OBIEE 11.1.1.6 SSO with OAM 11.1.1.5: OID 11.1.1.6 attribute problem

Similar Messages

• Obiee 11.1.1.5 integration with OAM

  Hi,
  I integrated OBIEE 11.1.1.5 with OID11g (as a part of OAM integration),all OID users are getting reflected into obiee.Im able to login in to the ‘analytics’ but not able to access the reports.Also I'm not able to assign any BI groups to OID users.
  Have anyone faced this kind of a scenario?Can anyone please help me?
  If anyone have done obiee 11.1.1.5 integration with oam 11g,please provide me the document which you followed.
  Thanks in advance,
  Fathima farsatha.
  Edited by: 927873 on Jul 16, 2012 12:11 AM

  Hi,
  Please try to access Analytics Webservices by using 'analytics-ws' instead of only 'analytics' in the URL as below,
  http://<Host Name>:<Port>/analytics-ws/saw.dll?WSDL
  Give a try with below link it may help you..
  http://onlineappsdba.com/index.php/2011/12/05/integrate-obiee-11g-with-oam-11g-for-single-sign-on-in-13-steps/
  http://fusionsecurity.blogspot.com/2012/06/integrating-obiee-11g-into-weblogics.html
  http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/sso.htm#CEGJBAED
  Thanks
  Deva

• OBIEE 11.1.1.5 SSO integration with OAM 11gR1 (11.1.1.5)

  Hi,
  I am integrating OBIEE 11.1.1.5 with OAM 11gR1 (11.1.1.5).
  I have configured as per section 12.3 of following link:
  http://docs.oracle.com/cd/E22203_01/doc.31/e20664/chapter_12.htm#CHDFAFHH
  After making all these configurtions, when i access:
  http://<OHS server>:<OHS port>/analytics
  User is getting prompted for auth from OAM. After successful auth, request gets redirected to WebLogic server hosting the OBIEE app. I have verified in OBI logs that the header value OAM_REMOTE_USER gets passed to OBI.
  But even with all this, after successful OAM authentication, user is getting prompted with OBI login page.
  Pls help.
  Thanks

  Hi Abhinay,
  I have already make the following configurations as per the documentation:
  To enable SSO:
  1.Log in to OBIEE at
  http://[OBIEE server:port]/em.
  2.Click Farm_<OBIEEDomain>_domain > Business Intelligence > Coreapplication.
  3.Click the Security tab.
  4.Select Enable SSO.
  5.Select SSO Provider: Oracle Access Manager.
  6.Click Apply and Activate Changes.
  Do we need to make some other configurations also at OBIEE EM ?
  Thanks

• SecurityContext userName with OAM SSO

  Hi,
  We need to get the logged in userName property from the securityContext(). We are using OAM for SSO.
  The code #{securityContext.userName} works fine when we used Basic login process with OAM and we get the logged user info, but we need to use Form based login and when we change to Form based we keep getting "anonymous" and can't get any property from the securityContext.
  Didn't find any solution for this.
  Has anyone dealt with similar issue?
  Thanks

  Thanks for all the replies.
  I am working with another colleague who is configuring OAM and so have been testing different configurations.
  We are using WebCenter 11.1.1.5 and OAM 10g (10.1.4.3) and OAM is used as the SSO for OBIEE and other oracle apps. My application is a custom Portal app and we are not yet using Spaces.
  Access to all applications URLs, including WebCenter are protected by OAM configuation and Webgate. users for now will use an ID/pwd to login. But later they can also use a certificate.
  No security configuration was done at the WebCenter app side and the Login Authentication in web.xml was not set.
  In the WebCenter admin console we configured the OAM as a provider and added
  - "OAM ID Asserter" configured OAM_REMOTE_USER as the SSO Header Name and as the Active type assertor (didn't add obSSOCookie) and "OIDAuthenticator".
  We have no issues to login and if we used OAM Basic authentication. We always get the logged user fine in the securityContext.
  When changed OAM to use Form based authentication the loggin worked but get anonymous in securityContext.
  I am trying to get the securityContext from a custom JSPX page and from a Managed Bean (both work with Basic but not Form based)
  I will test with the:
  <login-config>
  <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  The question I have is do I need to configure WebCenter in other ways than to what I mentioned above? (currently don't see the need since OAM does the work of the authenticating and Asserting and worked with Basic authn.)
  1. I see in Jdev in the web.xml security has: Login Authentication (which will test with CLIENT-CERT), security roles and security Constraints. DON'T see for the need to configure the last two since will have the user roles in OID and securityContext have a method to get the user Roles.
  2. Do I need to enable for the WebCenter application ADF security and add "ADF Authentication and Authorization" ?
  Will provide more updates when we validate and tests the configurations.
  Thanks

