Integrate WebLogic to Use Microsoft Active Directory

You can integrate Essbase WebLogic with Microsoft Active Directory (MSAD).

Add Provider

To add the Microsoft Active Directory provider to your security realm:

  1. Log in to the WebLogic Server Administration Console for your Essbase instance.

    To get to the console:

    1. In a browser, enter <host_url>:<wl_adminserver_port>/console, where <host_url> is http(s):// + the server name of your Essbase instance, and <wl_adminserver_port> is the Admin Server Port you specified in the WebLogic Server Ports screen during configuration.

      For example,

    2. Log in as the WebLogic administrator account you specified in the Domain Details screen during configuration.

  2. In the Change Center pane, click Lock & Edit.

    Change Center section of WebLogic Administration Console, focused on "Lock & Edit" button

  3. In the Domain Structure tree, under <your domain name>, click the Security Realms node.

    Domain Structure navigation tree in WebLogic Administration Console, focused on "Security Realms" link underneath an Essbase domain named essbase_domain2

  4. Click the name of the security realm so that you can open and configure it. For example, click the link myrealm (not the check box).

    WebLogic Server Administration Console containing link to a security realm named "myrealm"

  5. Modify Security Model Default from DD Only to Advanced, and click the Save button.

    WebLogic Server Administration Console general configuration settings for security realm "myrealm," focusing on changing the "Security Model Default" selection from DD Only to Advanced

  6. Select the Providers tab and click New to create a new authentication provider.

    WebLogic Server Administration Console, Providers > Authentication tab, focusing on a list of Authentication Providers and the New button.

  7. Enter msad as the name of the new authentication provider.

    WebLogic Server Administration Console, Providers > Create a new Authentication Provider screen, focusing on adding a new provider with Name: msad and Type: ActiveDirectoryAuthenticator.

  8. Select ActiveDirectoryAuthenticator as the authentication provider type, and click OK.

  9. Click Reorder. Move the msad provider up, using the buttons, so that it's the first provider, and click OK.

    WebLogic Server Administration Console, Providers > Authentication tab, focusing on a list of Authentication Providers available, with "msad" provider being moved to the top of the list, and the OK button highlighted.

  10. From the Authentication Providers list, click the link for the new provider (click the text link msad). In the settings, change the Control Flag from Optional to Sufficient, and click Save.

    WebLogic Server Administration Console, Providers > msad > Common tab, focusing on Control Flag setting being changed from OPTIONAL to SUFFICIENT, and the Save button.

  11. On the Provider Specific tab for the added msad provider, enter provider details.

    1. In the Connection section, enter your provider details for Host, Port (389), and Principal (you can save entering the credentials for last).

      Connection section of the Provider Specific settings tab for the provider named "msad" in the security realm "myrealm"

    2. In the Users section, enter your provider details for User Base DN.

    3. In the Groups section, enter your provider details for Group Base DN.

    4. In the Connection section, enter the Credentials twice: in Credential and Confirm Credential.

    5. Click Save.

  12. Click Activate Changes.

    Change Center section of WebLogic Administration Console, focused on "Activate Changes" button

  13. Start, Stop and Restart Essbase.
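Steps 9 and 10 work together: WebLogic evaluates authentication providers in list order, and the Control Flag follows the JAAS login-module rules. The simulation below is an added example, not Oracle's code. It assumes the realm's existing DefaultAuthenticator keeps a REQUIRED flag, which this page does not state, and the users are constructed.

```python
# Added example: JAAS control-flag evaluation over an ordered provider list.
VALID_FLAGS = ("REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")

def login_succeeds(chain):
    """chain: ordered list of (provider, control_flag, provider_accepts_user)."""
    mandatory_seen = mandatory_failed = any_accepted = False
    for provider, flag, accepted in chain:
        if flag not in VALID_FLAGS:
            raise ValueError("unknown control flag for %s: %r" % (provider, flag))
        any_accepted = any_accepted or accepted
        if flag in ("REQUIRED", "REQUISITE"):
            mandatory_seen = True
            if not accepted:
                mandatory_failed = True
                if flag == "REQUISITE":
                    return False  # a REQUISITE failure ends the login at once
        elif flag == "SUFFICIENT" and accepted:
            # Evaluation stops here; only mandatory providers placed before
            # this one had to accept the user.
            return not mandatory_failed
    # With no mandatory provider configured, one accepting provider is enough.
    return (not mandatory_failed) if mandatory_seen else any_accepted

def build_chain(order, flags, accepts):
    """Combine a provider order with per-provider flags and outcomes."""
    return [(p, flags[p], accepts[p]) for p in order]

# Constructed users: which provider would accept each of them.
AD_USER = {"msad": True, "DefaultAuthenticator": False}
LOCAL_ADMIN = {"msad": False, "DefaultAuthenticator": True}

# Assumption: DefaultAuthenticator keeps a REQUIRED flag (not stated on this page).
AS_CREATED = {"msad": "OPTIONAL", "DefaultAuthenticator": "REQUIRED"}
AFTER_STEP_10 = {"msad": "SUFFICIENT", "DefaultAuthenticator": "REQUIRED"}
MSAD_FIRST = ["msad", "DefaultAuthenticator"]
MSAD_LAST = ["DefaultAuthenticator", "msad"]

def outcomes():
    return {
        "OPTIONAL msad, AD user": login_succeeds(build_chain(MSAD_FIRST, AS_CREATED, AD_USER)),
        "SUFFICIENT msad first, AD user": login_succeeds(build_chain(MSAD_FIRST, AFTER_STEP_10, AD_USER)),
        "SUFFICIENT msad first, local admin": login_succeeds(build_chain(MSAD_FIRST, AFTER_STEP_10, LOCAL_ADMIN)),
        "SUFFICIENT msad last, AD user": login_succeeds(build_chain(MSAD_LAST, AFTER_STEP_10, AD_USER)),
    }

if __name__ == "__main__":
    for case, ok in outcomes().items():
        print("%-36s %s" % (case, "login succeeds" if ok else "login fails"))
```

Under these assumptions an Active Directory user can log in only when msad is both SUFFICIENT and ahead of the REQUIRED provider, while the local administrator still authenticates through DefaultAuthenticator.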

Verify External Users Were Added

Optionally, verify that the external users were added to your security realm.

  1. Log in again to the WebLogic Server Administration Console for your Essbase instance.

  2. Repeat steps 3 and 4 from the steps above (go to Security Realms > myrealm).

  3. Click the Users and Groups tab.

  4. Click Customize this table.

  5. In the filter, specify Filter by Column as Name, and specify a Criteria by entering the first letter of a known user name in the external provider. Click Apply. The filtered list of users should appear in the table.

Assign Roles

After federation to an external authentication provider, WebLogic Embedded LDAP users can't log into Essbase. Only the WebLogic Administrator user remains.

As the WebLogic Administrator account, use the Service Role Provisioning REST API endpoint, PUT /essbase/rest/v1/permissions/{id}, to assign the Essbase service administrator role to at least one federated user. This new service administrator can then provision other external users with Essbase roles, using either the Essbase web interface or the REST API.

For example, to provision the Active Directory user “sysadmin” with the service_administrator role, issue the REST request below, using cURL. Replace <weblogic_admin_user>, <weblogic_admin_password>, <Essbase_Host>, <Essbase_Managed_Server_Port>, and <sysadmin> with appropriate values for your environment.

curl -k -X PUT -u <weblogic_admin_user>:<weblogic_admin_password> "http://<Essbase_Host>:<Essbase_Managed_Server_Port>/essbase/rest/v1/permissions/sysadmin" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"links\": [ {\"rel\": \"string\", \"href\": \"string\", \"method\": \"string\", \"type\": \"string\" } ], \"id\": \"sysadmin\", \"name\": \"sysadmin\", \"role\": \"service_administrator\", \"group\": false}"
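The cURL command above puts the WebLogic administrator password on the command line and, with an http:// URL, sends it as Basic authentication in cleartext; -k also turns off certificate checks when the URL is https. The following added example (not Oracle's code) issues the same PUT with the password prompted for and TLS verification left on. It assumes the Essbase managed server has an HTTPS listener and that the placeholder "links" array in the sample body can be omitted; the environment variable names are hypothetical.

```python
# Added example: same PUT as the cURL command, with HTTPS and verification enforced.
import base64
import json
import ssl
import urllib.parse
import urllib.request

def build_role_request(base_url, admin_user, admin_password, user_id,
                       role="service_administrator", group=False):
    """Build (but do not send) the PUT /essbase/rest/v1/permissions/{id} request."""
    scheme = urllib.parse.urlsplit(base_url).scheme
    if scheme != "https":
        raise ValueError("refusing to send Basic credentials over %r" % scheme)
    url = "%s/essbase/rest/v1/permissions/%s" % (
        base_url.rstrip("/"), urllib.parse.quote(user_id, safe=""))
    # Assumption: the "links" placeholders from the sample body are not required.
    body = json.dumps({"id": user_id, "name": user_id,
                       "role": role, "group": group}).encode("utf-8")
    token = base64.b64encode(
        ("%s:%s" % (admin_user, admin_password)).encode("utf-8")).decode("ascii")
    return urllib.request.Request(url, data=body, method="PUT", headers={
        "Authorization": "Basic " + token,
        "Accept": "application/json",
        "Content-Type": "application/json",
    })

def send(request, ca_file=None):
    """Send with certificate and hostname verification (no equivalent of -k)."""
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        return response.status

if __name__ == "__main__":
    import getpass
    import os
    # Hypothetical variable names; the password is prompted for, never passed as an argument.
    request = build_role_request(
        os.environ["ESSBASE_URL"],        # e.g. https://<Essbase_Host>:<TLS port>
        os.environ["WL_ADMIN_USER"],
        getpass.getpass("WebLogic administrator password: "),
        "sysadmin")
    print(send(request, os.environ.get("ESSBASE_CA_FILE")))
```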