SSO OBIEE11g

Similar Messages

• SSO!!!

  Sun Access Manager v7Q1 and Directory Server v5.2 is installed in a single solaris machine.
  Websphere Application Server is running on windows 2000 professional and Policy Agent v2.1.0 for Websphere Application Server is installed on the same machine.
  1. We hit the application page as http://<hostname>:<port>/<appname>
  2. AM login page is thrown
  3. We enter the username/password.
  4. Successfully authenticating against Sun DS.
  5. After successful authentication, the page is redirected to application login page. (!! actually the page should be redirected to appropriate home page for which the user is authorized)
  Can anybody guide on Policy Agent settings for Websphere Application Server to achieve SSO and the exact steps?
  Would be greatful if anybody can throw light on this.
  Thanks in anticipation.
  Regards
  Prem

  I recently configured LDAP with MSAD on 11.1.1.6. My question is it possible that AD users login to BIEE without giving their username passwords (because they are already authenticated on the operating system level). Can single sign on solve this problem ?Please see these docs.
  OBIEE 11g: Configuring Authentication and SSO with Active Directory and Windows Native Authentication [ID 1274953.1]
  OBIEE 11g: How To Setup ADSI LDAP Security Provider [ID 1273961.1]
  OBIEE11g - SSL LDAP/ADSI Authentication Setup and Configuration [ID 1326641.1]
  Master Note for Security/Access Control Issues in OBIEE [ID 1293407.1]
  Please also see these docs.
  OBIEE 11g - AES Encryption for SSO with Active Directory and Windows Native Authentication [ID 1391057.1]
  External LDAP Authenticated Users Are Unable To Sign In With OBIEE 11g Or View Catalogs In BI Publisher [ID 1275266.1]
  OBIEE 11.1.1.5: Administration Link Is Not Displayed With Microsoft Active Directory Services (AD) as the LDAP provider [ID 1404033.1]
  External LDAP Authenticated Users Are Unable To Sign In With OBIEE 11g Or View Catalogs In BI Publisher [ID 1275266.1]
  After Configuring OBIEE 11g With MS Active Directory (MSAD) LDAP And External BISystemUser Login Fails With 'Unable To Sign In' [ID 1302444.1]
  OBIEE 11g: Active Directory Authentication Is Extremely Slow [ID 1352186.1]
  OBIEE 11g: New Groups Added onto Active Directory (ADSI) Not Visible in OBIEE [ID 1381617.1]
  OBIEE11g: Authentication when Users are in LDAP and Groups are in a Database [ID 1427194.1]
  How are Credentials Stored In OBIEE 11G and WebLogic Infrastructure ? [ID 1371058.1]
  Thanks,
  Hussein

• OBIEE11g - Session Management

  Hi,
  in order to integrate OBIEE11g Presentation Server with our Session Management infrastructure, we need to retrieve (from an external application component) the following informations:
  1. Presentation Server Session ID of all users logged into OBIEE Presentation Server in a certain instant
  2. For each user session, the timestamp of the last action performed
  3. Any other possible information related to user session
  Our requirement is to check the elapsed time since user performed his last action in OBIEE.
  Whenever the elapsed time has reached a prefixed value, we need to force log off of the user from Presentation Server (killing his session) and redirect him to a custom page into our internal portal.
  Otherwise, we need a way to force "keep alive" of the user session on BI Presentation Server.
  SSO is not a valid option for our company.
  Any idea on if and how this could be feasible?
  Thanks in advance,
  Massimo

  Hi,
  in order to integrate OBIEE11g Presentation Server with our Session Management infrastructure, we need to retrieve (from an external application component) the following informations:
  1. Presentation Server Session ID of all users logged into OBIEE Presentation Server in a certain instant
  2. For each user session, the timestamp of the last action performed
  3. Any other possible information related to user session
  Our requirement is to check the elapsed time since user performed his last action in OBIEE.
  Whenever the elapsed time has reached a prefixed value, we need to force log off of the user from Presentation Server (killing his session) and redirect him to a custom page into our internal portal.
  Otherwise, we need a way to force "keep alive" of the user session on BI Presentation Server.
  SSO is not a valid option for our company.
  Any idea on if and how this could be feasible?
  Thanks in advance,
  Massimo