• OBIEE SSO with BI Publisher integration

  Hey everyone,
  I did some searching and I found several threads in regards to bhe BI Publisher and OBIEE integration but so far nothing completely solved my problem.
  Here's my situation.
  Linux OS
  Apache web server
  OAS
  OBIEE 10.1.3.3.2
  We've got SSO implemented and it is going against active directory. In order to get that setup, we had to create the impersonator user, had it to the crendential store, setup the instance config correctly ,etc. Also, we had to install MOD_NTLM because Apache does not natively support NTLM like IIS does. Once we did that, the signle sign on works wonderfully and I'm logged directly into OBIEE Dashboards as my OS authenticated user.
  As my OS user (which does not have an account in the RPD, only has an account in AD), I try to open BI Publisher from OBIEE going to More Products-> BI Publisher. I get the "Reporting Login: Login failed:" message. When I use the URL NQUser and NQPassword parameters to login as Administrator, I am able to log in just fine.
  In BI Publisher, the security model is set to BI_SERVER and all the OBIEE Administrator passwords are updated and current. I've also tested the DSN connection string and created the super user. I've created the six XMLP_* roles as groups in the RPD and added both the Administrator user and the Impersonator user to the XMLP_ADMIN group. I'm starting to run out of ideas at this point. Am I missing a step here to get standard users to access BI Publisher?
  I'd appreciate any help on this.
  Thanks!
  -Joe

  What Group is the default user group for your OBIEE users? Log into Answers with your user account, then check value of Session variable GROUP.
  You need to give the User group(s) permissions in BI Publisher. They will need permissions to Shared folders and OBIEE data source.

• OBIEE  SSO  with authorization

  Hi Gurus,
  1)I have instance configured the SSO with windows Active Directory and OBIEE.
  2)I also have another instance ( without SSO configured) with external table authentication( user name and password verification) and authorization( groups , which populate the session variables for data filtering) .
  Now my question is , i want a combination of Scenario 1 and Scenario 2. I want to have OBIEE SSO with Active directory
  and external table groups.
  The reason being , my groups are custom groups in external table, i do not want to maintain users in repository.
  can you please give me pointers if the scenario is possible . Thanks in Advance
  Thanks and Regards
  Satya

  Now my question is , i want a combination of Scenario 1 and Scenario 2. I want to have OBIEE SSO with Active directory and external table groups.I don't what your issue is? Just do SSO with AD and then load the groups in the GROUP init block via SQL. What is your actual issue?
  In order to filter the data in reports you need to have the same group structure in Web Cat i guess ( correct me if i am wrong).Yes, although you don't need to use the same group names. Inm fact I prefer to have completely separate groups names, some for RPD security some for Web Catalog security. As long as the the groups exist in the proper location (RPD or Web Catalog) and they get assigned in the GROUP init block then OBIEE will be happy, they don't need to exist in both places.
  2) Will not SSO populate the Remote_User variable rather than the USER variable by default.No, you have to tell OBIEE where to put the REMOTE_USER value. You can simply do SELECT ':USER' FROM DUAL or if you have your users defined in a table you can also authenticate that the user exists in this table SELECT ':USER' FROM USER_TABLE WHERE USER_ID = ':USER' which adds another layer of authentication to your SSO solution.

