OBI 11.1.1.6.SSO

Similar Messages

• Implementing SSO in OBIEE 11g

  Hi All,
  We have a requirement to implement custom SSO with OBIEE 11g.
  Is configuration of SSO in OBIEE 11g similar to that of OBIEE 10.1.3 ? (10g steps mentioned below)
  1. Changing Instanceconfig.xml
  2. Adding a user “Impersonate ” in Repository
  3. Adding Impersonate user Credentials to Credential Store using cryptotools
  4. Add Credential Store information to Instanceconfig .xml file
  Are there any additional configurations required to be related to weblogic integration with OBI?

  What sort of SSO setup are you looking to implement? The security model in 11g is much more complex and unfortunatelly it's all in Weblogic. I don't think that was a good idea but Oracle it's obviously pushing to use all of its products into OBIEE.
  On the positive side OBIEE 11g now supports configuring authentication and SSO with Active Directory and Windows Native Authentication using Kerberos (the next generation authentication protocol after NTLM). This SSO solution is sometimes called "silent SSO" as does not require domain authenticated users to login to OBIEE and it's completely transparent. In view it's the "real and proper" SSO solution as it's server side and it's unspoofable. Oracle Support Note ID 1274953.1 provides guidance on how to do that. The configuration process is complex but it provides a way to use Windows Native Authentication out-of-the-box in OBIEE 11g without having to rely on custom/3er party components or any additional license costs.

• OBIEE 11G with Single Sign-On and Active Directory

  Hi guys,
  Release Version: Oracle Business Intelligence 11.1.1.5.0
  Patch applied: 11.1.1.5.0 BP3 (Patch 13832750)
  OBIEE Server operating system: Windows Server 2008 SP2 (32-bits Operating System).
  We are trying to configure Single Sign-On according to TechNote_WNA_SSO_AD_V4.0.doc.
  Our krb5login.conf:
  com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="[email protected]"
  keyTab=cgdkobi2.keytab
  useKeyTab=true
  storeKey=true
  debug=true
  com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="[email protected]"
  keyTab=cgdkobi2.keytab
  useKeyTab=true
  storeKey=true
  debug=true
  We generate de keytab file:
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.24\bin\ktab.exe -k cgdkobi2.keytab -a [email protected]
  Password for [email protected]:XXXXXXX
  Done!
  Service key for [email protected] is saved in cgdkobi2.keytab
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\kinit -k -t cgdkobi2.keytab cgdkobi2
  New ticket is stored in cache file C:\Users\cgdkobi2\krb5cc_cgdkobi2
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\klist -k -t cgdkobi2.keytab
  Key tab: cgdkobi2.keytab, 1 entry found.
  [1] Service principal: [email protected]
  KVNO: 1
  Time stamp: Mar 15, 2013 10:34
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>klist
  Current LogonId is 0:0x406163f5
  Cached Tickets: (0)
  We re-start the services and logon into analytics web and SSO doesn't work but there's not an error. It runs successfully with and Active Directoy user and password. Seems like SSO wasn't enabled, but I checked is enabled.
  Any suggestion?
  Thanks in advanced

  Follow the posts : OBI 11.1.1.6.SSO and You are not currently signed in to Oracle BI Server" for OBIEE 11.1.1.6 SSO do the troubleshooting mentioned there.
  Also check your logs for error like the one below:
  [2012-03-09T16:42:36.000-05:00] [OBIPS] [NOTIFICATION:1] [] [saw.securitysubsystem.checkauthentication.runimpl] [ecid: 6c98b5cce1f24814:2a613331:135f95fbdff:-8000-0000000000005b7a,0:1:1] [tid: 5932] Authentication Failure.
  Odbc driver returned an error (SQLDriverConnectW).
  State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
  [nQSError: 43113] Message returned from OBIS.
  [nQSError: 13039] The impersonator does not exist in the BI Security Service. (08004)[[
  If you are getting this when you login to OBIEE :      You are not currently signed in to Oracle BI Server"
  then you need to apply this patch : 13553428 QA:BLK:DELIVER TO CORP. OID LDAP USERS FAILED WITH IMPERSONATOR DOES'NT EXIST. 11.1.1.6.0 Generic Platform (American English) General Oracle BI Suite EE Apr 5, 2012 799.4 KB
  Let us know the updates. Hope this helps. Mark if it does.!
  Thanks,
  SVS

• Implementing SSO using Microsoft IIS with OBIEE 10.1.3.3.2

  We are running OBIEE 10.1.3.3.2 on Windows 2003 server and want to impement Single-Sign-On (SSO) using Microsoft IIS. We set up the SSO according to chapter #8 of the deployment guide but it doesn't work :when opening the web login pages of the OBI application it still ask the user for authentication.
  Also, according to the installation guide the SSO feature is deployed when chosing "Advanced installation type" during the installation. This advanced installation type requires the Oracle Application server. We have not installed Oracle Application server in our environment, and we chose "Basic" installation.
  Is the SSO functionality available without Oracle Application server? What are the steps to setup SSO in our environment?