• Regarding sso confrigaution

  Hi All,
  i have just migrated from obiee10 to obiee11g.
  since i configured sso in 10g so it also got configured in obiee11g.
  the problem is that it showing sign out button after sign in in any application.
  previously in 10 it was not coming but in obiee11g it is coming.

  Hi All,
  i have just migrated from obiee10 to obiee11g.
  since i configured sso in 10g so it also got configured in obiee11g.
  the problem is that it showing sign out button after sign in in any application.
  previously in 10 it was not coming but in obiee11g it is coming.

• SSO to partner application running under IIS

  Hi,
  We have a complete set-up for 9iAS Release2 where some applications are running. In parallell we have an application running under IIS, and would now like to enable the IIS application as a partner application to 9iAS letting the 9iAS SSO server handle the authentication.
  In the documentation of Oracle Proxy Plug-in I read that this proxy plug-in can be used to proxy requests from IIS to Oracle http server (OHS) and also in this way enable SSO.
  My question is if this can be done only for applications running under 9iAS but having IIS as web server, or if it is also possible like in our case to enable SSO via the proxy plug-in to applications runnind under IIS?
  If this is not supported is the only available solution to use the SSO SDK in my IIS application?
  Thanks and regards,
  Rikard

  Here's a DIY answer.
  See Metalink Note 269820.1 which shows you how to use Perl to overwrite the host name in the HTTP header and remove the port number.

• SSO java sample application problem

  Hi all,
  I am trying to run the SSO java sample application, but am experiencing a problem:
  When I request the papp.jsp page I end up in an infinte loop, caught between papp.jsp and ssosignon.jsp.
  An earlier thread in this forum discussed the same problem, guessing that the cookie handling was the problem. This thread recommended a particlar servlet , ShowCookie, for inspecting the cookies for the current session.
  I have installed this cookie on the server, but don't see anything but one cookie, JSESSIONID.
  At present I am running the jsp sample app on a Tomcat server, while Oracle 9iAS with sso and portal is running on another machine on the LAN.
  The configuration of the SSO sample application is as follows:
  Cut from SSOEnablerJspBean.java:
  // Listener token for this partner application name
  private static String m_listenerToken = "wmli007251:8080";
  // Partner application session cookie name
  private static String m_cookieName = "SSO_PAPP_JSP_ID";
  // Partner application session domain
  private static String m_cookieDomain = "wmli007251:8080/";
  // Partner application session path scope
  private static String m_cookiePath = "/";
  // Host name of the database
  private static String m_dbHostName = "wmsi001370";
  // Port for database
  private static String m_dbPort = "1521";
  // Sehema name
  private static String m_dbSchemaName = "testpartnerapp";
  // Schema password
  private static String m_dbSchemaPasswd = "testpartnerapp";
  // Database SID name
  private static String m_dbSID = "IASDB.WMDATA.DK";
  // Requested URL (User requested page)
  private static String m_requestUrl = "http://wmli007251:8080/testsso/papp.jsp";
  // Cancel URL(Home page for this application which don't require authentication)
  private static String m_cancelUrl = "http://wmli007251:8080/testsso/fejl.html";
  Values specified in the Oracle Portal partner app administration page:
       ID: 1326
       Token: O87JOE971326
       Encryption key: 67854625C8B9BE96
       Logon-URL: http://wmsi001370:7777/pls/orasso/orasso.wwsso_app_admin.ls_login
       single signoff-URL: http://wmsi001370:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout
       Name: testsso
       Start-URL: http://wmli007251:8080/testsso/
       Succes-URL: http://wmli007251:8080/testsso/ssosignon.jsp
       Log off-URL: http://wmli007251:8080/testsso/papplogoff.jsp
  Finally I have specified the cookie version to be v1.0 when running the regapp.sql script. Other parameters for this script are copied from the values specified above.
  Unfortunately the discussion in the earlier thread did not go any further but to recognize the cookieproblem, so I am now looking for help to move further on from here.
  Any ideas will be greatly appreciated!
  /Mads

