Single Sign-on from Oracle Access Manager

Oracle Enterprise Performance Management System integrates with Oracle Access Manager by accepting a custom HTTP header (default name HYPLOGIN) that contains the login attribute value. The login attribute is set when you configure an external user directory in Oracle Hyperion Shared Services. See "Configuring OID, Active Directory, and Other LDAP-Based User Directories" in the Oracle Enterprise Performance Management System User Security Administration Guide for a brief description of Login Attribute.

You can use any header name that provides the value of the login attribute to EPM System. You specify this header name when you configure Shared Services for SSO from Oracle Access Manager.

EPM System uses the value of the login attribute to authenticate the user against a configured user directory (in this case, the user directory against which Oracle Access Manager authenticates users) and then generates an EPM SSO token that enables SSO across EPM System. Provisioning information of the user is checked in Native Directory to authorize the user to EPM System resources.
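The flow described above, as a simplified model added here for illustration (not Oracle code). The class, method names, directory entries and the role name are hypothetical, and the sample data is constructed.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class EpmSsoModel:
    """Toy model: header value -> directory lookup -> SSO token -> provisioning check."""
    header_name: str = "HYPLOGIN"   # default header name given on this page
    trusted: bool = True            # models the "Trusted" check box on the directory
    directory: dict = field(default_factory=dict)     # login attribute value -> user DN
    provisioning: dict = field(default_factory=dict)  # user DN -> roles (Native Directory)

    def authenticate(self, headers):
        """Return (user_dn, sso_token) or raise PermissionError."""
        # HTTP header names are case-insensitive, so compare in lower case.
        lowered = {k.lower(): v for k, v in headers.items()}
        login = (lowered.get(self.header_name.lower()) or "").strip()
        if not login:
            raise PermissionError("SSO header missing or empty")
        if not self.trusted:
            raise PermissionError("user directory is not a trusted SSO source")
        user_dn = self.directory.get(login)
        if user_dn is None:
            raise PermissionError("login attribute value not found in user directory")
        # Opaque random value standing in for the EPM SSO token.
        return user_dn, secrets.token_urlsafe(32)

    def authorize(self, user_dn, role):
        """Authentication alone grants nothing; access comes from provisioning."""
        return role in self.provisioning.get(user_dn, set())


def build_sample(header_name="HYPLOGIN"):
    """Constructed sample data: two directory users, only one of them provisioned."""
    jdoe = "cn=jdoe,ou=people,dc=example,dc=com"
    asmith = "cn=asmith,ou=people,dc=example,dc=com"
    return EpmSsoModel(
        header_name=header_name,
        directory={"jdoe": jdoe, "asmith": asmith},
        provisioning={jdoe: {"Planner"}},
    )


if __name__ == "__main__":
    model = build_sample()
    user, token = model.authenticate({"HYPLOGIN": "jdoe"})
    print(user, model.authorize(user, "Planner"))
```

The model separates the two checks the paragraph describes: a user found in the external directory is authenticated, but has no access unless provisioned.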

Note:

Oracle Essbase Administration Services console, which is a thick client, does not support SSO from Oracle Access Manager.

Information about configuring Oracle Access Manager and performing tasks such as setting up the HTTP header and policy domains is available in the Oracle Access Manager documentation. This guide assumes a working Oracle Access Manager deployment where you have completed the following tasks:

  • Set up the required policy domains for EPM System components

  • Configured an HTTP header to pass the login attribute value to EPM System

  • Protected the EPM System resources listed in Resources to Protect. Requests to access protected resources are challenged by Oracle Access Manager.

  • Unprotected the EPM System resources listed in Resources to Unprotect. Requests to access unprotected resources are not challenged by Oracle Access Manager.

To configure EPM System for SSO from Oracle Access Manager:

  1. Add the user directory that Oracle Access Manager uses to authenticate users as an external user directory in EPM System. See "Configuring OID, Active Directory, and Other LDAP-Based User Directories" in the Oracle Enterprise Performance Management System User Security Administration Guide.

    Note:

    Ensure that the Trusted check box in the Connection Information screen is selected to indicate that the user directory is a trusted SSO source.

  2. Configure EPM System for SSO. See Configuring EPM System for SSO.

    Select Oracle Access Manager from the SSO Provider or Agent list. If the HTTP header from Oracle Access Manager uses a name other than HYPLOGIN, enter the name of the custom header in the text box next to the SSO Mechanism list.

  3. Oracle Data Relationship Management only:
    1. Configure Data Relationship Management for Shared Services authentication.
    2. Enable SSO in Data Relationship Management Console.

      See the Data Relationship Management documentation for detailed information.