Bookshelf Home | Contents | Index | PDF     

Oracle® Business Intelligence Enterprise Edition Deployment Guide > Implementing Single Sign-On Products With Oracle Business Intelligence >

Understanding How Oracle BI Presentation Services Operates in an SSO Environment

In an environment where SSO has been implemented, when Oracle BI Presentation Services receives an incoming web request, it assumes that the user who issued the request has already been authenticated by the SSO system. Oracle BI Presentation Services uses its own credentials to establish a connection with the Oracle BI Server on behalf of the end user. User personalization and access controls such as data-level security are maintained in this environment. Oracle BI Presentation Services then uses the Oracle BI Server Impersonation feature to create a connection to the Oracle BI Server on behalf of the authenticated end user.

To establish the connection toOracle BI Server, Oracle BI Presentation Services issues a connection string. This connection string has one required parameter called Impersonate. In addition, any parameters supplied by the SSO system, for example locale, default dashboard or other personalization parameters, can be passed to the Oracle BI Server through the connection string.

Oracle BI Presentation Services must be instructed on how to build the connection string. This is done by setting param name attributes for each of the parameters that need to be passed in the connection string in the instanceconfig.xml configuration file.

For every parameter that is passed through in the connection string, Oracle BI Presentation Services has to be instructed on where to query the value of the parameter from. The possible sources, as described in topic Prerequisites for SSO Systems to Integrate With Oracle Business Intelligence, are:

  • HTTP header
  • HTTP cookie
  • Server variable

For example, the following section of the instanceconfig.xml file has been configured to flag that SSO is enabled to direct Oracle BI Presentation Services to include the Impersonate parameter in the connection string and obtain its value from server variable using the server-side option:

<!-- other settings ... -->
   <Auth>
      <SSO enabled="true">
         <ParamList>
            <!--IMPERSONATE param is used to get the authenticated user's username and is required -->
            <Param name="IMPERSONATE"
            source="serverVariable"
            nameInSource="REMOTE_USER"/>
         </ParamList>
      </SSO>
<!-- other settings ... -->

NOTE:  Any URL parameters, for example, nQUser, nQPassword, Impersonate, take precedence over SSO authentication. If Oracle BI Presentation Services is passed authentication information in the URL, it will ignore any values read from configured SSO sources. For example, Symbolic URLs for integration with Oracle's Siebel CRM are configured to support nQUser/nQPassword authentication. To enable SSO authentication, you must remove nQUser and nQPassword from the URLs.

  
Oracle® Business Intelligence Enterprise Edition Deployment Guide Copyright © 2006, Oracle. All rights reserved.