  Pierre - When you work on the sample application, you should test the pages in a separate browser instance. Don't use the Run Page links from the Builder. The sample app has a different authentication scheme from that used in the development environment so it'll work better for you to use a separate development browser from the application testing browser. In the testing browser, to request the page you just modified, login to the application, then change the page ID in the URL. Then put some navigation controls into the application so you can run your page more easily by clicking links from other pages.
  Scott

• How to change SSO Partner Application Login_url and Logout_url

  As part of a deployment in a different data centre, we needed to change the domain name of an application using SSO for authentication. We have gone through the process of re-registering the SSO server but this does not update the domain name
  By using diagnostic tools from Oracle we have discovered that the file 'osso.conf' in $ORACLE_HOME/Apache/Apache/conf/osso contains incorrect entries for login_url and logout_url.
  These settings are of the form:
  login_url=http://www.ourolddomain.com/pls/orasso/orasso.wwsso_app_admin.ls_login
  logout_url=http://www.ourolddomain.com/pls/orasso/orasso.wwsso_app_admin.ls_logout
  Please can anyone tell me how these settings can be changed.

  Hi,
  [Solved] SSO fails to show success page you can find some information on re registering mod_osso.
  Hope it helps.

• HOW TO SET UP PARTNER APPLICATION TO USE SSO OUTSIDE OF PORTAL

  If anyone knows how Portal switches context to run as the db user mapped to the lightweight schema and how it knows the db schema password please let me know.
  Should you have any queries please do not hesitate to contact me on 07775 896738.
  From document Oracle Portal Security Overview on PortalStudio.oracle.com:
  In Single Sign On mode (EnableSSO=Yes in the DAD), mod_plsql determines the name of the light-weight user and mapped database schema by calling
  WPG_SESSION_PRIVATE.GET_LW_USER and WPG_SESSION_PRIVATE.GET_DB_USER respectively.
  ** These calls are done using the Portal Schema (PORTAL30) and Portal schema password **
  mod_plsql then executes the procedure in the requested URL by using the N-Tier Authentication feature to connect to the database as the user returned from
  WPG_SESSION_PRIVATE.GET_DB_USER. ..... Note that N-Tier Authentication requires all schemas to be used for Portal user mappings to be granted 'connect
  through' privleges to the Portal schema (PORTAL30).
  The WWCTX packages are also used.
  So this is how it works with standard Portal
  - the document states that the WPG_SESSION_PRIVATE package is only accessible to the Portal schema
  - but I checked and it is also available to PORTAL30_SSO
  SQL> desc WPG_SESSION_PRIVATE
  PROCEDURE CREATE_SESSION
  Argument Name Type In/Out Default?
  P_COOKIE_NAME VARCHAR2 IN
  FUNCTION GET_DB_USER RETURNS VARCHAR2
  FUNCTION GET_LW_USER RETURNS VARCHAR2
  PROCEDURE GET_SESSION_INFO
  Argument Name Type In/Out Default?
  NUM_PARAMS NUMBER OUT
  PARAM_NAMES TABLE OF VARCHAR2(32000) OUT
  PARAM_VALUES TABLE OF VARCHAR2(32000) OUT
  PROCEDURE RESET_SESSION
  Argument Name Type In/Out Default?
  P_COOKIE_NAME VARCHAR2 IN
  In my case only the Login Server (PORTAL30_SSO) is going to be used/installed
  - the SAMPLE_SSO_PAPP application will only work if the DAD used to access is it set to use Basic authentication, i.e. the actual integration with the Login Server
  is done in the sample application code calls, stored in the database
