Configuring SSO in an Oracle Access Manager Environment

Configure Oracle Access Manager as the SSO authentication provider for Oracle Fusion Middleware with WebLogic Server.

For more information, see Securing Applications with Oracle Platform Security Services. For more information about managing Oracle Access Manager, see Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

After the Oracle Fusion Middleware environment is configured, the following tasks, each described in its own section below, must in general be done to configure BI Publisher:

Configuring a New Authenticator for Oracle WebLogic Server

After installing BI Publisher, the Oracle WebLogic Server embedded LDAP server is the default authentication source (identity store). To use a new identity store (for example, OID) as the main authentication source, you must configure the Oracle WebLogic Server domain in which BI Publisher is installed.

For more information about configuring authentication providers in Oracle WebLogic Server, see Administering Security for Oracle WebLogic Server 12c (12.2.1).

To configure a new authenticator in Oracle WebLogic Server:

  1. Log in to Oracle WebLogic Server Administration Console and click Lock & Edit in the Change Center.

  2. Select Security Realms from the left pane and click myrealm.

    The default Security Realm is named myrealm.

  3. Display the Providers tab, then display the Authentication sub-tab.

  4. Click New to launch the Create a New Authentication Provider page.

    Complete the fields as follows:

    • Name: OID Provider, or a name of your choosing.

    • Type: OracleInternetDirectoryAuthenticator

    • Click OK to save the changes and display the authentication providers list updated with the new authentication provider.

  5. Click the newly added authenticator in the authentication providers table.

  6. Navigate to Settings, then select the Configuration\Common tab:

    • Select SUFFICIENT from the Control Flag list.

    • Click Save.

  7. Display the Provider Specific tab and specify the following settings using appropriate values for your environment:


    The settings are grouped by section name, then field name, with a description of each field:

    Connection section:

    • Host: The LDAP host name. For example, <localhost>.

    • Port: The LDAP host listening port number. For example, 6050.

    • Principal: The distinguished name (DN) of the user that connects to the LDAP server. For example, cn=orcladmin.

    • Credential: The password for the LDAP administrative user entered as the Principal.

    Users section:

    • User Base DN: The base distinguished name (DN) of the LDAP server tree that contains users. For example, use the same value as in Oracle Access Manager.

    • All Users Filter: The LDAP search filter. For example, (&(uid=*)(objectclass=person)). The asterisk (*) filters for all users. Click More Info... for details.

    • User From Name Filter: The LDAP search filter. Click More Info... for details.

    • User Name Attribute: The attribute that you want to use to authenticate (for example, cn, uid, or mail). Set as the default attribute for user name in the directory server. For example, uid.

      Note: The value that you specify here must match the User Name Attribute that you are using in the authentication provider.

    Groups section:

    • Group Base DN: The base distinguished name (DN) of the LDAP server tree that contains groups (same as User Base DN).

    General section:

    • GUID attribute: The attribute used to define object GUIDs in LDAP: orclguid.



  8. Click Save.

  9. Perform the following steps to set up the default authenticator for use with the Identity Asserter:

    1. At the main Settings for myrealm page, display the Providers tab, then display the Authentication sub-tab, and then select DefaultAuthenticator to display its configuration page.

    2. Display the Configuration\Common tab and select SUFFICIENT from the Control Flag list.

    3. Click Save.

  10. Perform the following steps to reorder Providers:

    1. Display the Providers tab.

    2. Click Reorder to display the Reorder Authentication Providers page.

    3. Select a provider name and use the arrow buttons to order the list of providers as follows:

      • OID Authenticator (SUFFICIENT)

      • OAM Identity Asserter (REQUIRED)

      • Default Authenticator (SUFFICIENT)

    4. Click OK to save your changes.

  11. In the Change Center, click Activate Changes.

  12. Restart Oracle WebLogic Server.

Configuring OAM as a New Identity Asserter for Oracle WebLogic Server

The Oracle WebLogic Server domain in which BI Publisher is installed must be configured to use an Oracle Access Manager asserter.

For more information about creating a new asserter in Oracle WebLogic Server, see Oracle WebLogic Server Administration Console Online Help.

To configure Oracle Access Manager as the new asserter for Oracle WebLogic Server:

  1. Log in to Oracle WebLogic Server Administration Console.

  2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, myrealm. Select Providers.

  3. Click New. Complete the fields as follows:

    • Name: OAM Provider, or a name of your choosing.

    • Type: OAMIdentityAsserter.

  4. Click OK.

  5. Click Save.

  6. In the Providers tab, perform the following steps to reorder Providers:

    1. Click Reorder.

    2. In the Reorder Authentication Providers page, select a provider name, and use the arrows beside the list to order the providers as follows:

      • OID Authenticator (SUFFICIENT)

      • OAM Identity Asserter (REQUIRED)

      • Default Authenticator (SUFFICIENT)

    3. Click OK to save your changes.

  7. In the Change Center, click Activate Changes.

  8. Restart Oracle WebLogic Server.

    You can verify that Oracle Internet Directory is the new identity store (default authenticator) by logging back into Oracle WebLogic Server and verifying the users and groups stored in the LDAP server appear in the console.

  9. Use Fusion Middleware Control to enable SSO authentication.
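The two console procedures above (creating the OID authenticator with its provider-specific settings, creating the OAM identity asserter, setting the control flags, and reordering the chain) can be scripted with WLST. The following script is an added example and is not part of the Oracle documentation; the Admin Server URL, credentials, host names and base DNs in angle brackets are placeholders, and the User From Name Filter value is an assumed value, not one the page specifies.

```wlst
# Added example (not from the Oracle documentation): WLST equivalent of the console steps.
# Values in angle brackets are placeholders for your environment.
import jarray
from weblogic.management.security.authentication import AuthenticationProviderMBean

ADMIN_URL = 't3://<admin-host>:7001'   # assumed Admin Server listen address
OID_TYPE  = 'weblogic.security.providers.authentication.OracleInternetDirectoryAuthenticator'
OAM_TYPE  = 'oracle.security.wls.oam.providers.asserter.OAMIdentityAsserter'

connect('<weblogic-admin>', '<weblogic-admin-password>', ADMIN_URL)
edit()
startEdit()                                                  # Lock & Edit
realm = cmo.getSecurityConfiguration().getDefaultRealm()     # myrealm

# Steps 4-7 of the first procedure: OID authenticator, SUFFICIENT, LDAP settings
oid = realm.createAuthenticationProvider('OID Provider', OID_TYPE)
oid.setControlFlag('SUFFICIENT')
oid.setHost('<oid-host>')
oid.setPort(6050)
oid.setPrincipal('cn=orcladmin')
oid.setCredential('<oid-admin-password>')
oid.setUserBaseDN('<user base DN, same as in Oracle Access Manager>')
oid.setAllUsersFilter('(&(uid=*)(objectclass=person))')
oid.setUserFromNameFilter('(&(uid=%u)(objectclass=person))')   # assumed value
oid.setUserNameAttribute('uid')
oid.setGroupBaseDN('<group base DN, same as User Base DN>')
oid.setGuidAttribute('orclguid')

# Second procedure: OAM identity asserter, REQUIRED
oam = realm.createAuthenticationProvider('OAM Provider', OAM_TYPE)
oam.setControlFlag('REQUIRED')

# Step 9: the embedded-LDAP DefaultAuthenticator must be SUFFICIENT, not REQUIRED;
# left at REQUIRED it would fail every login for users that exist only in OID
dflt = realm.lookupAuthenticationProvider('DefaultAuthenticator')
dflt.setControlFlag('SUFFICIENT')

# Step 10: order the chain OID -> OAM asserter -> Default (takes a Java array)
realm.setAuthenticationProviders(jarray.array([oid, oam, dflt], AuthenticationProviderMBean))

save()
activate(block='true')                                       # Activate Changes

# Check before restarting the server: the chain and control flags as activated
for p in realm.getAuthenticationProviders():
    print p.getName(), p.getControlFlag()
disconnect()
```

Run it with wlst.sh (or wlst.cmd) from the domain's Oracle home, then restart Oracle WebLogic Server as in the last step of each procedure.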

Configuring BI Publisher for Oracle Fusion Middleware Security

After Oracle WebLogic Server has been configured, navigate to the BI Publisher Administration Security Configuration page. In the Authorization region, select Oracle Fusion Middleware as the Security Model.