16.2 Configuring Single Sign-On

To run a report, you must log in with a valid SSO userid and password. The Oracle Internet Directory instance installed with Oracle Fusion Middleware is used as the default repository for user and group information. If you want to configure the Reports Server to use a different Oracle Internet Directory instance or disable security, refer to Section 16.3, "Administering Single Sign-On". For information on how to add users to Oracle Internet Directory, refer to Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. In addition, for each Oracle Fusion Middleware installation, the Reports Server instances connect to Oracle Internet Directory as an application entity that is unique to the Oracle Fusion Middleware installation. For more information on this behavior, refer to Section 16.3.4, "Connecting to Oracle Internet Directory".

If a user is not already logged in to Single Sign-On, they are prompted to log in when they attempt to run a report to the Reports Server through rwservlet. If the user parameters for a report include SSOCONN, OracleAS Single Sign-On server will search for the user's data source credentials in Oracle Internet Directory. If none are found, then OracleAS Single Sign-On server prompts the user to create a new resource. For more information on rwservlet, refer to Section A.2.5, "rwservlet". For more information on SSOCONN, refer to Section 16.3.3.1, "SSOCONN". In the case of OAM server, if the user's data source credentials do not exist in Oracle Internet Directory, then Oracle Reports raises a 'key does not exist' error message. You must create a new resource in Oracle Internet Directory using the LDIF samples located on OTN at http://www.oracle.com/technetwork/middleware/reports/overview/index.html or see Section 16.3.3.2.3, "Batch Loading". For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

The Reports Server is also configured to operate with Oracle Portal by default if Oracle Portal is configured. You can optionally add reports to the portal and enable users to launch them from the portal. Since users must log in to the portal in this case, they are not prompted to log in again when they launch their reports because they have already been identified to Single Sign-On mode by logging in to the portal.

You can also optionally define access controls for resources associated with the Reports Server (for example, reports, printers, Reports Servers, and calendars) in Oracle Portal. To control access to resources, you must add them to the portal and specify their access options. The resource access controls you specify in Oracle Portal apply to reports that you run outside of the portal as well. For example, if a user tries to run a report through rwservlet, it will be subject to any access controls you have put in place through Oracle Portal.

See Also:

Chapter 15, "Deploying Reports in Oracle Portal" for more information about the integration between Oracle Portal and Oracle Reports Services.

Note:

In the case of OSSO server, it is recommended that you use Single Sign-On to hide authid in URLs. For more information, see Section 7.3.1.1.18, "allowauthid".
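
To check whether authid is still reaching the web tier in URLs, the access logs can be audited. The following is an added example, not Oracle's code: it assumes Oracle HTTP Server writes Apache combined-format access logs, that rwservlet keyword=value pairs are separated by `&` or `+`, and that an authid value has the form username/password; the log lines, host names and credentials are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:10:01:22 +0000] "GET /reports/rwservlet?server=rep1+report=sales.rdf+authid=jsmith/Example1+destype=cache HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - jdoe [12/Mar/2024:10:02:05 +0000] "GET /reports/rwservlet?server=rep1&report=sales.rdf&destype=cache HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.12 - - [12/Mar/2024:10:03:41 +0000] "GET /reports/rwservlet?report=hr.rdf&AUTHID=adm%2FExample2&desformat=pdf HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.13 - - [12/Mar/2024:10:04:00 +0000] "GET /static/logo.png HTTP/1.1" 200 300 "http://reports.example.test/reports/rwservlet?report=x.rdf+authid=bob/Example3" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)
# Assumption: keyword=value pairs on a rwservlet URL are separated by '&' or '+'.
AUTHID_RE = re.compile(r'(?:^|[&+])authid=([^&+\s]*)', re.IGNORECASE)


def find_authid(url):
    """Return the user part of an authid value on a rwservlet URL, else None."""
    if "rwservlet" not in url.lower() or "?" not in url:
        return None
    m = AUTHID_RE.search(url.split("?", 1)[1])
    if not m:
        return None
    # Decode after matching so %2F inside the value is handled; drop the password.
    return unquote(m.group(1)).split("/", 1)[0]


def scan(log_text):
    """Return (timestamp, client_ip, field, user) for each authid exposure."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # The request target and the Referer header can both carry the URL.
        for where in ("target", "referer"):
            user = find_authid(m.group(where))
            if user is not None:
                findings.append((m.group("ts"), m.group("ip"), where, user))
    return findings


if __name__ == "__main__":
    for ts, ip, where, user in scan(SAMPLE_LOG):
        print(f"{ts} {ip} authid in {where} for user {user!r} (password redacted)")
```

Any account reported here has had its password written to the access log or sent in a Referer header, so treat that password as exposed and rotate it.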

16.2.1 Single Sign-On Components used by Oracle Reports

Figure 16-1 provides an overview of the Single Sign-On component architecture.

Figure 16-1 Single Sign-On Architecture


The components of the Single Sign-On environment include:

  • A client Web browser

  • Oracle HTTP Server

    The Oracle HTTP Server processes requests from the client browser.

    Note:

    At the highest level, all communication to and from Oracle HTTP Server may be configured to use SSL. The Oracle HTTP Server incorporates an OpenSSL module to provide support for Secure Sockets Layer (SSL) and HTTP Secure Sockets Layer (HTTPS). Once this is set up in the Oracle HTTP Server (see Oracle Fusion Middleware Administrator's Guide for Oracle HTTP Server), rwservlet automatically detects the SSL port number.
  • Reports Servlet

    Oracle Reports Servlet (rwservlet) is a component of Oracle Reports Services that runs inside Oracle WebLogic Server. When a report request comes to the Oracle HTTP Server, Oracle Reports Servlet (rwservlet) passes the job request to Reports Server.

  • Reports Server

    Reports Server (rwserver) processes client requests, which includes ushering them through authentication and authorization checking, scheduling, caching, and distribution.

  • Authentication Server

    • Oracle AS Single Sign-On server (OSSO) - OracleAS Single Sign-On is responsible for managing users' Single Sign-On sessions. It verifies login credentials by looking them up in Oracle Internet Directory.

    • Oracle Access Manager (OAM server) - It is an Oracle FMW 11g authentication server that provides a full range of security functions that include Web single sign-on, authentication and authorization. When running Reports Services, it uses Oracle Internet Directory as the Identity Store. Oracle Access Manager can use either mod_osso or webgate as the access client configured with Oracle HTTP Server.

  • Access Client

    • mod_osso - The HTTP module mod_osso simplifies the authentication process by serving as a partner application to the authentication server, rendering authentication transparent for applications. Oracle Forms Services and Oracle Reports Services can use mod_osso to register as partner applications with the authentication server.

    • webgate - WebGate provides single sign-on support. It intercepts incoming HTTP requests and forwards them to the Access Server for authentication. Oracle Forms Services and Oracle Reports Services can use webgate as an access client with the authentication server.

  • Oracle Internet Directory

    Oracle Internet Directory is Oracle's highly scalable, native LDAP version 3 service and hosts the Oracle common user identity. OracleAS Single Sign-On authenticates users against the information stored in Oracle Internet Directory. As noted in earlier sections, when Single Sign-On is enabled for Oracle Reports Services, it checks Oracle Internet Directory for user and group privilege information. It also retrieves data source connection information from Oracle Internet Directory.

  • Oracle Delegated Administration Services

    The Delegated Administration Service provides a comprehensive interface for making updates to Oracle Internet Directory. Oracle Reports Services displays Oracle Delegated Administration Services when it encounters a Single Sign-On key that does not already have a data source connection string associated with it in Oracle Internet Directory.

For more information, refer to Chapter 16, "Configuring and Administering Oracle Single Sign-On".

16.2.2 Setup Process

The user can enable Single Sign-On for Reports application either during installation or postinstallation. This section discusses the following scenarios:

16.2.2.1 Enabling Single Sign-On for Reports Application during Installation

If the user selects Application Identity Store and an authentication server during the installation of Oracle Forms and Reports 11gR2, then the Reports applications will be configured to be authenticated by an authentication server. The flowchart in Figure 16-2 describes the steps to enable SSO authentication for Reports applications.

Figure 16-2 Enabling Single Sign-On for Reports Application during Installation


The steps depicted in the flowchart are described in detail in Table 16-1:

Table 16-1 Tasks to Enable Single Sign-On for Reports during installation

| Tasks | Options | Description | Comments |
|---|---|---|---|
| Task 1: Select an Application Identity Store (OID) | No | User chooses not to configure Reports with Single Sign-On authentication. | |
| | Yes | User chooses to configure Reports with Single Sign-On authentication. User has to provide the OID access details in the install screen. In the subsequent install screen, the user will be asked to choose the SSO server. | For detailed steps for selecting an Application Identity Store, see Flowchart of Oracle Forms and Reports Installation and Configuration Screens in Oracle Fusion Middleware Installation Guide for Oracle Forms and Reports. |
| Task 2: Select an Authentication (SSO) server | Oracle Single Sign-On Server (OSSO) | User selects Oracle AS 10g Oracle Single Sign On Server (OSSO) as the authentication server. No additional credentials required here. | For detailed steps for Selecting an Authentication server, see Flowchart of Oracle Forms and Reports Installation and Configuration Screens in Oracle Fusion Middleware Installation Guide for Oracle Forms and Reports. |
| | OAM Server | User selects Oracle Access Manager (OAM Server) as the authentication server. User needs to provide OAM server Administrator Credentials. | For detailed steps for Selecting an Authentication server, see Flowchart of Oracle Forms and Reports Installation and Configuration Screens in Oracle Fusion Middleware Installation Guide for Oracle Forms and Reports. |
| Task 3: Setup Webgate Access Client | No | User chooses to configure Reports application with OAM authentication server in the out of the box setup. mod_osso is setup as the access client by default. In this case, no additional steps are required. | |
| | Yes | User chooses to configure Reports application with OAM authentication server with webgate as the access client. The user must install and configure Webgate manually. | For detailed steps for setting up Webgate Access Client, see Section 16.5.3, "Installing and Configuring Webgate with OAM". |


Note:

For more information about enabling Single Sign-On for Oracle Reports during installation, see Oracle Fusion Middleware Installation Guide for Oracle Forms and Reports.

16.2.2.2 Enabling Single Sign-On for Reports Application Postinstallation

If the user does not select Application Identity store during the installation of Oracle Forms and Reports 11gR2, then the Reports application does not get authenticated by the authentication server. However, the user has the choice to enable single sign-on authentication for Reports application postinstallation. The flowchart in Figure 16-3 describes the steps to enable SSO for Reports application postinstallation.

Figure 16-3 Enabling SSO for Reports Application Postinstallation


The steps depicted in the flowchart are described in detail in Table 16-2:

Table 16-2 Tasks to Enable Single Sign-On for Reports Application Postinstallation

| Tasks | Options | Description | Comments |
|---|---|---|---|
| Task 1: Use Fusion Middleware Control (EM) to associate Reports applications with OID | | User chooses to associate Reports application with Oracle Internet Directory. In the subsequent screen, the user will be asked to choose the SSO server. | For detailed steps for associating an Application Identity Store, see Section 14.9, "Configuring External Oracle Internet Directory and Reassociating Reports". |
| Task 2: Select an Authentication (SSO) server | Oracle Single Sign-On Server (OSSO) | User has selected Oracle AS 10g Oracle Single Sign On Server (OSSO) as the authentication server. | If you already have an Oracle Single Sign-On (OSSO) 10g server installed and running, you can use that. If not, you can install Oracle Access Manager 11g. For detailed steps for installing OAM 11g, see Oracle Fusion Middleware Installation Guide for Oracle Forms and Reports. |
| | OAM Server | User has selected Oracle Access Manager (OAM Server) as the authentication server. | For detailed steps for installing OAM 11g, see Oracle Fusion Middleware Installation Guide for Oracle Forms and Reports. |
| Task 3: Generate and apply the osso.conf file | Oracle Single Sign-On Server (OSSO) | User has selected Oracle AS 10g Oracle Single Sign-On Server (OSSO) as the authentication server. | For detailed steps for generating the osso.conf file on the authentication server, see Section 16.5.1, "Generating the Access Client File". |
| | OAM Server | User has selected Oracle Access Manager (OAM Server) as the authentication server. User must generate the osso.conf file on the OAM server using the OAM console. | |
| Task 5: Set up Webgate Access Client | No | The user chose to configure Reports with mod_osso as the access client. To enable SSO postinstallation, you must first register mod_osso as a partner application. | For detailed steps about registering mod_osso as a partner application in OHS, see Section 16.5.2, "Enabling SSO by Registering mod_osso as a Partner Application". |
| | Yes | The user chose to configure Reports application with OAM authentication server with webgate as the access client. The user must install and configure Webgate manually. | For detailed steps for setting up webgate access client, see Section 16.5.3, "Installing and Configuring Webgate with OAM". |