  - when a DAD has enableSSO=yes it automatically accesses Portal (PORTAL30) packages to implement N-Tier authentication
  I'm currently testing:
  1. Configuring the SAMPLE_SSO_PAPP sample as documented with a DAD with Basic authentication
  2. Amending the ssoapp procedure to set context to another (db) user on successful authentication:
  wwctx_api.set_context (
  p_user_name => 'SCOTT',
  p_password => 'TIGER' );
  3. If this works then set_context with get_lw_user instead
  I have now amended the ssoapp procedure as follows to print out
  1. The userid entered when the login box is presented
  2. The Database user which the Portal Lightweight user is mapped to
  3. The Lightweight user Portal has used for authentication
  Amendments to papp.pkb:
  (ssoapp procedure, declare db_user_info and lw_user_info as VARCHAR2 in declare section)
  htp.p('Congratulations! It is working!<br>');
  db_user_info := wwctx_api.get_db_user;
  lw_user_info := wwctx_api.get_user;
  htp.p('User Information:' || l_user_info || '<br>');
  htp.p('DB User Information:' || db_user_info || '<br>');
  htp.p('LW User Information:' || lw_user_info || '<br>');
  The following shows the interesting results from my testing:
  - if the user owning the sample_sso_papp package is PORTAL30_SSO then the call to wwctx_api.get_db_user succeeds
  - if the user owning the sample_sso_papp package is a non-portal schema e.g. SSOAPP below the call to wwctx_api.get_db_user generates a User Defined exception
  Steps to test:
  Created new schema SSOAPP on the database
  - edited it in Portal and checked the use this schema for Portal users checkbox
  - created new Lightweight user SSO_LW in Portal, mapped it to SSOAPP schema
  - created new Lightweight user SSO_SCOTT in Portal, mapped to SCOTT schema
  - loadjava -user ssoapp/ssoapp@portal30 SSOHash.class
  - sqlplus portal30/portal30@portal30
  @provsyns ssoapp
  - sqlplus ssoapp/ssoapp@portal30
  @loadsdk.sql
  @loadpapp.sql
  Created DAD with basic authentication SAMPLE_SSO_PAPP
  - username: ssoapp
  - default home page: sample_sso_papp.ssoapp
  Registered the Sample SSO Partner Application with the Login Server and ran regapp.sql
  Commented out the calls to get_db_user in papp.pkb to avoid exception
  - called http://<server>/pls/sample_sso_papp
  - logged on as SSO_LW/sso_lw
  - got output:
  Congratulations! It is working!
  User Information: SSO_LW
  LW User Information: PUBLIC
  So the Portal lightweight user is not returned as SSO_LW
  if anyone knows why the Lightweight User in my test is returned as PUBLIC not SSO_LW
  Best Regards
  MIchael

  http://support.mozilla.com/en-US/kb/Changing+the+e-mail+program+used+by+Firefox

• SSO for partner applications

  Hi All,
  I have installed 10g AS Release 2 on a system. I also have Application Express(formerly HTML DB) installed on the same system. I registered one of the HTML DB applications as partner applications and have put SSO authentication for it.
  When I try to login the AS looks at the OID installed on the system(which I gave during installation). I want it to look at the Oracle gmldap.oraclecorp.com server OID so that only Oracle employees login.
  Can anybody tell me how to change the OID and what are the entries to be give to configure it to gmldap.oraclecorp.com server??
  Thanks,
  Swaroop

  See Task 3 in the Section 9.4 of the Oracle Application Server Administrator's Guide:
  http://download-west.oracle.com/docs/cd/B14099_17/core.1012/b13995/chginfra.htm#i1014978
  See the following for information about what to specify on each page.
  http://download-west.oracle.com/docs/cd/B14099_17/core.1012/b13995/reconfig.htm#i1013341

