Configuring EPM System for SSO

Oracle Enterprise Performance Management System products must be configured to support a security agent for SSO. The configuration specified in Oracle Hyperion Shared Services determines the following for all EPM System products:

  • Whether to accept SSO from a security agent

  • The authentication mechanism to accept for SSO

In an SSO-enabled environment, the EPM System product that is first accessed by the user parses the SSO mechanism to retrieve the authenticated user ID contained in it. The EPM System product checks the user ID against the user directories configured in Shared Services to determine that the user is a valid EPM System user. It also issues a token that enables SSO across EPM System products.

The configuration specified in Shared Services enables SSO and determines the authentication mechanism to accept for SSO for all EPM System products.

To enable SSO from a web identity management solution:

  1. Launch the Oracle Hyperion Shared Services Console as a Shared Services Administrator. See Launching Shared Services Console.
  2. Select Administration, and then Configure User Directories.
  3. Verify that the user directories used by the web identity management solution are configured as external user directories in Shared Services.

    For example, to enable Kerberos SSO, you must configure the Active Directory that is configured for Kerberos authentication as an external user directory.

    For instructions, see Configuring User Directories.

  4. Select Security Options.
  5. Select Show Advanced Options.
  6. In Single Sign-on Configuration in the Defined User Directories screen, perform the following steps:
    1. Select Enable SSO.
    2. From SSO Provider or Agent, select a web identity management solution. Choose Other if you are configuring SSO with Kerberos.

      The recommended SSO mechanism is automatically selected. See the following table. Also, see Supported SSO Methods.

      Note:

      If you are not using the recommended SSO mechanism, you must choose Other in SSO Provider or Agent. For example, to use a mechanism other than HTTP Header for SiteMinder, choose Other in SSO Provider or Agent, and then select the SSO mechanism that you want to use in SSO Mechanism.

    Table 3-5 Preferred SSO Mechanisms for Web Identity Management Solutions

    Web Identity Management Solution    Recommended SSO Mechanism
    --------------------------------    ---------------------------------
    Oracle Access Manager               Custom HTTP Header (Footnote 1)
    OSSO                                Custom HTTP Header
    SiteMinder                          Custom HTTP Header
    Kerberos                            Get Remote User from HTTP Request

    Footnote 1: The default HTTP Header name is HYPLOGIN. If you are using a custom HTTP Header, replace the name.

  7. Click OK.
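
The flow described above (the first product parses the SSO mechanism, checks the user ID against the configured user directories, and issues a token), as an added Python sketch that is not Oracle code. The function names, the agent model, the token format and the sample values are assumptions; the provider-to-mechanism map and the HYPLOGIN default come from Table 3-5.

```python
import hashlib
import hmac

# Provider -> recommended mechanism, as listed in Table 3-5.
RECOMMENDED = {
    "Oracle Access Manager": "Custom HTTP Header",
    "OSSO": "Custom HTTP Header",
    "SiteMinder": "Custom HTTP Header",
    "Kerberos": "Get Remote User from HTTP Request",
}
DEFAULT_HEADER = "HYPLOGIN"  # default header name from the table footnote


def agent_forward(client_headers, authenticated_user, header_name=DEFAULT_HEADER):
    """Assumed model of the security agent: drop any copy of the SSO header
    already on the request, then set it from the identity the agent verified."""
    kept = [(n, v) for n, v in client_headers if n.lower() != header_name.lower()]
    return kept + [(header_name, authenticated_user)]


def extract_user_id(mechanism, headers, remote_user=None, header_name=DEFAULT_HEADER):
    """Return the user ID carried by the SSO mechanism, or None.
    headers is a list of (name, value) pairs so duplicates stay visible."""
    if mechanism == "Custom HTTP Header":
        values = [v.strip() for n, v in headers if n.lower() == header_name.lower()]
        # Accept exactly one non-empty value; anything else is ambiguous.
        return values[0] if len(values) == 1 and values[0] else None
    if mechanism == "Get Remote User from HTTP Request":
        return remote_user or None
    return None


def sso_login(provider, headers, remote_user, directory_users, key):
    """Parse the mechanism, check the user directory, issue a token."""
    user_id = extract_user_id(RECOMMENDED.get(provider), headers, remote_user)
    if user_id is None or user_id not in directory_users:
        return None
    # Hypothetical token format (user ID plus HMAC tag), for illustration only.
    tag = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{tag}"


if __name__ == "__main__":
    users = {"jdoe"}                   # constructed directory contents
    key = b"constructed-demo-key"      # constructed signing key
    inbound = [("Host", "epm.example.com"), ("HYPLOGIN", "admin")]  # constructed
    forwarded = agent_forward(inbound, "jdoe")
    print(sso_login("SiteMinder", forwarded, None, users, key))
    print(sso_login("SiteMinder", inbound + [("HYPLOGIN", "jdoe")], None, users, key))
```

With header-based mechanisms the product trusts whatever value arrives in the header, so the security agent should be the only network path to the EPM System web tier and the only component that sets the header.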