1. Essbase Independent Deployment
  2. Select Identity Provider
  3. WebLogic Authentication
  4. Single Sign-On Using MSAD Federation Services

Single Sign-On Using MSAD Federation Services

You can enable Essbase to use single sign-on (SSO) from Microsoft Active Directory (MSAD) Federation Services (FS).

  • You must integrate Essbase with MSAD according to the instructions in Integrate WebLogic to Use Microsoft Active Directory. Note that no explicit role assignment is necessary in this single sign-on topic, as it is already addressed in the pre-requisite WebLogic integration.
  • You must make WebLogic Managed Server SSL-enabled, and only HTTPS URL can be protected. This task is included in the following steps.
  • The following tasks, to enable Essbase to use Single Sign-On using MSAD Federation Services, must be performed in the order presented.

Part A - Launch Active Directory Federated Services (ADFS) and Download Federation Metadata XML

  1. Connect to the Microsoft Windows system running ADFS and start the ADFS management interface. This provides SSO access for client computers. After launching, return to the source system.
  2. From your Essbase local system, download the ADFS metadata, using the following sample link:
    https://<ADFS_hostname>/federationmetadata/2007-06/federationmetadata.xml
    This metadata is required for WebLogic integration with ADFS.
  3. Edit federationmetadata.xml and remove the following tags, as they're not recognized by WebLogic. Delete the complete tags including the child tags.
    • <ds:Signaturexmlns:ds="http://www.w3.org/2000/09/xmldsig#"> .......... </X509Data></KeyInfo></ds:Signature>
    • <RoleDescriptor xsi:type="fed:ApplicationServiceType" ........... </EndpointReference></fed:PassiveRequestorEndpoint></RoleDescriptor>
    • <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" ........... </EndpointReference></fed:PassiveRequestorEndpoint></RoleDescriptor>
    • <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> ........... </SPSSODescriptor>

Part B - Configure Service Provider (SP) SSO

  1. Enable SSL:
    1. In WebLogic Administration console, go to myrealm > Providers Summary of Environment > Summary of Servers > essbase_server1 (setting page for your Essbase server.)
    2. In Configuration tab > General tab, select SSL Listen Port Enabled check box.
    3. Specify an SSL Listen port.
    4. Click Save.
    5. Go to Protocols > HTTP tab and specify Front end host, HTTP port, and HTTPS port details.
    6. Save and activate the changes.
  2. Create an Identity Asserter:
    1. Go to Security Realms > myrealm > Providers.
    2. Select Lock and edit.
    3. Click New and create a new SAML2IdentityAsserter, such as saml_IA.
  3. Create a new Authentication Provider:
    1. Enter a new provider by entering provider name, such as saml_IA.
    2. Select new provider type, such as SAMLAuthenticator, and click OK.
    3. Click the newly created provider, and select Control Flag value to change it to SUFFICIENT.
    4. Save the changes.
  4. Under myrealm > Providers, reorder the providers. For example:
    Image of security authentication providers list

  5. Click All Changes to activate and restart WebLogic admin and managed servers.
  6. After WebLogic restarts, log in to WebLogic administration console, and go to Environment > Servers > essbase_server1 > Federation Services > SAML 2.0 Service Provider.
  7. Click Lock and Edit.
  8. Select Enabled.
  9. Specify the default URL as 
    https://<your-essbase-host>:<your Essbase SSL port>/essbase/jet/
    Ensure that Preferred Binding is set to POST, and click Save.
  10. Under Servers > essbase_server1 Federation Services > SAML 2.0 General, specify the following details.
    1. Contact person details. When adding in ADFS, it shouldn't conflict with other registrations.
    2. Published site URL should be 
      https://<Managed_server_host>:<Managed_Server_SSL_Port>/saml2
    3. Entity ID as <wls_sp_for_adfs_hostname>. Make sure to specify a unique name, when adding in ADFS, so it shouldn't conflict with other registrations.
  11. Click Activate changes.
  12. Click Publish Metadata and save the file it to a directory. You must register this file with ADFS. Copy the spd.xml file to the system where ADFS is located.
  13. To register ADFS in WebLogic Server, copy the file downloaded federationmetadata.xml (generated in STEP A) from ADFS machine to WebLogic Server machine. It must be accessible to WebLogic AdminServer, for example: /scratch/user/federationmetadata.xml.
  14. Go to Security Realms myrealm Providers > Authentication > saml_IA Management > New > New Web Single Sign-On Identity Provider Partner.
  15. Click WebSSO-IdP-Partner-0 and enter the following:
    1. Description: enter the same value as for name.
    2. Enter Redirect URIs:
      