• Integrating Webcenter 11g (Discussions)  with OAM  for SSO

  Hi,
  I need some help in integrating Webcenter 11g with OAM 10g.
  Objective:
  =========
  My customer is using Webcenter 11.1.1.2.0 and they are primarily using Discussions and wiki .I would like to integrate OAM with Webcenter for providing SSO.
  Steps Followed:
  ============
  I have followed the steps mentioned in the section 23.7.1 and 23.7.1.7 in the doc
  http://download.oracle.com/docs/cd/E15523_01/webcenter.1111/e12405/wcadm_security.htm#BGBCEHGE
  and also referred metalink note ID 829122.1
  Scenario after integrating with OAM:
  ===========================
  1.Accessed the dicussions url through OHS proxy http://<ohs_host>:<ohs_proxy>/owc_discussions
  2.Click on Login button
  3.OAM Login page appears
  4.Provide credentials for orcladmin (admin user of OAM OID LDAP)
  5.Discussions default login screen appears ( I dont expect this default login page,as I have already authenticated with OAM)
  6.Provide orcladmin credentials
  7.Login screen is keep on popping and not able to login
  if i set owc_discussions.sso.mode=false,then looping (Step 7) is not occuring and could able to login.
  Am I doing anything wrong here? Or is there a way I can make it work.
  Thanks in Advance.

  Did you setup weblogic as per this doc? - http://download.oracle.com/docs/cd/E17904_01/webcenter.1111/e12405/wcadm_security_sso.htm#WCADM8175

• Softwares  Needed to Acheive SSO with Webcenter Suite 11.1.1.2

  Hi All
  I have Installed Web center suite 11.1.1.2 on my Machine. Can anybody suggests, what are the softwares that i need to install inorder to achieve
  Oracle SSO with E-Business Suite and OBIEE.
  Regards
  Nagaraju Manchala
  Edited by: user11965597 on Sep 15, 2011 3:58 AM

  Oracle Identity Management (OIM) is a collection of related products that provides identity and access management (IAM) services. These products includes
  Oracle Access Manager (OAM), Oracle Identity Manager (OIM), Oracle Virtual Directory (OVD), Oracle Internet Directory (OID) etc. The purpose of all these products is to provide LDAP directory services and/or security services and/or SSO service. For detail of all related products of OIM, pls see following link:-
  http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index.html
  OIM and IAM is always create confusion when you go to their download page. You need to download Identity Management (11.1.1.2.0) from http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.html. OIM will give you following products when you install it:-
  - OID
  - OVD
  - Oracle Identity Federation
  - Oracle Directory Integration Platform
  Also see installation guide:http://download.oracle.com/docs/cd/E12839_01/install.1111/e12002/overview.htm#sthref6
  For new features of PS3, pls see http://www.oracle.com/technetwork/middleware/webcenter/overview/wcps3-highlights-284637.html
  In PS4, Oracle removed few bugs.

• How to protect an application running on IIS with OAM 11gR2

  Hello Gurus,
  I have a question regarding protecting an application running on IIS with OAM 11gR2. We have an OHS server running and all the requests from the users are coming to this OHS server webgate for them to login using the SSO login page. These is all solaris. I am protecting other applications like pplsoft moduels with this OHS instance and OAM server. There is another application that I need to protect which is itself running on IIS windows machine. I need guidance as to -
  1.) Do I need to install a windows version of webgate to protect this IIS based application?
  2.) Or I can still protect and proxy requests from this application to current OHS instance? How can I do this?
  3.) Or Do I need to proxy requests directly from IIS to OAM weblogic server?
  Please advise to the earliest as this is an urgent issue.
  Thanks !!

  From your description it is not clear how exactly architecture looks like
  We have an OHS server running and all the requests from the users are coming to this OHS server webgate for them to login using the SSO login page.
  is this OHS centralized login farm ? (Case 1)
  OR is this OHS server (with webgate) acting as virtual web server hosting multiple web sites so that request to any site passes through this OHS/webgate (Case 2)
  1.) Do I need to install a windows version of webgate to protect this IIS based application?
  If case 1 then you need to install 10g webgate on top of IIS server to protect this application
  If case 2 then you can just proxy request from OHS to IIS server. As every request passes through OHS user will be authenticated before request hits IIS
  Look at Product documentation for virtual web sites : http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/shared.htm#autoId12
  It has steps to protect virtual web sites.
  Also you need to make sure no one hits IIIS web sites directly.
  Hope this helps

