
Configuring Oracle Business Intelligence Enterprise Edition 11g to work with SiteMinder SSO
An Oracle White Paper
April 2011 (Updated July 2011)

1 Purpose
2 Scope
2.1 Pre-requisites
3 Configuration Instructions
3.1 Create an Agent on the SiteMinder Policy Server
3.2 Required setup on HTTP Server
3.3 Web Agent setup on HTTP Server
3.4 Required setup on SiteMinder Policy Server
3.5 Configuration Required in the RPD
3.6 Configure Oracle BI for SSO
3.7 Configuration on WebLogic to protect direct access
3.7.1 Protect direct http access to OBIPS
4 Troubleshooting

Configuring Oracle Business Intelligence Enterprise Edition 11g to work with SiteMinder SSO Page 2


1 Purpose
This paper examines how to configure Oracle Business Intelligence Enterprise
Edition (Oracle BI EE) 11.1.1.3.0 to use SiteMinder version 6 as a Single Sign-On
(SSO) mechanism.
There are two possible approaches for configuring SiteMinder with Oracle BI EE 11g.
One approach involves using a SiteMinder Asserter (Application Agent) provided by
Computer Associates as a plugin to WebLogic, combined with a supported
Authenticator such as an Active Directory Authenticator. This approach is not
described in this document and has not been certified by Oracle at this point.
However, customers have successfully configured this approach, and it does not
have the same limitations as the approach described in this document.
Under certain circumstances, the approach using an Asserter in WebLogic will not
be possible. In this case, the approach described in this document should be
followed. For example, if group membership for users is defined in a database
table, it is not possible in BI 11.1.1.3.0 to use an authenticator and asserter
approach for authentication.
The approach described in this document is based on an HTTP header provided by
SiteMinder that contains the UserID of an authenticated user. This HTTP header is
then used by Oracle BI EE to log the user on. The scenario documented assumes that a
user population exists in an LDAP directory and that the BI Server will retrieve group
membership information for these users via a single SQL statement executed by an
Initialization Block.


2 Scope
This document describes the steps required to integrate Oracle BI Enterprise
Edition with SiteMinder SSO in order to use SiteMinder to provide single sign-on
and secure access to the Oracle BI /analytics URL.
This document is aimed at Oracle BI professionals familiar with both SiteMinder
and Oracle BI Enterprise Edition 11g. In particular, you should have familiarity
with SiteMinder Policy Server and Web Agent as well as HTTP server functionality,
and experience of maintaining metadata in the Oracle BI Administration Tool.
Setup is required in both Oracle BI and SiteMinder to perform this integration.
This document assumes that a supported HTTP server has been configured with the
appropriate WebLogic plugin in front of the WebLogic server hosting the web
components of Oracle BI. An example of the WebLogic plugin configuration is
given for an Apache HTTP server; links to the documentation for configuring the IIS
plugin are provided.
You should be aware that there are some limitations of this approach. The known
limitations are as follows:
- Access to RTD is not possible using this approach.
- Access to BIP via Oracle BI has known issues using this approach which are
  not planned to be addressed for Oracle BI 11.1.1.3.0.
- This document does not address any additional configuration that might be
  required to configure BI Publisher for SiteMinder SSO.
- Invoking Actions that are configured to propagate user identity to targets has
  not been certified.
- Using Essbase as a data source, including propagating the user identity of the
  BI User to Essbase via a CSS Token, is not certified with this approach.
- BISearch is not certified with this approach due to limitations around Secure
  Enterprise Search support for SiteMinder.
- Editing a view in Excel under BIOffice does not work, as BIOffice requires an
  IP address to access analytics whereas SiteMinder must be configured to
  protect analytics via a fully qualified hostname.
This approach has been tested against the following release versions:
- Oracle BI EE 11.1.1.3.0
- SiteMinder 6.0

2.1 Prerequisites
The following prerequisites must be satisfied before you configure Oracle BI 11g
with SiteMinder:
- Oracle Business Intelligence 11.1.1.3 must be installed and running.
- A supported web server (e.g. Apache 2.0, IIS 7.0) must be installed and
  running.
- SiteMinder Policy Server 6 must be installed and running on the same
  internet domain as the web server.
- A User Directory should be configured on the SiteMinder Policy Server for
  both Authentication and Authorization. This User Directory needs to point to
  an LDAP directory that can also be used directly by the BI Server.

3 Configuration Instructions
3.1 Creating an Agent on the SiteMinder Policy Server
Follow the SiteMinder documentation to create an Agent to use with your web
server. Here is a summary of the required tasks:
1. Log on to Policy Server Administration console.
a. Right-click on Agents->Create Agent.
b. In Agent Properties, enter a name for the agent (e.g. Hostname of the
machine hosting the web server and SiteMinder Agent)
c. Optional: Enter a description of a new agent.
d. Click OK.
2. In the left tree view:
a. Select Agent Conf Objects.
b. Right-click on IISDefaultSettings or ApacheDefaultSettings, depending
on the Web server software you have installed, and select Duplicate
Configuration Object in context menu.

3. On Agent Configuration Object Properties:
a. Give a name to the new configuration object.
b. Double-click on #DefaultAgentName.
c. In the Edit Parameter Dialog, in Parameter Name, remove the comment
(#) character from the property name and change the Value to the
same name as specified for the Agent.
d. Double-click on #BadUrlChars and remove // from BadUrlChars
value.
e. Uncomment #BadCssChars and leave Value blank.
f. Double-click on #IgnoreExt.
g. Uncomment #IgnoreExt and, for Value, remove the following
extensions: .gif, .jpg, .jpeg, .png.
h. Uncomment #LogFileName and, for Value, enter a log file name and
location.
i. Set Logfile property to yes if you want to enable agent logging.
j. Click OK.

3.2 Setting up the HTTP Server
1. Install the web server if not already available, e.g., install Apache 2.0.64.
2. Download the appropriate WebLogic plugin for your version of the web server
(you can find further information on which is the most appropriate plugin
from the WebLogic WebServer plugins guide at
http://download.oracle.com/docs/cd/E14571_01/web.1111/e14395/overview.htm).
3. The latest maintenance releases for the version 1.0 and the version 1.1 plugins
are posted on My Oracle Support: search for Patch Number 10051798 (for
version 1.0 of the plugins) or Patch Number 10051826 (for version 1.1
plugins).
4. This document covers configuring the plugin for Apache 2.0 as an example,
which requires the 1.0 plugins. Full instructions on configuring this plugin
with the Apache web server are available at
http://download.oracle.com/docs/cd/E14571_01/web.1111/e14395/apache.htm
5. Unpack the plugins and locate the appropriate version of the plugin for your
platform, e.g. for a 32-bit Linux install, where you unpacked the plugins zip file to
/home/user/WLSPlugins1.0/, the appropriate plugin would be located at
/home/user/WLSPlugins1.0/linux/i686/mod_wl_20.so


6. Copy the mod_wl_20.so file to the modules directory under your Apache
install directory.
7. Open your <apache install directory>/conf/httpd.conf file and add the
following lines at the end of the file:
LoadModule weblogic_module modules/mod_wl_20.so
<Location /analytics>
SetHandler WebLogic-handler
WebLogicHost [fully qualified hostname of the BI Server]
WebLogicPort [WebLogic managed Server port default is 9704]
</Location>
<Location /ui>
SetHandler WebLogic-handler
WebLogicHost [fully qualified hostname of the BI Server]
WebLogicPort [WebLogic managed Server port default is 9704]
</Location>
<Location /xmlpserver>
SetHandler WebLogic-handler
WebLogicHost [fully qualified hostname of the BI Server]
WebLogicPort [WebLogic managed Server port default is 9704]
</Location>
<Location /analytics-ws>
SetHandler WebLogic-handler
WebLogicHost [fully qualified hostname of the BI Server]
WebLogicPort [WebLogic managed Server port default is 9704]
</Location>
<Location /biservices>
SetHandler WebLogic-handler
WebLogicHost [fully qualified hostname of the BI Server]
WebLogicPort [WebLogic managed Server port default is 9704]
</Location>
<Location /biofficeclient>
SetHandler WebLogic-handler
WebLogicHost [fully qualified hostname of the BI Server]
WebLogicPort [WebLogic managed Server port default is 9704]
</Location>

8. Restart your web server and navigate to http://[fully-qualified hostname for
webserver:port]/analytics
9. You should see the BI login screen.

3.3 Setting up the Web Agent on the HTTP Server
Complete the following steps:
1. Follow SiteMinder documentation to install and configure SiteMinder Web
Agent on your web server. You should include the steps to perform host
registration. Any issues with this step should be directed to SiteMinder
support rather than Oracle support.
TROUBLESHOOTING TIP: Check that your SiteMinder Policy Server shows a new
Trusted Host after completing host registration via Web Agent.
2. Restart your web server.
3. Clear the browser cache and cookies.
4. Navigate to http://[fully-qualified hostname for webserver:port]/analytics.
5. You should be challenged for SiteMinder authentication.
6. On successful authentication you should be directed to the BI login page.

3.4 Setting up the SiteMinder Policy Server
Use the SiteMinder documentation to complete the following steps:
1. Add a Domain that uses the User Directory to be used with Oracle BI.
2. Create a Policy for the Domain. NB: in the SiteMinder Domain, do not create a
Realm to protect /; instead, create a Realm for each URI pattern that needs to
be either protected or unprotected.
3. Create a separate Realm to protect each of the following:
/analytics/saw.dll (Oracle BI EE)
/xmlpserver (BI Publisher)
4. Create a Rule for each of the above Realms and attach it to the Domain's Policy.
5. Each Rule should be set to Allow Access with the Web Agent actions of Get
and Post.
6. Create a separate Realm to unprotect each of the following:
/analytics-ws
/xmlpserver/services/
/xmlpserver/report_service
/xmlpserver/ReportTemplateService.xls
/xmlpserver/Guest
/biservices (Oracle BI EE Web Services for SOA)
7. Make sure that each Realm created uses the User Directory pointing to the
same Identity Store being used by Oracle BI.
8. Make sure that the SiteMinder Policy is configured to provide the HTTP
header SM_USER, which is the HTTP header SiteMinder will typically set by
default.

3.5 Configuring the RPD File
Open the RPD using the BI Admin Tool and complete the following steps:
1. Create a new LDAP Server connection under Manage > Action > New >
LDAP Server. This needs to point to the same LDAP store that is used by the
SiteMinder User Directory.
2. This is documented in Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition, Section A1.1 Setting up LDAP
Authentication:
http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10543/legacy.htm#BABFJEJF
3. Test the connection and make sure that it works.
4. Create a new Initialization Block (Manage > Variables > Action > New >
Session > Initialization Block) called authenticationLDAP (the name is not
important) as shown below:


5. Create another Initialization Block called authorization as shown:


6. The SQL can be anything that returns either a list of groups, or a single
group if row-wise initialization is not used.
IMPORTANT NOTES:
- In Oracle BI 11g, Init Blocks to set USER and GROUP will only fire when
  the user trying to authenticate is not found via an Authenticator
  configured in the WebLogic security Realm. Therefore, you should not
  configure any authenticators other than the default authenticator when
  using the method described in this document. The default authenticator
  still needs to be configured and should contain the BI System User and the
  OracleSystemUser and related group.
- When using an Init Block to set the GROUP session variable, the values of
  this variable should be set to match by name against one or more
  Application Roles configured via Enterprise Manager Fusion Middleware
  Control, for example, BIConsumer. A user will be assigned these
  Application Roles and associated permissions during authentication.
  Please refer to the documentation in Oracle Fusion Middleware Security
  Guide for Oracle Business Intelligence for information about Application
  Roles and how to add a new Application Role.
- When using init blocks to set USER and GROUP, the association of groups
  to Application Roles is performed using the logic described above.
  Assignment of users and groups to Application Roles in the policy store is
  not used in this case.
- Any values of the GROUP variable that do not match an Application Role
  will be matched by name against the available Web Groups in the BI
  Presentation Services Web Catalog. The user will be assigned these Web
  Groups and associated privileges.
- Any value of GROUP that does not match an Application Role or a Web
  Group will be ignored.

3.6 Configuring Oracle BI for SSO
Follow the instructions below to configure Oracle BI to use an HTTP header from
SiteMinder in order to assert the user identity.
1) Log in to Enterprise Manager Fusion Middleware Control.
2) Select Business Intelligence and go to the Security tab.
3) Click Lock and Edit.
4) In the SSO drop-down, select SiteMinder SSO.
5) Click Apply.
6) Click Activate Changes.
7) Configure authenticationschemas.xml as follows:
a) On your BI installation go to mwhome/OracleBI1/bifoundation/web/display
b) Edit authenticationschemas.xml with the following changes (the SiteMinder-specific
entries, shown in bold):
<?xml version="1.0"?>
<AuthenticationSchemas xmlns="oracle.bi.presentation/authschemas/v1" defaultSchema="UidPwd">

<!-- ######################################################################## -->
<!-- Search rules for schema (based on content of incoming request) -->
<!-- SAL: ORDER IS IMPORTANT HERE. PLEASE DO NOT CHANGE IT. -->
<!-- Explicitly overridden schema via servlet filter is king -->
<SchemaKeyVariable source="serverVariable" nameInSource="AUTHSCHEMA" options="trim"/>
<!-- After this, container managed SSO schemes are king. Note, only one may be active at
any time. -->
<SchemaKeyVariable source="serverVariable" nameInSource="REMOTE_USER" forceValue="SSO"/>
<SchemaKeyVariable source="serverVariable" nameInSource="REMOTE_USER" forceValue="SSOATG"/>

<SchemaKeyVariable source="httpHeader" nameInSource="SM_USER" forceValue="SSOSiteminder"/>
<!-- Next is explicit user declared parameter for schema -->
<SchemaKeyVariable source="url soap" nameInSource="AuthSchema" options="trim"/>
<!-- More guesswork -->
<SchemaKeyVariable source="url" nameInSource="Impersonate" forceValue="Impersonate"/>
<SchemaKeyVariable source="url" nameInSource="NQUser" forceValue="UidPwd"/>
<!-- Scanning option for Hyperion CSS SSO token -->
<SchemaKeyVariable source="serverVariable" nameInSource="HSS_REMOTE_USER"
forceValue="HyperionCSS"/>
<!-- Note: The name of the cookie here is site-dependent and needs to be customized. -->
<SchemaKeyVariable source="cookie" nameInSource="ICX_SESSION" forceValue="EBS-ICX"/>
<!-- ######################################################################## -->
<!-- Group for HTTP POST login -->
<AuthenticationSchemaGroup>
<RequestVariable source="url" type="auth" nameInSource="NQUser" biVariableName="UID"
options="trim" />
<RequestVariable source="url" type="auth" nameInSource="NQPassword"
biVariableName="PWD" options="secure"/>
<RequestVariable source="url" type="proxyUserAuth" nameInSource="RUNAS"
biVariableName="NQ_SESSION.RUNAS" />
<!-- Interactive browser login using BIPS login screen or REST login. -->
<AuthenticationSchema name="UidPwd" displayName="Username Password (Browser)"
userID="UID" proxyUserID="NQ_SESSION.RUNAS" />
<!-- HTTP POST or REST API for Impersonation. Works in the browser. -->
<AuthenticationSchema name="Impersonate" displayName="Impersonation (Browser)"
userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS">
<RequestVariable source="url" type="auth" nameInSource="Impersonate"
biVariableName="IMPERSONATE" options="required"/>
</AuthenticationSchema>
</AuthenticationSchemaGroup>
<!-- Group for SOAP login -->
<AuthenticationSchemaGroup>
<RequestVariable source="soap" type="auth" nameInSource="name" biVariableName="UID"/>
<RequestVariable source="soap" type="auth" nameInSource="password" biVariableName="PWD"
options="secure"/>
<RequestVariable source="soap" type="auth" nameInSource="AUTHINITBLOCKSONLY"
biVariableName="NQ_SESSION.AUTHINITBLOCKSONLY" options="secure"/>
<!-- Scheme for SOAP username password logon. Required, should not be disabled. -->
<AuthenticationSchema name="UidPwd-soap" displayName="Username Password (SOAP)"
userID="UID" proxyUserID="NQ_SESSION.RUNAS"/>
<!-- Scheme for SOAP impersonation. Required, should not be disabled. -->
<AuthenticationSchema name="Impersonate-soap" displayName="Impersonation (SOAP)"
userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS">
<RequestVariable source="soap" type="auth" nameInSource="impersonateID"
biVariableName="IMPERSONATE" options="required"/>
</AuthenticationSchema>
</AuthenticationSchemaGroup>
<!-- Group for various SSO schemes -->
<AuthenticationSchemaGroup>

<RequestVariable source="credStoreUser" type="auth"
nameInSource="oracle.bi.system/system.user" biVariableName="UID"/>
<RequestVariable source="credStorePwd" type="auth"
nameInSource="oracle.bi.system/system.user" biVariableName="PWD" options="secure"/>
<RequestVariable source="url" type="proxyUserAuth" nameInSource="RUNAS"
biVariableName="NQ_SESSION.RUNAS"/>
<!-- Generic SSO scheme. Assumes container has JAAS subject populated and servlet
getRemoteUser returns the right thing. -->
<!-- This works for OAM, Oracle SSO, WNA (with WLS) etc. -->
<AuthenticationSchema name="SSO" displayName="Single Sign On" userID="IMPERSONATE"
proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">
<RequestVariable source="serverVariable" type="auth" nameInSource="REMOTE_USER"
biVariableName="IMPERSONATE" options="stripWindowsDomain required"/>
</AuthenticationSchema>

<!-- CA Siteminder -->
<AuthenticationSchema name="SSO-Siteminder" displayName="CA Siteminder"
userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">
<!-- Name of header may need to tweaked per-site. If possible, it is better
to use the generic SSO scheme as it is more secure. -->
<RequestVariable source="httpHeader" type="auth" nameInSource="SM_USER"
biVariableName="IMPERSONATE" options="required"/>
<!-- <RequestVariable source="serverVariable" type="auth" nameInSource="REMOTE_USER"
biVariableName="REMOTE_USER_VERIFICATION" options="required bipsinternal" /> -->
</AuthenticationSchema>
<!-- Hyperion CSS. This requires a corresponding servlet filter to be enabled in the
analytics webapp. -->
<!-- Moreover, CSS JARs must be on the classpath and configured to function in the J2EE
container. -->
<AuthenticationSchema name="HyperionCSS" displayName="Hyperion CSS Token"
userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS">
<RequestVariable source="serverVariable" type="auth" nameInSource="HSS_REMOTE_USER"
biVariableName="IMPERSONATE" options="required"/>
</AuthenticationSchema>
</AuthenticationSchemaGroup>
<!-- Group for Oracle Fusion Applications session integration -->
<AuthenticationSchemaGroup>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_LANGUAGE" biVariableName="NQ_SESSION.AOL_LANGUAGE"/>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_TIMEZONE" biVariableName="NQ_SESSION.AOL_TIMZONE"/>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_TERRITORY" biVariableName="NQ_SESSION.AOL_TERRITORY"/>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_TIME_FORMAT" biVariableName="NQ_SESSION.AOL_TIME_FORMAT"/>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_CURRENCY" biVariableName="NQ_SESSION.AOL_CURRENCY"/>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_DATE_FORMAT" biVariableName="NQ_SESSION.AOL_DATE_FORMAT"/>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_DECIMAL_SEPARATOR" biVariableName="NQ_SESSION.AOL_DECIMAL_SEPARATOR"/>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_GROUPING_SEPARATOR" biVariableName="NQ_SESSION.AOL_GROUPING_SEPARATOR"/>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_CLIENT_ENCODING" biVariableName="NQ_SESSION.AOL_CLIENT_ENCODING"/>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_ACCESSIBILITY_MODE" biVariableName="NQ_SESSION.AOL_ACCESSIBILITY_MODE"/>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_NLS_LANG" biVariableName="NQ_SESSION.AOL_NLS_LANG"/>

<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_NLS_LANGUAGE" biVariableName="NQ_SESSION.AOL_NLS_LANGUAGE"/>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_NLS_SORT" biVariableName="NQ_SESSION.AOL_NLS_SORT"/>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_NUMBER_FORMAT" biVariableName="NQ_SESSION.AOL_NUMBER_FORMAT"/>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_APPLICATION_ID" biVariableName="NQ_SESSION.AOL_APPLICATION_ID"/>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_COLOR_CONTRAST" biVariableName="NQ_SESSION.AOL_COLOR_CONTRAST"/>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_EMBEDDED_HELP_ENABLED"
biVariableName="NQ_SESSION.AOL_EMBEDDED_HELP_ENABLED"/>
<RequestVariable source="serverVariable soap" type="informational"
nameInSource="AOL_FONT_SIZE" biVariableName="NQ_SESSION.AOL_FONT_SIZE"/>
<!-- Scheme for embedded ADF Task Flow integrated with ApplCore session. -->
<AuthenticationSchema name="Impersonate-ATG-soap" displayName="Impersonation + Fusion
Applications Interop (SOAP)" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS">
<RequestVariable source="soap" type="auth" nameInSource="name"
biVariableName="UID"/>
<RequestVariable source="soap" type="auth" nameInSource="password"
biVariableName="PWD" options="secure"/>
<RequestVariable source="soap" type="auth" nameInSource="impersonateID"
biVariableName="IMPERSONATE" options="required"/>
</AuthenticationSchema>
<!-- Scheme for generic SSO with ApplCore session integration. -->
<AuthenticationSchema name="SSO-ATG" displayName="SSO + Fusion Applications Interop"
userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI" >
<RequestVariable source="credStoreUser" type="auth"
nameInSource="oracle.bi.system/system.user" biVariableName="UID"/>
<RequestVariable source="credStorePwd" type="auth"
nameInSource="oracle.bi.system/system.user" biVariableName="PWD" options="secure"/>
<RequestVariable source="serverVariable" type="auth" nameInSource="REMOTE_USER"
biVariableName="IMPERSONATE" options="required" />
</AuthenticationSchema>
</AuthenticationSchemaGroup>
<!-- Scheme for Oracle EBS Apps ICX session integration -->
<AuthenticationSchema name="EBS-ICX" displayName="Oracle eBusiness Applications ICX
Session" options="noLogoffUI noLogonUI" >
<!-- Note: The name of the cookie here is site-dependent and needs to be customized.
-->
<!-- The URL parameter name is fixed and should not be changed. -->
<RequestVariable source="cookie" type="auth" nameInSource="ICX_SESSION"
biVariableName="NQ_SESSION.ICX_SESSION_COOKIE"/>
<RequestVariable source="url" type="informational" nameInSource="ACF"
biVariableName="NQ_SESSION.ACF"/>
</AuthenticationSchema>
</AuthenticationSchemas>

IMPORTANT NOTE: The authenticationschemas.xml file is an internal configuration
file. Any custom changes made to this file, such as those described in this document,
will not be handled by patching or upgrade processes.

8) Restart Oracle BI Presentation Services.
9) Navigate to http://[webserver:port]/analytics. You should be prompted for
UID/password via a SiteMinder login screen or popup dialog.
10) Enter credentials from your LDAP identity store.
11) You should get access to BI.

3.7 Configuring WebLogic to prevent direct access to BI
Follow the WebLogic documentation to set up a Connection Filter so that only the
web server protected by the SiteMinder Web Agent and machines running BI
components are allowed to access the WebLogic server:
1. Instructions on configuring the default connection filter are contained in the
section entitled Using Connection Filters in the WebLogic documentation at:
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/domain.htm#SECMG410
2. Instructions on writing an appropriate filter rule are contained in the section
entitled Guidelines for Writing Connection Filter Rules in the WebLogic
documentation at:
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13711/con_filtr.htm#SCPRG377
3. Your filter rules should look like this:
[web server IP Address] * [WebLogic Admin Server Port] allow
[web server IP Address] * [WebLogic Managed Server Port] allow
[BI component server IP Address] * [WebLogic Admin Server Port] allow
[Another BI component server IP Address (if it exists)] * [WebLogic Managed Server Port] allow
0.0.0.0/0 * * deny
Test that you can access the WebLogic Administration Console and BI via the web
server, but not directly from any other machine.
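The rule set above, evaluated the way WebLogic applies connection filter rules (in order, first match wins), as an added example that is not part of the original paper. The IP addresses and ports are constructed placeholders, and the default-allow behaviour for a connection that matches no rule is an assumption stated in the code; it is the reason the paper's rule set ends with a deny-all rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    target: ipaddress.IPv4Network   # remote host or network the rule applies to (IPv4, as in the paper)
    local_addr: Optional[str]       # None stands for the '*' wildcard
    local_port: Optional[int]       # None stands for the '*' wildcard
    action: str                     # "allow" or "deny"


def parse_rule(line: str) -> Rule:
    """Parse one rule in the form used by the paper:
    'target localAddress localPort allow|deny' (a trailing protocol list is ignored)."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"malformed rule: {line!r}")
    target, local_addr, local_port, action = fields[:4]
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    # A bare address is a single host; 'a.b.c.d/bits' or 'a.b.c.d/netmask' is a range.
    network = ipaddress.ip_network(target if "/" in target else f"{target}/32", strict=False)
    return Rule(
        target=network,
        local_addr=None if local_addr == "*" else local_addr,
        local_port=None if local_port == "*" else int(local_port),
        action=action,
    )


def evaluate(rules: List[Rule], remote_ip: str, local_addr: str, local_port: int) -> str:
    """Decide a connection: rules are checked in order and the first match wins.
    Assumption made by this example: a connection that matches no rule is
    allowed, which is why the paper's rule set ends with '0.0.0.0/0 * * deny'."""
    remote = ipaddress.ip_address(remote_ip)
    for rule in rules:
        if remote not in rule.target:
            continue
        if rule.local_addr is not None and rule.local_addr != local_addr:
            continue
        if rule.local_port is not None and rule.local_port != local_port:
            continue
        return rule.action
    return "allow"


# Constructed sample values for this example; not taken from any real deployment.
WEB_SERVER_IP = "10.0.0.10"     # Apache with the SiteMinder Web Agent and WebLogic plugin
BI_COMPONENT_IP = "10.0.0.20"   # machine running the BI system components
WEBLOGIC_IP = "10.0.0.30"       # local address of the WebLogic listener
ADMIN_PORT = 7001               # WebLogic Admin Server port
MANAGED_PORT = 9704             # WebLogic managed server port hosting /analytics

# The paper's rule set with the placeholders filled in.
PAPER_RULES = [parse_rule(line) for line in (
    f"{WEB_SERVER_IP} * {ADMIN_PORT} allow",
    f"{WEB_SERVER_IP} * {MANAGED_PORT} allow",
    f"{BI_COMPONENT_IP} * {ADMIN_PORT} allow",
    f"{BI_COMPONENT_IP} * {MANAGED_PORT} allow",
    "0.0.0.0/0 * * deny",
)]


def check_paper_rules() -> dict:
    """The test the paper asks for: reachable via the web server and the BI hosts,
    refused from any other machine (a workstation trying to bypass SiteMinder)."""
    return {
        "webserver_to_managed": evaluate(PAPER_RULES, WEB_SERVER_IP, WEBLOGIC_IP, MANAGED_PORT),
        "bi_host_to_admin": evaluate(PAPER_RULES, BI_COMPONENT_IP, WEBLOGIC_IP, ADMIN_PORT),
        "workstation_to_managed": evaluate(PAPER_RULES, "192.168.1.50", WEBLOGIC_IP, MANAGED_PORT),
        "workstation_to_admin": evaluate(PAPER_RULES, "192.168.1.50", WEBLOGIC_IP, ADMIN_PORT),
    }


def without_deny_all() -> str:
    """Dropping the final deny rule: the workstation falls through to the default."""
    return evaluate(PAPER_RULES[:-1], "192.168.1.50", WEBLOGIC_IP, MANAGED_PORT)


def deny_all_first() -> str:
    """Putting the deny rule first: even the web server is refused."""
    return evaluate([PAPER_RULES[-1]] + PAPER_RULES[:-1], WEB_SERVER_IP, WEBLOGIC_IP, MANAGED_PORT)


if __name__ == "__main__":
    for name, decision in check_paper_rules().items():
        print(f"{name:24s} -> {decision}")
    print("without deny-all:", without_deny_all())
    print("deny-all first:  ", deny_all_first())
```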

3.7.1 Protecting direct HTTP access to OBIPS
Follow the guidance in the Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition, section 4.3 SSO Implementation
Considerations
(http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10543/sso.htm#CEGBECIH).
For convenience, an extract from the 11.1.1.3 document is shown below.


When implementing an SSO solution with Oracle Business Intelligence you should
consider the following:
- When accepting trusted information from the HTTP server or servlet
  container, it is essential to secure the machines that communicate directly
  with the Oracle BI Presentation Server. This can be done by setting the
  Listener\Firewall node in the instanceconfig.xml file with the list of HTTP
  Server or servlet container IP addresses. Additionally, the Firewall node must
  include the IP addresses of all Oracle BI Scheduler instances, Oracle BI
  Presentation Services Plug-in instances and Oracle BI Javahost instances. If
  any of these components are co-located with Oracle BI Presentation Services,
  then address 127.0.0.1 must be added in this list as well. This setting does
  not control end-user browser IP addresses.
- When using mutually-authenticated SSL, you must specify the Distinguished
  Names (DNs) of all trusted hosts in the Listener\TrustedPeers node.
An example of the configuration required in your instanceconfig.xml file is
shown below:
<Listener>
<Firewall>
<Allow address="[IP Address of 1st machine hosting BI Components]"/>
<Allow address="[IP Address of another machine hosting BI Components if it exists]"/>
<Allow address="[IP Address of another machine hosting BI Components if it exists]"/>
</Firewall>
<!-- other settings ... -->
</Listener>
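An added check, not from the paper or from Oracle, that reads the Listener/Firewall node from an instanceconfig.xml document and compares it with an inventory of the components the extract above says must be listed (HTTP servers, Scheduler, Presentation Services Plug-in, Javahost, and 127.0.0.1 when co-located). The sample document, host roles and addresses are constructed; the element layout under Listener is assumed to match the extract, and namespaced documents are accepted as well.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List


def _local_name(tag: str) -> str:
    """Strip a namespace prefix such as '{oracle.bi...}Allow' down to 'Allow'."""
    return tag.rsplit("}", 1)[-1]


def firewall_allow_list(instanceconfig_xml: str) -> List[str]:
    """Return every address attribute found under Listener/Firewall/Allow.
    Namespaced and unnamespaced documents are both accepted (assumption: the
    element names match the excerpt in the paper). Empty list if the node is absent."""
    root = ET.fromstring(instanceconfig_xml)
    addresses: List[str] = []
    for listener in root.iter():
        if _local_name(listener.tag) != "Listener":
            continue
        for firewall in listener:
            if _local_name(firewall.tag) != "Firewall":
                continue
            for allow in firewall:
                if _local_name(allow.tag) == "Allow" and allow.get("address"):
                    addresses.append(allow.get("address").strip())
    return addresses


def audit_firewall(instanceconfig_xml: str, trusted_hosts: Dict[str, str],
                   colocated: bool) -> Dict[str, List[str]]:
    """Compare the Allow list against the hosts that must be there: each HTTP
    server / servlet container, Scheduler, Presentation Services Plug-in and
    Javahost, plus 127.0.0.1 when any of them shares the OBIPS machine.
    Any other address on the list is a machine that can hand OBIPS an SM_USER
    header directly, so it is reported as unexpected."""
    required = dict(trusted_hosts)
    if colocated:
        required["loopback (co-located component)"] = "127.0.0.1"

    invalid: List[str] = []
    valid: List[str] = []
    for addr in firewall_allow_list(instanceconfig_xml):
        try:
            ipaddress.ip_address(addr)
            valid.append(addr)
        except ValueError:
            # hostnames or template placeholders left unfilled, e.g. "[IP Address ...]"
            invalid.append(addr)

    missing = [f"{role}: {ip}" for role, ip in required.items() if ip not in valid]
    unexpected = sorted(set(valid) - set(required.values()))
    return {"missing": missing, "unexpected": unexpected, "invalid": invalid}


# Constructed sample instanceconfig.xml excerpt: the element layout follows the
# paper's extract, the addresses are placeholders, and one template value has
# deliberately been left unfilled.
SAMPLE_INSTANCECONFIG = """<WebConfig>
  <ServerInstance>
    <Listener>
      <Firewall>
        <Allow address="10.0.0.10"/>
        <Allow address="10.0.0.20"/>
        <Allow address="10.0.0.99"/>
        <Allow address="[IP Address of another machine hosting BI Components if it exists]"/>
      </Firewall>
    </Listener>
  </ServerInstance>
</WebConfig>
"""

# Constructed inventory of the machines that talk to OBIPS directly.
TRUSTED_HOSTS = {
    "Apache with SiteMinder Web Agent": "10.0.0.10",
    "Scheduler and Javahost": "10.0.0.20",
    "Presentation Services Plug-in": "10.0.0.30",
}


def run_audit() -> Dict[str, List[str]]:
    """Audit the sample with the Scheduler/Javahost assumed co-located with OBIPS."""
    return audit_firewall(SAMPLE_INSTANCECONFIG, TRUSTED_HOSTS, colocated=True)


if __name__ == "__main__":
    for finding, items in run_audit().items():
        print(f"{finding}: {items}")
```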


4 Troubleshooting
Some common problems and resolutions are listed below.

Issue: /analytics is protected by SiteMinder, but you still just see the BI login page.
Hints:
- Is the UserID being passed to BI via the SM_USER HTTP header variable?
- Turn on some logging in instanceconfig.xml:
<FilterRecord
writerClassGroup="File"
disableCentralControl="true"
path="saw.httpserver.request"
information="16"
warning="32"
error="32"
trace="32"
incident_error="32"/>
<FilterRecord
writerClassGroup="File"
disableCentralControl="true"
path="saw.httpserver.response"
information="16"
warning="32"
error="32"
trace="32"
incident_error="32"/>
  Then restart OBIPS. Try to log in again and review the end of the OBIPS log.
  Look for HTTP header variables. This allows you to review the HTTP headers and
  cookie values being received by OBIPS in order to debug SSO.

Issue: SiteMinder does not let your user log in.
Hints:
- Turn on logging/debug for your Web Agent. Refer to SiteMinder documentation
  for details on how to do this. Try again and review the log.

Issue: User logs in to BI with 'Act As' by default.
Hints:
- In Oracle BI 11.1.1.3.0, if an Init Block is used to set the USER variable, but
  this variable has a default initializer and the Init Block is not marked
  'Required for Authentication', then 'Act As' functionality is invoked.
- Make sure the Init Block to set USER is marked 'Required for Authentication'.
- Make sure the USER variable does not have a default value.

Issue: User experiences issues with access to webcat folder 'My Folders'.
Hints:
- Refresh GUIDs. Refer to the Oracle BI 11.1.1.3.0 Security Guide Section 3.2.1.4
  for more information.
- Make sure that the User does not exist in the WebLogic LDAP as well as the
  primary Identity Store.


Configuring Oracle Business Intelligence Enterprise Edition 11g to work with SiteMinder SSO
April 2011
Author: Adam Bloom
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
www.oracle.com
Copyright 2011, Oracle. All rights reserved.
This document is provided for information purposes only
and the contents hereof are subject to change without notice.
This document is not warranted to be error-free, nor subject to
any other warranties or conditions, whether expressed orally
or implied in law, including implied warranties and conditions of
merchantability or fitness for a particular purpose. We specifically
disclaim any liability with respect to this document and no
contractual obligations are formed either directly or indirectly
by this document. This document may not be reproduced or
transmitted in any form or by any means, electronic or mechanical,
for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective owners.
