Single Sign On in OBIEE

Hi Gurus,
I have 2 Enterprise Manager (one for BI Applications, one for web portal).
I want the user&group listed in Enterprise Manager for web portal, can be used for login in Enterprise Manager & Analytics of BI.
I have moved some WLS*.jar from EM web portal to BI.It was worked for Enterprise Manager of BI.
I can login in Enterprise Manager BI using username of Enterprise Manager of web portal.
But, it failed when login to Analytics BI. I guess it related to BI roles(BIAdministrator, BIAuthor, etc) which can't be recognized.
Do anybody know how to build single sign on here?
PS:
I use OBIEE 11.1.1.6
Any help would be appreciated
Regards
JOE
Edited by: JoeSSI on Nov 7, 2012 10:47 PM
Edited by: JoeSSI on Nov 13, 2012 3:35 AM

Hi Alastair,
Thank you so much for this really very very helpful document but still I am facing some issues:
1.     The pdf file is specific to Linux environment while I have windows environment for:
Oracle Application Server 10.1.3.x
OBIEE Server 10.1.3.4
2.     We are using MS Active Directory for the domain login authentication process. I have configured the OBIEE with that Active directory to allow users to use their domain credentials to login to OBIEE. I need to provide the SSO in this environment. But the document provides very good and elaborated information about SSO using OID. Is there any way we can do SSO using MS AD or we have to import the users in OID?
3.     We are using a db table for the authorization process for users after authentication is passed in which we are storing the USER NAME and GROUP information. The Authorization block of rpd select the corresponding GROUP from this table using SQL query and authorizes the users for their access scope. I was trying to execute the function AD_Authorization using the sql supplied after creating it in db but it is showing the below error: (Oracle11gR2 DB Server)
SELECT getldapgroups('domainname\username') FROM dual;
ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid DN syntax. 0000208F: LdapErr: DSID-0C090654, comment: Error processing name, data 0, vece
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
ORA-06512: at "SYS.DBMS_LDAP", line 1487
ORA-06512: at "SYS.DBMS_LDAP", line 234
ORA-06512: at "SCHEMA.GETLDAPGROUPS", line 45
4.     Can we install OIM on Windows machine having the Oracle DB server installed already on it?
Your valuable response will be much awaited.
Thanks,

Similar Messages

  • OBIEE 11G with Single Sign-On and Active Directory

    Hi guys,
    Release Version: Oracle Business Intelligence 11.1.1.5.0
    Patch applied: 11.1.1.5.0 BP3 (Patch 13832750)
    OBIEE Server operating system: Windows Server 2008 SP2 (32-bits Operating System).
    We are trying to configure Single Sign-On according to TechNote_WNA_SSO_AD_V4.0.doc.
    Our krb5login.conf:
    com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="[email protected]"
    keyTab=cgdkobi2.keytab
    useKeyTab=true
    storeKey=true
    debug=true
    com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="[email protected]"
    keyTab=cgdkobi2.keytab
    useKeyTab=true
    storeKey=true
    debug=true
    We generate de keytab file:
    C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.24\bin\ktab.exe -k cgdkobi2.keytab -a [email protected]
    Password for [email protected]:XXXXXXX
    Done!
    Service key for [email protected] is saved in cgdkobi2.keytab
    C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\kinit -k -t cgdkobi2.keytab cgdkobi2
    New ticket is stored in cache file C:\Users\cgdkobi2\krb5cc_cgdkobi2
    C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\klist -k -t cgdkobi2.keytab
    Key tab: cgdkobi2.keytab, 1 entry found.
    [1] Service principal: [email protected]
    KVNO: 1
    Time stamp: Mar 15, 2013 10:34
    C:\OracleBI11g\user_projects\domains\bifoundation_domain>klist
    Current LogonId is 0:0x406163f5
    Cached Tickets: (0)
    We re-start the services and logon into analytics web and SSO doesn't work but there's not an error. It runs successfully with and Active Directoy user and password. Seems like SSO wasn't enabled, but I checked is enabled.
    Any suggestion?
    Thanks in advanced

