Single sign-on (SSO) is a method of access control that enables a user to log in once and gain access to the resources of multiple software systems without being prompted to log in again.
TECHNICAL FACTORS AFFECTING SSO
Server Variable Method
• Passed from server to server via pre-defined protocols
• Sending server determines protocol
• Receiving OBI server only knows it's a server variable.
• No configuration on OBI server regarding protocol. OBI knows to decode the input stream based on a limited number of server variable protocols, and does so automatically.
• Most common example:
Windows => IIS
• Secure
Cookie Method
• A cookie is a file set on the client's machine containing the variable information.
• It is also considered to be a secure method provided it's a session cookie.
Header Method
• A header variable is passed as part of a web request.
• Headers are a known security risk
• Hackers intercept, modify and forward
• Microsoft and others have applied code to prevent the interception and altering of headers
• Consequently the header method is difficult to implement
• Custom code “thread safe”?
• Advantages? / Security?
SETTING UP OBIEE FOR SSO - ADD IMPERSONATOR USER - STEP 1
OBIEE can be set up to use single sign-on so users are not prompted for their username or password. Instead, the web server will use the individual's username and password utilized to log in to the machine.
In our class, we will leverage IIS 6.0 as the web server. IIS will authenticate the user and pass the username to the Oracle BI Presentation server for authorization. Oracle BI Presentation Services must first be configured to use the impersonatoradmin user so that it can establish a connection to the Oracle BI Server on behalf of the authenticated end user that issued a request to Oracle BI.
1. Login to the Administration tool and add the following user:
username = impersonatoradmin
password = impersonate
2. Add the impersonatoradmin user to the ‘Administrators’ repository group.
Make sure you find out if there’s a minimum password length that has been set up in the NQSConfig.ini file. Unfortunately, if your password does not meet the minimum length you will not see the error until deep into your troubleshooting! In class, there’s NO minimum password length.
SSO INSTANCECONFIG.XML - STEP 4
1. Oracle BI Presentation Services must be instructed on how to build the SSO connection string. This is done by setting param name attributes for each of the parameters that need to be passed in the connection string in the instanceconfig.xml configuration file. Add the following SSO block to the instanceconfig.xml file:

    <Auth>
      <SSO enabled="true">
        <ParamList>
          <Param name="IMPERSONATE" source="serverVariable" nameInSource="REMOTE_USER" stripWindowsDomain="true"/>
        </ParamList>
      </SSO>
    </Auth>

2. In addition, the Presentation Service needs to authenticate with the BI Server, so we add the following entry. The configuration of the credentialstore.xml file will be completed in Step 6:

    <CredentialStore>
      <CredentialStorage type="file" path="c:\OracleBIData\web\config\credentialstore.xml"/>
    </CredentialStore>
STEP 5
3. The bolded text from steps 1 & 2 has been placed in the file (c:\OBIEE Files\Lessons\Day 1\Lesson 5\Excr 5 – SSO InstanceConfig Changes.txt) and should be copied into the instanceconfig.xml file as indicated below.
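A check that can be run over the edited instanceconfig.xml before restarting the services, added here as an example and not part of the original lesson files. It flags curly quotes carried over from slides, a missing IMPERSONATE parameter, and parameter sources other than the server variable method; the Fragment wrapper element, the audit_sso function, the X-Remote-User header name and the "cookie" and "httpHeader" source values are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Risk note per Param source, following the three methods described above.
# "cookie" and "httpHeader" are assumed values; only "serverVariable" is on the page.
SOURCE_RISK = {
    "serverVariable": None,  # set by the web server after it authenticated the user
    "cookie": "cookie source: acceptable only as a session cookie",
    "httpHeader": "header source: forgeable unless the front end overwrites it",
}

def audit_sso(xml_text):
    """Return a list of findings for an instanceconfig.xml fragment."""
    # Curly quotes pasted from slides or web pages make the file unparseable.
    if "\u201c" in xml_text or "\u201d" in xml_text:
        return ["curly quotes in file: retype attribute quotes as plain ASCII"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    sso = root.find(".//Auth/SSO")
    if sso is None or sso.get("enabled") != "true":
        return ["SSO block missing or not enabled"]
    findings = []
    params = sso.findall("./ParamList/Param")
    if not any(p.get("name") == "IMPERSONATE" for p in params):
        findings.append("no IMPERSONATE parameter in ParamList")
    for p in params:
        name, src = p.get("name"), p.get("source")
        if src not in SOURCE_RISK:
            findings.append(f"{name}: unknown source {src!r}")
        elif SOURCE_RISK[src]:
            findings.append(f"{name}: {SOURCE_RISK[src]}")
        if not p.get("nameInSource"):
            findings.append(f"{name}: nameInSource is empty")
    if root.find(".//CredentialStore/CredentialStorage[@path]") is None:
        findings.append("no CredentialStorage path for the impersonator credentials")
    return findings

# Constructed samples: the page's block, then a header-sourced variant.
GOOD = r"""<Fragment><Auth><SSO enabled="true"><ParamList>
<Param name="IMPERSONATE" source="serverVariable" nameInSource="REMOTE_USER" stripWindowsDomain="true"/>
</ParamList></SSO></Auth><CredentialStore>
<CredentialStorage type="file" path="c:\OracleBIData\web\config\credentialstore.xml"/>
</CredentialStore></Fragment>"""
HEADER = GOOD.replace("serverVariable", "httpHeader").replace("REMOTE_USER", "X-Remote-User")
PASTED = GOOD.replace('"true"', "\u201ctrue\u201d")
if __name__ == "__main__":
    for label, text in (("good", GOOD), ("header", HEADER), ("pasted", PASTED)):
        print(label, audit_sso(text))
```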
Credentials and secrets may be stored in a file system store that is an XML file. The syntax of this file is defined by BI Presentation Services. The XML file contains nodes that point to files on disk for certificates and private keys. The file may also contain username and password based credentials, with optional encryption support for passwords. A default XML file store called credentialstore.xml is provided with BI Presentation Services.
Next, we need to configure the CredentialStore.xml file in order for the Oracle BI Presentation service to communicate with the Oracle BI Server service for SSO.
1) Open a command prompt.
2) Enter cd c:\OracleBIData\web\config
3) Enter cryptotools credstore -add -infile c:\OracleBIData\web\config\credentialstore.xml
4) Enter credentialstore.xml at the Credential Store File prompt.
5) Enter impersonation at the Credential Alias prompt.
6) Enter impersonatoradmin at the Username prompt.
7) Enter impersonate at the Password prompt.
8) Enter y at the ‘Do you want to encrypt the password?’ prompt.
9) Enter secret at the Passphrase for Encryption prompt.
10) Enter y at the ‘Do you want to write the passphrase to the xml?’ prompt.
11) Enter y to overwrite the credentialstore.xml file.
SSO CREDENTIAL STORE.XML STEP 7
1) Open the c:\OracleBIData\web\config\credentialstore.xml file and scroll to the bottom of the file (right click the file and Open With… Notepad).
2) Restart the Oracle BI Presentation Server services.
SSO IIS SETUP - STEP 7
Since IIS will be handling the authentication of each user and passing the subsequent username to OBI for authorization, we need to set up IIS to perform the authentication step.
1) Open the IIS Manager (there’s an icon on your desktop) and perform steps 2-6 as indicated below. Click OK twice when completed.
The jdoe (John Doe) user has been added to the repository and has been set up with a Windows account.
• jdoe will be used to test SSO.
1. Log off of your virtual server.
2. Select the following option on the Virtual Server Welcome Screen to log on to the virtual server:
3. Open Internet Explorer and you should not need to enter a username and password. If you are not automatically logged in, please continue to the next page for further troubleshooting.
If you receive a picture similar to the one at the bottom of this page, you’ll need to troubleshoot the SSO configuration.
1. Walk through the previous SSO pages in this manual to make sure all steps were followed and are accurate.
2. If you’re stuck and not sure why SSO is not working, please copy and rename the files from the ‘c:\OBIEE Files\Lessons\day 1\Lesson 5\Final’ folder to their respective location. Don’t forget to rename the files.