Configuring the EPM System for SSO

EPM System products must be configured to support security agent for SSO. The configuration specified in Shared Services determines the following for all EPM System products:

Whether to accept SSO from a security agent
The authentication mechanism to accept for SSO

In an SSO-enabled environment, the EPM System product that is first accessed by the user parses the SSO mechanism to retrieve the authenticated user ID contained in it. The EPM System product checks the user ID against the user directories configured in Shared Services to determine that the user is a valid EPM System user. It also issues a token that enables SSO across EPM System products.

The configuration specified in Shared Services enables SSO and determines the authentication mechanism to accept for SSO for all EPM System products.

To enable SSO from a web identity management solution:

Launch the Shared Services Console. See "Launching Shared Services Console” in the Oracle Hyperion Enterprise Performance Management System User and Role Security Guide. Log in as a Shared Services Administrator.
Select Administration, then Configure User Directories.
Verify that the user directories used by the web identity management solution are configured as external user directories in Shared Services.
For example, to enable Kerberos SSO, you must configure the Active Directory that is configured for Kerberos authentication as an external user directory.
See “Configuring User Directories” in the Oracle Hyperion Enterprise Performance Management System User and Role Security Guide.
Select Security Options.
Select Show Advanced Options.

In Single Sign-on Configuration in the Defined User Directories screen, perform the following steps.

Select Enable SSO.

From SSO Provider or Agent, select a web identity management solution. Choose Other if you are configuring SSO with Kerberos.

The recommended SSO mechanism is automatically selected. See Table 20. See Supported SSO Methods.

Note:

If you are not using the recommended SSO mechanism, you must choose Other in SSO Provider or Agent. For example, to use a mechanism other than HTTP Header for SiteMinder, choose Other in SSO Provider or Agent and then select the SSO Mechanism that you want to use in SSO Mechanism.

Table 20. Preferred SSO Mechanisms for Web Identity Management Solutions

Web Identity Management Solution	Recommended SSO Mechanism
Oracle Access Manager	Custom HTTP Header^[1]
OSSO	Select Other in SSO Provider or Agent and Custom HTTP Header in SSO Mechanism. Enter Proxy-Remote-User as the name of the custom HTTP header.
SiteMinder	Custom HTTP Header
Kerberos	WebLogic Server: Custom HTTP Header

¹The default HTTP Header name is HYPLOGIN. If you are using a custom HTTP Header, replace the name.

Click OK.