    Follow the posts : OBI 11.1.1.6.SSO and You are not currently signed in to Oracle BI Server" for OBIEE 11.1.1.6 SSO do the troubleshooting mentioned there.
    Also check your logs for error like the one below:
    [2012-03-09T16:42:36.000-05:00] [OBIPS] [NOTIFICATION:1] [] [saw.securitysubsystem.checkauthentication.runimpl] [ecid: 6c98b5cce1f24814:2a613331:135f95fbdff:-8000-0000000000005b7a,0:1:1] [tid: 5932] Authentication Failure.
    Odbc driver returned an error (SQLDriverConnectW).
    State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
    [nQSError: 43113] Message returned from OBIS.
    [nQSError: 13039] The impersonator does not exist in the BI Security Service. (08004)[[
    If you are getting this when you login to OBIEE :      You are not currently signed in to Oracle BI Server"
    then you need to apply this patch : 13553428 QA:BLK:DELIVER TO CORP. OID LDAP USERS FAILED WITH IMPERSONATOR DOES'NT EXIST. 11.1.1.6.0 Generic Platform (American English) General Oracle BI Suite EE Apr 5, 2012 799.4 KB
    Let us know the updates. Hope this helps. Mark if it does.!
    Thanks,
    SVS

  • Help on Obiee single sign on

    Hi All,
    Based on the article on http://www.oracle.com/technology/oramag/oracle/08-jan/o18identity.html, I tried to implement the Single Sign on, as it was mentioned in the article.
    I installed the Oracle Application Server 10.1.3.1 and Obiee 10.1.3.4 and the Identity management 10.1.4.0.1.
    I setup the single sign on server as mentioned in the article.
    But when I login to the analytics server it first routes me to the Single sign on server, I enter the user name/password (I use orcladmin/passwd) to login. It then takes the browser to the analytics screen where it shows "Logging in" (for some time) and after that it takes me directly to the "Not Logged In" saying "If you have already logged in, your connection might have timed out, or a communications or server error may have occurred."
    Can anyone please suggest me what possibly I am doing wrong.
    Thanks

    Hi...
    See this, hope this what you want...??
    If not .. ignore...
    Thanks & Regards
    Kishore Guggilla

  • Oracle identity federation 10g--error while login with single sign

    Hi...
    I installed oif10g using microsoft ad2003.now i am integrating with salesforce.com to provide single sign on...but while signing authentication is failed...so for that we need to search for assertion which will be under federation-mssg.log..
    but no error messg is under it...so can any one help to enable all debug settings in oif..

    Hello,
    I think its not possible to mix and match authentication once you have set OBIEE to use EBS ICX cookie based authentication, you would not able to use the DefaultAuthenticator Provider.
    Let me know the updates.
    Thanks,
    SVS.

  • " Path not found() "error when implementing single sign on

    Hi,
    We are implementing single sign on so that when users click on the "Reports Login" he is navigated to the obiee presentation services screen. For the reports login we have a .asp page which directs to the presentation services.
    I have done the necessary changes in the instanceconfig and credentialstore xml files.
    I have been receiving a strange error when I click on the reports login. I get the error
    Path not found ()
    Error Details
    Error Codes: U9KP7Q94
    I have checked the presentation server log file and I see the below error
    Type: Error
    Severity: 45
    Time: Tue Mar 09 09:18:44 2010
    File: project/websubsystems/ssportal.cpp Line: 1907
    Properties: ThreadID-2672;HttpCommand-Dashboard;Proxy-;RemoteIP-127.0.0.1;User-;Impersonator-
    Location:
         saw.subsystem.portal
         saw.httpserver.request
         saw.rpc.server.responder
         saw.rpc.server
         saw.rpc.server.handleConnection
         saw.rpc.server.dispatch
         saw.threadPool
         saw.threads
    Path not found ()
    Can anyone provide me an input how to resolve this issue?
    This is bit urgent for me.
    Thanks

    Hi,
    Please ensure that the navigational attribute is checked at the attribute level and also at the Infocube level and also check that correct mapping of this navigational attribute is done at the Multiprovider level.
    Thanks,
    Venkat

  • Oracle BIEE Single Sign-On

    Can single sign-on be use for Oracle BIEE and another portal application? What is needed to configure the two application? Does Oracle BIEE 10.1.3.2 come with OAS?

