43126] Authentication failed: invalid user/password.

Reply
Atul Kumar says August 3, 2013

@ vankasrikar,
Ensure that OID is first authentication provider (above the default authentication provider) and JAAS flag for both default authenticator and OID authenticator is set to be SUFFICIENT .

Restart WebLogic Domain and OBIEE sercvices after making any changes .

Reply
vankasrikar says August 23, 2013

Hi Atul,
I integrated OBIEE with OAM 11gR2 and SSO working fine. Now I need to pass the user attribute values[ex: mail] to OBIEE. I can pass it from OAM using response headers, but not sure how to retrieve them in OBIEE side. Can you suggest how can I retrieve these values?

Thanks
Srikar

Reply
Atul Kumar says August 24, 2013

@ vankasrikar ,
Please contact java developer on how to get value of HTTP Header in a variable .

Reply
Priya Kesar says November 22, 2013

Hi Atul,

Nice Post!

I have integrated OBIEEE 11g with OAM 11g using these steps and user SSO is working fine.

But when i click on logout link on BI publisher, i does not redirect to OAM login page even when i have configured log off URL in EM Console of BI.

Also, signout.jsp of BI is also not triggered rather homepage of BI is opening again and again.

Can you please suggest.

Thanks & Regards,
Priya Kesar

Reply
fbilliotel says March 19, 2014

Hi Atul,

Everything is ok for me til step 5, but i cannot install OAM, each time installer offers me to selct for Oracle Home Directory Oracle_IDM1 (which already exists, i cannot choose another Oracle Home Directory specified for OAM.
I read on http://docs.oracle.com/cd/E23943_01/install.1111/e12002/install.htm#CIHGGFBI
Note:
The name that you provide for the Oracle Home for installing the Oracle Identity and Access Management suite should not be same as the Oracle Home name given for the Oracle Identity Management suite.
By default the installer chooses an alternate name Oracle_IDM2 if Oracle_IDM1 oracle home exists and has Oracle Identity Management components installed. This should not be changed to Oracle_IDM1.
For me installer does not chooses an alternate Oracle home directory.
Why ?
Thank you for your help.
Regards.
Fabrice

Reply
ashrafias says June 26, 2014

Dear Atul

Can I use same document to integrate OBIA 11.1.1.7.1 with OAM 11.1.2 to implement SSO?

Regards
Ashraf TP

Reply
nrohatgi says December 1, 2014

can you please provide detail instruction on STEP 11 “Configure Response (to return OAM_REMOTE_USER as header variable $user.userid ) in protected authenticated and authorisation policy in OAM.”

I am not able to get the out of box OAM 11g login page when I try accessing OBIEE 11g

Reply
TanmoyP says February 27, 2015

Hi,
Can anyone tell me what all things need to be configured on the OAM side?

I have OAM configured with LDAP. I have set the response header (OAM_REMOTE_USER) too in the authorization policy for the application domain.

On the OBIEE side, it’s configured with OAMIdentityAsserter.

Thanks
Tanmoy

Reply
quanns says January 8, 2016

Hi everyone,

Can u explain more about step 11?
I dont know how to configure repsonse?
Which component do I have to config? OHS or Webgate or others?

Thanks,
Quanns

Reply
Sridhar says July 7, 2016

I am getting double authentication first from OAM and second native authentication page. I am using OID authenicator. Please help me in fixing the issue

Reply
Arvind says October 31, 2016

Dear Atul,

I have one question, i would like to know if following setup will work:
1) OAM configured with Custom Authentication Module (OID-for identification and AD-kerberos)
2) BI configured for SSO with OAM using just OAM Asserter(Required) and Default Authenticator(Sufficient) — there will be no OID Authenticator
3) OAM will pass the required login attribute from OID to BI
4) BI will search the user in its Internal LDAP(Default Authenticator) for the attribute value sent in Step 3 above
5) User lands on homepage if above is successful

Basic purpose above is that, we dont want to migrate the User Store / Groups to OID or any other LDAP store.
While, all the required data (like userlogin attribute used in BI) is available separately in OID which could be sent by OAM to BI

Please let me know if above is fine. Or, if OID will be mandatory for BI User Store / Groups

Regards,
Arvind

Reply
Venkata Ramana Dyava says March 29, 2017

Hi Atul,

Hope you are doing great !

Can i use OUD insted of OID or AD ( My environment is OBIEE 11.1.1.9 and OUD 11.1.2.3)

Please advice

Reply
Add Your Reply