Configure Custom SSO Environments

You can use any Weblogic Identity Asserter combined with a supported Weblogic Authenticator to customize SSO for Oracle Analytics Server.

Custom SSO should be based on the development of a custom Weblogic Asserter. See How to Develop a Custom Identity Assertion Provider. The Weblogic Asserter should be paired with a BI-certified Weblogic Authenticator. See Certification - Identity Servers and Access.

In a typical custom SSO configuration, you include a web tier in front of Oracle Analytics Server to protect Oracle Analytics Server's endpoints. This configuration causes a user to authenticate and interact with an identity provider. After authentication, the web tier sends a token to Oracle Analytics Server that the Weblogic Asserter recognizes and processes.

There are many types of SSO tokens, but a basic implementation of a Weblogic Asserter recognizes a particular HTTP header or cookie (the token) that contains the authenticated user's UserID.  The Weblogic Asserter retrieves the UserID from the token and passes it to the chain of Weblogic Authenticators.  After this point, the authentication is the same as regular SSO.

Oracle Analytics Server's support for custom SSO starts where a custom asserter is working correctly to pass the authenticated user's UserID to the Weblogic chain of Oracle Analytics-certified authenticators.

Kerberos and SAML2 WebSSO Support

To configure a fully supported integration of Oracle Analytics Server using Kerberos and SAML2 WebSSO, you can use Oracle Access Manager in front of Oracle Analytics Server. The appropriate Oracle Access Manager license is required for this configuration.

Alternatively, you can use open source components for Kerberos and SAML2 WebSSO. A reference implementation for custom Kerberos and SAML2 WebSSO using open source components is provided.

See SAML 2.0 and Kerberos Single Sign-On Configuration for Oracle Analytics Server.