    SSO integration is covered in the OBIEE deployment guide. It currently supports two kings of SSO environments:
    1. Oracle SSO (OSSO)
    2. Anything else
    The second option must be able to call the remote user interface but I have not implemented this so can not comment further.
    OSSO refers to use of Oracle Infrastructure with OID and the implementation is quite simple but only follow the chapter on integrating to OSSO and not Oracle Application Server. This is some this else entirely.

  • Partner application single sign-on and Oc4j

    hello,
    I'm trying to test portal's partner application single sign-on, following the examples inside the "Oracle9 iAS Single Sign-On Application Developers Guide":
    With Tomcat as jsp engine everything works fine, but with Oc4j when I try to enter the protected jsp page i have this exception:
    oracle.security.sso.enabler.SSOEnablerException: java.lang.IllegalStateException: OutputStream already retrieved
         at SSOEnablerBean.getSSOUserInfo(SSOEnablerBean.java:153)
         at SSOEnablerJspBean.getSSOUserInfo(SSOEnablerJspBean.java:57)
         at /protetta.jsp._jspService(/protetta.jsp.java:37) (JSP page line 4)
    Any suggestion?
    Thanks in advance.

    I get the same problem with my partner application. It runs fine on JServer but I get the following problem on oc4j:
    oracle.security.sso.enabler.SSOEnablerException: java.lang.IllegalStateException: OutputStream already retrieved     
    at oracle.br.aerochain.sso.SSOEnablerBean.getSSOUserInfo(SSOEnablerBean.java, Compiled Code)     
    at oracle.br.aerochain.sso.SSOEnablerJspBean.getSSOUserInfo(SSOEnablerJspBean.java, Compiled Code)     
    at /jsp/papp.jsp._jspService(/jsp/papp.jsp.java, Compiled Code)     
    at com.orionserver[Oracle9iAS (9.0.2.0.0) Containers for J2EE].http.OrionHttpJspPage.service(OrionHttpJspPage.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpApplication.serviceJSP(HttpApplication.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.JSPServlet.service(JSPServlet.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java, Compiled Code)     at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.run(HttpRequestHandler.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].util.ThreadPoolThread.run(ThreadPoolThread.java, Compiled Code)
    Did anyone get a solution for this?
    TIA

  • Configuring JCo3 Connection Pool with single sign on on non SAP Java server

    Hi Everyone,
    i have configured a connection pool on JBoss as per JCo3 Documentation and is working great.
    Now I need help to configure this connection pool with single sign on so that RFc on SAP ECC systems are executed using end users credential rather than using single user name password used to configure JCo connection pool.
    On SAP Java stack I am sure its possible within Java WebDynpro    and i assume using JCA resource adapter. But what if we don't want to use SAP Java App server.
    Any help will be appreciated.
    Thanks,
    Divyakumar Jain

    Eason, 你好!
    I have exactly the same problem.  Did you find a solution to this problem?  If so, please let me know!

  • How to pass credentials/saml token access sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication

    How to pass credentials/saml token exchange to the sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication 
    Identity provider here is Oracle identity provider 
    harika kakkireni

    Hi,
    The following materials for your reference:
    Consuming List.asmx on a claims based sharepoint site
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/f965c1ee-4017-4066-ad0f-a4f56cd0e8da/consuming-listasmx-on-a-claims-based-sharepoint-site?forum=sharepointcustomizationprevious
    Sharepoint Claims based authentication and Single Sign on
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/2dfc1fdc-abc0-4fad-a414-302f52c1178b/sharepoint-claims-based-authentication-and-single-sign-on?forum=sharepointadminprevious
    Sharepoint Claim Based Authentication Web Service issuehttp://social.msdn.microsoft.com/Forums/office/en-US/dd4cc581-863c-439f-938f-948809dd18db/sharepoint-claim-based-authentication-web-service-issue?forum=sharepointgeneralprevious
    Best Regards
    Dennis Guo
    TechNet Community Support