/essbase/jet/*
/essbase/smartview
/essbase/smartview/*
/essbase/smartview*
/essbase/ui
  16. Edit ./Oracle/domains/esscs/bin/setDomainEnv.sh and add -DLOGOUT_URL to the JVM arg EXTRA_JAVA_PROPERTIES: EXTRA_JAVA_PROPERTIES="<Extra_Java_Properties> -DLOGOUT_URL=https://MSAD-Host/adfs/ls/?wa=wsignout1.0" export <Extra_Java_Properties>

    Caution:

    The Essbase platform includes scripts in <DOMAIN HOME>/bin that can customize the environment and behaviors of Essbase functionality. However, making changes to these domain environment or startup scripts can have unintended effects, including startup failure. Oracle recommends making changes in a test environment first. Before editing these scripts, always:

    1. Stop the Essbase managed servers, using <DOMAIN HOME>/esstools/bin/stop.sh (on Linux), or <Domain Home>\esstools\bin\stop.cmd (on Windows).

    2. In <DOMAIN HOME>/bin, make a backup copy of the file you want to edit. For example,

      On Linux

      cp setStartupEnv.sh setStartupEnv_bak.sh

      On Windows

      copy setStartupEnv.cmd setStartupEnv_bak.cmd

    3. Edit carefully, using only Oracle’s documented instructions, or working with Oracle Support.

    4. Restart Essbase, using <DOMAIN HOME>/esstools/bin/start.sh (on Linux), or <Domain Home>\esstools\bin\start.cmd (on Windows). Check that startup completed normally.

  17. Restart the WebLogic AdminServer and managed servers after activating the changes.

Part C - Configure ADFS IDP

  1. Go to the ADFS system where ADFS Management interface is running. Under Trust Relationships > Relying Party Trusts, right-click, and launch Add Relying Party Trust....
  2. Click Start.
  3. In the Import data about the relying party from a file option, browse to the Federation metadata file location spd.xml for download from WebLogic and click Next.
  4. Specify a display name and click Next.
  5. Select I do not want to configure multi-factor..., and click Next.
  6. Accept the default option, and click Next.
  7. Select Open the Edit Claim Rules dialog... check box.
  8. In Edit Claim Rules dialog, click Add Rule.
  9. Select rule template Send LDAP Attributes as Claims.
  10. Enter the following:
    1. Enter Claim rule name: Name.
    2. Select Attribute store: Active Directory.
    3. Under LDAP Attribute, select SAM-Account-Name.
    4. Under Outgoing Claim type, select Name ID.
  11. Click Finish.
  12. Similarly, add another rule, Claim rule name: GivenName; Attribute store: Active Directory; Under LDAP Attribute, select Given-Name; and under Outgoing Claim type, select Given Name; and click Finish.
  13. Click Apply in the Edit Claim Rules dialog, and close it.
  14. Double-click the newly added Relaying Party Trust, and go to Advanced tab. Select the Secure hash algorithm: SHA-1.
  15. Click Endpoints > Add SAML, and enter the details shown below.
    1. Endpoint type: SAML Logout
    2. Binding: POST
    3. Trusted URL: (in the format of:) https://host:port/adfs/ls/?wa=wsignout1.0
  16. Record the Entity ID you entered in Part B - Configure Service Provider (SP) SSO above, step 10c. Then open power shell and run the command: 
    set-AdfsRelyingPartyTrust -targetIdentifier <Entity ID> -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None

    The setup is now completed.

Part D - Test MSAD FS Single Sign-On

  1. Launch Essbase at the HTTPS URL, such as https://host:port/essbase/jet.
  2. You should see MSAD user at the top right corner of the Essbase user interface.

    Note:

    If, after logout, the browser session is closed (deleted), then restart the browser to log in as a different user.