Document 1353527.

Page 1 of 9

OBIEE11g - Oracle SSO (OSSO) configuration (Doc ID 1353527.1)

Modified 22-NOV-2011 Type BULLETIN Status PUBLISHED(EXTERNAL)

In this Document

Purpose Scope and Application OBIEE11g - Oracle SSO (OSSO) configuration

Applies to:
Business Intelligence Reporting and Publishing Option - Version: 11.1.1.3.0 [1905] to 11.1.1.5.0 [1308] - Release: 11g to 11g Information in this document applies to any platform.

Purpose
The document provides step by step instructions how to configure SSO for OBIEE using Oracle SSO (OSSO).

Scope and Application

# This document is informational and intended for Administrators and Advanced users. # Before reading this document, the user must have a good understanding of OBIEE and SSO features.

OBIEE11g - Oracle SSO (OSSO) configuration

Enabling SSO for OBIEE 11g using Oracle Single Sign On (OSSO)
I. Install and Configure OHS to redirect request to Weblogic for analytics application. II. Create and configure OSSO asserter and OID authenticator in Weblogic Security Realm. III. Register partner application in OSSO and protect the analytics resource in OHS. IV. Enable SSO for OBIEE in EM and update the configuration for SSO. I. Install and Configure OHS to redirect request to Weblogic for analytics application:
1. Install supported Oracle HTTP Server (OHS). Refer the System Requirements and Supported Platforms documentation for supported OHS vesion for OBIEE 11g. http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html System Requirements and Supported Platforms for Oracle Business Intelligence Suite Enterprise Edition 11gR1 ( xls) 2. Update the mod_wl_ohs.conf file in ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME} folder either through EM or manually.

1/4/2012

Document 1353527.1

Page 2 of 9

<IfModule weblogic_module> WebLogicHost testserver WebLogicPort 9704 </IfModule> <Location /analytics> SetHandler weblogic-handler </Location> 3. Restart OHS Test the configuration by accessing analytics application through OHS. http://<OHS URL>/analytics

II. Create and configure OSSO asserter and OID authenticator in Weblogic Security Realm.
1. 2. 2. 4. Login to weblogic console. Click Lock and Edit to make changes. Navigate to Security Realms > my realm >Providers Click New to create a new asserter by selecting type as OSSO Identity Asserter. Click OK. Click the new asserter created for OSSO and set the control flag to "Sufficient". Click Save.

1/4/2012

Document 1353527.1

Page 3 of 9

5. Click New again in providers list to create a new authenticator for OID. Click the new provider created for OID and set the control flag to "Sufficient". Click Save.

1/4/2012

Document 1353527.1

Page 4 of 9

6. Click Reorder in the provider list to keep the new asserter and new authenticator to the top. Click OK.

1/4/2012

Document 1353527.1

Page 5 of 9

7. Click new LDAP/ADSI authentication provider and select Provider specific to enter the configuration for OID server. Note:

Refer the document Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1) for more information on configuring Authenti for Authentication. Here are the parameters need to be updated for Authentication provider. Please update the below parameters or any other parameters required, with respect to the OID server.

Hostname Port Principal Credential/Confirm Credential User Base DN User Attribute User Object Class User Filter User From Name filter Use Retrieved user name as Principal Group Base DN Group Filter All Groups Filter Group from Name filter Static Group Name attribute GUID attribute

Hostname of the OID server Port of the OID server The LDAP DN of the user to connect to OID server for retrieving the users Password for the Principal LDAP query used to find users in OID OID Attribute to specify username OID user object class OID filter to retrieve users OID filter to retrieve users Checked OID query to find groups in OID OID filter to retrieve groups OID filter to retrieve groups OID filter to retrieve groups OID attribute for group OID attribute for GUID (default is orclguid)

8. Activate Changes and Restart the services. 9. Configure OID user account as BISystemUser.

OBIEE requires a OID user account to be defined as BISystemUser. You can either create an account BISystemUser in OID server or create/use any other account to be used as BISys Update the Credentials in EM with OID user account which is used as BISystemUser.

