SiteMinder SSO

SiteMinder is a web-only solution. Desktop applications and their add-ins (for example, Microsoft Excel and Report Designer) cannot use authentication through SiteMinder. However, Oracle Smart View for Office can use SiteMinder authentication.

Process Flow

Illustrated overview of SiteMinder-enabled SSO:


[Figure: The SiteMinder single sign-on process]

The SiteMinder SSO process:

  1. Users try to access a SiteMinder-protected Oracle Enterprise Performance Management System resource. They use a URL that connects them to the web server that front-ends the SiteMinder policy server; for example, http://WebAgent_Web_Server_Name:WebAgent_Web_ServerPort/interop/index.jsp.
  2. The web server redirects users to the policy server, which challenges users for credentials. After verifying credentials against configured user directories, the policy server passes the credentials to the web server that hosts the SiteMinder Web Agent.
  3. The web server that hosts the SiteMinder Web Agent redirects the request to the Oracle HTTP Server that front-ends EPM System. Oracle HTTP Server redirects users to the requested application deployed on Oracle WebLogic Server.
  4. The EPM System component checks provisioning information and serves up content. For this process to work, the user directories that SiteMinder uses to authenticate users must be configured as external user directories in the EPM System. These directories must be configured as trusted.

Special Considerations

SiteMinder is a web-only solution. Desktop applications and their add-ins (for example, Microsoft Excel and Report Designer) cannot use authentication through SiteMinder. However, Smart View can use SiteMinder authentication.

Prerequisites

  1. A fully functional SiteMinder installation comprising the following components:
    • SiteMinder Policy Server on which policies and agent objects are defined
    • SiteMinder Web Agent installed on the web server that front-ends the SiteMinder Policy Server
  2. A fully functional EPM System deployment.

    When you configure the web server for EPM System components, EPM System Configurator configures mod_wl_ohs.conf to proxy requests to the WebLogic Server.

Enabling SiteMinder Web Agent

The web agent is installed on a web server that intercepts requests for EPM System resources. An attempt by an unauthenticated user to access a protected EPM System resource forces the web agent to challenge the user for SSO credentials. When a user is authenticated, the policy server adds the login name of the authenticated user, which is carried in an HTTP header. Thereafter, the HTTP request is passed to the EPM System web server, which redirects the request. EPM System components extract the authenticated user credentials from the headers.

SiteMinder supports SSO across EPM System products running on heterogeneous web server platforms. If EPM System products use different web servers, you must ensure that the SiteMinder cookie can be passed among web servers within the same domain. You do so by specifying the appropriate EPM System application domain as the value of the Cookiedomain property in the WebAgent.conf file of each web server.

See "Configuring Web Agents" in the Netegrity SiteMinder Agent Guide.

Note:

Because Oracle Hyperion Shared Services uses basic authentication to protect its content, the web server that intercepts requests to Shared Services should enable basic authentication to support SSO with SiteMinder.

You configure the web agent by running the SiteMinder Web Agent Configuration wizard (by executing WEBAGENT_HOME/install_config_info/nete-wa-config; for example, C:\netegrity\webagent\install_config_info\nete-wa-config.exe on Windows). The configuration process creates a WebAgent.conf file for the SiteMinder web server.

To enable SiteMinder Web Agent:

  1. Using a text editor, open WebAgent.conf. The location of this file depends on the web server that you are using.
  2. Set the value of the enableWebAgent property to Yes.
    enableWebAgent="YES"
  3. Save and close the web agent configuration file.

Example 3-1 Configuring the SiteMinder Policy Server

A SiteMinder administrator must configure the policy server to enable SSO to EPM System products.

The configuration process involves:

  • Creating a SiteMinder Web Agent and adding configuration objects appropriate for the SiteMinder web server
  • Creating a realm for each EPM System resource that should be protected and adding the web agent to the realm. See Resources to Protect.
  • Creating realms for unprotected resources within the realm that was created for protected EPM System resources. See Resources to Unprotect.
  • Creating an HTTP header reference. The header should provide the value of Login Attribute to EPM System applications. See "Configuring OID, Active Directory, and Other LDAP-Based User Directories" in the Oracle Enterprise Performance Management System User Security Administration Guide for a brief description of Login Attribute.
  • Creating rules within the realms with Get, Post, and Put as web agent actions
  • Creating a response attribute with hyplogin=<%userattr="SM_USERLOGINNAME"%> as the value
  • Creating a policy, assigning user directory access, and adding rules that you created for EPM System to Current Members list
  • Setting responses for the rules you created for EPM System components

Example 3-2 Configuring SiteMinder Web Server to Forward Requests to the EPM System Web Server

Configure the web server that hosts the SiteMinder web agent to forward requests from authenticated users (containing the header identifying the user) to the EPM System web server.

For Apache-based web servers, use directives similar to the following to forward authenticated requests:

ProxyPass / http://EPM_WEB_SERVER:EPM_WEB_SERVER_PORT/
ProxyPassReverse / http://EPM_WEB_SERVER:EPM_WEB_SERVER_PORT/
ProxyPreserveHost On
#If SiteMinder Web Server is using HTTPS but EPM Web Server is using HTTP
RequestHeader set WL-Proxy-SSL true

In these directives, replace EPM_WEB_SERVER and EPM_WEB_SERVER_PORT with the actual values for your environment.
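
A configuration check covering both the web agent settings (enableWebAgent, Cookiedomain) and the forwarding directives above, given as an added example that is not Oracle or SiteMinder code. The key="value" syntax assumed for Cookiedomain, the constructed sample file contents, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample files for illustration; not taken from a real deployment.
WEBAGENT_CONF = '''# WebAgent.conf (constructed)
enableWebAgent="NO"
Cookiedomain=".example.com"
'''
PROXY_CONF = '''ProxyPass / http://epm-web.example.com:8080/
ProxyPreserveHost On
#RequestHeader set WL-Proxy-SSL true
'''

def parse_props(text):
    """Assumed key="value" syntax, as in the enableWebAgent line; '#' lines never match."""
    pairs = (re.match(r'\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', ln) for ln in text.splitlines())
    return {m.group(1).lower(): m.group(2).strip() for m in pairs if m}

def parse_directives(text):
    """Active (non-comment) Apache directives as (lowercased name, [args])."""
    rows = (ln.split() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#"))
    return [(r[0].lower(), r[1:]) for r in rows]

def audit(webagent_text, proxy_text, epm_domain, frontend_https):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    props = parse_props(webagent_text)
    if props.get("enablewebagent", "").upper() != "YES":
        findings.append("enableWebAgent is not YES")
    if props.get("cookiedomain", "").lstrip(".").lower() != epm_domain.lstrip(".").lower():
        findings.append("Cookiedomain does not match the EPM System application domain")
    dirs = parse_directives(proxy_text)
    fwd = [a for n, a in dirs if n == "proxypass" and len(a) >= 2]
    rev = [a[:2] for n, a in dirs if n == "proxypassreverse"]
    if not fwd:
        findings.append("no ProxyPass to the EPM System web server")
    for a in fwd:
        if a[:2] not in rev:
            findings.append("ProxyPass %s lacks a matching ProxyPassReverse" % a[0])
    if ("proxypreservehost", ["on"]) not in [(n, [x.lower() for x in a]) for n, a in dirs]:
        findings.append("ProxyPreserveHost is not On")
    ssl_hdr = any(n == "requestheader" and [x.lower() for x in a] == ["set", "wl-proxy-ssl", "true"]
                  for n, a in dirs)
    # The page sets WL-Proxy-SSL only when the front end is HTTPS and the EPM web server is HTTP.
    if frontend_https and any(a[1].lower().startswith("http://") for a in fwd) and not ssl_hdr:
        findings.append("HTTPS front end with HTTP back end but WL-Proxy-SSL is not set")
    return findings

if __name__ == "__main__":
    for f in audit(WEBAGENT_CONF, PROXY_CONF, "example.com", frontend_https=True):
        print("FINDING:", f)
```

The script checks only the settings named on this page. Because EPM System components read the user name from a request header, restricting which hosts can reach the EPM System web server is a separate control that it does not verify.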

Example 3-3 Enabling SiteMinder in EPM System

Integration with SiteMinder requires that you enable SiteMinder authentication for EPM System products. See Configuring EPM System for SSO.