Single Sign-On Using Oracle Access Management Identity Federation Services

You can enable Essbase On-Premise to use single sign-on (SSO) through Oracle Access Management Identity Federation Services (FS). This topic describes how to configure Oracle Access Management Identity Federation as the Identity Provider (IDP) and the WebLogic server that hosts Essbase as the Service Provider (SP).

  • You must have an Oracle Access Manager (OAM) environment with Federation Services enabled, with OAM integrated with an LDAP directory such as OUD, OID, or AD. In this procedure, OID is the directory integrated with OAM.
  • You must have Essbase installed.
  • The following tasks enable Essbase to use single sign-on through Oracle Access Management Identity Federation Services. Perform them in the order presented.

PART A - Obtain the IDP metadata for SP configuration

  1. Log in to the OAM console and navigate to Configuration > Available Services.
  2. Confirm that Identity Federation is enabled, or enable it.
  3. Go to Configuration > Settings > View > Federation.
  4. Click Export SAML 2.0 Metadata to download IDP metadata.
  5. Save the metadata file as oam_fed_idp_metadata.xml; you use it to register OAM as the IDP in WebLogic.
  6. Edit oam_fed_idp_metadata.xml, remove the entire <md:RoleDescriptor ...> ... </md:RoleDescriptor> element (the WS-Federation role that OAM exports alongside the SAML IDP role), and save the file. WebLogic does not support this element and rejects metadata that contains it.
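Editing the exported file by hand is error-prone, so here is an added example (not part of the Oracle documentation) that removes every <md:RoleDescriptor> element from an OAM export and then checks that an <md:IDPSSODescriptor> with its SingleSignOnService endpoints survives, which is what WebLogic actually needs from the file. The embedded metadata is a constructed sample in the shape of an OAM export; its entityID and URLs are placeholders, not values from a real environment.

```python
# Added example, not from the Oracle documentation: strip the <md:RoleDescriptor>
# element that WebLogic rejects from an OAM-exported SAML 2.0 IdP metadata file,
# then summarise what is left before registering it as an IdP partner.
import sys
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
ET.register_namespace("md", MD)

# Constructed sample in the shape of an OAM export; entityID and URLs are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://oam.example.com/oam/fed">
  <md:RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint/>
  </md:RoleDescriptor>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://oam.example.com/oamfed/idp/samlv20"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://oam.example.com/oamfed/idp/samlv20"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def strip_role_descriptors(xml_text):
    """Remove every md:RoleDescriptor child of the EntityDescriptor.
    Returns (cleaned XML as a string, number of elements removed)."""
    root = ET.fromstring(xml_text)
    role_descriptors = root.findall("md:RoleDescriptor", NS)
    for element in role_descriptors:
        root.remove(element)
    return ET.tostring(root, encoding="unicode"), len(role_descriptors)


def idp_summary(xml_text):
    """Check that the file is still usable SAML 2.0 IdP metadata and report the
    entityID, NameID formats and SingleSignOnService endpoints WebLogic will use."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor: this is not usable IdP metadata")
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        # keep only the short binding name, e.g. HTTP-POST or HTTP-Redirect
        endpoints[sso.get("Binding").rsplit(":", 1)[-1]] = sso.get("Location")
    return {
        "entity_id": root.get("entityID"),
        "role_descriptors_left": len(root.findall("md:RoleDescriptor", NS)),
        "name_id_formats": [e.text for e in idp.findall("md:NameIDFormat", NS)],
        "sso_endpoints": endpoints,
    }


if __name__ == "__main__":
    # usage: python strip_role_descriptor.py [exported.xml] [oam_fed_idp_metadata.xml]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            source = fh.read()
    else:
        source = SAMPLE_IDP_METADATA
    cleaned, removed = strip_role_descriptors(source)
    summary = idp_summary(cleaned)
    out_path = sys.argv[2] if len(sys.argv) > 2 else "oam_fed_idp_metadata.xml"
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>\n' + cleaned + "\n")
    print(f"removed {removed} RoleDescriptor element(s); entityID={summary['entity_id']}")
    for binding, url in summary["sso_endpoints"].items():
        print(f"  SingleSignOnService {binding}: {url}")
```

Run it against the file downloaded in step 4 and register the file it writes; if it raises because no IDPSSODescriptor is present, the export came from the wrong place (for example the SP tab instead of the IDP tab) and must be repeated.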

PART B - Configure WebLogic service provider (SP)

  1. Enable SSL.
    1. In the WebLogic console, under Domain Structure, go to Environment > Servers > essbase_server1 > Configuration > General. Select the Listen Port Enabled check box and provide a port number for the managed server.
    2. Enable SSL for the HTTP protocol on the managed server: go to Environment > Servers > essbase_server1 > Protocols > HTTP, select the SSL Listen Port Enabled check box, and provide a port number.
    3. Go to Security Realms > myrealm > Configuration > General and set the Security Model to Advanced.
  2. Create an Identity Asserter using WebLogic Admin console.
    1. Log in to WebLogic console.
    2. Go to Home > Summary of Security realms > myrealm > Providers.
    3. Click Create a New Authentication Provider.
    4. Click OK.
    5. Enter the provider name as SAML-IA and select type SAML2IdentityAsserter.
    6. Click OK.
  3. Create a new SAMLAuthenticator provider.
    1. Go to: Home > Summary of Security realms > myrealm > Providers.
    2. Click Create a New Authentication Provider.
    3. Click OK.
    4. Enter the provider name as SAML-auth and select type SAMLAuthenticator.
    5. Click OK.
  4. Set the Control Flag of the SAML-auth authenticator created in the previous step to SUFFICIENT.
    1. Go to: Home > Summary of Security realms > myrealm > Providers > SAML-auth.
    2. Under Configuration > Common, set the Control Flag to SUFFICIENT.
    3. Click Save.
  5. Create a new oid-auth provider.
    1. Go to: Home > Summary of Security realms > myrealm > Providers.
    2. Click Create a New Authentication Provider.
    3. Click OK.
    4. Enter the provider name as oid-auth and select type OracleInternetDirectoryAuthenticator.
    5. Click OK.
    6. Change the Control Flag of the oid-auth provider to SUFFICIENT and click Save. If the DefaultAuthenticator (embedded LDAP) is still at its default of REQUIRED, set it to SUFFICIENT as well: a REQUIRED provider must succeed for every login, so OID users who do not exist in the embedded LDAP would otherwise be rejected.
  6. Select the Provider Specific tab and enter your OID server details. Take the OID server details from the OAM console, User Identity Store section.
    1. In the OAM console, go to Configuration > User Identity Store and click the OID store.
    2. In the Provider Specific section of the oid-auth provider, update the following sections with the corresponding values.
      • Connection section:
        • Host: hostname of the OID server
        • Principal: cn=orcladmin,cn=users,dc=us,dc=oracle,dc=com (the example uses the OID superuser; a dedicated read-only bind account with search rights on the user and group trees is preferable, because WebLogic stores this credential in its configuration)
        • Credential / Confirm Credential: the password of the bind principal
      • Users: User Base DN: cn=users,dc=us,dc=oracle,dc=com
      • Groups: Group Base DN: cn=groups,dc=us,dc=oracle,dc=com
      • Use Retrieved User Name as Principal: selected
    3. Accept the default values for the other fields and save all changes.
  7. Enable Federation for managed server.
    1. Go to Home > Environment > Servers > essbase_server1 > Configuration > Federation Services.
    2. In the SAML 2.0 Service Provider tab, select the Enabled option and provide the Default URL as
      https://Essbase-Host:Essbase-Managed-Server-SSL-Port/essbase/jet
      Accept the defaults for the remaining fields and save.
    3. Obtain the SP metadata for the IDP configuration: in the SAML 2.0 General tab, provide the values for your site (at minimum the Published Site URL, which must be the https URL of the managed server, and the Entity ID) and save.
    4. Once the changes are saved, export the SP metadata into an XML file, such as sp_metadata.xml.
    5. Click Publish Meta Data.
  8. Create the IDP partner in WebLogic using the oam_fed_idp_metadata.xml file copied from the OAM host.
    1. Go to Security Realms > myrealm > Providers > Authentication > SAML-IA > Management > New > New Web Single Sign-On Identity Provider Partner and enter a name, such as WebSSO-IdP-Partner-oam.
    2. Select the oam_fed_idp_metadata.xml file and click OK.
    3. To enable the IDP partner, click WebSSO-IdP-Partner-oam, select the Enabled check box, and add the Redirect URIs for the Essbase paths that must be protected by SAML login.
  9. Register the WebLogic SP as a partner in the OAM console.
    1. Go to Federation > Identity Provider Management.
    2. Click Create Service Provider Partner.
    3. Enter the name.
    4. Ensure Enable Partner is selected.
    5. Accept SAML 2.0 as the protocol (default).
    6. Select the metadata file exported from WebLogic (the SP), such as sp_metadata.xml.
    7. In NameID Format Settings:
      • Select Unspecified as the NameID format.
      • Select User ID Store Attribute as the NameID value.
      • Enter the attribute of the LDAP user record that contains the user's identifier. With Oracle Internet Directory as the user data store, the attribute is uid.
      The value OAM places in the NameID becomes the WebLogic principal name, so it must be the same attribute by which the oid-auth provider looks users up; otherwise the SAML assertion is accepted but group lookup and role assignment apply to a different name.

PART C - Assign roles

After OID integration, embedded LDAP users, such as weblogic, can no longer log in to the Essbase web interface; only REST and MaxL operations are allowed for them. Use the embedded LDAP admin user to assign Essbase roles to OID users through REST. OID users can log in to Essbase only after a role has been assigned to them.

Once a role is assigned to at least one OID user (an administrator), that OID user can log in to Essbase and assign roles to other users directly through the interface.

REST-based assignment example. Run it as the embedded LDAP admin; leaving the password out of -u makes curl prompt for it instead of recording it in the shell history and exposing it in the process list:

  curl -X PUT -u weblogic \
    "https://Essbase-Host:Essbase-Managed-Server-SSL-Port/essbase/rest/v1/permissions/user1" \
    -H "accept: application/json" -H "Content-Type: application/json" \
    -d "{ \"id\": \"user1\", \"name\": \"user1\", \"role\": \"service_administrator\", \"group\": false}"

The links array that the Swagger sample body contains is a placeholder and can be omitted. Use the SSL listen port, since Basic authentication sends the admin credentials in the request; add --insecure only while the WebLogic certificate is not yet trusted by curl, because it disables certificate verification entirely.
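When more than one or two OID users need bootstrapping, a small script is safer than repeating the curl command. The following is an added example, not tooling from the Oracle documentation or the Essbase product: it sends the same PUT to /essbase/rest/v1/permissions/{user} for a list of user/role pairs, reads the admin password from the environment rather than the command line, and verifies the WebLogic certificate against a CA bundle instead of disabling TLS checks. Host names, port, user names and the ESSBASE_* environment variable names are placeholders chosen for the example; service_administrator is the only role value taken from the page.

```python
# Added example, not part of the Oracle documentation or the Essbase product:
# bootstrap Essbase roles for OID users through the REST endpoint shown above.
# The admin password comes from ESSBASE_ADMIN_PASSWORD, not the command line,
# and TLS is verified against a CA bundle instead of being disabled.
import base64
import json
import os
import ssl
import sys
import urllib.parse
import urllib.request
from urllib.error import HTTPError

PERMISSIONS_PATH = "/essbase/rest/v1/permissions/"


def build_permission_request(base_url, user, role, admin_user, admin_password):
    """Build the PUT that assigns `role` to `user`: same body as the curl example,
    minus the placeholder `links` array, with HTTP Basic auth for the admin."""
    body = json.dumps({"id": user, "name": user, "role": role, "group": False}).encode()
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    url = base_url.rstrip("/") + PERMISSIONS_PATH + urllib.parse.quote(user, safe="")
    return urllib.request.Request(
        url,
        data=body,
        method="PUT",
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": "Basic " + token,
        },
    )


def make_opener(cafile=None):
    """HTTPS opener that verifies the WebLogic certificate. Pass the PEM file of
    the CA that signed it if that CA is not in the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def assign_roles(base_url, assignments, admin_user, admin_password, opener=None):
    """PUT each (user, role) pair and return {user: HTTP status}. `opener` is
    injectable so the request construction can be checked without a live server."""
    opener = opener or make_opener()
    results = {}
    for user, role in assignments:
        req = build_permission_request(base_url, user, role, admin_user, admin_password)
        try:
            with opener.open(req, timeout=30) as resp:
                results[user] = resp.status
        except HTTPError as err:  # 4xx/5xx: record the code and continue with the rest
            results[user] = err.code
    return results


if __name__ == "__main__":
    # usage: ESSBASE_ADMIN_PASSWORD=... python assign_roles.py https://host:sslport user1=service_administrator ...
    if len(sys.argv) < 3 or "ESSBASE_ADMIN_PASSWORD" not in os.environ:
        sys.exit("usage: ESSBASE_ADMIN_PASSWORD=<pw> assign_roles.py <base-url> <user>=<role> ...")
    pairs = [arg.split("=", 1) for arg in sys.argv[2:]]
    status = assign_roles(
        sys.argv[1],
        pairs,
        os.environ.get("ESSBASE_ADMIN_USER", "weblogic"),
        os.environ["ESSBASE_ADMIN_PASSWORD"],
        opener=make_opener(os.environ.get("ESSBASE_CA_FILE")),
    )
    for user, code in status.items():
        print(f"{user}: HTTP {code}")
```

A non-2xx status for a user usually means the name does not match the NameID/uid that OAM will assert, so check the value against the OID user record before retrying.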

PART D - Test OAM FS Single Sign-On

In a browser, open
https://<essbase_vm>:<sslportno>/essbase/jet
The request is redirected to the OAM Federation login page. After you authenticate there, OAM returns a SAML assertion to WebLogic, which asserts the OID identity and opens the Essbase interface with the roles assigned in Part C.

Note:

Logging out of Essbase does not necessarily end the OAM session. If a logout does not complete, close the browser to discard the session cookies.