• SharePoint 2010 with OAM 11g

  We are currently trying to integrate SharePoint 2010 server with OAM 11g with 10g webgate. In our environment SharePoint site is configured with Claims based authentication with LDAP provider for membership. We have performed all the configurations based on the Oracle documentation with validation mode as OAMHttp.
  We are seeing the following behavior after this integration.
  1)     The user requests access to an SharePoint Site
  2)     Webgate protecting the site intercepts the request, determines if the resource is protected, and challenges the user.
  3)     The user enters their OAM credentials; Webgate contacts the OAM Server, which verifies the credentials from user store and authenticates the user. Webgate generates the OAM native SSO cookie (ObSSOCookie), which enables single sign-on and sets the User ID (to username) header variable in the HTTP request and redirects the user to SharePoint site.
  Here, instead of taking user to the home page of the site, the SharePoint login page is displayed again.
  =================================================================================================
  Looking into the debug logs i found the following error.
  Date ProcessId ThreadID ManagesThreadId ClassName MethodName Message
  =================================================================================================
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider Initialize validationMode^OAMHttp
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor Method Entered
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor ValidationURL configured validationUrl^http://wtv-sea-spapp01.chemd.net:8086/ValidateCookie.html
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor validationHost^wtv-sea-spapp01.chemd.net
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor OAMAuthUserCookieName^OAMAuthCookie
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor Method Exited
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider Initialize Setting Validation Type OAMHttp
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider ValidateUser Entering ValidateUser : username^IDG2M
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator ValidateUser Method Entered
  Exception Caught InValidateUser
  The remote server returned an error: (403) Forbidden. at System.Net.HttpWebRequest.GetResponse()
  at Oracle.OAMHttpValidator.ValidateUser(Dictionary`2 creds)5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator ValidateUser Exiting AuthStatus^AuthZFail
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider ValidateUser OAMauthStatus^AuthZFail
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider ValidateUser Method Exited returnCode^False
  If anyone have integrated OAM 11g with SharePoint 2010 earlier, appreciate your inputs in this regard.

  Each license is platform specific, you can't backwards apply or forwards apply licenses from one version of SharePoint to another.
  If you do have MSDN access, you'll have access to all current versions of SharePoint, across the current and retired server products.
  Steven Andrews
  SharePoint Business Analyst: LiveNation Entertainment
  Blog: baron72.wordpress.com
  Twitter: Follow @backpackerd00d
  My Wiki Articles:
  CodePlex Corner Series
  Please remember to mark your question as "answered" if this solves (or helps) your problem.

• What about the security we support when the BIA is not SSO with EBS

  For the following security mode, if all of them need the SSO with EBS?
  Operating Unit-Based Security for Oracle EBS
  Inventory Org-Based Security for Oracle EBS
  Ledger-Based Security for Oracle EBS
  Business Group Org-Based Security for Oracle EBS
  HR Org-Based Security for Oracle EBS
  Human Resource Personnel Data Analyst Security for Oracle EBS
  Employee-Based Security for Oracle EBS

  well you could do the security in OBIEE as well, but why shouldn't you use SSO?

• Oracle Forms 11g SSO with OID and IAM

  What versions of OID and Access Manager are required to get an Oracle Forms and Reports 11.1.1.2 application
  on Weblogic 10.3.2 configured for Oracle SSO using OID authentication?
  We want the OID to store and authenticate Users for username and password logins to the database, then
  ultimately by user Certificate authentication in OID. I have OID 11.1.1.2 installed and SSO enabled for Forms
  in Enterprise Manager.
  Is Access Manager required for Forms SSO with OID authentication to work or just to allow user interaction
  for registration and Password reset?
  Things mention OAM 10.4.3 and others talk about IAM 11g for Forms 11.1.1.2 SSO to work with OID.
  We did this back in Oracle Forms and OID 10g with JSP and LDAP to setup users but I understand 11g is
  different and IAM can help or is required for this type of SSO to work.
  Any help?
  Edited by: Kirch on Apr 30, 2013 7:39 AM