  Hi,
  I'm experiencing the same issue with IIS. Did you find any resolution in the meanwhile?
  Please let me know...
  Thanks a lot,
  GL

• 10g - how to configure sso with iis-

  hi, experts, I have followed Oracle® Business Intelligence Enterprise Edition Deployment Guide to configure SSO with IIS.
  but I always meet this message.
  Not Logged In
  You are not currently logged in to the Oracle BI Server.
  If you have already logged in, your connection might have timed out, or a communications or server error may have occurred
  what steps are missing?
  how to check?

  hi, experts,
  I checked C:\OracleBIData\web\log\sawlog0.log on the obi server (windows server 2003 standard).
  at Thu Feb 17 14:48:46 2011 , I logined OBI on another machine (not via the browser on the obi server).
  however, the log shows the login user is the administrator of the obiserver (obiserver\administrator ).
  any setup on IIS are wrong? thank you very much!
  =========================================================================================
  Running job 'MinutelyMonitor' took 7422 milliseconds, 12.3% of job's frequency (60 seconds).
  Type: Error
  Severity: 40
  Time: Thu Feb 17 14:48:46 2011
  File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
  Properties: ConnId-1,1;ThreadID-1796
  Location:
       saw.odbc.connection.open
       saw.connectionPool.getConnection
       saw.subsystem.security.checkAuthenticationImpl
       saw.threadPool
       saw.threads
  Odbc driver returned an error (SQLDriverConnectW).
  State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
  [nQSError: 43001] Authentication failed for obiserver\administrator in repository Star: invalid user/password. (08004)
  Type: Error
  Severity: 42
  Time: Thu Feb 17 14:48:46 2011
  File: project/webconnect/connection.cpp Line: 276
  Properties: ThreadID-1796
  Location:
       saw.connectionPool.getConnection
       saw.subsystem.security.checkAuthenticationImpl
       saw.threadPool
       saw.threads
  Authentication Failure.
  Odbc driver returned an error (SQLDriverConnectW).
  ---------------------------------------

• Unable to view BI Publisher report with SSO configuration enabled

  Hi All,
  Can anybody let us know the configuration of the BI publisher with SSO enabled. We are unable to see any of the BI Publisher reports. without SSO configuration we have integration working perfectly fine with the OBIEE and Publisher.
  We followed the configuration steps to integrate BI Publisher with Oracle SSO. The following are the steps:
  1. deploy analytics.ear as a new application 'analyticsSOAP' in OAS
  2. protect analyticsSOAP in mod_osso.conf file under OAS
  3. change OBIEE Presentation services configuration to use analyticsSOAP/saw.dll
  4. run credstore utility to encrypt password
  5.restart xmlp server
  6.restart http server
  7.restart obiee server
  8. restart obiee presentation service
  Still we have issues when we try to accesses BI Publisher reports by clicking more Products -> BI Publisher or view reports directly on the OBIEE Dashboard
  Thanks in advance.

  configure one more virtual path which is unprotected from site minder. we had similar issue for Marketing and resolved by this virtual path.
  ref:
  http://vaandun-analytics.blogspot.com/2009/11/obi-publisher-with-empty-obi-catalog.html
  Thanks
  Sarathi

• SSO and normal login

  Hi All,
  Thanks for any replies in advance. Is it possible to have SSO and the normal login mechanism enabled at the same time? I want to enable SSO, but if the user is not authenticated, I want the normal login screen to appear. What I mean is that if SSO is not enabled and you are not logged in, you should get the default OBI login screen, not some LogonURL that I specify. However, when SSO is enabled and the user is not logged in, all I see is a "Not logged in" message. I know I can enable a login URL that should presumably take the user to the SSO login page. However, is there anyway that OBI checks cookies to see if the user is logged in and if not it should present the default OBI login screen.
  The reason is that I want some external users to be authenticated using SSO, but I want the normal screen to appear for internal company users. Thanks.

