Configuring Oracle Business Intelligence Enterprise Edition 11g to work with SiteMinder SSO
An Oracle White Paper
April 2011 (Updated July 2011)
Contents
1 Purpose
2 Scope
2.1 Prerequisites
3 Configuration Instructions
4 Troubleshooting
Configuring Oracle Business Intelligence Enterprise Edition 11g to work with SiteMinder SSO Page 2
1 Purpose
This paper examines how to configure Oracle Business Intelligence Enterprise
Edition (Oracle BI EE) 11.1.1.3.0 to use SiteMinder version 6 as a Single Sign-On
(SSO) mechanism.
There are two possible approaches for configuring SiteMinder with Oracle BI EE
11g.
One approach involves using a SiteMinder Asserter (Application Agent) provided by
Computer Associates as a plugin to WebLogic combined with a supported
Authenticator such as an Active Directory Authenticator. This approach is not
described in this document and has not been certified by Oracle at this point.
However, customers have successfully configured this approach and it does not
have the same limitations as the approach described in this document.
Under certain circumstances, the approach using an Asserter in WebLogic will not
be possible. In this case, the approach described in this document should be
followed. For example, if group membership for users is defined in a database
table, it is not possible in BI 11.1.1.3.0 to use an authenticator and asserter
approach for authentication.
The approach described in this document is based on an HTTP header provided by
SiteMinder that contains the UserID of an authenticated user. Oracle BI EE then
uses this HTTP header to log the user on. The scenario documented assumes that a
user population exists in an LDAP directory and that the BI Server will retrieve
group membership information for these users via a single SQL statement executed
by an Initialization Block.
2 Scope
This document describes the steps required to integrate Oracle BI Enterprise
Edition with SiteMinder SSO in order to use SiteMinder to provide single sign-on
and secure access to the Oracle BI /analytics URL.
This document is aimed at Oracle BI professionals familiar with both SiteMinder
and Oracle BI Enterprise Edition 11g. In particular, you should have familiarity
with SiteMinder Policy Server and Web Agent as well as HTTP server functionality
and experience of maintaining metadata in the Oracle BI Administration Tool.
Setup is required in both Oracle BI and SiteMinder to perform this integration.
This document assumes that a supported HTTP server has been configured with the
appropriate WebLogic plugin in front of the WebLogic server hosting the web
components of Oracle BI. An example of the WebLogic plugin configuration is
given for an Apache HTTP server; links to the documentation for configuring the
IIS plugin are provided.
You should be aware that there are some limitations of this approach. The known
limitations are as follows:
- Access to BIP via Oracle BI has known issues using this approach which are
  not planned to be addressed for Oracle BI 11.1.1.3.0.
- This document does not address any additional configuration that might be
  required to configure BI Publisher for SiteMinder SSO.
- Invoking Actions that are configured to propagate user identity to targets has
  not been certified.
- Using Essbase as a data source, including propagating the user identity of the
  BI User to Essbase via a CSS Token, is not certified with this approach.
- BISearch is not certified with this approach due to limitations around Secure
  Enterprise Search support for SiteMinder.
- Editing a view in Excel under BIOffice does not work, as BIOffice requires an
  IP address to access analytics whereas SiteMinder must be configured to
  protect analytics via a fully qualified hostname.
This approach has been tested against the following release versions:
- Oracle BI EE 11.1.1.3.0
- SiteMinder 6.0
2.1 Prerequisites
The following prerequisites must be satisfied before you configure Oracle BI 11g
with SiteMinder:
A supported web server (e.g. Apache 2.0, IIS 7.0) must be installed and
running
3 Configuration Instructions
3.1 Creating an Agent on the SiteMinder Policy Server
Follow the SiteMinder documentation to create an Agent to use with your web
server. Here is a summary of the required tasks:
1. Log on to Policy Server Administration console.
a. Right-click on Agents->Create Agent.
b. In Agent Properties, enter a name for the agent (e.g. Hostname of the
machine hosting the web server and SiteMinder Agent)
c. Optional: Enter a description of a new agent.
d. Click OK.
2. In the left tree view:
a. Select Agent Conf Objects.
b. Right-click on IISDefaultSettings or ApacheDefaultSettings, depending
on the Web server software you have installed, and select Duplicate
Configuration Object in context menu.
6. Copy the mod_wl_20.so file to the modules directory under your Apache
install directory.
7. Open your <apache install directory>/conf/httpd.conf file and add the
following lines at the end of the file:
LoadModule weblogic_module modules/mod_wl_20.so
<Location /analytics>
    SetHandler weblogic-handler
    WebLogicHost [fully qualified hostname of the BI Server]
    WebLogicPort [WebLogic managed Server port default is 9704]
</Location>
<Location /ui>
    SetHandler weblogic-handler
    WebLogicHost [fully qualified hostname of the BI Server]
    WebLogicPort [WebLogic managed Server port default is 9704]
</Location>
<Location /xmlpserver>
    SetHandler weblogic-handler
    WebLogicHost [fully qualified hostname of the BI Server]
    WebLogicPort [WebLogic managed Server port default is 9704]
</Location>
<Location /analytics-ws>
    SetHandler weblogic-handler
    WebLogicHost [fully qualified hostname of the BI Server]
    WebLogicPort [WebLogic managed Server port default is 9704]
</Location>
<Location /biservices>
    SetHandler weblogic-handler
    WebLogicHost [fully qualified hostname of the BI Server]
    WebLogicPort [WebLogic managed Server port default is 9704]
</Location>
<Location /biofficeclient>
    SetHandler weblogic-handler
    WebLogicHost [fully qualified hostname of the BI Server]
    WebLogicPort [WebLogic managed Server port default is 9704]
</Location>
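A consistency check for the httpd.conf fragment above, as an added example that is not part of the Oracle white paper: it confirms that the plug-in is loaded and that each of the six paths has a Location block handing off to WebLogic with a fully qualified hostname and a numeric port. The function names and the sample host bi01.example.com are assumptions made for illustration.

```python
import re

# Paths the white paper routes to WebLogic through the plug-in.
REQUIRED_PATHS = ["/analytics", "/ui", "/xmlpserver", "/analytics-ws",
                  "/biservices", "/biofficeclient"]
LOCATION_RE = re.compile(r"<Location\s+(\S+?)>(.*?)</Location>", re.S | re.I)
# Dotted name ending in an alphabetic label: rejects IP literals, short names
# and placeholders that were never filled in.
FQDN_RE = re.compile(r"([A-Za-z0-9-]+\.)+[A-Za-z]{2,}")

def parse_locations(conf_text):
    """Return {path: {lower-cased directive: value}} per <Location> block."""
    blocks = {}
    for path, body in LOCATION_RE.findall(conf_text):
        directives = {}
        for line in body.splitlines():
            parts = line.split("#", 1)[0].split(None, 1)
            if parts:
                directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        blocks[path] = directives
    return blocks

def check_conf(conf_text):
    """Return a list of findings; an empty list means the fragment is consistent."""
    findings = []
    # The module identifier is a symbol name, so the match is case-sensitive.
    if not re.search(r"^\s*LoadModule\s+weblogic_module\s+\S+", conf_text, re.M):
        findings.append("LoadModule weblogic_module line missing")
    blocks = parse_locations(conf_text)
    for path in REQUIRED_PATHS:
        d = blocks.get(path)
        if d is None:
            findings.append(f"{path}: no <Location> block")
            continue
        if d.get("sethandler", "").lower() != "weblogic-handler":
            findings.append(f"{path}: SetHandler is not weblogic-handler")
        if not FQDN_RE.fullmatch(d.get("weblogichost", "")):
            findings.append(f"{path}: WebLogicHost is not a fully qualified hostname")
        if not d.get("weblogicport", "").isdigit():
            findings.append(f"{path}: WebLogicPort is not numeric")
    return findings

# Constructed sample (not from the paper): /ui uses an IP literal, /biservices is absent.
HOSTS = {"/analytics": "bi01.example.com", "/ui": "10.0.0.5", "/xmlpserver": "bi01.example.com",
         "/analytics-ws": "bi01.example.com", "/biofficeclient": "bi01.example.com"}
SAMPLE = "LoadModule weblogic_module modules/mod_wl_20.so\n" + "".join(
    f"<Location {p}>\n  SetHandler weblogic-handler\n  WebLogicHost {h}\n"
    f"  WebLogicPort 9704\n</Location>\n" for p, h in HOSTS.items())

if __name__ == "__main__":
    print("\n".join(check_conf(SAMPLE)) or "no findings")
```

Run it against the real file by passing the contents of httpd.conf to check_conf(); any bracketed placeholder left unreplaced is reported as a host or port finding.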
Agent on your web server. You should include the steps to perform host
registration. Any issues with this step should be directed to SiteMinder
support rather than Oracle support.
TROUBLESHOOTING TIP: Check that your SiteMinder Policy Server shows a new
Trusted Host after completing host registration via Web Agent.
7. Make sure that each Realm created uses the User Directory pointing to the
same Identity Store being used by Oracle BI.
8. Make sure that the SiteMinder Policy is configured to provide the HTTP
header SM_USER, which is the HTTP header SiteMinder will typically set by
default.
6. The SQL can be anything that returns either a list of groups, or a single
group if row-wise initialization is not used.
IMPORTANT NOTES:
- In Oracle BI 11g, Init Blocks to set USER and GROUP will only fire when
  the user trying to authenticate is not found via an Authenticator
  configured in the WebLogic security Realm. Therefore, you should not
  configure any authenticators other than the default authenticator when
  using the method described in this document. The default authenticator
  still needs to be configured and should contain the BI System User and the
  OracleSystemUser and related group.
- When using an Init Block to set the GROUP session variable, the values of
  this variable should be set to match by name against one or more
  Application Roles configured via Enterprise Manager Fusion Middleware
  Control, for example, BIConsumer. A user will be assigned these
  Application Roles and associated permissions during authentication.
- When using init blocks to set USER and GROUP, the association of groups
  to Application Roles is performed using the logic described above.
  Assignment of users and groups to Application Roles in the policy store is
  not used in this case.
- Any values of the GROUP variable that do not match an Application Role
  will be matched by name against the available Web Groups in the BI
  Presentation Services Web Catalog. The user will be assigned these Web
  Groups and associated privileges.
- Any value of GROUP that does not match an Application Role or a Web
  Group will be ignored.
IMPORTANT NOTE: INTERNAL CONFIGURATION AS THOSE DESCRIBED IN THIS DOCUMENT
WILL NOT BE HANDLED BY PATCHING OR UPGRADE PROCESSES.
When implementing a SSO solution with Oracle Business Intelligence you should
consider the following:
<Listener>
    <Firewall>
        <Allow address="[IP Address of 1st machine hosting BI Components]"/>
        <Allow address="[IP Address of another machine hosting BI Components if it exists]"/>
        <Allow address="[IP Address of another machine hosting BI Components if it exists]"/>
    </Firewall>
    <!-- other settings ... -->
</Listener>
4 Troubleshooting
Some common problems and resolutions are listed below.
Issue: /analytics is protected by SiteMinder, but you still just see the BI
login page
Hints:
- Is the UserID being passed to BI via the SM_USER HTTP header variable?
- Turn on some logging in instanceconfig.xml:
<FilterRecord
    writerClassGroup="File"
    disableCentralControl="true"
    path="saw.httpserver.request"
    information="16"
    warning="32"
    error="32"
    trace="32"
    incident_error="32"/>
<FilterRecord
    writerClassGroup="File"
    disableCentralControl="true"
    path="saw.httpserver.response"
    information="16"
    warning="32"
    error="32"
    trace="32"
    incident_error="32"/>
  Then restart OBIPS. Try to log in again and review the end of the OBIPS
  log. Look for HTTP header variables. This allows you to review the HTTP
  headers and cookie values being received by OBIPS in order to debug SSO.
- Turn on logging/debug for your Web Agent. Refer to SiteMinder documentation
  for details on how to do this. Try again and review the log.
Issue: User experiences issues with access to webcat folder 'My Folders'
Hints:
- In Oracle BI 11.1.1.3.0, if an Init Block is used to set the USER variable,
  but this variable has a default initializer and the Init Block is not marked
  'Required for Authentication', then 'Act As' functionality is invoked.
- Make sure the Init Block to set USER is marked 'Required for
  Authentication'.
- Make sure the USER variable does not have a default value.
- Refresh GUIDs. Refer to the Oracle BI 11.1.1.3.0 Security Guide Section
  3.2.1.4 for more information.
- Make sure that the User does not exist in the WebLogic LDAP as well as the
  primary Identity Store.
Configuring Oracle Business Intelligence Enterprise Edition 11g to work with SiteMinder SSO
April 2011
Author: Adam Bloom
Copyright 2011, Oracle. All rights reserved.