  • ApEx 2.1.0.00.39 as Partner Application in Oracle AS Single Sign-On

    Hi,
    I've installed the last Application Express 2.1.0.00.39 (oracle-xe-10.2.0.1-1.0.i386.rpm and oracle-xe-univ-10.2.0.1-1.0.i386.rpm) but, when I try to "create an authentication scheme" for configure an ApEx application to use SSO under
    Home>Application Builder>Application xxx>Shared Components>Authentication Schemes>Create Authentication Scheme
    in the second step of the procedure I don't find the choice "Oracle Application Server Single Sign-On (Application Express engine as Partner App)".
    I found only these:
    - Show Built-In Login Page and Use Open Door Credentials
    - Show Login Page and Use Application Express Account Credentials
    - Show Login Page and Use Database Account Credentials
    - Show Login Page and Use LDAP Directory Credentials
    - No Authentication (using DAD)
    even if under the help voice "V Information" the others two are describes:
    Oracle Application Server Single Sign-On (Application Express engine as Partner App) delegates authentication to the Oracle Application Server Single Sign-On (SSO) Server. This Application Express site must have already been registered as a partner application with the SSO server. For more information, contact your administrator.
    Oracle Application Server Single Sign-On (My application as Partner App) delegates authentication to the SSO server. In this case, you must register an application with SSO as a partner application. See the next page for more details.
    Does Someone know how to resolve it?
    Thanks
    Emanuele

    Thanks for all your help Scott
    I've added the -PORTAL_SSO- .....
    After this I've had a new problem same to this: Re: SSO Authentication Not Working
    "get the error below and it then directs me to http://hostx/htmldb/f? and the "p=" is missing"
    But after a lot of tests I discovered where was the problem: "The apache configuration for the proxy!!"
    This an extract from the installation doc :
    SetEnv force-proxy-request-1.0 1
    ProxyPass /htmldb http://127.0.0.1:8080/htmldb
    ProxyPassReverse /htmldb http://127.0.0.1:8080/htmldb
    ProxyPass /i http://127.0.0.1:8080/i
    ProxyPassReverse /i http://127.0.0.1:8080/i
    ProxyPass /sys http://127.0.0.1:8080/sys
    ProxyPassReverse /sys http://127.0.0.1:8080/sys
    where you replace 127.0.0.1 with the name OR ip address of your XE installation. 8080 is the default http port of your XE installation. "
    Well, I used the IP ADDRESS and in the @regapp > listener_token the NAME!!! (HTML_DB:servername.domain:80)
    I changed the IP ADDRESS with the NAME, restarted the httpd service and now all works fine.
    Emanuele

  • Single Sign on using SAML between JWS application and Web Application

    Hi,
    We have two applications one is swing based Java Web Start application and other is a normal web application. We are trying to enable single sign on between both the applications. Can SAML be used to enable single sign on? If yes, can some one let us know how to do this?
    Thanks,
    Rama

    Thanks. But it is based on two WEB applications deployed on two different weblogic domains. What I am looking for is one application which is launched using Java Web Start(JNLP) and other a web application. The Java Web Start application uses its proprietary authentication implementation and the web application used DefaultAuthenticator of weblogic. Hope this detail will help you to answer my question better. I should have given this information earlier.
    Thanks.
    Rama

  • Difference between Federated single sign on  and just Single sign on

    Can anyone please give a clear definition of what is
    1. Federated Single sign on?
    2. Just Single Sign on ?
    As a security expert if you were to Architect security what will you suggest ?
    Lets take an example Landscape
    NW1(ABAP + JAVA)- system, NW-2(ABAP+JAVA)  system and EP( java only), LDAP
    I am having a hard time convincing the customer to have both CONSUMER AND PRODUCER PORTAL for Federated single sign on? is this a bad idea. Customer says just give me SSO(with just one portal acting as CONSUMER/PRODUCER).
    initial GOLIVE user load will be 700+ users.
    Edited by: Franklin Jayasim on Jul 16, 2010 7:52 PM
    Edited by: Franklin Jayasim on Jul 16, 2010 7:53 PM
    Edited by: Franklin Jayasim on Jul 16, 2010 7:57 PM
    Edited by: Franklin Jayasim on Jul 17, 2010 12:17 AM

    Hi  Denny Liao
    The project is going to have BI(NW) and ECC/SRM/HR(NW) and sepparate  portal ( EP - Java only )
    I thought that normal SSO will help in the intranetwork, what happens if the employee(user)  needs to work from home.
    What about the external vendors suppliers etc...?