  There isn't much documentation in OBIEE about how to implement your own SSO authentication. The documentation (Deployment Guide) simply says:
  "When using a J2EE Application Server and the BI Presentation Services Plug-In (Java Servlet), from the getRemoteUser method of the javax.servlet.http.HttpServletRequest.getRemoteUser API. In this case, the SSO system must be able to integrate with the J2EE environment of choice and set up the framework such that the getRemoteUser method returns the username of the end user."
  And that's what you have to do. Implementing the getRemoteUser method in a Java WebApp is not difficult, the difficulty will depend on how you want to authenticate your users. Also you need to integrate this custom Java WebApp within your Presentation Services plug-in. In JBOSS we have done this by creating a custom Valve. The integration will vary depending on your J2EE server and your custom SSO authenticator. Once setup it works pretty well. Users go to any /analytics URL and if the they have not been authenticated before our custom SSO Java kicks in. In they are authenticated correctly the getRemoteUser method gets set with their current user ID. Then on the OBIEE side we have the impersonator user and the usual Init Blocks to validate the user on the BI Server and grant them Web Catalog groups, BI Server Groups, set the Display Name, etc.

• SSO based on NT account for BI Publisher

  Dear all,
  We have setup SSO for OBIEE presentation based on NT authentication by following Chapter 8 of Oracle Business Intelligence Enterprise Edition Deployment Guide. and it is working fine. but when I try to open more products-> BI publisher it throws error "Reporting Login: Login failed: Please contact administrator for your username/password."
  without SSO we are successfully able to login to BI publisher through more product link.
  OBIEE is deployed on IIS whereas BI publisher is using OC4J server.
  Any suggestion?
  Edited by: user10139165 on Oct 18, 2010 6:13 PM

  hi User,
  Refer : Re: Integrating BIP with OBI on SSO
  Thanks,
  Saichand.v

• Error in BI publisher integration with OBIEE with SSO

  Hi,
  Whenever we click on BI publisher in OBIEE(More Products-> BI Publisher) which is Sitemider protected we are getting the below error.
  Reporting Login: Login failed. Please contact Administrator for your username/password.
  Even at the BI publisher , at the SSO section below setting are given.
  Single Sing-on Type: CA Siteminder
  Single Sign-off URL: http://[host]:[port]/
  How to get username: HTTP Header
  User Name Parameter : EIN
  How to get user locale: HTTP Header
  User Locale Parameter: LOCALE_LANGUAGE
  When I checked the sawlog, after clicking on BI publisher this is error which we are getting.
  Type: Error
  Severity: 42
  Time: Thu Jun 16 17:42:32 2011
  File: project/websubsystems/xmlpublisherreportingproxy.cpp Line: 87
  Properties: ThreadID-7296;HttpCommand-AdvancedReports;Proxy-605090109;RemoteIP-10.35.25.122;User-605090109;Impersonator-Impersonator
  Location:
  saw.httpserver.request
  saw.rpc.server.responder
  saw.rpc.server
  saw.rpc.server.handleConnection
  saw.rpc.server.dispatch
  saw.threadPool
  saw.threads
  Any other setting needs to be carried out for this BI publsher to work in SSO enabled OBIEE?
  Thanks in advance.

  Hi Kranthi,
  When i go through the 1st link, I have noticed the steps which are written for Enabling "Admin" tab in BI publisher.
  In my case, i am bale to see the Admin tab.
  But the error which i am getting is "Reporting Login: Login failed. Please contact Administrator for your username/password" after clicking on BI publisher in OBIEE which is Siteminder protected.
  I am not getting any error, if i disable the SM.
  In my case, OBIEE is working on IIS & BI publisher on OC4J and OBI version in 10.1.3.4.1.
  Thanks in advance.

