OBIEE - Security Configurations & Custom SSO using a http Header or Cookie

You may remember that I shared a custom SSO solution for OBIEE login.. It was a login wrapper actually.. It was getting the login related info from a 3rd party client (for instance F5 load balancer) and posting all that login data to OBIEE. This was working perfectly. (actually still working properly :)

In this blog post, I will give you some more info about these kinds of implementations. I will give you what can be done using the Oracle documents instead of developing and placing a custom wrapper in front of OBIEE 12C..

Well, the following MOS document satisfies our needs actually.

"OBIEE 11g: Supported Security Options and Configurations (Doc ID 1489438.1)"

It is for OBIEE 11g, but the given link for OBIEE 11.1.1.9 pdf is also applicable to OBIEE 12C, since the security design didn't change since 11.1.1.9 (except lightWeightSSO). 

The 11.1.1.9 link in MOS note 1489438.1 direct us to the Oracle BI 11g Security Configurations document and in that document we find lots of ways to implement Oracle-documented SSO solutions for OBIEE.. The use cases are not only for a custom SSO, but for EBS, Siebel and PeopleSoft security integration as well..  Following use cases are all there - >

• Use Case – Security Integration with  E-Business Suite 
• Use Case – Users in LDAP and Group Membership in Database – FMW Security or Init Block for Authentication
• Use Case – Security Integration with Siebel 
• Use Case – Security Integration with PeopleSoft
• Use Case – BI Mobile
• Use Case – SmartView
• Use Case – Browser SSO integration between BIEE and Hyperion EPM
• Use Case – Authentication and Authorization integration between BIEE and Hyperion EPM 
• Use Case – Security Integration with an Essbase data source
• Use Case – Custom SSO using a http Header or Cookie 

As you may guess, what we need to do is just to think about what we need to do and then choose the right method to follow..

For instance suppose; we have a F5 load balancer in front of our OBIEE 12c. Our clients are using F5 to reach OBIEE. We want our clients to be authenticated from F5, so we want to have a SSO solution for OBIEE. F5 should authenticate the users through this SSO solution and make them reach the OBIEE Home page, without a need to supply OBIEE user and password again. 

For a such a case given above, we follow the instructions given under the title of "Use Case Custom SSO using a http Header or cooke Method 1"..  If we have also BI Mobile users, then we have to check the "Use Case – BI Mobile" as well..

Following additional recommendations and reminders should also be kept in mind while applying this method;

Make sure to have a header variable with username. 

Create an asserter with the same variable, so that the variable value will be used for username

Make sure to have username available under users and groups either on Default Authenticator OR on an external authenticator

Modify weblogic.ear if you want to do anymore principals accepted (weblogic.xml and web.xml modification)

That's it for today :) My next blog post about OBIEE will be about implementing a Custom Authentication Provider.. That tricky subject is currently in my focus, and I will tell you my story once I implement it.