In one of my earlier posts, I shared a method for implemeting a Custom SSO Login to the OBIEE instances from 3rd party apps.
You can have a look at that earlier post using the following url:
Today, I m here to give you the method for implementing a custom authentication provider for OBIEE.. This time we are dealing with a customization on Weblogic authentication providers actually. We have implemented this custom authentication provider configuration and tested it.. I must admit that it is challenging, but it works!
In our case, the purpose was to bypass Active Directory interaction during the login and make some https calls to a custom login web service hosted by the client.. That custom login service in turn was designed to authenticate the users by communicating with the Active Directory (AD).. So we should be communicating with the webservice host and instead of us, that webservice host should be communicating with AD..
This requires a new custom authentication in the first place.. In this context, the same Custom Authentication Provider given in the document pointed by the url below can be used.. However; in that document there is database part .. In our case, we use weblogic embedded ldap to store the user information and mappings (if you want to see it that way, or you call it user store), so except that database part, we follow the "Fusion Middleware Developing Security Providers for Oracle WebLogic Server 12c" document pointed by ; https://docs.oracle.com/middleware/12213/wls/DEVSP/atn.htm
In our case, we changed the code (given in the example in the document) and made it call our custom web service during the login. However; this is not sufficient to login a user into OBIEE.. That is, the user info should also be available for OBIEE/Weblogic.
So that's why we changed the example code a little bit more.. We modified it by following the algorithm below;
-First, create the users and groups in Weblogic. (this is a one time action) You can even delete the users after creating the groups and associating them with the groups.. But authorized groups should be there.
-Get the user pass from login page
-Call webservice and try to authenticate the user.
-If the authentication is successful, check the weblogic embedded ldap..
-If the user is not there in the weblogic embedded ldap, create it.
-If the user is already there, don't do anything, just run the rest of the relevant code and exit.
-If the authentication is not sucessful, run the rest of the relevant code and exit.
I won't get into the details of the code and the configuration that we needed to make in the Weblogic to deploy this custom authentication provider.. These are already documented and well known. I mean, we put our jar into the $ORACLE_HOME/wlserver/server/lib/mbeantypes and restart Weblogic and then using the Weblogic console; we go to Security Realms > My Realm > Click on Providers tab > Lock and Edit > Click New > Choose Custom authentication Provider > Give it a name :) > Complete adding the new custom auth and restart Weblogic :)
I said , I just mentioned that I won't get into the details but I couldn't stop myself.. :) Anyways, the thing that I wanted to underline here is not the implementation itself, but the algorithm for implementing such a custom login flow..
It is not only the authentication we need to pay our attention to.. But, the authorization is also important and a custom design should be implemented there as well..
So keep this in mind, if you need to implement some custom authentication providers some day.. In our case, we kept up with Weblogic and used the embedded ldap in conjuction with our custom algorithm to solve the authorization problem, but we could also implement an authorization provider in addition the authentication provider... So all these should be considered when making a customization in OBIEE login flow..
That's it. I hope you find it useful..
That's it. I hope you find it useful..
No comments :
Post a Comment
If you will ask a question, please don't comment here..
For your questions, please create an issue into my forum.
Forum Link: http://ermanarslan.blogspot.com.tr/p/forum.html
Register and create an issue in the related category.
I will support you from there.