Unable to log in to OBIEE /analytics after OID integration: ‘%user%’ was authenticated but could not be located within the Identity Store

OBIEE 11g integration with external LDAP servers like OID or AD is well documented here and here.

After integration, if you can’t log in to Analytics (http://obiee_server:9704/analytics) as a user from the LDAP server (AD or OID), check the following log files:

1. Managed Server (bi_server1) log file: $DOMAIN_HOME/servers/<bi_server1>/logs/bi_server[1].out

2. Presentation Server log file: $ORACLE_INSTANCE/diagnostics/logs/OracleBIPresentationServicesComponent/coreapplication_obips[1]/sawlog0.log

3. BI Server log file: $ORACLE_INSTANCE/diagnostics/logs/OracleBIServerComponent/coreapplication_obis[1]/nqserver.log

In my case I was getting errors in bi_server[1].out and nqserver.log during authentication, as shown below (I checked and verified that user “biadminoid” was in OID and in the group BIAdministrators, which was mapped to the application role BIAdministrator).

Fix: Change the control flag of the default authentication provider (in the WebLogic domain) from REQUIRED to SUFFICIENT. More on the control flag in WebLogic Authentication Provider here

____E_R_R_O_R__L_O_G____

SecurityService::authenticateUserWithLanguage – ‘biadminoid’ was authenticated but could not be located within the Identity Store.
        at java.security.AccessController.doPrivileged(Native Method)
        at oracle.bi.security.service.SecurityWebService.authenticateWithLanguage(SecurityWebService.java:186)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
Caused by: oracle.bi.security.service.SecurityServiceException: SecurityService::authenticateUserWithLanguage

_________________


Q: Why am I hitting “‘%user%’ was authenticated but could not be located within the Identity Store”?

A: The user is authenticated via the first authentication provider (in my case OID), but oracle.bi.security then expects the user in the default authenticator too (as the control flag for the default authenticator is set to REQUIRED).

Note: For a WebLogic application (like the WebLogic console), if the user is authenticated by the first authentication provider (with flag SUFFICIENT), authentication is marked successful even if the next authentication provider is REQUIRED (the same is not valid for FMW 11gR1 applications like BAM, WebCenter or OBIEE).
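The control-flag rules behind the Note above, as an added example in Python (not code from the original post or from Oracle). It models standard JAAS flag evaluation, including REQUISITE and OPTIONAL, which the post does not discuss, and covers only the WebLogic login decision, not OBIEE's own identity-store lookup. The provider name OIDAuthenticator, the user weblogic and the provider order are assumptions.

```python
# Added example: JAAS control-flag evaluation over an ordered provider list.
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

def jaas_login(providers, user):
    """providers: ordered list of (name, control_flag, set_of_known_users).
    Returns (login_succeeded, names_of_providers_consulted)."""
    consulted = []
    mandatory_failed = False  # a REQUIRED provider rejected the user
    optional_ok = False       # a SUFFICIENT/OPTIONAL provider accepted the user
    has_mandatory = any(f in (REQUIRED, REQUISITE) for _, f, _ in providers)
    for name, flag, users in providers:
        consulted.append(name)
        ok = user in users
        if flag == REQUIRED:
            mandatory_failed = mandatory_failed or not ok  # record, keep going
        elif flag == REQUISITE:
            if not ok:
                return False, consulted   # failure ends the chain immediately
        elif flag == SUFFICIENT:
            if ok and not mandatory_failed:
                return True, consulted    # success ends the chain immediately
            optional_ok = optional_ok or ok
        elif flag == OPTIONAL:
            optional_ok = optional_ok or ok
        else:
            raise ValueError("unknown control flag: %r" % flag)
    # With no REQUIRED/REQUISITE provider, one SUFFICIENT/OPTIONAL must succeed.
    return (not mandatory_failed if has_mandatory else optional_ok), consulted

# Constructed sample stores: biadminoid exists only in OID,
# weblogic only in the embedded LDAP behind DefaultAuthenticator.
OID_USERS, EMBEDDED_USERS = {"biadminoid"}, {"weblogic"}

# Assumed layout in the post: OID first (SUFFICIENT), default still REQUIRED.
AS_IN_POST = [("OIDAuthenticator", SUFFICIENT, OID_USERS),
              ("DefaultAuthenticator", REQUIRED, EMBEDDED_USERS)]
# After the fix: default authenticator switched to SUFFICIENT.
AFTER_FIX = [("OIDAuthenticator", SUFFICIENT, OID_USERS),
             ("DefaultAuthenticator", SUFFICIENT, EMBEDDED_USERS)]
# Same flags as AS_IN_POST, but default authenticator listed first.
DEFAULT_FIRST = [AS_IN_POST[1], AS_IN_POST[0]]

if __name__ == "__main__":
    for label, chain in (("as in post", AS_IN_POST), ("after fix", AFTER_FIX),
                         ("default first", DEFAULT_FIRST)):
        for user in ("biadminoid", "weblogic"):
            print(label, user, jaas_login(chain, user))
```

With the layout from the post, the OID user's login ends at the first provider and DefaultAuthenticator is never consulted, which is the behaviour the Note describes for the WebLogic console.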

About the Author Masroof Ahmad