This post covers the integration of BI Dashboards (analytics) with Oracle Access Manager. This integration achieves Single Sign-On between BI Dashboards and the other applications protected by Oracle Access Manager.
Environment Details:
Oracle Access Manager 10.1.4.3
Oracle BI Dashboards 10.1.3.4.1
OHS 1.x WebGate 10.1.4.3
Oracle WebLogic Server 10.3.1 (where BI application is deployed)
Pre-requisites:
The SSO system should be able to send the userid in a header variable or a cookie. If not, the SSO system should be able to integrate with the J2EE environment and set up the framework such that the getRemoteUser method returns the username of the end user. Since we are using Oracle Access Manager as the SSO system, which provides the header facility out of the box, the integration is straightforward.
Architecture:
Integration Details:
Integration will be explained with the steps executed in both OAM and OBIEE front.
OAM Front:
Create the OBIEE users and groups in the OAM user repository.
1. Create a policy domain for OBIEE.
2. Add the resource /analytics to be protected.
3. Create an Authorization Rule to allow the users, and add authorization actions that return the username in a header variable (say SSO_UID) together with the corresponding user groups.
4. Specify Form-based authentication (which is used in our case) and assign the Authorization Rule.
5. Install the WebGate on the proxy server and configure the reverse proxy for the Dashboards URL as shown below.
ProxyPass /analytics/ http://bi_host:port/analytics/
ProxyPassReverse /analytics/ http://bi_host:port/analytics/
6. Restart the proxy web server.
OBIEE Front:
1. OBIEE – LDAP Authentication:
Create a new LDAP Server entry in the repository (rpd) for the LDAP directory in which the OAM users are stored. The input parameters required are shown in the screenshot below.
Enter the OAM user store (LDAP) hostname, port number, Base DN, Bind DN and password details and test the connection.
2. Configure the Initialization block for user authentication.
Create a new init block and name it Authentication. Click Edit Data Source and select the LDAP repository created in the step above.
3. Click Edit Data Target, click New and enter USER in the name field. Map the LDAP attribute uid to the USER variable.
4. Test the authentication by clicking the Test button in the Session Variable Initialization block window.
5. Create another Session Variable Initialization block that executes a database function when the user logs in and returns the user's associated group names. In other words, the function call dynamically assigns the user to those groups.
6. Give the first initialization block the higher execution precedence, as shown below.
Here, we are also sending the attribute Location from OAM along with the username.
7. Create an Impersonator user in the RPD file; Oracle BI Presentation Services uses it to establish a connection to the Oracle BI Server on behalf of the authenticated end user.
8. Add the Impersonator user credentials to the Oracle BI Presentation Services credential store using the Crypto Tool utility.
9. Configure Oracle BI Presentation Services to locate the credential store and its decryption passphrase by adding the <CredentialStore> element to the instanceconfig.xml file:
<CredentialStore>
<CredentialStorage type="file" path="./credentialstore.xml" passphrase="password123"/>
</CredentialStore>
10. Configure Oracle BI Presentation Services to operate SSO-enabled by adding the <Auth> element to the instanceconfig.xml file (note that ParamList must be closed):
<Auth>
<SSO enabled="true">
<ParamList>
<Param name="IMPERSONATE" source="httpHeader" nameInSource="SSO_UID"/>
</ParamList>
<LogoffUrl>
</LogoffUrl>
</SSO>
</Auth>
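As an added example (not code from the post or from Oracle), the following Python model shows how the <Auth> configuration above drives impersonation: it parses the SSO element, resolves IMPERSONATE from the request header named by nameInSource, and yields no user when SSO is disabled or the header is absent. It assumes the identity arrives in a header or, as the pre-requisites allow, a cookie; the cookie branch and the sample request values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed instanceconfig.xml fragment modelled on the <Auth> element above,
# wrapped in a root element so that it parses stand-alone.
INSTANCECONFIG = """<ServerInstance>
<Auth>
<SSO enabled="true">
<ParamList>
<Param name="IMPERSONATE" source="httpHeader" nameInSource="SSO_UID"/>
</ParamList>
<LogoffUrl></LogoffUrl>
</SSO>
</Auth>
</ServerInstance>"""


def load_sso_params(config_xml):
    """Return (sso_enabled, {param name: (source, nameInSource)}).

    ET.fromstring raises ParseError on malformed XML, for example a
    <ParamList> that is opened twice instead of being closed."""
    root = ET.fromstring(config_xml)
    sso = root.find("./Auth/SSO")
    if sso is None:
        return False, {}
    enabled = sso.get("enabled", "false").lower() == "true"
    params = {}
    for param in sso.findall("./ParamList/Param"):
        params[param.get("name")] = (param.get("source"), param.get("nameInSource"))
    return enabled, params


def resolve_impersonate(config_xml, headers, cookies):
    """Pick the user Presentation Services would impersonate for one request.

    headers/cookies are plain dicts standing in for the request. Returns None
    when SSO is disabled or the configured value is missing, so that no
    impersonation takes place. The header is only trustworthy when the WebGate
    on the proxy set it, so OBIEE should be reachable only through that proxy."""
    enabled, params = load_sso_params(config_xml)
    if not enabled or "IMPERSONATE" not in params:
        return None
    source, name = params["IMPERSONATE"]
    if source == "httpHeader":
        # HTTP header names are case-insensitive, so normalise before lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get(name.lower())
    elif source == "cookie":  # assumed alternative source, per the pre-requisites
        value = cookies.get(name)
    else:
        value = None
    return value or None
```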
User Flow:
1. The user accesses the OBIEE Dashboards application using the URL http://proxy_host:port/analytics/
2. The WebGate deployed on the proxy server intercepts the request and checks with the Access Server whether the resource is protected.
3. The Access Server looks up the policy details of /analytics in the Policy store and responds that it is protected. It also prompts the user with the Authentication scheme configured for this resource. (Note: We have configured Form-based authentication in our case.)
4. The user enters the login details, and WebGate forwards them to the Access Server for authentication.
5. Upon successful authentication, the Access Server generates a secure cookie called ObSSOCookie.
6. The Access Server then checks whether the user is authorized to access the resource.
7. If the user is authorized, WebGate executes the Authorization Actions.
8. WebGate forwards the request to the OBIEE application, which then checks whether the user is authorized to access it. This check is performed against the LDAP repository configured in OBIEE. (Note: We have used OID in our case.)
9. BI Presentation Services fetches the username from the variable configured in instanceconfig.xml and impersonates the user to establish the connection with the BI Server on behalf of the authenticated user.
10. The user is shown the requested application.
Points to remember:
Access the analytics URL ending with / as shown below.
http://proxy_host:port/analytics/
You will get a 404 Not Found error (control stops at the OAM Action URL) if you don't specify the trailing '/' character at the end of the URL.
I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities, etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com