Enabling OAM SSO for Essbase 21c embedded with EPM 11.2.15 and above

For OAM (Oracle Access Manager) SSO (Single Sign-On) to function with Essbase, OAMIdentityAsserter must be added and configured in the WebLogic domain that Essbase uses.

Add OAMIdentityAsserter

To add OAMIdentityAsserter as a new Authentication Provider in the WebLogic console:

1. Log in to the WebLogic Administration Console if you are not already logged in.
2. Click Security Realms on the left, click myrealm, and then click the Providers tab.
3. Click New, and enter the following details:
   • Name: OAMIdentityAsserter
   • Type: OAMIdentityAsserter
4. Click OK.

Configure OAMIdentityAsserter

In the Authentication Providers table, click the provider you just created. On the Common tab:

1. Set the Control Flag to "Required".
2. Ensure that the Active Types selection for the SSO mechanism is appropriately chosen to include the header such as OAM_REMOTE_USER, which your WebGate adds after OAM authentication. This enables Identity Assertion based on the specified header.
3. Click Save to save the configuration.

Reorder Providers

1. Under the Authentication Providers table, click Reorder.
2. Select the OAMIdentityAsserter provider on the Reorder Authentication Providers page, and then use the arrows next to the list to arrange it so that it comes before EssbaseCSSAuthenticator.

Update Logout URL

Update or add the LOGOUT_URL in $ESSBASE_DOMAIN\bin\setStartupEnv.cmd or $ESSBASE_DOMAIN\bin\setStartupEnv.sh under startup group condition:

'if "%STARTUP_GROUP%"=="ESSBASE-MAN-SVR"'

Use the Fully-Qualified Domain Name (FQDN) of the OAM server and set the logout URL as below:

-DLOGOUT_URL=https://<oam.server.host>:<oam.server.port>/oam/server/logout?end_url=https://<oam.server.host>:<oam.server.port>/oam/pages/logout.jsp