• SSO With XI 3.0 on IIS

  I've searched these forums and finding bits and pieces of information so I'm hoping someone can help me out.
  I've successfully installed XI 3.0 on a new server.  We're trying to get SSO to work from our custom application so that users won't have to sign onto BO seperately.
  Most of the documentation I've found has been related to XI 2.
  I'm very new to administrating BO.  I'm assuming that the SSO on XI 2 (which we currently have our users using) cannot simply be copied over (I've tried.).  Also, I'm assuming that the SSO is part of a SDK or API.  If so, are these installed by default or are they seperate downloads?
  Can someone point me in the right direction?
  Thanks

  3.0 does not support IIS for infoview, only java app servers. We can enable SSO for those.
  As far as what migrates over from XIR2, the users, groups, plugin config, but the SSO settings do have to be applied on the web/app server(s)
  If you get 3.1 (same license code) that does support IIS/SSO. You should get 3.1 regardless 3.0 was the very 1st version of 3.x and therefor has the most bugs.
  Regards,
  Tim

• SSO between a Java EE application (Running on CE) and r/3 backend

  Hi All,
  Over the past few days I have been trying to implement a SSO mechanism between NW CE Java Apps and R/3 backend without any success. I have been trying to use SAP logon tickets for implementing SSO.
  Below is what I need:
  I have a Java EE application which draws data from R/3 backend and does some processing before showing data to the users. As of now the only way the Java App on CE authenticates to r/3 backend is by passing the userid and pwds explicitly. See sample authentication code below:
  BindingProvider bp = (BindingProvider) myService;
  Map<String,Object> context = bp.getRequestContext();
  context.put(BindingProvider.USERNAME_PROPERTY, userID);
  context.put(BindingProvider.PASSWORD_PROPERTY, userPwd);
  Now this is not the way we want to implement it. What we need is when the user authenticates to CE ( using CE's UME) CE issues a SAP logon ticket to the user. This ticket should be used to subsequently login to other system without having to pass the credentials. We have configured the CE and Backend to use SAP logon tickets as per SAP help.
  What I am not able to figure out is: How to authenticate to SAP r/3 service from the java APP using SAP logon tickets. I couldnt find any sample Java  code on SAP help to do this. (For example the above sample code authenticates the user by explicitly passing userid and pwd, I need something similar to pass a token to the backend)
  Any help/pointers on this would be great.
  Thanks,
  Dhananjay

  Hi,
  Have you imported the java certificate into R/3 backend system ? if so.
  Then just go to backend system and check on sm50 for each applicaion instance of any error eg.
  SM50-> Display files (ICON) as DB symbol with spect.(cntrlshiftF8)
  You will get logon ticket details.
  with thanks,
      Rajat

• SSO requires double login for partner application

  I'm having some trouble with SSO partner applications, when I login to a SSO protected application, the login works fine, but when I try to navigate to another application I'm presented with the login page again, the sso cookie seems to be working since clicking on the login button without entering the user credentials works. For example, I log in to portal and from there I navigate to a forms application that is on the same server and the same port (portal: https://apps.mydomain.com:4444/pls/portal --> forms: https://apps.mydomain.com/forms/frmservlet?config=app) I am presented with the login page and after clicking on the login button without entering any information everything works fine. This is happening for all the middle tiers that are connected to the same OID. Any ideas on what can be wrong on my configuration?

