Single Sign On in OBIEE
Hi Gurus,
I have 2 Enterprise Managers (one for BI Applications, one for the web portal).
I want the users and groups listed in Enterprise Manager for the web portal to be usable for login to Enterprise Manager and Analytics of BI.
I have moved some WLS*.jar files from the EM web portal to BI. It worked for Enterprise Manager of BI.
I can log in to Enterprise Manager BI using a username from Enterprise Manager of the web portal.
But it failed when logging in to Analytics BI. I guess it is related to BI roles (BIAdministrator, BIAuthor, etc.), which can't be recognized.
Does anybody know how to build single sign-on here?
PS:
I use OBIEE 11.1.1.6
Any help would be appreciated
Regards
JOE
Edited by: JoeSSI on Nov 7, 2012 10:47 PM
Edited by: JoeSSI on Nov 13, 2012 3:35 AM
Hi Alastair,
Thank you so much for this really very very helpful document but still I am facing some issues:
1. The pdf file is specific to Linux environment while I have windows environment for:
Oracle Application Server 10.1.3.x
OBIEE Server 10.1.3.4
2. We are using MS Active Directory for the domain login authentication process. I have configured the OBIEE with that Active directory to allow users to use their domain credentials to login to OBIEE. I need to provide the SSO in this environment. But the document provides very good and elaborated information about SSO using OID. Is there any way we can do SSO using MS AD or we have to import the users in OID?
3. We are using a db table for the authorization process for users after authentication is passed in which we are storing the USER NAME and GROUP information. The Authorization block of rpd select the corresponding GROUP from this table using SQL query and authorizes the users for their access scope. I was trying to execute the function AD_Authorization using the sql supplied after creating it in db but it is showing the below error: (Oracle11gR2 DB Server)
SELECT getldapgroups('domainname\username') FROM dual;
ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid DN syntax. 0000208F: LdapErr: DSID-0C090654, comment: Error processing name, data 0, vece
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
ORA-06512: at "SYS.DBMS_LDAP", line 1487
ORA-06512: at "SYS.DBMS_LDAP", line 234
ORA-06512: at "SCHEMA.GETLDAPGROUPS", line 45
4. Can we install OIM on Windows machine having the Oracle DB server installed already on it?
Your valuable response will be much awaited.
Thanks,
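Added example, not part of the thread: Active Directory answers "Invalid DN syntax" when a value that is not a distinguished name is used where one is expected, and domainname\username is a logon name, not a DN. Assuming the lookup is meant to find the account by that logon name, this Python code shows the syntax difference and builds an escaped search filter instead; the function names and sample values are hypothetical.

```python
import re

# RFC 4515 escapes for characters that are special inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\0": r"\00"}
# One RDN: an attribute name or numeric OID, '=', then a value.
_RDN = re.compile(r"\s*(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)\s*=\s*\S")


def looks_like_dn(value):
    """Rough syntax check: every comma-separated part must be attr=value."""
    parts = re.split(r"(?<!\\),", value)   # split on commas that are not escaped
    return all(_RDN.match(part) for part in parts)


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(logon):
    """Build the filter that locates the AD account for a logon name."""
    if "\\" in logon:                      # DOMAIN\user (down-level logon name)
        attr, value = "sAMAccountName", logon.split("\\", 1)[1]
    elif "@" in logon:                     # user@domain (user principal name)
        attr, value = "userPrincipalName", logon
    else:                                  # bare account name
        attr, value = "sAMAccountName", logon
    if not value:
        raise ValueError("empty account name")
    # The memberOf attribute of the entry this filter finds lists group DNs.
    return "(&(objectCategory=person)(objectClass=user)(%s=%s))" % (
        attr, escape_filter_value(value))


if __name__ == "__main__":
    # Constructed inputs: the logon name from the failing query and a real DN.
    for candidate in ("domainname\\username",
                      "CN=Some User,OU=Staff,DC=example,DC=com"):
        print(candidate, "-> DN syntax:", looks_like_dn(candidate))
    print(user_filter("domainname\\username"))
```
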
Similar Messages
-
OBIEE 11G with Single Sign-On and Active Directory
Hi guys,
Release Version: Oracle Business Intelligence 11.1.1.5.0
Patch applied: 11.1.1.5.0 BP3 (Patch 13832750)
OBIEE Server operating system: Windows Server 2008 SP2 (32-bits Operating System).
We are trying to configure Single Sign-On according to TechNote_WNA_SSO_AD_V4.0.doc.
Our krb5login.conf:
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="[email protected]"
    keyTab=cgdkobi2.keytab
    useKeyTab=true
    storeKey=true
    debug=true;
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="[email protected]"
    keyTab=cgdkobi2.keytab
    useKeyTab=true
    storeKey=true
    debug=true;
};
We generate the keytab file:
C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.24\bin\ktab.exe -k cgdkobi2.keytab -a [email protected]
Password for [email protected]:XXXXXXX
Done!
Service key for [email protected] is saved in cgdkobi2.keytab
C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\kinit -k -t cgdkobi2.keytab cgdkobi2
New ticket is stored in cache file C:\Users\cgdkobi2\krb5cc_cgdkobi2
C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\klist -k -t cgdkobi2.keytab
Key tab: cgdkobi2.keytab, 1 entry found.
[1] Service principal: [email protected]
KVNO: 1
Time stamp: Mar 15, 2013 10:34
C:\OracleBI11g\user_projects\domains\bifoundation_domain>klist
Current LogonId is 0:0x406163f5
Cached Tickets: (0)
We restart the services and log on to the analytics web and SSO doesn't work, but there's no error. It runs successfully with an Active Directory user and password. It seems like SSO wasn't enabled, but I checked and it is enabled.
Any suggestion?
Thanks in advance
Follow the posts: OBI 11.1.1.6.SSO and "You are not currently signed in to Oracle BI Server" for OBIEE 11.1.1.6 SSO, and do the troubleshooting mentioned there.
Also check your logs for error like the one below:
[2012-03-09T16:42:36.000-05:00] [OBIPS] [NOTIFICATION:1] [] [saw.securitysubsystem.checkauthentication.runimpl] [ecid: 6c98b5cce1f24814:2a613331:135f95fbdff:-8000-0000000000005b7a,0:1:1] [tid: 5932] Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43113] Message returned from OBIS.
[nQSError: 13039] The impersonator does not exist in the BI Security Service. (08004)[[
If you are getting this when you log in to OBIEE: "You are not currently signed in to Oracle BI Server"
then you need to apply this patch : 13553428 QA:BLK:DELIVER TO CORP. OID LDAP USERS FAILED WITH IMPERSONATOR DOES'NT EXIST. 11.1.1.6.0 Generic Platform (American English) General Oracle BI Suite EE Apr 5, 2012 799.4 KB
Let us know the updates. Hope this helps. Mark if it does.!
Thanks,
SVS -
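A JAAS login file needs every module stanza to end with ';' and every entry to close with '};'. The following Python check is an added example (not from the TechNote or from the posters): it lints a krb5login.conf-style file for those terminators and for the Krb5LoginModule options a keytab-based setup relies on. The principal and keytab names in the sample are placeholders.

```python
import re

KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
REQUIRED = ("com.sun.security.jgss.krb5.initiate",
            "com.sun.security.jgss.krb5.accept")
ENTRY = re.compile(r"([\w.$-]+)\s*\{(.*?)\}\s*;", re.S)
OPTION = re.compile(r'([\w.]+)\s*=\s*("[^"]*"|[^\s;]+)')

# Constructed sample; principal and keytab names are placeholders.
_STANZA = """%s {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="svc-obiee@EXAMPLE.COM"
    keyTab=svc-obiee.keytab
    useKeyTab=true
    storeKey=true
    debug=true;
};
"""
SAMPLE_OK = "".join(_STANZA % name for name in REQUIRED)
# The same file with the ';' and '};' terminators lost.
SAMPLE_UNTERMINATED = SAMPLE_OK.replace("debug=true;\n};", "debug=true")


def lint_jaas(text):
    """Return a list of problems found in a Kerberos JAAS login file."""
    # Drop /* ... */ blocks and whole-line // comments before matching.
    text = re.sub(r"/\*.*?\*/|^\s*//[^\n]*", "", text, flags=re.S | re.M)
    problems, seen = [], set()
    for name, body in ENTRY.findall(text):
        if "{" in body:
            problems.append(name + ": no closing '};' before the next entry")
            continue
        seen.add(name)
        if not body.rstrip().endswith(";"):
            problems.append(name + ": module options do not end with ';'")
        words = body.split()
        module = words[0] if words else ""
        opts = {k: v.strip('"') for k, v in OPTION.findall(body)}
        if module != KRB5_MODULE:
            problems.append(name + ": login module is not Krb5LoginModule")
        if opts.get("useKeyTab") != "true":
            problems.append(name + ": useKeyTab is not true, keytab is ignored")
        elif "keyTab" not in opts:
            problems.append(name + ": useKeyTab=true but keyTab is not set")
        if "principal" not in opts:
            problems.append(name + ": no principal is set")
        if name.endswith(".accept") and opts.get("storeKey") != "true":
            problems.append(name + ": storeKey is not true on the acceptor")
    for name in REQUIRED:
        if name not in seen:
            problems.append(name + ": entry missing or not closed with '};'")
    return problems


if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("unterminated", SAMPLE_UNTERMINATED)):
        print(label, lint_jaas(text) or "no problems")
```
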
Hi All,
Based on the article on http://www.oracle.com/technology/oramag/oracle/08-jan/o18identity.html, I tried to implement the Single Sign on, as it was mentioned in the article.
I installed the Oracle Application Server 10.1.3.1 and Obiee 10.1.3.4 and the Identity management 10.1.4.0.1.
I setup the single sign on server as mentioned in the article.
But when I login to the analytics server it first routes me to the Single sign on server, I enter the user name/password (I use orcladmin/passwd) to login. It then takes the browser to the analytics screen where it shows "Logging in" (for some time) and after that it takes me directly to the "Not Logged In" saying "If you have already logged in, your connection might have timed out, or a communications or server error may have occurred."
Can anyone please suggest what I am possibly doing wrong?
Thanks
Hi...
See this, hope this what you want...??
If not .. ignore...
Thanks & Regards
Kishore Guggilla -
Oracle identity federation 10g--error while login with single sign
Hi...
I installed OIF 10g using Microsoft AD 2003. Now I am integrating with salesforce.com to provide single sign-on, but authentication fails while signing in, so we need to search for the assertion, which will be under federation-mssg.log,
but there is no error message in it. So can anyone help to enable all debug settings in OIF?
Hello,
I think it's not possible to mix and match authentication. Once you have set OBIEE to use EBS ICX cookie-based authentication, you would not be able to use the DefaultAuthenticator Provider.
Let me know the updates.
Thanks,
SVS. -
"Path not found ()" error when implementing single sign on
Hi,
We are implementing single sign on so that when users click on the "Reports Login" he is navigated to the obiee presentation services screen. For the reports login we have a .asp page which directs to the presentation services.
I have done the necessary changes in the instanceconfig and credentialstore xml files.
I have been receiving a strange error when I click on the reports login. I get the error
Path not found ()
Error Details
Error Codes: U9KP7Q94
I have checked the presentation server log file and I see the below error
Type: Error
Severity: 45
Time: Tue Mar 09 09:18:44 2010
File: project/websubsystems/ssportal.cpp Line: 1907
Properties: ThreadID-2672;HttpCommand-Dashboard;Proxy-;RemoteIP-127.0.0.1;User-;Impersonator-
Location:
saw.subsystem.portal
saw.httpserver.request
saw.rpc.server.responder
saw.rpc.server
saw.rpc.server.handleConnection
saw.rpc.server.dispatch
saw.threadPool
saw.threads
Path not found ()
Can anyone give me some input on how to resolve this issue?
This is a bit urgent for me.
Thanks
Hi,
Please ensure that the navigational attribute is checked at the attribute level and also at the Infocube level and also check that correct mapping of this navigational attribute is done at the Multiprovider level.
Thanks,
Venkat -
Can single sign-on be used for Oracle BIEE and another portal application? What is needed to configure the two applications? Does Oracle BIEE 10.1.3.2 come with OAS?
SSO integration is covered in the OBIEE deployment guide. It currently supports two kinds of SSO environments:
1. Oracle SSO (OSSO)
2. Anything else
The second option must be able to call the remote user interface, but I have not implemented this so cannot comment further.
OSSO refers to use of Oracle Infrastructure with OID and the implementation is quite simple, but only follow the chapter on integrating to OSSO and not Oracle Application Server. This is something else entirely. -
Partner application single sign-on and Oc4j
hello,
I'm trying to test portal's partner application single sign-on, following the examples inside the "Oracle9 iAS Single Sign-On Application Developers Guide":
With Tomcat as the JSP engine everything works fine, but with Oc4j, when I try to enter the protected JSP page, I get this exception:
oracle.security.sso.enabler.SSOEnablerException: java.lang.IllegalStateException: OutputStream already retrieved
at SSOEnablerBean.getSSOUserInfo(SSOEnablerBean.java:153)
at SSOEnablerJspBean.getSSOUserInfo(SSOEnablerJspBean.java:57)
at /protetta.jsp._jspService(/protetta.jsp.java:37) (JSP page line 4)
Any suggestion?
Thanks in advance.
I get the same problem with my partner application. It runs fine on JServer but I get the following problem on oc4j:
oracle.security.sso.enabler.SSOEnablerException: java.lang.IllegalStateException: OutputStream already retrieved
at oracle.br.aerochain.sso.SSOEnablerBean.getSSOUserInfo(SSOEnablerBean.java, Compiled Code)
at oracle.br.aerochain.sso.SSOEnablerJspBean.getSSOUserInfo(SSOEnablerJspBean.java, Compiled Code)
at /jsp/papp.jsp._jspService(/jsp/papp.jsp.java, Compiled Code)
at com.orionserver[Oracle9iAS (9.0.2.0.0) Containers for J2EE].http.OrionHttpJspPage.service(OrionHttpJspPage.java, Compiled Code)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpApplication.serviceJSP(HttpApplication.java, Compiled Code)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.JSPServlet.service(JSPServlet.java, Compiled Code)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java, Compiled Code)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java, Compiled Code)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java, Compiled Code)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.run(HttpRequestHandler.java, Compiled Code)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].util.ThreadPoolThread.run(ThreadPoolThread.java, Compiled Code)
Did anyone get a solution for this?
TIA -
Configuring JCo3 Connection Pool with single sign on on non SAP Java server
Hi Everyone,
I have configured a connection pool on JBoss as per the JCo3 documentation and it is working great.
Now I need help to configure this connection pool with single sign-on so that RFCs on SAP ECC systems are executed using the end user's credentials rather than the single user name and password used to configure the JCo connection pool.
On the SAP Java stack I am sure it's possible within Java WebDynpro, and I assume using a JCA resource adapter. But what if we don't want to use the SAP Java app server?
Any help will be appreciated.
Thanks,
Divyakumar Jain
Eason, hello!
I have exactly the same problem. Did you find a solution to this problem? If so, please let me know! -
How to pass credentials/saml token exchange to the sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication
Identity provider here is Oracle identity provider
harika kakkireni
Hi,
The following materials for your reference:
Consuming List.asmx on a claims based sharepoint site
http://social.technet.microsoft.com/Forums/sharepoint/en-US/f965c1ee-4017-4066-ad0f-a4f56cd0e8da/consuming-listasmx-on-a-claims-based-sharepoint-site?forum=sharepointcustomizationprevious
Sharepoint Claims based authentication and Single Sign on
http://social.technet.microsoft.com/Forums/sharepoint/en-US/2dfc1fdc-abc0-4fad-a414-302f52c1178b/sharepoint-claims-based-authentication-and-single-sign-on?forum=sharepointadminprevious
Sharepoint Claim Based Authentication Web Service issue
http://social.msdn.microsoft.com/Forums/office/en-US/dd4cc581-863c-439f-938f-948809dd18db/sharepoint-claim-based-authentication-web-service-issue?forum=sharepointgeneralprevious
Best Regards
Dennis Guo
TechNet Community Support -
ApEx 2.1.0.00.39 as Partner Application in Oracle AS Single Sign-On
Hi,
I've installed the last Application Express 2.1.0.00.39 (oracle-xe-10.2.0.1-1.0.i386.rpm and oracle-xe-univ-10.2.0.1-1.0.i386.rpm) but, when I try to "create an authentication scheme" for configure an ApEx application to use SSO under
Home>Application Builder>Application xxx>Shared Components>Authentication Schemes>Create Authentication Scheme
in the second step of the procedure I don't find the choice "Oracle Application Server Single Sign-On (Application Express engine as Partner App)".
I found only these:
- Show Built-In Login Page and Use Open Door Credentials
- Show Login Page and Use Application Express Account Credentials
- Show Login Page and Use Database Account Credentials
- Show Login Page and Use LDAP Directory Credentials
- No Authentication (using DAD)
even though under the help entry "V Information" the other two are described:
Oracle Application Server Single Sign-On (Application Express engine as Partner App) delegates authentication to the Oracle Application Server Single Sign-On (SSO) Server. This Application Express site must have already been registered as a partner application with the SSO server. For more information, contact your administrator.
Oracle Application Server Single Sign-On (My application as Partner App) delegates authentication to the SSO server. In this case, you must register an application with SSO as a partner application. See the next page for more details.
Does someone know how to resolve it?
Thanks
Emanuele
Thanks for all your help Scott
I've added the -PORTAL_SSO- .....
After this I've had a new problem same to this: Re: SSO Authentication Not Working
"get the error below and it then directs me to http://hostx/htmldb/f? and the "p=" is missing"
But after a lot of tests I discovered where was the problem: "The apache configuration for the proxy!!"
This is an extract from the installation doc:
SetEnv force-proxy-request-1.0 1
ProxyPass /htmldb http://127.0.0.1:8080/htmldb
ProxyPassReverse /htmldb http://127.0.0.1:8080/htmldb
ProxyPass /i http://127.0.0.1:8080/i
ProxyPassReverse /i http://127.0.0.1:8080/i
ProxyPass /sys http://127.0.0.1:8080/sys
ProxyPassReverse /sys http://127.0.0.1:8080/sys
where you replace 127.0.0.1 with the name OR ip address of your XE installation. 8080 is the default http port of your XE installation. "
Well, I used the IP ADDRESS and in the @regapp > listener_token the NAME!!! (HTML_DB:servername.domain:80)
I changed the IP ADDRESS with the NAME, restarted the httpd service and now all works fine.
Emanuele -
Single Sign on using SAML between JWS application and Web Application
Hi,
We have two applications: one is a Swing-based Java Web Start application and the other is a normal web application. We are trying to enable single sign-on between both applications. Can SAML be used to enable single sign-on? If yes, can someone let us know how to do this?
Thanks,
Rama
Thanks. But it is based on two WEB applications deployed on two different WebLogic domains. What I am looking for is one application which is launched using Java Web Start (JNLP) and the other a web application. The Java Web Start application uses its proprietary authentication implementation and the web application uses the DefaultAuthenticator of WebLogic. Hope this detail will help you to answer my question better. I should have given this information earlier.
Thanks.
Rama -
Difference between Federated single sign on and just Single sign on
Can anyone please give a clear definition of what is
1. Federated Single sign on?
2. Just Single Sign on ?
As a security expert, if you were to architect security, what would you suggest?
Let's take an example landscape:
NW1 (ABAP + JAVA) system, NW-2 (ABAP + JAVA) system and EP (Java only), LDAP
I am having a hard time convincing the customer to have both CONSUMER AND PRODUCER PORTAL for federated single sign-on. Is this a bad idea? The customer says just give me SSO (with just one portal acting as CONSUMER/PRODUCER).
Initial GOLIVE user load will be 700+ users.
Edited by: Franklin Jayasim on Jul 16, 2010 7:52 PM
Edited by: Franklin Jayasim on Jul 16, 2010 7:53 PM
Edited by: Franklin Jayasim on Jul 16, 2010 7:57 PM
Edited by: Franklin Jayasim on Jul 17, 2010 12:17 AM
Hi Denny Liao
The project is going to have BI (NW) and ECC/SRM/HR (NW) and a separate portal (EP - Java only).
I thought that normal SSO would help in the intranetwork; what happens if the employee (user) needs to work from home?
What about the external vendors, suppliers, etc.? -
How to integrate Single Sign-On and JSF?
Hi all,
We are going to develop a web application using Oracle technologies, including ADF and JSF.
But we'll need to secure our website using Oracle Identity Manager (Single Sign-On). I am having difficulty finding any resource explaining how to do that.
Also, the IM (SSO) will run on an Oracle AS instance and our web app (ADF+JSF) will run on a separate OC4J instance, due to the ADF version. Is this a problem?
Thanks
We too are in the process of implementing iStore with SSO features.
And if you believe me, it seems to me like a nightmare.
In our scenario we are integrating this SSO with third-party access control too (AD and Siteminder). I would request you to please respond to me at the following mail id, so we can share our experience, which will help us in our implementation
[email protected]
regards and thanks in advance
Vikas Deep -
OAM 11g Single Sign-On and OAM 11g Cookies
Hi all,
I need to know following,
Is it possible to get the username and password from the OAM 11g + IIS Webgate cookies and forward the same to the application for further authentication? Is there any way to decrypt the cookie and use the information in the application?
Regards.
Yes, you can get the user password, but for that you will have to write a custom plugin; otherwise it is not possible.
Refer step number 9 in the blog Single Sign on with Oracle Access Manager: Creating a Custom Authentication Plugin -
Active Directory, single sign-on and SRM Users
We are in the process of installing SRM 7.0. using the Classic Scenario. I am seeking clarification around the creation of users in that system given the following:
- My Basis colleagues are in the process of implementing single sign-on using Active Directory for our SAP Portal, SAP Business Warehouse and SRM systems.
- Single sign-on will not at this point be used for our SAP ECC 6.0 system
My questions are:
1. If active directory is being used do we need to create actual users within the SRM system?
2. If actual users in the SRM system are not required, does this have any impact on the creation of the Organizational structure in SRM from the SAP ECC HR hierarchy?
Many Thanks
Hi Claire,
Single Sign-On works only if the user exists on every system.
For example:
If you connect through the portal to access ECC and SRM, your user id must exist in ECC and SRM.
For Active Directory you can synchronize your user table to AD by using LDAP option.
The best way is to configure a CUA for ECC and SRM, use the UME of Portal on ECC and synchronize the CUA to Active Directory.
Finally use the SSO certificate between Portal ECC and SRM.
Regards,
Gilles SEBBAG
Sap Technical Consultant.