Setting Up Single Sign-on Using CSS Token for External User Directories

  To set up single sign-on using CSS Token for external user directories (LDAP/MSAD), perform the following:

  1. Ensure that Oracle BI EE and Shared Services are connected to the same LDAP or MSAD store.

  2. Open the online RPD, and then go to the HFM Connection pool. Select SSO using CSS Token, and then restart the BI server.

    SSO Connection Pool Settings
  3. Unzip the utility regSyncUtil_OBIEE-TO-EPM.zip from the location: <OBIEE Installed Location>/Oracle_BI1/common/CSS/11.1.2.0 and follow the instructions in the readme to run the utility.

    Note:

    This syncing of keys in the registry is required when using EPM 11.1.2.x.

  4. For Oracle BI EE Domain Configuration, perform these steps:

    • Log on to http://<ServerName>:7001/em/

      Where ServerName is the name of the computer hosting the Oracle BI EE server.

    • Expand the WebLogic Domain folder, right-click the bifoundation_domain folder, select Security, and then select Security Provider Configuration.

    • Under Identity Store Provider, click Configure.

    • Under Identity Store Configuration, click the Add button. The Add New Property dialog box is displayed.

    • Set Property Name to virtualize and set the value to true, and then click OK.

  5. If, while configuring the external user directory in OBIEE, the “virtualize” property is set to true in the jps-config.xml file (BI_DOMAIN_HOME/config/fmwconfig/jps-config.xml), perform the following:

    Edit the setDomainEnv.cmd file in BI_DOMAIN_HOME/bin/ and add the following command lines:

      Set EXTRA_JAVA_PROPERTIES=-Dcommon.components.home=%COMMON_COMPONENTS_HOME% -Didstore.identityAttribute=<value> %EXTRA_JAVA_PROPERTIES%
      export EXTRA_JAVA_PROPERTIES

    Where <value> depends on the type of external user directory (OID/MSAD) configured. Set -Didstore.identityAttribute as shown:

    Microsoft Active Directory = objectguid

    Oracle Internet Directory | Oracle Virtual Directory = orclguid

  6. If, while configuring the external user directory in OBIEE, the “virtualize” property is set to false in the jps-config.xml file (BI_DOMAIN_HOME/config/fmwconfig/jps-config.xml), perform the following:

    • If only one external user directory, using its default unique identity attribute, is configured as an Authentication Provider in the WLS Security Realm and is ordered as the first provider in the stack, no further action is required. In this case, the following DIRECTORY_TYPE = IDENTITY_ATTRIBUTE defaults are used:

      Microsoft Active Directory = objectguid

      Oracle Internet Directory | Oracle Virtual Directory = orclguid

      Novell EDirectory = guid

      Sun One Directory = nsuniqueid

      Open Ldap = entryuuid

    • If the external LDAP user directory Authentication Provider in the WLS Security Realm is configured to use a unique identity attribute different from the defaults above, pass the Java system property idstore.identityAttribute in the BI Domain setDomainEnv.sh file, available at BI_DOMAIN_HOME/bin/.

      For example:

        set EXTRA_JAVA_PROPERTIES=-Dcommon.components.home=%COMMON_COMPONENTS_HOME% -Didstore.identityAttribute=customguid %EXTRA_JAVA_PROPERTIES%
        export EXTRA_JAVA_PROPERTIES

  7. In the epmsys_registry.bat file, perform the following:

    Ensure that the epm_j2se.jar file is included in the CLASSPATH. For example:

      set CLASSPATH=%CLASSPATH%;C:/OBIEE/Oracle_BI1/common/jlib/11.1.2.0/epm.jar;C:/OBIEE/Oracle_BI1/common/jlib/11.1.2.0/epm_j2se.jar

    Note:

    The epmsys_registry.bat file is located in <OBIEE Installed Location>/instances/instance1/config/foundation/11.1.2.0.

  8. Restart BI Domain, including Admin Server and Managed Server(s).

  9. Restart OPMN Processes dependent on Admin or Managed Server(s).

  10. Log in to Oracle Financial Management Analytics using the external directory user credentials. You can then view the dashboards.
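
  The following is an added example, not part of the original procedure or of any Oracle tooling. It checks that the identity attribute passed in setDomainEnv (steps 5 and 6) matches the directory type and the “virtualize” setting in jps-config.xml. The short directory type keys (MSAD, OID, and so on), the function names, and the embedded sample inputs are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# DIRECTORY_TYPE -> default unique identity attribute, as listed in step 6.
DEFAULT_ATTR = {"MSAD": "objectguid", "OID": "orclguid", "OVD": "orclguid",
                "EDIRECTORY": "guid", "SUNONE": "nsuniqueid", "OPENLDAP": "entryuuid"}
VIRTUALIZED_TYPES = {"MSAD", "OID", "OVD"}  # step 5 gives values only for these

# Constructed samples: a minimal stand-in for jps-config.xml and one setDomainEnv line.
SAMPLE_JPS = ('<jpsConfig xmlns="urn:example:constructed"><serviceInstance name="idstore.ldap">'
              '<property name="virtualize" value="true"/></serviceInstance></jpsConfig>')
SAMPLE_ENV = ("set EXTRA_JAVA_PROPERTIES=-Dcommon.components.home=%COMMON_COMPONENTS_HOME% "
              "-Didstore.identityAttribute=objectguid %EXTRA_JAVA_PROPERTIES%")

def virtualize_enabled(jps_config_xml):
    """Value of the first <property name="virtualize"> found, ignoring XML namespaces."""
    for el in ET.fromstring(jps_config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "property" and el.get("name") == "virtualize":
            return el.get("value", "").strip().lower() == "true"
    return False  # property absent: treated here as not virtualized (assumption)

def configured_attr(set_domain_env_text):
    """Last -Didstore.identityAttribute value in the script text, lowercased, or None."""
    hits = re.findall(r"-Didstore\.identityAttribute=([^\s\"%]+)", set_domain_env_text)
    return hits[-1].lower() if hits else None

def check(jps_config_xml, set_domain_env_text, directory_type):
    """Return findings; an empty list means steps 5 and 6 agree with the directory type."""
    expected = DEFAULT_ATTR[directory_type]
    actual = configured_attr(set_domain_env_text)
    if virtualize_enabled(jps_config_xml):
        if directory_type not in VIRTUALIZED_TYPES:
            return [f"step 5 lists no value for {directory_type} with virtualize=true"]
        if actual is None:
            return ["virtualize=true but -Didstore.identityAttribute is not set"]
        if actual != expected:
            return [f"identityAttribute is '{actual}', expected '{expected}' for {directory_type}"]
        return []
    if actual is not None and actual != expected:
        # Legitimate only when the WLS authentication provider uses the same custom attribute.
        return [f"custom identityAttribute '{actual}' overrides default '{expected}'"]
    return []

if __name__ == "__main__":
    for dtype in ("MSAD", "OID"):
        print(dtype, check(SAMPLE_JPS, SAMPLE_ENV, dtype) or "consistent")
```

  Run it against the real jps-config.xml and setDomainEnv contents before the restarts in steps 8 and 9, so that a mismatched identity attribute is caught before users attempt single sign-on.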