Setting Up User Authentication

Users sign directly into Oracle Business Intelligence Enterprise Edition (OBIEE) to access the Fusion Campus Solutions Intelligence application. By setting up single signon with user identity management, you eliminate the need to maintain multiple user ID repositories. The OBIEE system authenticates the user at signon and associates the user with their Application Roles in OBIEE.

The single signon with user identity management feature also enables users to drill in place from the Fusion Campus Solutions Intelligence dashboards or reports to source data in online PeopleSoft transaction applications without encountering an additional PeopleSoft signon page.

This section discusses how to complete the following tasks to set up Oracle Single Signon with Oracle Identity Management for the Fusion Campus Solutions Intelligence application:

Note: PeopleSoft and OBIEE also support third-party single signon authentication systems. For more details, refer to PeopleSoft PeopleTools: Security Administration.

Configuring PeopleTools for LDAP Authentication

To configure the PeopleTools system for LDAP authentication, use the instructions in PeopleSoft PeopleTools: Security Administration to complete these tasks:

  1. Configure the LDAP directory.

    Use the Configure Directory - Directory Setup page (PeopleTools, Security, Directory, Configure Directory, Directory Setup) to specify the network information of your LDAP directory servers.

    Use the Configure Directory - Additional Connect DNs (distinguished names) page (PeopleTools, Directory, Configure Directory, Additional Connect DN's) to specify connect DNs, in addition to the default connect DN specified on the Directory Setup page.

  2. Cache the directory schema.

    Use the Configure Directory - Schema Management page (PeopleTools, Security, Directory, Configure Directory, Schema Management) to install selected PeopleSoft-specific schema extensions into your directory.

    Use the Configure Directory - Test Connectivity page (PeopleTools, Security, Directory, Configure Directory, Test Connectivity) to test the DNs and search criteria that you entered on the previous pages of the Configure Directory component, and view the results.

  3. Create authentication maps.

    Use the Authentication Map - Authentication page (PeopleTools, Security, Directory, Authentication Map, Authentication) to map to the directory that the PeopleSoft system uses to authenticate users.

  4. Create user profile maps.

    Use the User Profile Map - Mandatory User Properties page (PeopleTools, Security, Directory, User Profile Map, Mandatory User Properties) to specify the attributes that are required for signon.

Note: Skip these tasks if you configured the PeopleTools system for LDAP authentication as part of a previous installation.

See PeopleSoft PeopleTools: Security Administration, "Employing LDAP Directory Services," Configuring the LDAP Directory.

Verify the Configuration

Perform the following steps to verify the correct configuration:

  1. Sign onto Oracle's PeopleSoft application as a user with administrative rights, such as VP1, password VP1, and navigate to the Configure Directory component (PSDSSETUP).

    Verify that an LDAP server is configured to match your OID.

    Access the Test Connectivity page and verify that all tests are successful.

  2. Navigate to the Authentication Map - Authentication page.

    Verify that a map exists that matches the directory server in the previous step.

  3. Navigate to the User Profile Map - Mandatory User Properties page.

    Verify that a user profile map exists for the directory server in the previous step.

  4. Navigate to the Signon PeopleCode page (PeopleTools, Security, Security Objects, Signon PeopleCode).

    Verify that the Invoke as button is enabled, and that the User ID and Password fields are populated for the user who has the authority to execute the signon PeopleCode.

    Verify that the functions LDAP_Authentication and LDAP_ProfileSynch are enabled.

  5. Sign onto the PeopleSoft application as an enterprise user that exists in the LDAP server.

  6. If the signon to the PeopleSoft application fails, reboot the associated application server.

Note: The LDAP profiles are synchronized with PeopleSoft user profiles only when users sign onto the application. Therefore, all enterprise users (users that are created in the LDAP server) must sign onto the PeopleSoft application at least once before using the Fusion Campus Solutions Intelligence application.

Configuring OBIEE to Use LDAP Authentication (Oracle Internet Directory)

See Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1), Configuring Oracle BI to use Oracle Internet Directory, sections 3.2.1.1 through 3.2.1.4.

Registering PeopleSoft as a Partner Application with Oracle Access Manager 11g (SSO)

See Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager 11g Release 1 (11.1.1), "Registering Partners (Agents and Applications) by Using the Console," to register PeopleSoft as a partner application with Oracle Access Manager 11g.

Registering OBIEE as a Partner Application with Oracle Access Manager 11g (SSO)

The steps to register OBIEE as a partner application with Oracle Access Manager Server are identical to the steps that you completed when you registered PeopleSoft as a partner application with Oracle Access Manager Server.

Configuring PeopleSoft for Single Signon with Oracle Access Manager 11g

To configure PeopleSoft for single signon with the Oracle Access Manager, complete the tasks that are discussed in this section.

See PeopleSoft PeopleTools: Security Administration, Implementing Single Signon, Implementing Oracle Access Manager as the PeopleSoft Single Signon Solution.

  1. Create a default user ID, which is similar to implementing the web server security exit in PeopleSoft.

    See PeopleSoft PeopleTools: Security Administration, "Employing Signon PeopleCode and User Exits," Using the Web Server Security Exit, Creating a Default User.

  2. Modify the PeopleSoft web profile to contain default user signon information.

    Enable the Allow Public Access option for the web profile.

    Enter the same user ID that you created in the previous step.

    To prevent a user ID from appearing as the default user on the signon page, enter a 0 value for the Days to Auto Fill User ID field.

    See PeopleSoft PeopleTools: Security Administration, "Employing Signon PeopleCode and User Exits," Using the Web Server Security Exit, Modifying the Web Profile.

    See PeopleSoft PeopleTools: PeopleTools Portal Technologies, "Configuring the Portal Environment," Configuring Web Profiles, Configuring Portal Security.

  3. Implement signon PeopleCode.

    Make sure that the Oracle Internet Directory user information exists in PeopleSoft, which can be accomplished with a delivered Signon PeopleCode function.

    This step requires that user profiles are defined in the Oracle Internet Directory and in PeopleSoft. PeopleSoft provides the OSSO_AUTHENTICATION Signon PeopleCode function to obtain user profile and role information from the Oracle Internet Directory. To use this information, add and enable OSSO_AUTHENTICATION in the FUNCLIB_LDAP record definition by using the Signon PeopleCode page.

    We recommend that you modify the entry for SSO_AUTHENTICATION and change the function name to OSSO_AUTHENTICATION. This action avoids mixing single signon options. In your Signon PeopleCode program, modify the getWWWAuthConfig( ) function to assign the value of the default user that you created to the &defaultuserId variable.

    Note: OSSO_AUTHENTICATION must appear before LDAP_PROFILESYNC in the Signon PeopleCode page grid.

    See PeopleSoft PeopleTools: Security Administration, "Employing Signon PeopleCode and User Exits," Using Signon PeopleCode, Enabling Signon PeopleCode.

    Note: Alternatively, you can write a custom PeopleCode program to create the user as needed. However, this customization is not supported by Oracle.

  4. Modify the mod_wl_ohs.conf file, located in <ORACLE_INSTANCE>/config/OHS/<componentName>, to redirect users to the Oracle Single Signon page.

    This is an example of code in the mod_wl_ohs.conf file:

    <Location /PORTAL>
       SetHandler weblogic-handler
       WebLogicHost <server name>
       WeblogicPort <port>
    </Location>
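A lint for Location blocks like the one shown above, as an added example that is not part of the original documentation: it flags blocks where the handler is missing or the <server name> and <port> placeholders were never filled in. The host name, port value and the /analytics path in the sample are constructed.

```python
import re

# Constructed sample: host, port and the /analytics path are made up.
SAMPLE_CONF = """\
<Location /PORTAL>
   SetHandler weblogic-handler
   WebLogicHost psweb01.example.edu
   WeblogicPort 8000
</Location>
<Location /analytics>
   SetHandler weblogic-handler
   WebLogicHost <server name>
   WeblogicPort <port>
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+?)\s*>(.*?)</Location>", re.S | re.I)

def parse_locations(conf_text):
    """Return {path: {lowercased directive: value}} for each <Location> block."""
    blocks = {}
    for path, body in LOCATION_RE.findall(conf_text):
        directives = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if parts and not parts[0].startswith("#"):
                # Apache directive names are case-insensitive, so normalise them.
                directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        blocks[path] = directives
    return blocks

def lint_locations(conf_text):
    """Return {path: [problems]}; an empty list means the block is complete."""
    report = {}
    for path, d in parse_locations(conf_text).items():
        problems = []
        if d.get("sethandler", "").lower() != "weblogic-handler":
            problems.append("SetHandler is not weblogic-handler")
        host = d.get("weblogichost", "")
        if not host or "<" in host:
            problems.append("WebLogicHost missing or still a placeholder")
        port = d.get("weblogicport", "")
        if not (re.fullmatch(r"[0-9]{1,5}", port) and 0 < int(port) < 65536):
            problems.append("WebLogicPort missing, placeholder or out of range")
        report[path] = problems
    return report

if __name__ == "__main__":
    for path, problems in lint_locations(SAMPLE_CONF).items():
        print(path, "OK" if not problems else "; ".join(problems))
```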

Configuring OBIEE for Single Signon with Oracle Access Manager 11g

To configure OBIEE for single signon with Oracle Access Manager 11g, complete the tasks that are discussed in this section.

  1. Change the Oracle OBIEE WebLogic Server authenticator from the default identity store (i.e. the embedded LDAP server) to the new identity store and new SSO provider.

    See Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1), Enabling SSO Authentication, Configuring a New Authenticator for Oracle WebLogic Server.

    See Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1), Enabling SSO Authentication, Configuring a New Identity Asserter for Oracle WebLogic Server.

  2. Add the user name(s) from OID into the pre-existing BISystem Application Role and refresh the user and group GUIDs.

    See Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1), Using Alternative Authentication Providers, Configuring a New Trusted User (BISystemUser).

    See Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1), Using Alternative Authentication Providers, Regenerating User GUIDs.

  3. Enable OBIEE to accept SSO authentication.

    See Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1), Enabling SSO Authentication, Using Fusion Middleware Control to Enable SSO Authentication.