  • How to integrate Single Sign-On and JSF?

    Hi all,
    We are going to develop a web application using Oracle technologies, including ADF and JSF.
    But we´ll need to secure our website using Oracle Identity Manager (Single Sign-On). I am having difficulties to find any resource explaining how to do that.
    Also, the IM (SSO) will run on a Oracle AS instance and our web app (ADF+JSF) will run on a separete OC4J instance, due to ADF version. Is this a problem?
    Thanks

    We too are in the process of implementing iStore with SSO features.
    And if you believe me it seems to me as nightmare.
    In our scenerio we are intgrating this SSO with Third party access control too (AD and Siteminder). I would request you to please respond me on the following mail id , so we can share our experince which will help us in our implementation
    [email protected]
    regards and thanks in advance
    Vikas Deep

  • OAM 11g Single Sign-On and OAM 11g Cookies

    Hi all,
    I need to know following,
    is it possible to get the username and password from the OAM 11g + IIS Webgate cookies and forward the same to the application for further authentication? is there any way to decrypt the cookie and use the information in the application?
    Regards.

    Yes , you can get the user password ,but for that you will have to write a custom plugin , else it is not possible.
    Refer step number 9 in the blog Single Sign on with Oracle Access Manager: Creating a Custom Authentication Plugin

  • Active Directory, single sign-on and  SRM Users

    We are in the process of installing SRM 7.0. using the Classic Scenario. I am seeking clarification around the creation of users in that system given the following:
    - My Basis colleagues are in the process of implementing single sign-on using Active Directory for our SAP Portal, SAP Business Warehouse and SRM systems.
    - Single sign-on will not  at this point be used for our SAP ECC 6.0 system
    My questions are:
    1. If active directory is being used do we need to create actual users within the SRM system?
    2. If actual users in the SRM system are not required, does this have any impact on the creation of the Organizational structure in SRM from the SAP ECC HR hierarchy?
    Many Thanks

    Hi Claire,
    The Single Sign On work only if user exist on every systemes.
    For example :
    If you connect trough portal to access ECC and SRM, your user id must exist in ECC and SRM.
    For Active Directory you can synchronize your user table to AD by using LDAP option.
    The best way is to configure a CUA for ECC and SRM, use the UME of Portal on ECC and synchronize the CUA to Active Directory.
    Finally use the SSO certificate between Portal ECC and SRM.
    Regards,
    Gilles SEBBAG
    Sap Technical Consultant.

Maybe you are looking for

  • URGENT SQL question!

    Hi all, I've been struggling with this for quite some time now... Let us assume that I have a table "EMPLOYEE" consisting of the following columns and data ('DD/MM/YYYY'): EMP_NAME START_DATE END_DATE john 01/01/2003 mark 02/02/2003 peter 03/03/2003

  • Custom Icons with JTree

    I am using a CustomTreeCellRenderer to import my own icons for nodes in a tree. The problem is that the icons I have are too big and get 'cut-off' when they are displayed in the tree. Is there a way to make java shrink the icons down to the appropria

  • Lion Server - MDM setup - Error in device enrollment

    I have MAC server (10.7.5). I configured with internal static IP and not configured with DNS. Looks like, Primary address     = 10.300.40.90 Current HostName    = 10.300.40.90 DNS HostName        = 10.300.40.90 I setup the profile manager using Self-

  • Mi ipod touch no recarga.

    mi ipod touch recarga solo apagado.. nunca encendido.

  • ADF-SOA integration getting class cast exception when creating a BPEL task

    Hi, We are creating a BPEL task programmatically using below code snippet IInitiateTaskResponse tResponse = iTask.initiateTask(task); when initiateTask() is called i keep getting below exception. oracle.bpel.services.workflow.task.ejb.TaskServiceBean