  Hi,
  According to Oracle's certification matrix found at http://www.oracle.com/technetwork/middleware/downloads/fmw-11gr1certmatrix.xls, Oracle Forms 11.1.1.2 is not supported to use any Oracle Access Manager (OAM) version. OAM is a component of IAM. It is only supported with Oracle SSO 10.1.4.x. The best solution would be to upgrade the Forms and Reports environment to either 11gR2 (11.1.2.1) or to the latest 11gR1 patchset 11.1.1.7. Both versions are compatible with OAM 11.1.1.7.0 and OID 11.1.1.7.0 where only Forms 11gR2 (11.1.2.1) is compatible with OAM 11.1.2.0 and OID 11.1.1.7.0. That would be the best solution as we have ran into configuration problems in the past with using Oracle SSO 10.1.4.x.
  Since OID 11.1.1.2.0 is already installed, you should be able to patch it up to 11.1.1.7.0.
  For user authentication in OID, it is required to have OAM or Oracle SSO as both products use WebGate or mod_osso agents for authentication and authorization. For purposes of allowing end users to register accounts and password reset, you will either need to also install another IAM component called Oracle Identity Manager (OIM) or create a customized SSO login page that can be coded to perform these actions. I believe there are some examples available on the Internet.
  Thanks,
  Scott
  http://pitss.com/us

• PLSQL toolkit with OAM 11gR2

  Hello,
  We're currently using PLSQL toolkit developed applications with Oracle SSO. We're looking to upgrade to OAM in the near future and would like to verify if we can use these PLSQL toolkit applications with OAM. Will this be a problem for us?
  Thanks for any information or insight.
  Ariel

  Colin,
  One more question pertaining to this is
  earlier i was not using any valid host:port combinations in host identifier. it was generic string equal to the the name of host identifier.
  But now after changing servercache to form and modifying the login form to return OAM_REQ, i have to put valid combinations in the host identifier. without that it shown Bad Access Manager error and in the logs:
  [2013-10-29T08:27:41.002-06:00] [oam_server2] [WARNING] [OAM-02073] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: c72ab7e1931dad2b:-ad6b939:1420484d41b:-8000-0000000000000014,1:27010] [APP: oam_server#11.1.2.0.0] Error while checking if the resource is protected or not.
  [2013-10-29T08:27:41.003-06:00] [oam_server2] [ERROR] [OAM-04029] [oracle.oam.proxy.oam] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: c72ab7e1931dad2b:-ad6b939:1420484d41b:-8000-0000000000000014,1:27010] [APP: oam_server#11.1.2.0.0] Error in generating AMEvent. Details Event Response status is STATUS_FAIL for GET_AUTHN_SCHEME event. Error code OAM-02073 status fail isExcluded false
  Could you please explain the behaviour.
  Thanks in advance.

• Shared Services with OAM ?

  Plannign a green-field 11.1.2.2 implementation and want to understand whether it will be possible (or indeed is possible in current versions) to integrate Shared Services with OAM ?
  Thanks is advance !
  Alasdair
  Edited by: 919830 on 09-Mar-2012 03:25

  Hi,
  Yes is the answer, but I am not sure how can it be done. But the document of essbase states the below
  Security: Integration with Oracle Access Manager, Oracle SSO, Desktop Kerberos Support, OID as the Native Provider
  Sandeep Reddy Enti
  http://hyperionconsultancy.com/

• Sample code for SSO with ucm10gR3

  hi all,
  I am using ucm10gr3 and want to implement sso with my web application running on wls, I don't have OAM, I need to implment sso with ucm by my code, reading the following statement in metalink:
  REMOTE_USER is a computed Common Gateway Interface (CGI) variable that is used by the web server to indicate that the current acting request has been successfully authenticated as acting as the user identified by the value of this CGI variable. Getting the web server to set this variable for you is highly dependent on the particular APIs and data structures available in that web server. This may also require some customization and code be written within the web server, such as a custom web server plugin. This should not require additional code or components to be written on the UCM side.
  In other words, This is not specially a content server configuration issue. If you can get any standard 3rd party web application (such as PHP -- for example a Wiki application) to get the SSO solution to work using standard webserver authentication techniques and doing nothing special in the application, then it should work without needing any additional UCM specific code.
  All web servers have a built in understanding that the current request can act at the behest of a particular user. When web servers execute CGI applications, such as PHP, the standard CGI specification specifies that this user name be used to populate a parameter called REMOTE_USER. The mechanism by which this parameter is propagated to the script or plugin that is executing the request tends to be implementation specific. This parameter can be picked up by the CS web server plug-in.
  Per my understanding, I need to use CGI to produce a variable named REMOTE_USER, and save username in it, but I am not a CGI guy, who can give me a demo for this?
  Or is there any other solution to implement sso with ucm?
  Thanks a lot!
  Best regards

  While, seems one way is to use stream to bypass login.