When a user logs in, the web identity management solution authenticates the user against a directory server and encapsulates the credentials of the authenticated user in an SSO mechanism to enable SSO with downstream systems. If the web identity management solution uses a mechanism unsupported by EPM System products, or if the value of the Login Attribute is not available in the SSO mechanism, you can use a custom login class to derive and pass the value of the Login Attribute to EPM System products.
This method allows EPM System to integrate with security agents that use X509 certificate-based authentication. Using a custom login class as the authentication mechanism requires using standard Shared Services APIs to define the SSO interface between EPM System products and the web identity management solution. The custom login class must pass the value of the Login Attribute to EPM System products. See “Configuring OID, Active Directory, and Other LDAP-Based User Directories” in the Oracle Hyperion Enterprise Performance Management System User and Role Security Guide for a brief description of Login Attribute. For sample code and implementation steps, see Implementing a Custom Login Class.
To use a custom login class, an implementation of the com.hyperion.css.CSSSecurityAgentIF interface must be available in the classpath. CSSSecurityAgentIF defines getter methods for retrieving the user name and, optionally, the password. If the implementation returns a null password, security authentication treats the provider as trusted and verifies the existence of the user in configured providers. If the implementation returns a non-null value for password, EPM System attempts to authenticate the request using the user name and password returned by this implementation.
CSSSecurityAgentIF comprises two methods: getUserName and getPassword.
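The following sketch shows a trusted-mode implementation for the X509 case described above. It is an added example, not Oracle's sample code. The class and package names are hypothetical, the `(HttpServletRequest, HttpServletResponse)` method signatures are an assumption to confirm against the Shared Services API, and it assumes the certificate subject's CN holds the Login Attribute value.

```java
package com.example.sso; // hypothetical package name

import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.hyperion.css.CSSSecurityAgentIF;

/** Added example: maps a container-verified client certificate to the Login Attribute. */
public class X509LoginAttributeAgent implements CSSSecurityAgentIF {

    // Assumed signature (request, response); confirm against the Shared Services API.
    @Override
    public String getUserName(HttpServletRequest req, HttpServletResponse res) {
        // Standard servlet attribute, set by the container only after a
        // successful TLS client-authentication handshake.
        X509Certificate[] chain =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            return null; // no verified certificate: return no user name rather than guess one
        }
        // chain[0] is the client's own certificate; its subject DN is RFC 2253 text.
        return commonName(chain[0].getSubjectX500Principal().getName());
    }

    // Null password: EPM System treats this agent as trusted and only checks
    // that the user exists in a configured provider.
    @Override
    public String getPassword(HttpServletRequest req, HttpServletResponse res) {
        return null;
    }

    /** Returns the CN of an RFC 2253 subject DN, or null if absent or malformed. */
    static String commonName(String subjectDn) {
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // Malformed DN: fall through and return no identity.
        }
        return null;
    }
}
```

Because a null password means no credential check is performed, the user name should come only from a value the container or security agent has already verified, such as the certificate attribute used here, and not from a request header or parameter that a client can set.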