4 Enabling SSO Authentication

This chapter provides some general guidelines for configuring single sign-on (SSO) authentication for Oracle Business Intelligence.

This chapter contains the following topics:

  • Section 4.1, "Common SSO Configuration Tasks for Oracle Business Intelligence"

  • Section 4.2, "Understanding SSO Authentication and Oracle Business Intelligence"

  • Section 4.3, "SSO Implementation Considerations"

  • Section 4.4, "Configuring SSO in an Oracle Access Manager Environment"

Note:

Oracle recommends using Oracle Access Manager as an enterprise-level SSO authentication provider with Oracle Fusion Middleware 11g. This chapter assumes that Oracle Access Manager is the SSO authentication provider being used unless stated otherwise. For more information about configuring and managing Oracle Access Manager with Oracle Fusion Middleware, see "Configuring Single Sign-On in Oracle Fusion Middleware" in Oracle Fusion Middleware Security Guide.

4.1 Common SSO Configuration Tasks for Oracle Business Intelligence

Table 4-1 contains common authentication configuration tasks and provides links for obtaining more information.

Table 4-1 Task Map: Configuring SSO Authentication for Oracle Business Intelligence

Task: Configure the SSO authentication provider.
  Description: Configure Oracle Access Manager to protect the Oracle Business Intelligence URL entry points.
  For More Information:
    • Section 4.4, "Configuring SSO in an Oracle Access Manager Environment"
    • "Configuring Single Sign-On in Oracle Fusion Middleware" in Oracle Fusion Middleware Security Guide

Task: Configure HTTP proxy.
  Description: Configure the web proxy to forward requests from Oracle BI Presentation Server to the SSO provider.
  For More Information:
    • "Configuring Single Sign-On in Oracle Fusion Middleware" in Oracle Fusion Middleware Security Guide

Task: Configure a new authenticator for Oracle WebLogic Server.
  Description: Configure the Oracle WebLogic Server domain in which Oracle Business Intelligence is installed to use the new identity store.
  For More Information:
    • Section 4.4.1, "Configuring a New Authenticator for Oracle WebLogic Server"
    • Section 3.2, "Configuring an Alternative Authentication Provider"
    • Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help

Task: Configure a new identity asserter for Oracle WebLogic Server.
  Description: Configure the Oracle WebLogic Server domain in which Oracle Business Intelligence is installed to use the SSO provider as an asserter.
  For More Information:
    • Section 4.4.2, "Configuring a New Identity Asserter for Oracle WebLogic Server"
    • Section 3.2, "Configuring an Alternative Authentication Provider"
    • Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help

Task: Configure the new trusted system user to replace the default BISystemUser.
  Description: Add the new trusted system user name from Oracle Internet Directory to become a member of the BISystem Application Role.
  For More Information:
    • Section 3.2, "Configuring an Alternative Authentication Provider"
    • Section 3.2.1.3, "Configure a New Trusted User (BISystemUser)"

Task: Refresh the user and group GUIDs.
  Description: Refresh the GUIDs of users and groups who migrated from the original identity store to the new identity store (authentication source).
  For More Information:
    • Section 3.2.1.4, "Refresh the User GUIDs"

Task: Enable Oracle Business Intelligence to accept SSO authentication.
  Description: Enable the SSO provider configured to work with Oracle Business Intelligence using Fusion Middleware Control.
  For More Information:
    • Section 4.4.3, "Using Fusion Middleware Control to Enable SSO Authentication"

Note:

For an example of an Oracle Business Intelligence SSO installation scenario, see Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Business Intelligence.

4.2 Understanding SSO Authentication and Oracle Business Intelligence

Integrating a single sign-on (SSO) solution enables a user to log on (sign on) and be authenticated once per browser session. Thereafter, the authenticated user is given access to system components or resources according to the permissions and privileges granted to that user. Oracle Business Intelligence can be configured to trust incoming HTTP requests authenticated by an SSO solution that is configured for use with Oracle Fusion Middleware and Oracle WebLogic Server. For more information about configuring SSO for Oracle Fusion Middleware, see "Configuring Single Sign-On in Oracle Fusion Middleware" in Oracle Fusion Middleware Security Guide.

When Oracle Business Intelligence is configured to use SSO authentication, it accepts authenticated users from whatever SSO solution Oracle Fusion Middleware is configured to use. If SSO is not enabled, then Oracle Business Intelligence challenges each user for authentication credentials. When Oracle Business Intelligence is configured to use SSO, a user is first redirected to the SSO solution's login page for authentication. After the user is authenticated, the SSO solution forwards the user name to Oracle BI Presentation Services, where this name is extracted. Next, a session with the Oracle BI Server is established using the impersonation feature.

After a successful logon using SSO, users are still required to have the oracle.bi.server.manageRepositories permission to log in to the Administration Tool using a valid user name and password combination. After installation, the oracle.bi.server.manageRepositories permission is granted through membership in the default BIAdministration Application Role.

Configuring Oracle Business Intelligence to work with SSO authentication requires, at a minimum, that the following be done:

  • Oracle Fusion Middleware and Oracle WebLogic Server are configured to accept SSO authentication. Oracle Access Manager is recommended in production environments.

  • Oracle BI Presentation Services is configured to trust incoming messages.

  • The HTTP header information required for identity propagation with SSO configurations (namely, user identity and SSO cookie) is specified and configured.

4.2.1 How an Identity Asserter Works

This section describes how an identity asserter works, using the Oracle Access Manager Identity Asserter for single sign-on as the example. The Oracle Access Manager authentication provider works with Oracle WebLogic Server and provides the following features:

  • Identity Asserter for Single Sign-on

    This feature uses the Oracle Access Manager authentication services and validates already-authenticated Oracle Access Manager users through the ObSSOCookie and creates a WebLogic-authenticated session. It also provides single sign-on between WebGates and portals. WebGate is a plug-in that intercepts Web resource (HTTP) requests and forwards them to the Access Server for authentication and authorization.

  • Authenticator

    This feature uses Oracle Access Manager authentication services to authenticate users who access an application deployed in Oracle WebLogic Server. Users are authenticated based on their credentials, for example a user name and password.

After the authentication provider for Oracle Access Manager is configured as the Identity Asserter for single sign-on, the Web resources are protected. Perimeter authentication is performed by WebGate on the web tier; the ObSSOCookie it issues is then used to assert the identity of users who attempt to access the protected WebLogic resources.

All access requests are routed to a reverse proxy Web server. These requests are in turn intercepted by WebGate. The user is challenged for credentials based on the authentication scheme configured within Oracle Access Manager (form-based login recommended).

After successful authentication, WebGate generates an ObSSOCookie and the Web server forwards the request to Oracle WebLogic Server, which in turn invokes Oracle Access Manager Identity Asserter for single sign-on validation. The WebLogic Security Service invokes Oracle Access Manager Identity Asserter for single sign-on, which next gets the ObSSOCookie from the incoming request and populates the subject with the WLSUserImpl principal. The Identity Asserter for single sign-on adds the WLSGroupImpl principal corresponding to the groups the user is a member of. Oracle Access Manager then validates the cookie.

Figure 4-1 depicts the distribution of components and the flow of information when the Oracle Access Manager Authentication Provider is configured as an Identity Asserter for SSO with Oracle Fusion Middleware.

Figure 4-1 Oracle Access Manager Single Sign-On Solution for Web Resources Only

This screenshot or diagram is described in surrounding text.
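The following is an added example, not Oracle's code and not the real ObSSOCookie format: a small simulation of the perimeter-authentication flow just described. A constructed HMAC-signed token stands in for the ObSSOCookie, a constructed password store stands in for Oracle Access Manager's form login, and a constructed group store stands in for the directory. What it shows is the division of labour from the text: WebGate challenges any request that carries no valid cookie, and the identity asserter populates the subject with user and group principals only after the cookie has been validated with the shared secret, rather than trusting the user name carried in the cookie.

```python
"""Simulation of WebGate perimeter authentication plus WebLogic identity assertion.

Added example; not Oracle's code. The token format, secret, user store and
group store are constructed stand-ins for the ObSSOCookie and Access Server.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Secret shared by WebGate and the identity asserter (stand-in for the
# Access Server's cookie validation). Constructed per run.
ACCESS_SERVER_SECRET = secrets.token_bytes(32)

# Constructed stores standing in for the SSO provider's identity store.
PASSWORDS = {"alice": "alice-pw"}
GROUPS = {"alice": ["BIConsumers", "BIAuthors"]}


def _sign(payload: str) -> str:
    return hmac.new(ACCESS_SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Stand-in for WebGate minting an ObSSOCookie after a successful form login."""
    expires = (now if now is not None else int(time.time())) + ttl
    payload = f"{user}|{expires}"
    return f"{payload}|{_sign(payload)}"


def validate_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Stand-in for Access Server validation: the asserted user name, or None."""
    try:
        user, expires, mac = cookie.rsplit("|", 2)
        expires_at = int(expires)
    except ValueError:
        return None
    if not hmac.compare_digest(mac.encode(), _sign(f"{user}|{expires}").encode()):
        return None  # tampered user name or expiry, or a cookie minted elsewhere
    if expires_at <= (now if now is not None else int(time.time())):
        return None  # expired session
    return user


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    # principal type -> names, e.g. WLSUserImpl -> ["alice"]
    subject: Dict[str, List[str]] = field(default_factory=dict)


def form_login(user: str, password: str) -> Optional[str]:
    """Form-based login at the SSO provider; returns a cookie on success."""
    if PASSWORDS.get(user) != password:
        return None
    return issue_cookie(user)


def weblogic_identity_asserter(cookie: str) -> Response:
    """Identity assertion: validate the cookie, then populate the subject."""
    user = validate_cookie(cookie)
    if user is None:
        return Response(401)
    return Response(200, subject={"WLSUserImpl": [user],
                                  "WLSGroupImpl": GROUPS.get(user, [])})


def webgate(cookie: Optional[str]) -> Response:
    """Perimeter check on the web tier: no valid cookie -> redirect to form login;
    otherwise forward to WebLogic Server, which invokes the identity asserter."""
    if cookie is None or validate_cookie(cookie) is None:
        return Response(302, location="/sso/login")
    return weblogic_identity_asserter(cookie)


if __name__ == "__main__":
    print("no cookie      ->", webgate(None))
    cookie = form_login("alice", "alice-pw")
    print("valid cookie   ->", webgate(cookie))
    print("forged cookie  ->", webgate("admin|9999999999|0000"))
```

Run the module directly to see the three outcomes; the subject in the successful response carries the user principal and the group principals that the text describes as WLSUserImpl and WLSGroupImpl.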

4.2.2 How Oracle Business Intelligence Operates With SSO Authentication

After SSO authentication has been implemented, Oracle BI Presentation Services operates as if the incoming web request is from a user authenticated by the SSO solution. Oracle BI Presentation Services then creates a connection to the Oracle BI Server using the impersonation feature and establishes the connection to the Oracle BI Server on behalf of the user. User personalization and access controls such as data-level security are maintained in this environment.

4.3 SSO Implementation Considerations

When implementing an SSO solution with Oracle Business Intelligence you should consider the following:

  • When accepting trusted information from the HTTP server or servlet container, it is essential to secure the machines that communicate directly with the Oracle BI Presentation Server. This can be done by setting the Listener\Firewall node in the instanceconfig.xml file with the list of HTTP Server or servlet container IP addresses. Additionally, the Firewall node must include the IP addresses of all Oracle BI Scheduler instances, Oracle BI Presentation Services Plug-in instances and Oracle BI Javahost instances. If any of these components are co-located with Oracle BI Presentation Services, then the address 127.0.0.1 must be added to this list as well. This setting does not control end-user browser IP addresses.

  • When using mutually authenticated SSL, you must specify the Distinguished Names (DNs) of all trusted hosts in the Listener\TrustedPeers node.

4.4 Configuring SSO in an Oracle Access Manager Environment

For information about how to configure Oracle Access Manager as the SSO authentication provider for Oracle Fusion Middleware, see "Configuring Single Sign-On in Oracle Fusion Middleware" in Oracle Fusion Middleware Security Guide. For more information about managing Oracle Access Manager, see Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

After the Oracle Fusion Middleware environment is configured, in general the following must be done to configure Oracle Business Intelligence:

  • Configure a new authenticator for Oracle WebLogic Server (Section 4.4.1).

  • Configure a new identity asserter for Oracle WebLogic Server (Section 4.4.2).

  • Use Fusion Middleware Control to enable SSO authentication (Section 4.4.3).

4.4.1 Configuring a New Authenticator for Oracle WebLogic Server

After Oracle Business Intelligence is installed, the Oracle WebLogic Server embedded LDAP server is the default authentication source (identity store). The Oracle WebLogic Server domain in which Oracle Business Intelligence is installed must be configured to use the new identity store as the main authentication source. This topic uses Oracle Internet Directory as an example and you should adapt accordingly for the SSO provider being used.

The Control Flag attribute set on each Authentication provider determines how the ordered list of Authentication providers is executed. The possible values for the Control Flag attribute are:

  • REQUIRED - This LoginModule must succeed. Even if it fails, authentication proceeds down the list of LoginModules for the configured Authentication providers. This setting is the default.

  • REQUISITE - This LoginModule must succeed. If other Authentication providers are configured and this LoginModule succeeds, authentication proceeds down the list of LoginModules. Otherwise, control returns to the application.

  • SUFFICIENT - This LoginModule need not succeed. If it does succeed, control returns to the application. If it fails and other Authentication providers are configured, authentication proceeds down the LoginModule list.

  • OPTIONAL - The user is allowed to pass or fail the authentication test of this Authentication provider. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of at least one of the configured providers.
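The following is an added example, not Oracle's code: a model of how WebLogic Server combines the four Control Flag values above over an ordered provider chain (the JAAS semantics the list describes). The provider names, user stores and passwords are constructed. It runs two chains: the chain as it looks when a new authenticator has just been added (the DefaultAuthenticator still REQUIRED and still first, so a user who exists only in the new directory is rejected even though that directory authenticated them), and the chain this section's procedure produces (both authenticators SUFFICIENT, the new directory first). The OAM Identity Asserter is left out because it validates an SSO cookie rather than a password and so does not take part in this password-based chain.

```python
"""Model of WebLogic/JAAS Control Flag evaluation over an ordered provider chain.

Added example; not Oracle's code. Provider names, user stores and passwords
below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


@dataclass(frozen=True)
class Provider:
    name: str
    flag: Flag
    # login(user, password) -> True when this provider authenticated the user
    login: Callable[[str, str], bool]


def authenticate(chain: List[Provider], user: str, password: str) -> Tuple[bool, List[str]]:
    """Evaluate the chain top to bottom; return (overall result, per-provider trace).

    REQUIRED:   must succeed; on failure evaluation continues but the overall
                result is failure.
    REQUISITE:  must succeed; on failure control returns immediately (failure).
    SUFFICIENT: on success control returns immediately with success, unless a
                REQUIRED/REQUISITE provider earlier in the chain already failed;
                on failure evaluation continues.
    OPTIONAL:   may pass or fail; when no REQUIRED/REQUISITE provider exists,
                at least one provider must have succeeded.
    """
    trace: List[str] = []
    required_present = False
    required_failed = False
    any_success = False
    for p in chain:
        ok = p.login(user, password)
        trace.append(f"{p.name}[{p.flag.value}]={'ok' if ok else 'fail'}")
        any_success = any_success or ok
        if p.flag in (Flag.REQUIRED, Flag.REQUISITE):
            required_present = True
            if not ok:
                required_failed = True
                if p.flag is Flag.REQUISITE:
                    return False, trace
        elif p.flag is Flag.SUFFICIENT and ok and not required_failed:
            return True, trace
    if required_present:
        return (not required_failed), trace
    return any_success, trace


def store_login(users: Dict[str, str]) -> Callable[[str, str], bool]:
    """Build a login function over a constructed in-memory user store."""
    return lambda u, pw: users.get(u) == pw


# Constructed stores: the embedded LDAP knows only the WebLogic admin account;
# the new identity store (Oracle Internet Directory in this section) holds BI users.
EMBEDDED_LDAP = store_login({"weblogic": "welcome1"})
OID_DIRECTORY = store_login({"alice": "alice-pw"})

# Chain right after a new authenticator is added: the DefaultAuthenticator keeps
# its installed flag (REQUIRED) and still runs first.
AS_INSTALLED = [
    Provider("DefaultAuthenticator", Flag.REQUIRED, EMBEDDED_LDAP),
    Provider("OID Provider", Flag.SUFFICIENT, OID_DIRECTORY),
]

# Chain after steps 5, 7 and 8 of the procedure in this section: both
# authenticators SUFFICIENT, the new directory first.
RECOMMENDED = [
    Provider("OID Provider", Flag.SUFFICIENT, OID_DIRECTORY),
    Provider("DefaultAuthenticator", Flag.SUFFICIENT, EMBEDDED_LDAP),
]


if __name__ == "__main__":
    for label, chain in (("as installed", AS_INSTALLED), ("recommended", RECOMMENDED)):
        for user, pw in (("alice", "alice-pw"), ("weblogic", "welcome1"), ("alice", "wrong")):
            ok, trace = authenticate(chain, user, pw)
            print(f"{label:12} {user:9} -> {'PASS' if ok else 'FAIL'}  {' ; '.join(trace)}")
```

The trace returned with each result shows which providers were consulted, which makes the REQUISITE short-circuit and the SUFFICIENT early return visible when you experiment with other chains.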

For more information about creating a new default authenticator in Oracle WebLogic Server, see Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help or Oracle Fusion Middleware Securing Oracle WebLogic Server.

To configure a new authenticator in Oracle WebLogic Server:

  1. Log in to Oracle WebLogic Server Administration Console.

    For more information, see Section 2.4.2, "How to Launch Oracle WebLogic Server Administration Console".

  2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, myrealm. Select Providers.

  3. Click New. Complete the fields as follows:

    • Name: OID Provider, or a name of your choosing.

    • Type: OracleInternetDirectoryAuthenticator

    • Click OK

  4. In the Authentication Providers table, click the newly added authenticator.

  5. Navigate to Settings, then select Common:

    • Set the Control Flag to SUFFICIENT.

    • Click Save.

  6. Click the Provider Specific tab and enter the following required settings using values for your environment:

    • Host: Your LDAP host. For example: localhost.

    • Port: Your LDAP host listening port. For example: 6050.

    • Principal: LDAP administrative user. For example: cn=orcladmin.

    • Credential: LDAP administrative user password.

    • User Base DN: Same searchbase as in Oracle Access Manager.

    • All Users Filter: For example, (&(uid=*) (objectclass=person))

    • User Name Attribute: Set as the default attribute for username in the directory server. For example: uid

    • Group Base DN: The group searchbase (same as User Base DN)

    • Leave the All Groups Filter at its default; the default works as is.

    • Click Save.

  7. Default Authenticator: Perform the following steps to set up the Default Authenticator for use with the Identity Asserter:

    1. From Providers tab, select Authentication, then select DefaultAuthenticator to display its configuration page.

    2. Select the Common tab and set the Control Flag to SUFFICIENT.

    3. Click Save.

  8. In the Providers tab, perform the following steps to reorder Providers:

    1. Click Reorder.

    2. On the Reorder Authentication Providers page, select a provider name and use the arrows beside the list to order the providers as follows:

      • OID Authenticator (SUFFICIENT)

      • OAM Identity Asserter (REQUIRED)

      • Default Authenticator (SUFFICIENT)

    3. Click OK to save your changes.

  9. Activate Changes: In the Change Center, click Activate Changes.

  10. Restart Oracle WebLogic Server.

4.4.2 Configuring a New Identity Asserter for Oracle WebLogic Server

The Oracle WebLogic Server domain in which Oracle Business Intelligence is installed must be configured to use an Oracle Access Manager asserter.

For more information about creating a new asserter in Oracle WebLogic Server, see Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help.

To configure a new asserter for Oracle WebLogic Server:

  1. Log in to Oracle WebLogic Server Administration Console.

    For more information, see Section 2.4.2, "How to Launch Oracle WebLogic Server Administration Console".

  2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, myrealm. Select Providers.

  3. Click New. Complete the fields as follows:

    • Name: OAM Provider, or a name of your choosing.

    • Type: OAMIdentityAsserter.

    • Click OK.

    • Click Save.

  4. In the Providers tab, perform the following steps to reorder Providers:

    1. Click Reorder

    2. On the Reorder Authentication Providers page, select a provider name and use the arrows beside the list to order the providers as follows:

      • OID Authenticator (SUFFICIENT)

      • OAM Identity Asserter (REQUIRED)

      • Default Authenticator (SUFFICIENT)

    3. Click OK to save your changes.

  5. Activate Changes: In the Change Center, click Activate Changes.

  6. Restart Oracle WebLogic Server.

You can verify that Oracle Internet Directory is the new identity store (default authenticator) by logging back in to the Oracle WebLogic Server Administration Console and confirming that the users and groups stored in the LDAP server appear there.

4.4.3 Using Fusion Middleware Control to Enable SSO Authentication

After Oracle Business Intelligence has been configured to use the SSO solution configured for use by Oracle Fusion Middleware, you enable SSO authentication for Oracle Business Intelligence in Fusion Middleware Control from the Security tab.

To enable Oracle Business Intelligence to use SSO authentication:

  1. Go to the Business Intelligence Overview page.

    For information, see "Logging In to Fusion Middleware Control" in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

  2. Go to the Security page.

    Click the Help button on the page to access the page-level help for its elements.

  3. Click Lock and Edit Configuration.

  4. Check Enable SSO.

    The SSO provider list becomes active.

  5. Select the configured SSO provider from the list.

  6. Click Apply, then Activate Changes.

  7. Manually edit each instanceconfig.xml file for every Oracle BI Presentation Services process to configure the login and logout information. Inside the <Authentication> section, add the following:

    <SchemaExtensions>
      <Schema name="SSO" logonURL="{your SSO logon URL}" logoffURL="{your logoff URL}"/>
    </SchemaExtensions>

    Note:

    For the logout page, you must use the URL specified by the SSO provider for this purpose. Do not use a URL within the domain and port protected by the SSO provider, because the system does not log users out.

    For information about where to locate Oracle Business Intelligence configuration files, see "Where Configuration Files are Located" in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

  8. Save each instanceconfig.xml file.

  9. Restart the Oracle Business Intelligence components using Fusion Middleware Control.

    For more information, see "Starting and Stopping the Oracle Business Intelligence Components" in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.
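The following is an added example, not Oracle's code: a script that checks the two instanceconfig.xml settings this chapter calls out, the SchemaExtensions entry from step 7 (with its note that the logoff URL must not be inside the host and port protected by the SSO provider) and the Listener\Firewall allow list from Section 4.3 (which must include 127.0.0.1 when components are co-located). The <SchemaExtensions> layout is the one quoted in step 7; the <Listener><Firewall><Allow address="..."/> layout is an assumption about how the Firewall node is written, since only the node name appears in the text. The sample documents, host names and addresses are constructed.

```python
"""Checks for the SSO-related settings in an Oracle BI instanceconfig.xml.

Added example; not Oracle's code. The <SchemaExtensions> layout is the one
quoted in step 7 above; the <Listener><Firewall><Allow address="..."/> layout
is an ASSUMPTION about how the Listener\\Firewall node from Section 4.3 is
written. Sample documents, host names and addresses are constructed.
"""
from typing import List, Optional
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET


def _origin(url: str) -> Optional[str]:
    """host:port of a URL (default port taken from the scheme), or None without a host."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname.lower()}:{port}"


def logoff_url_is_outside(logoff_url: str, protected_url: str) -> bool:
    """Step 7 note: the logoff URL must not sit inside the host:port the SSO
    provider protects, otherwise the SSO session is never actually ended."""
    logoff = _origin(logoff_url)
    return logoff is not None and logoff != _origin(protected_url)


def _strip_namespaces(root: ET.Element) -> ET.Element:
    """A real file may declare a default namespace; drop it so plain paths match."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def check_sso_config(xml_text: str, protected_url: str, colocated: bool) -> List[str]:
    """Return findings for the document; an empty list means the checks passed."""
    findings: List[str] = []
    root = _strip_namespaces(ET.fromstring(xml_text))

    schema = root.find(".//Authentication/SchemaExtensions/Schema[@name='SSO']")
    if schema is None:
        findings.append('no <Schema name="SSO"> under Authentication/SchemaExtensions')
    else:
        for attr in ("logonURL", "logoffURL"):
            if not schema.get(attr):
                findings.append(f"SSO schema is missing {attr}")
        logoff = schema.get("logoffURL")
        if logoff and not logoff_url_is_outside(logoff, protected_url):
            findings.append(f"logoffURL {logoff} is inside the SSO-protected origin {_origin(protected_url)}")

    allowed = {a.get("address") for a in root.findall(".//Listener/Firewall/Allow")}
    if not allowed:
        findings.append("Listener/Firewall lists no HTTP server or servlet container addresses")
    elif colocated and "127.0.0.1" not in allowed:
        findings.append("components are co-located with Presentation Services but 127.0.0.1 is not in Listener/Firewall")
    return findings


# Constructed sample: logoff URL on the SSO provider's host, loopback allowed.
SAMPLE_GOOD = """\
<WebConfig>
  <ServerInstance>
    <Listener>
      <Firewall>
        <Allow address="127.0.0.1"/>
        <Allow address="10.0.0.21"/>
      </Firewall>
    </Listener>
    <Authentication>
      <SchemaExtensions>
        <Schema name="SSO" logonURL="https://bi.example.com/analytics"
                logoffURL="https://sso.example.com/logout"/>
      </SchemaExtensions>
    </Authentication>
  </ServerInstance>
</WebConfig>
"""

# Constructed sample with the two mistakes the chapter warns about: a logoff
# URL inside the protected origin, and no loopback entry in the allow list.
SAMPLE_BAD = (SAMPLE_GOOD
              .replace("https://sso.example.com/logout", "https://bi.example.com/logout")
              .replace('<Allow address="127.0.0.1"/>\n        ', ""))


if __name__ == "__main__":
    for label, doc in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_sso_config(doc, "https://bi.example.com/", colocated=True) or ["ok"])
```

Point check_sso_config at the text of each Presentation Services instanceconfig.xml, passing the URL that Oracle Access Manager protects and whether Scheduler, Plug-in or Javahost run on the same host; anything it returns is a setting to revisit before restarting the components.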