Supported SSO Methods

SSO requires that the web identity management solution pass the login name of authenticated users to Oracle Enterprise Performance Management System products. You can use the following standard EPM System methods to integrate EPM System with commercial and custom web-based SSO solutions.

Caution:

As a security measure, Oracle recommends that you implement client certificate authentication (two-way SSL) between the web server and the application server if your organization uses methods that carry user identity in the header for identity propagation.

HTTP Header

If you are using Oracle Single Sign-on (OSSO), SiteMinder, or Oracle Access Manager as the web identity management solution, EPM System security automatically selects Custom HTTP header to pass the login name of authenticated users to EPM System components.

The login name of an EPM System product user is determined by the Login Attribute that is specified while configuring user directories in Oracle Hyperion Shared Services. See "Configuring OID, Active Directory, and Other LDAP-Based User Directories" in the Oracle Enterprise Performance Management System User Security Administration Guide for a brief description of the Login Attribute.

The HTTP header must contain the value of the attribute that is set as the Login Attribute. For example, if uid is the Login Attribute value, the HTTP header must carry the value of the uid attribute.

See your web identity management solution documentation for detailed information on defining and issuing custom HTTP headers.

EPM System security parses the HTTP header and validates the login name that it carries against the user directories configured on Shared Services.

Custom Login Class

When a user logs in, the web identity management solution authenticates the user against a directory server and encapsulates the credentials of the authenticated user in an SSO mechanism to enable SSO with downstream systems. If the web identity management solution uses a mechanism unsupported by EPM System products, or if the value of the Login Attribute is not available in the SSO mechanism, you can use a custom login class to derive and pass the value of the Login Attribute to EPM System products.

Using a custom login class enables EPM System to integrate with security agents that use X509 certificate-based authentication. Using this authentication mechanism requires the implementation of standard Shared Services APIs to define the SSO interface between EPM System components and the web identity management solution. The custom login class must pass the value of the Login Attribute to EPM System products. See "Configuring OID, Active Directory, and Other LDAP-Based User Directories" in the Oracle Enterprise Performance Management System User Security Administration Guide for a brief description of the Login Attribute. For sample code and implementation steps, see Implementing a Custom Login Class.

To use a custom login class (default name is com.hyperion.css.sso.agent.X509CertificateSecurityAgentImpl), an implementation of the com.hyperion.css.CSSSecurityAgentIF interface must be available in the classpath. CSSSecurityAgentIF defines the getter methods for retrieving the user name and the password (optional). If the interface returns a null password, security authentication treats the provider as trusted and only verifies the existence of the user in the configured providers. If the interface returns a non-null value for the password, EPM System attempts to authenticate the request using the user name and password returned by this implementation.

CSSSecurityAgentIF comprises two methods: getUserName and getPassword.

getUserName Method

This method returns the user name for authentication.

java.lang.String getUserName(
                    javax.servlet.http.HttpServletRequest req,
                    javax.servlet.http.HttpServletResponse res)
                    throws java.lang.Exception

The req parameter identifies the HTTP request that carries the information that is used to determine the user name. The res parameter is not used (preset for backward compatibility).

getPassword Method

This method returns the clear-text password for authentication. Password retrieval is optional.

java.lang.String getPassword(
                    javax.servlet.http.HttpServletRequest req,
                    javax.servlet.http.HttpServletResponse res)
                    throws java.lang.Exception

The req parameter identifies the HTTP request that carries the information that is used to determine the password. The res parameter is not used (preset for backward compatibility).

HTTP Authorization Header

EPM System security supports the use of an HTTP authorization header to pass the value of the Login Attribute to EPM System products from web identity management solutions. EPM System products parse the authorization header to retrieve the user's login name.

Get Remote User from HTTP Request

EPM System security supports the use of an HTTP request to pass the value of the Login Attribute to EPM System products from web identity management solutions. Use this SSO method if the web identity management solution passes an HTTP request containing the value of the Login Attribute, which is set using the setRemoteUser function.

Header-based Authentication with Identity Management Products

EPM System supports any identity management product, such as Oracle Identity Cloud Services, Microsoft Azure AD, or Okta, that supports header-based authentication. The conceptual workflow is as follows:

  • A gateway application acting as a reverse proxy protects EPM System components by restricting unauthenticated network access.
  • The gateway application intercepts HTTP(S) requests to EPM System components and ensures that the identity management product authenticates users before forwarding requests to EPM System components.
  • While forwarding requests to EPM System components, the gateway application propagates the authenticated user's identity to the EPM System component in HTTP request headers.

To support this authentication scenario, EPM System should be configured to work with the authenticated user's identity that is propagated in HTTP(S) request headers.