1/4/2012

Document 1353527.1

Page 6 of 9

10. Restart the services.

III. Register partner application in OSSO and protect the analytics resource in OHS.
Refer the System Requirements and Supported Platforms documentation for supported OSSO vesion for OBIEE 11g. http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html System Requirements and Supported Platforms for Oracle Business Intelligence Suite Enterprise Edition 11gR1 ( xls) 1. Ensure that OSSO is up and running. 2. On the machine that hosts the Oracle Single Sign-On server, set the ORACLE_HOME environment variable to point to the directory where Oracle Single Sign-On server is installed. 3. To Register the partner application in OSSO run the following command ssoreg.sh or ssoreg.bat -oracle_home_path orcl_home_path -site_name <site_name> -config_mod_osso TRUE -mod_osso_url <mod_osso_url> [-virtualhost] [-update_mode CREATE | DELETE | MODIFY] [-remote_midtier] [-config_file config_file_path] For example: ./ssoreg.sh -oracle_home_path <ORACLE_HOME> -site_name testserver -config_mod_osso TRUE -mod_osso_url http://testserver:7777 -update_mode CREATE -remote_midtier <ORACLE_HOME>\sso\conf\osso.conf ssoreg.bat -oracle_home_path <ORACLE_HOME> -site_name testserver -config_mod_osso TRUE -mod_osso_url http://testserver:7777 -update_mode CREATE -remote_midtier <ORACLE_HOME>\sso\conf\osso.conf

4.Copy the sso configuration file (for ex: osso.conf) to the directory ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}.

5. Copy the sample mod_osso.conf file from ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/disabled folder to ${ORACLE_INSTANCE}/config/${COMPO ${COMPONENT_NAME}/moduleconf folder. Update the mod_osso.conf file manually or through EM.

1/4/2012

Document 1353527.1

Page 7 of 9

<IfModule osso_module> OssoIpCheck off OssoIdleTimeout off OssoSecureCookies off OssoSendCacheHeaders off OssoConfigFile "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/osso.conf" <Location /analytics> require valid-user AuthType Osso </Location> </IfModule>

1/4/2012

Document 1353527.1

Page 8 of 9

6. Restart OHS to apply the changes.

V. Enable SSO for OBIEE in EM and update the configuration for SSO.
1. Login to EM 2. Click Lock and Edit to make changes. 3. Navigate to Business Intelligence > coreapplication >Security Check Enable SSO. Select SSO Provider as "Oracle SSO" Update SSO Provider Logon URL and SSO Provider Logout URL

Note: For OBIEE 11.1.1.5 version, Logon and Logout URL can be updated through EM. But for OBIEE 11.1.1.3 version, update instanceconfig.xml with Logon and Logout <SchemaExtensions> <Schema name="SSO" logonURL="{your SSO logon URL}" logoffURL="{your logoff URL}/> </SchemaExtensions>

4. Click Apply. Activate Changes and restart the services. Test the SSO configuration by accessing analytics application.(http://<OHS URL>/analytics)

1/4/2012

Document 1353527.1

Page 9 of 9

Note: Please refer the Oracle Fusion Middleware Administrator's Guide for Oracle Business Intelligence Publisher for configuring SSO for BI Publisher.It is recommended to configure SS Publisher, if BI Publisher is integrated with OBIEE configured with SSO.

Related
Products

Middleware > Business Intelligence > Business Intelligence Suite Enterprise Edition > Business Intelligence Reporting and Publishing Option > Analytics > Security/Access Control
Knowledge Categories

Siebel > Business Intelligence > Security and Access Control (Primary)
Document Attributes Author Owner Alias Visibility Created By Modified By Reviewer Source Comments
Edit Comment <Authentication> clarification BI Publisher Integration Type Status Priority From 2 To Modified By Created Date Modified Date

mitra.veluri@oracle.com mitra.veluri@oracle.com EXTERNAL mitra.veluri@oracle.com mitra.veluri@oracle.com mitra.veluri@oracle.com AWIZ

Status Publisher Content Type Priority Created Date Modified Review Date Exception

PUBLISHED(EXTERNAL) mitra.veluri@oracle.com TEXT/X-HTML 3 30-AUG-2011 22-NOV-2011 26-FEB-2012 No

Internal Feedback NEW

christopher.rogers@oracle.com OWNER christopher.rogers@oracle.com 06-Dec-2011 06-Dec-2011 diego.olivares@oracle.com robert.mulhern@oracle.com OWNER mitra.veluri@oracle.com OWNER mitra.veluri@oracle.com 16-Nov-2011 22-Nov-2011 23-Sep-2011 11-Oct-2011 Return To Top

Internal Feedback IMPLEMENTED 3

SR Questions because of this Note Internal Feedback IMPLEMENTED 2

1/4/2012