Configure SSO in an Oracle Access Manager Environment

Review the overview about how to configure SSO in an Oracle Access Manager environment, and these additional references.

After the Oracle Fusion Middleware environment is configured, you must do the following to configure Oracle Analytics Server:

Configure an OID Authenticator for Oracle WebLogic Server

After installing Oracle Analytics Server, the Oracle WebLogic Server embedded LDAP server is the default authentication source (identity store).

To use a new identity store such as Oracle Internet Directory (OID) as the main authentication source, you must configure the Oracle WebLogic Server domain where Oracle Analytics Server is installed.

For the field details to complete the Provider Specific tab, see Authentication Provider Specific Reference.

  1. Click the newly added authenticator in the authentication providers table.
  2. Navigate to Settings, then select the Configuration\Common tab:
    • Select SUFFICIENT from the Control Flag list.
    • Click Save.
  3. Display the Provider Specific tab and specify the following settings using appropriate values for your environment:
  4. Click Save.
  5. Perform the following steps to set up the default authenticator for use with the Identity Asserter:
    1. At the main Settings for myrealm page, display the Providers tab, then display the Authentication tab, then select DefaultAuthenticator to display its configuration page.
    2. Display the Configuration\Common tab and, from the Control Flag list, select SUFFICIENT.
    3. Click Save.
  6. Perform the following steps to reorder providers:
    1. Display the Providers tab.
    2. Click Reorder to display the Reorder Authentication Providers page.
    3. Select a provider name and use the arrow buttons to order the list of providers as follows:
      • OID Authenticator (SUFFICIENT)
      • OAM Identity Asserter (REQUIRED)
      • Default Authenticator (SUFFICIENT)
    4. Click OK to save your changes.
  7. In the Change Center, click Activate Changes.
  8. Restart Oracle WebLogic Server.

Authentication Provider Source Reference

This table provides a reference for adding an authentication provider.

| Section Name | Field Name | Description |
|---|---|---|
| Connection | Host | The LDAP host name. For example, <localhost>. |
| Connection | Port | The LDAP host listening port number. For example, 6050. |
| Connection | Principal | The distinguished name (DN) of the user that connects to the LDAP server. For example, cn=orcladmin. |
| Connection | Credential | The password for the LDAP administrative user entered as the Principal. |
| Users | User Base DN | The base distinguished name (DN) of the LDAP server tree that contains users. For example, use the same value as in Oracle Access Manager. |
| Users | All Users Filter | The LDAP search filter. For example, (&(uid=*) (objectclass=person)). The asterisk (*) filters for all users. Click More Info... for details. |
| Users | User From Name Filter | The LDAP search filter. Click More Info... for details. |
| Users | User Name Attribute | The attribute that you want to use to authenticate, for example, cn, uid, or mail. Set as the default attribute for user name in the directory server. For example, uid. The value that you specify here must match the User Name Attribute that you are using in the authentication provider. |
| Groups | Group Base DN | The base distinguished name (DN) of the LDAP server tree that contains groups (same as User Base DN). |
| General | GUID attribute | The attribute used to define object GUIDs in LDAP. The default is orclguid. You should not change this default value; in most cases the default value here is sufficient. |

Configure Oracle Access Manager as a New Identity Asserter for Oracle WebLogic Server

The Oracle WebLogic Server domain in which Oracle Analytics Server is installed must be configured to use an Oracle Access Manager asserter.

  1. Log in to Oracle WebLogic Server Administration Console.

  2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring, for example, myrealm.

  3. Select Providers.

  4. Click New. Complete the fields as follows:
    • Name: OAM Provider, or a name of your choosing.
    • Type: OAMIdentityAsserter.
  5. Click OK.
  6. Click Save.
  7. In the Providers tab, perform the following steps to reorder Providers:
    1. Click Reorder.
    2. In the Reorder Authentication Providers page, select a provider name, and reorder the list of providers as follows:
      • OID Authenticator (SUFFICIENT)
      • OAM Identity Asserter (REQUIRED)
      • Default Authenticator (SUFFICIENT)
    3. Click OK to save your changes.
  8. In the Change Center, click Activate Changes.
  9. Restart Oracle WebLogic Server.

    You can verify that Oracle Internet Directory is the new identity store (default authenticator) by logging back into Oracle WebLogic Server and verifying that the users and groups stored in the LDAP server appear in the console.

  10. Enable SSO authentication.
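The provider order and control flags that both procedures above end with can be checked offline against the domain's config.xml after the changes are activated. This is an added example, not Oracle's code: the function names are hypothetical, and the xsi:type suffixes, the reading of a missing control-flag element as REQUIRED, and the sample document are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Documented order and flags, keyed by the xsi:type suffix assumed in config.xml.
EXPECTED = {
    "oracle-internet-directory-authenticatorType": "SUFFICIENT",
    "oam-identity-asserterType": "REQUIRED",
    "default-authenticatorType": "SUFFICIENT",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix

def kids(elem):
    return {local(c.tag): (c.text or "").strip() for c in elem}  # child tag -> text

def read_providers(config_xml, realm="myrealm"):
    """Return [(type, name, control_flag)] for the realm, in configured order."""
    out = []
    for r in ET.fromstring(config_xml).iter():
        if local(r.tag) == "realm" and kids(r).get("name") == realm:
            for p in (c for c in r if local(c.tag) == "authentication-provider"):
                # Assumption: an unset flag is absent from the file and means REQUIRED.
                out.append((p.get(XSI_TYPE, "").split(":")[-1],
                            kids(p).get("name", ""), kids(p).get("control-flag", "REQUIRED")))
    return out

def audit(config_xml, realm="myrealm"):
    """Return deviations from the documented setup; an empty list means none."""
    found = [p for p in read_providers(config_xml, realm) if p[0] in EXPECTED]
    seen = [t for t, _, _ in found]
    issues = ["missing provider: " + t for t in EXPECTED if t not in seen]
    issues += ["%s: control flag %s, expected %s" % (n, f, EXPECTED[t])
               for t, n, f in found if f != EXPECTED[t]]
    if seen != [t for t in EXPECTED if t in seen]:
        issues.append("provider order: " + " > ".join(n for _, n, _ in found))
    return issues

def sample(providers):
    """Build a constructed, simplified stand-in for config.xml (not a real file)."""
    item = ('<sec:authentication-provider xsi:type="%s"><sec:name>%s</sec:name>'
            '<sec:control-flag>%s</sec:control-flag></sec:authentication-provider>')
    return ('<domain xmlns:sec="http://xmlns.oracle.com/weblogic/security" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><realm>%s'
            '<sec:name>myrealm</sec:name></realm></domain>' % "".join(item % p for p in providers))

# Constructed input: providers added, DefaultAuthenticator not yet changed or moved.
print(audit(sample([("wls:oracle-internet-directory-authenticatorType", "OIDAuthenticator", "SUFFICIENT"),
                    ("wls:default-authenticatorType", "DefaultAuthenticator", "REQUIRED"),
                    ("ext:oam-identity-asserterType", "OAM Provider", "REQUIRED")])))
```

On a real domain, pass the text of the domain's config.xml to audit() and adjust EXPECTED if the provider type suffixes in that file differ.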
