17.2 Configuring Out-of-the-Box OracleAS Single Sign-On

To run a report, you must login with a valid OracleAS Single Sign-On userid and password. The Reports Server is configured by default with the OracleAS Single Sign-On instance installed as part of Oracle Fusion Middleware. The Oracle Internet Directory instance installed with Oracle Fusion Middleware is used as the default repository for user and group information. If you want to configure the Reports Server to use a different Oracle Internet Directory instance or disable security, refer to Section 17.3, "Administering OracleAS Single Sign-On". For information on how to add users to Oracle Internet Directory, refer to Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. In addition, for each Oracle Fusion Middleware installation, the Reports Server instances connect to Oracle Internet Directory as an application entity that is unique to the Oracle Fusion Middleware installation. For more information on this behavior, refer to Section 17.3.4, "Connecting to Oracle Internet Directory".

If a user is not already logged in to OracleAS Single Sign-On, they are prompted to log in when they attempt to run a report to the Reports Server through rwservlet. If the user parameters for a report include SSOCONN, OracleAS Single Sign-On will search for the user's data source credentials in Oracle Internet Directory. If none are found, then OracleAS Single Sign-On prompts the user to create a new resource. For more information on rwservlet, refer to Section A.2.5, "rwservlet". For more information on SSOCONN, refer to Section 17.3.3.1, "SSOCONN".

The Reports Server is also configured to operate with Oracle Portal by default. You can optionally add reports to the portal and enable users to launch them from the portal. Since users must login to the portal in this case, they are not prompted to login again when they launch their reports because they have already been identified to OracleAS Single Sign-On by logging in to the portal.

You can also optionally define access controls for resources associated with the Reports Server (for example, reports, printers, Reports Servers, and calendars) in Oracle Portal. To control access to resources, you must add them to the portal and specify their access options. The resource access controls you specify in Oracle Portal apply to reports that you run outside of the portal as well. For example, if a user tries to run a report through rwservlet, it will be subject to any access controls you have put in place through Oracle Portal.

17.2.1 Oracle Identity Management and OracleAS Single Sign-On Infrastructure

Oracle Reports Services can take advantage of the capabilities in OracleAS Single Sign-On, which is part of the Oracle Identity Management infrastructure.

17.2.1.1 OracleAS Single Sign-On

With the increasing number of Web-based, e-business applications that companies deploy for use by their employees, customers, and partners, many businesses must now consider Single Sign-On functionality. Single Sign-On refers to the ability to log on to a single security system once, rather than logging on separately to multiple security systems. With Single Sign-On, each user maintains a single identity and password for all data and associated resources to which they need access.

Within a given Web application, Oracle Reports Services eases the user's experience with OracleAS Single Sign-On. OracleAS Single Sign-On ensures that each user authenticates only once.

Note:

It is recommended that you use Single Sign-on to hide authid in URLs. For more information see, Section 8.3.1.1.18, "allowauthid".

17.2.1.1.1 Single Sign-On Components

Figure 17-1 provides an overview of the Single Sign-On component architecture.

Figure 17-1 Single Sign-On Architecture

Description of "Figure 17-1 Single Sign-On Architecture"

The components of the Single Sign-On environment include:

A client Web browser
Oracle HTTP Server

The Oracle HTTP Server processes requests from the client browser.

Note:
At the highest level, all communication to and from Oracle HTTP Server may be configured to use SSL. The Oracle HTTP Server incorporates an OpenSSL module to provide support for Secure Sockets Layer (SSL) and HTTP Secure Sockets Layer (HTTPS). Once this is set up in the Oracle HTTP Server (see Oracle Fusion Middleware Administrator's Guide for Oracle HTTP Server), rwservlet automatically detects the SSL port number.
Reports Servlet

Oracle Reports Servlet (rwservlet) is a component of Oracle Reports Services that runs inside Oracle WebLogic Server. When a report request comes to the Oracle HTTP Server, Oracle Reports Servlet (rwservlet) passes the job request to Reports Server.
Reports Server

Reports Server (rwserver) processes client requests, which includes ushering them through authentication and authorization checking, scheduling, caching, and distribution.
OracleAS Single Sign-On

OracleAS Single Sign-On is responsible for managing users' Single Sign-On sessions. It verifies login credentials by looking them up in Oracle Internet Directory.
Oracle Internet Directory

Oracle Internet Directory is Oracle's highly scalable, native LDAP version 3 service and hosts the Oracle common user identity. OracleAS Single Sign-On authenticates users against the information stored in Oracle Internet Directory. As noted in earlier sections, when Single Sign-On is enabled for Oracle Reports Services, it checks Oracle Internet Directory for user and group privilege information. It also retrieves data source connection information from Oracle Internet Directory.
Oracle Delegated Administration Services

The Delegated Administration Service provides a comprehensive interface for making updates to Oracle Internet Directory. Oracle Reports Services displays Oracle Delegated Administration Services when it encounters a Single Sign-On key that does not already have a data source connection string associated with it in Oracle Internet Directory.

For more information, refer to Chapter 17, "Configuring and Administering OracleAS Single Sign-On".