• After Setting Up SSO Managed Server Won't Start

  I am using the Oracle supplied white paper to set up SSO using Active Directory. Following those instructions everything was working and testing correctly until I added the NegotiateIdentityAsserter provider to the list of WLS providers. Now the managed server won't start. The admin server starts without any errors and goes to the RUNNING state. But the Start BI Services command window gets to the wls.alive: prompt and hangs. And hangs. Eventually the window goes away and it may throw an error but I've never seen it. You can login to the WLS console and EM without a problem. Remove the new provider and everything comes up normally. I have looked at the krb5.ini and krb5login.conf files and even rewritten them from scratch without any change in behavior.
  While looking for answers I ran into the SPNEGOCheck webapp that Oracle makes available to diagnose problems. It says everything is OK until it parses the krb5login.conf and then complains that the Username associated with SPN in AD is blank and so doesn't match the SPN specified in the krblogin config. But I can't see anything wrong in the files themselves.
  from the log:
  In section 'libdefaults'
  LSA: Found Ticket
  LSA: Made NewWeakGlobalRef
  LSA: Found PrincipalName
  LSA: Made NewWeakGlobalRef
  LSA: Found DerValue
  LSA: Made NewWeakGlobalRef
  LSA: Found EncryptionKey
  LSA: Made NewWeakGlobalRef
  LSA: Found TicketFlags
  LSA: Made NewWeakGlobalRef
  LSA: Found KerberosTime
  LSA: Made NewWeakGlobalRef
  LSA: Found String
  LSA: Made NewWeakGlobalRef
  LSA: Found DerValue constructor
  LSA: Found Ticket constructor
  LSA: Found PrincipalName constructor
  LSA: Found EncryptionKey constructor
  LSA: Found TicketFlags constructor
  LSA: Found KerberosTime constructor
  LSA: Finished OnLoad processing
  Config name: C:\Windows\krb5.ini
  KdcAccessibility: reset
  KdcAccessibility: reset
  Reachable? true
  Connection seems to have succeeded.
  Parsing section contents 'com.sun.security.jgss.krb5.accept { com.sun.security.auth.module.Krb5LoginModule required principal="[email protected]" keyTab=biwhse1a.keytab useKeyTab=true storeKey=true debug=true;};'
  Section name: 'com.sun.security.jgss.krb5.accept'
  Getting next NV pair beginning at 'principal="[email protected]" keyTab=biwhse1a.keytab useKeyTab=true storeKey=true debug=true'
  NVPair name: 'principal' value: '[email protected]'
  NVPair name: 'keyTab' value: 'biwhse1a.keytab'
  NVPair name: 'useKeyTab' value: 'true'
  NVPair name: 'storeKey' value: 'true'
  Got back 4 name/value pairs.
  section com.sun.security.jgss.krb5.accept should probably contain a setting for debug=true
  Section com.sun.security.jgss.krb5.accept seems OK
  The krb5.ini file:
  [libdefaults]
  default_realm = SRS1.COM
  default_tkt_enctypes = des-cbc-crc
  default_tgs_enctypes = des-cbc-crc
  ticket_lifetime = 600
  [realms]
  SRS1.COM = {
  kdc = 129.58.120.200
  admin_server = adc01.srs1.com
  default_domain = SRS1.COM
  [domain_realm]
  .srs1.com = SRS1.COM
  [appdefaults]
  autologin = true
  forward = true
  forwardable = true
  encrypt = true
  The krb5login.conf file:
  com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="[email protected]"
  keyTab=biwhse1a.keytab
  useKeyTab=true
  storeKey=true
  debug=true;
  [D:\] setspn -L bi_kerb_prin
  Registered ServicePrincipalNames for CN=bi_kerb_prin,OU=Non-Person Users,OU=WRC Users,DC=srs1,DC=com:
  HTTP/biwhse1a.srs1.com
  HTTP/biwhse1a
  [D:\]
  OBIEE 11.1.1.6.2 BP2
  Windows Server 2008 SP1

  Did you try -Djava.security.krb5.conf=<path>/krb5.conf before the %EXTRA_JAVA_PROPERTIES%. in your C:\OBI\user_projects\domains\bifoundation_domain\bin\setDomainEnv.cmd .?
  Also change your JAAS config file and try with
  com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="HTTP/[email protected]"
  keyTab=biwhse1a.keytab
  useKeyTab=true
  storeKey=true
  debug=true;
  com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="HTTP/[email protected]"
  keyTab=biwhse1a.keytab
  useKeyTab=true
  storeKey=true
  debug=true;
  Now restart and see.
  Hope this helps. Pls mark if it does.
  Thanks,
  SVS
  Edited by: SSVS on Mar 17, 2013 11:47 PM

• Oracle BI Apps Financial Analytics 7.9.6 Patches for EBS & SSO

  Hi All,
  Happy New Year.
  Thanks for taking the time to review this post. I am about to commence an Oracle BI Apps Financial Analytics 7.9.6 install using Oracle E-Business Suite 11.5.10.2 as a source for the BAW utilising Single Sign-On (SSO). Is there a list of any paticular EBS Interoperability patches, minimum EBS Family Packs for the EBS modules within Financial Analytics (GL, AR, AP) and SSO patches I need to be aware of?
  Oracle E-Business Suite 11.5.10.2
  Oracle BI Applications 7.9.6
  Oracle BI Enterprise Edition Plus 10.1.3.4
  Oracle Database 10g R2
  All Oracle BI Applications components hosted on a Linux 4.0 32 bit platform.
  Your assistance is greatly appreciated.
  Kind Regards,
  Gary.