  Hi Andrey,
  The problem sounds really wierd.
  Can you check your SSO settings for your Portal ECC system? I mean, please check the User Management/Administration properties in your System Adminstration of Portal System that points to ECC.
  Regards
  <i><b>Raja Sekhar</b></i>

• SSO userid for a partner application

  Hi,
  We have one application deployed on WebLogic Application Server this is registred as Partner application over SSO server.
  On application side we have installed Oracle HTTP Server as webserver and configured mod_osso.
  Now when user attempt to access any secured page SSO askes for the authentication. And on successful login user landed back to application page configured while creating Partner application.
  After login we need userid of user who logged in on sso server. I have tried following and getting null.
  Remote User: <%=request.getRemoteUser() %>,
       Proxy-Remote-User: <%=request.getHeader("Proxy-Remote-User") %>
       Osso-User-Dn: <%=request.getHeader("Osso-User-Dn") %>
       Osso-User-Guid: <%=request.getHeader("Osso-User-Guid") %>
       Osso-Subscriber: <%=request.getHeader("Osso-Subscriber") %>
       Osso-Subscriber-Dn: <%=request.getHeader("Osso-Subscriber-Dn") %>
       Osso-Subscriber-Guid: <%=request.getHeader("Osso-Subscriber-Guid") %>
       Accept-Language: <%=request.getHeader("Accept-Language") %>
  output:
  Remote User: null,
  Proxy-Remote-User: null
  Osso-User-Dn: null
  Osso-User-Guid: null
  Osso-Subscriber: null
  Osso-Subscriber-Dn: null
  Osso-Subscriber-Guid: null
  Accept-Language: en-us,en;q=0.5
  Is any one there knows, what exactly i should do?
  Thanks & Regards,
  Kevin Chheda

  So the user has successfully authenticated and can access protected areas of the application?
  Have you tried using Http headers to see values/attribute names?
  Can you try this:
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
  <html>
  <body>
  <%@ page import = "java.util.*" %>
  <h1>Headers received:</h1>
  Remote user header is: <% out.println(request.getRemoteUser()); %>
  <p>
  <table>
  <%
  Enumeration headerNames = request.getHeaderNames();
  while(headerNames.hasMoreElements()) {
  String headerName = (String)headerNames.nextElement();
  out.println("<tr><td>" + headerName);
  out.println(" <td>" + request.getHeader(headerName));
  %>
  </table>
  </body></html>

• Sso session timeout per partner application

  Hello,
  I was just wondering if it is possible to configure SSO session timeouts per partner application? I'm looking to log out users of a particular application after 15 minutes, but don't want this change to affect any of my other SSO enabled applications. Is this possible?
  Thanks,

  Hi,
  I do not think so, you can not specify specail parameter for one application in SSO.
  Why because SSO is one component (within your Infra) through which you logon different apps.
  Another solution may be it will expensive is that you 'll need to use different infra for this specific application.
  Regards,
  Hamdy

• SSO to database

  We have Business Objects 3.1 SP2 FP2.3 running on Windows 2003 R2 SP2 64bits.
  CMS database on SQL 2005 x64
  Environment runs on Apache Tomcat
  Single Sign-On with kerberos on Active Directory is working fine.
  We have developers who want to use their Crystal Reports with SSO also and not use SQL authentication like they used to do in previous BO versions.
  In Windows AD Authenticaton of the CMC, I checked the option Cache security context (required for SSO database)
  In the Database Configuration of the Crystal Report we're testing, in the section "When viewing report", we selected Use SSO context for database logon
  Is there any other necessary configuration to be done in any config file?
  Not sure whether this should be added but in the krb5.ini file, I added the following value under libdefaults (just before the realms section): forwardable = true
  When I try to view the report, I get the following error message in InfoVIew:
  Error in File "testreport": Unable to connect: incorrect log on parameters: Details: [Database Vendor Code: 18456]
  For the same kind of report but with the option: "Use same database logon as when report is run", with SQL authentication parameters, everything is OK.
  DEV Environment: one InfoVIew FrontEnd server and one BO CMS server
  PROD Environment: one InfoView FrontEnd server and 2 BO clustered servers
  Regards
  Jay

  I think [this thread should get you going|SSO2DB / Use Database Credentials; about half way down I worte a response with links to setup the DB for kerberos.
  Regards,
  Tim