Setting Up Oracle Single Sign-On

Set up Oracle Single Sign-On in the Identity Store Configuration page.

To set up Oracle Single Sign-On, first configure WebLogic Server using the instructions in Administering Security for Oracle WebLogic Server 12c (12.2.1). BI Publisher must be configured to use Oracle Internet Directory as the default LDAP server.

Note:

When using Oracle SSO, BI Publisher assumes that a login user name can be derived from Osso-User-Dn, which is an HTTP header value. For example, if the Osso-User-Dn HTTP header looks like this:

cn=admin,cn=users, dc=us,dc=oracle,dc=com

Then BI Publisher assumes that the value of the first cn= is the login user name (that is, "admin" in this case).

Therefore, if your Osso-User-Dn does not contain a login user name as the first cn value, select "Other SSO Type" to configure the settings (even if you use Oracle SSO).
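The rule in this note can be checked against the DNs in your directory before you choose the SSO type. The following Python sketch is an added example, not BI Publisher code: the function names are hypothetical, the case-insensitive comparison is an assumption, and every sample DN except the first is constructed.

```python
def split_rdns(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def login_from_osso_dn(dn):
    """Value of the first cn= RDN (the rule described above), or None."""
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().lower() == "cn":
            return value.strip()
    return None


def needs_other_sso_type(dn, expected_login):
    """True when the first cn value is not the account's login name.
    Comparing case-insensitively is an assumption of this example."""
    derived = login_from_osso_dn(dn)
    return derived is None or derived.lower() != expected_login.lower()


# (DN, real login name) pairs; only the first DN comes from the page.
SAMPLES = [
    ("cn=admin,cn=users, dc=us,dc=oracle,dc=com", "admin"),
    ("uid=jdoe,cn=users,dc=example,dc=com", "jdoe"),        # first cn is a container
    ("cn=Doe\\, Jane,cn=users,dc=example,dc=com", "jdoe"),  # cn is a display name
]

if __name__ == "__main__":
    for dn, login in SAMPLES:
        print(login_from_osso_dn(dn), needs_other_sso_type(dn, login))
```

In the second and third samples the derived name would be "users" and the display name respectively, which is the situation where "Other SSO Type" applies.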

Setup Procedure

You set up SSO in the mod_osso.conf file.

To set up SSO:

  1. Modify the application server configuration file to protect the xmlpserver. See Securing Applications with Oracle Platform Security Services.
  2. In the mod_osso.conf file, add a new "Location" directive as follows:
    # Protect xmlpserver
    <Location /xmlpserver>
      require valid-user
      AuthType Basic
    </Location>
    
  3. To allow Web service communication between BI Publisher and its client component (the Template Builder), you must make additional modifications to the mod_osso.conf file. Allow from All combined with Satisfy any lets requests to these locations through without SSO authentication. To open up the xmlpserver to allow these Web services, enter the following directives:
    <Location /xmlpserver/services/>
      require valid-user
      AuthType Basic
      Allow from All
      Satisfy any
    </Location>
    
    <Location /xmlpserver/report_service/>
      require valid-user
      AuthType Basic
      Allow from All
      Satisfy any
    </Location>
    
    <Location /xmlpserver/ReportTemplateService.xls/>
      require valid-user
      AuthType Basic
      Allow from All
      Satisfy any
    </Location>
    
  4. For integration with Oracle BI Presentation Services, you must disable SSO for Web services between the BI Presentation Services server and the BI Publisher server. If you made this entry when performing the previous step, then you do not need to repeat this setup.

    To open up the xmlpserver to allow the Web service, enter the following directive in the mod_osso.conf file:

    <Location /xmlpserver/services/>
      require valid-user
      AuthType Basic
      Allow from All
      Satisfy any
    </Location>
    

    A sample mod_osso.conf file with the entries discussed in this section is shown below:

    LoadModule osso_module libexec/mod_osso.so
     
     <IfModule mod_osso.c>
         OssoIpCheck off
         OssoIdleTimeout off
         OssoConfigFile /home/as1013/ohome/Apache/Apache/conf/osso/osso.conf

         <Location /xmlpserver>
           require valid-user
           AuthType Basic
         </Location>

         <Location /xmlpserver/services/>
           require valid-user
           AuthType Basic
           Allow from All
           Satisfy any
         </Location>

         <Location /xmlpserver/report_service/>
           require valid-user
           AuthType Basic
           Allow from All
           Satisfy any
         </Location>

         <Location /xmlpserver/ReportTemplateService.xls/>
           require valid-user
           AuthType Basic
           Allow from All
           Satisfy any
         </Location>

         <Location /xmlpserver/Guest/>
           require valid-user
           AuthType Basic
           Allow from All
           Satisfy any
         </Location>
     #
     # Insert Protected Resources: (see Notes below for how to protect resources)
     #
     
     
     #______-
     #
     # Notes
     #
     #______-
     #
     # 1. Here's what you need to add to protect a resource,
     #    e.g. <ApacheServerRoot>/htdocs/private:
     #
     #      <Location /private>
     #      require valid-user
     #      AuthType Basic
     #      </Location>
     #
     </IfModule>
     
     #
     # If you would like to have short hostnames redirected to
     # fully qualified hostnames to allow clients that need 
     # authentication through mod_osso to be able to enter short
     # hostnames into their browsers uncomment out the following
     # lines
     #
     #PerlModule Apache::ShortHostnameRedirect
     #PerlHeaderParserHandler Apache::ShortHostnameRedirect
    
  5. Restart the HTTP server.
  6. In BI Publisher, set up the Single Sign-Off URL on the BI Publisher Security Configuration page.

    On the Administration page, click Security Configuration. In the Authentication region:

  7. Create a BI Publisher Local Superuser to ensure access to BI Publisher regardless of your selected security configuration. See Enabling a Local Superuser for more information.
  8. Click Apply.
  9. Restart the application through the Oracle Fusion Middleware Control page.
  10. Enter the URL to access the BI Publisher Enterprise application, and you are redirected to the SSO login page.
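After editing mod_osso.conf and before restarting the HTTP server, it is worth confirming which locations remain behind SSO and which have been opened up. The following Python sketch is an added example, not an Oracle tool: the function name and the sample text are constructed for illustration, and the sample deliberately includes one Location line whose opening "<" is missing so the audit can report it.

```python
import re

# Constructed sample using the directives shown in this section.
SAMPLE_CONF = """\
<Location /xmlpserver>
  require valid-user
  AuthType Basic
</Location>
<Location /xmlpserver/services/>
  require valid-user
  AuthType Basic
  Allow from All
  Satisfy any
</Location>
Location /xmlpserver/ReportTemplateService.xls/>
  require valid-user
  AuthType Basic
  Allow from All
  Satisfy any
</Location>
"""

def audit_locations(conf_text):
    """Return (protected, open_paths, malformed) for the <Location> blocks."""
    protected, open_paths, malformed = [], [], []
    path, directives = None, set()
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.fullmatch(r"<Location\s+(\S+)\s*>", line, re.I)
        if opened:
            path, directives = opened.group(1), set()
        elif re.fullmatch(r"</Location\s*>", line, re.I):
            if path is None:
                malformed.append((lineno, line))  # close without a valid open
                continue
            # Satisfy any + Allow from All: the host check alone admits the request
            bypass = {"satisfy any", "allow from all"} <= directives
            (open_paths if bypass else protected).append(path)
            path = None
        elif path is not None:
            directives.add(" ".join(line.lower().split()))
        elif re.match(r"Location\s", line, re.I):
            malformed.append((lineno, line))  # opening tag missing '<'
    return protected, open_paths, malformed
```

Calling audit_locations() on the text of your own mod_osso.conf gives the list of paths that are reachable without an SSO login, which should match exactly the Web service locations you intended to open.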