  Oracle BI Applications 7.9.6
  Oracle BI Enterprise Edition Plus 10.1.3.4Isn't 10.1.3.4.1 the OBIEE release for OBIA 7.9.6?
  And any reason you're not going for OBIA 7.9.6.1?
  I don't know of patches off the top of my head, you're best off spending a couple of hours trawling My Oracle Support, that'll throw the candidates up.
  cheers, rnm.

• Bookmark links for OBI in an iFrame

  Hi,
  We have OBI within an iFrame within an ADF portal with a SSO solution. The URL to access portal is a different one than the standalone analytics instance. When we create bookmarks in OBI it generates a link with the portal URL and on trying to use this it just gets to the landing page of the portal and not the OBI application.
  Has anyone successfully generated a bookmark link when OBI is sitting in an iFrame within a portal?

  Hi,
  I've seen some notes (http://gerardnico.com/wiki/dat/obiee/dashboard_url) on using the javascript function linkToPage(bInlineDrill,bGetBookmarkOnly) which depending on the parameters used (true/false) can prevent the address bar being updated and populates the variable saw.bookmarkURL with the bookmark link, however i'm having trouble getting it to work.
  The note does specify for the Javascript function to work a HardenXSSconfiguration setting must be set to false - does this apply for 11g?
  What is the security risk to the Presentation Layer if HardenXSSconfiguration is set to false ?
  thanks

• Client Session Not getting expired in OBI EE 10.1.3.4.1

  Hi All,
  I haave placed the below tag in the instanceconfig.xml file, but the client session is not getting expired.
  Can you please help me on the same.
  Our test environment OBI is enabled with the Site minder SSO.
  <ClientSessionExpireMinutes> 60</ClientSessionExpireMinutes>
  Thanks in Advance
  Siva

  Siva,
  There can be many factors for this: 'ClientSessionExpireMinutes'
  Defines the length of idle time that can pass before Oracle BI Presentation Server removes the user's client (browser) session information from its memory. This session includes user-specific state information such as request cache - dashboard page state - subject area information -connection information - and so on.
  Make sure while testing you are not doing anything on OBIEE browser window i.e. its idle
  Also, try to increase the minutes to say 240 and check how much time it takes ...??
  This shud solve..as this is very common problem with such tags..its not 100% guranteed !!

• OBIEE and Oracle Apps (E Business Suite) SSO implementation

  Hi Gurus,
  We are using apps 11i and OBIEE 10.1.3.4 . I would like to ask that is there any doc which could provide me steps of SSO implementation between both. Or if not in doc is there any body who incorporated the same. Here we dont have DAC and ETL as Informatica for etl we are using plsql. I want to make it work like when user types his id and password in Oracle E business , automatically he should be also directed to OBI also same user id and password could be used to the OBI. Please remember my OBI is not from apps package. It is EE and not OBI 7.9.6 So is it possible to implement SSO between OBIEE and apps 11i and how ?
  Thanks,

  Though this is not your complete answer, at some point this link might be of help to you if you have OBIEE hosted on Windows box.
  http://nerdsofobiee.wordpress.com/2009/10/20/obiee-sso-integration-in-windows/
  Thanks

• OBIEE and Apps SSO implementation

  Hi Gurus,
  We are using apps 11i and OBIEE 10.1.3.4 . I would like to ask that is there any doc which could provide me steps of SSO implementation between both. Or if not in doc is there any body who incorporated the same. Here we dont have DAC and ETL as Informatica for etl we are using plsql. I want to make it work like when user types his id and password in Oracle E business , automatically he should be also directed to OBI also same user id and password could be used to the OBI. Please remember my OBI is not from apps package. It is EE and not OBI 7.9.6 So is it possible to implement SSO between OBIEE and apps 11i and how ?

  Hi Amol,
  Check for this note 555254.1 in support.oracle.com. It contains the steps to implement SSO between EBS & OBIEE.
  Regards,