Configuring OBIEE to work in Single Sign-On (SSO) Environment on IIS

In this entry I will explain how to set up Single Sign-On for OBIEE in IIS environment. For those unfamiliar with the terminology, I'll start with just a quick overview to explain what IIS and OC4J are:

OBI is by default deployed on OC4J (Oracle Containers for Java) web application server. What does it actually mean? It simply means that the core OBI application will run on OC4J platform. This application by default is called “analytics” and the default port for OC4J is 9704 (as in http://hostname:9704/analytics).

Apart from the default installation we have other deployment options. One of the most popular is the IIS deployment, which uses Microsoft’s Internet Information Services instead of OC4J. Again we will have an application called analytics, but the default IIS port will be 80 (as in http://hostname:80/analytics or simply http://hostname/analytics, as 80 is the default HTTP port).

It is worth mentioning that from the user's perspective there is virtually no difference – OBI will work and look the same on IIS as on OC4J.

The discussion on advantages and disadvantages of both solutions could easily be material for an additional post, but for now you may be interested in checking out an interesting discussion I started on the Oracle forum some time ago.

Summing it up quickly, it all really comes down to the client’s environment – if the environment is totally based on IIS and Active Directory authentication (Windows Native Authentication – using Windows login to seamlessly access other applications), IIS may be the best choice. This is due to the compatibility with other systems and the relative simplicity of SSO implementation, which I will explain in more detail below.

In order to run SSO on IIS, we first need OBIEE itself installed on IIS. The “Basic” installation type of OBI offers IIS as an option.
One thing worth mentioning is that if you start from scratch and install OBI straight on IIS, you need to have IIS already installed on the machine hosting OBI Presentation Server. If you don’t, the installation wizard will simply not give you an option to use IIS (which may give you quite a headache).

Another option is to move an existing OBI installation from OC4J to IIS. A great blog entry from John Minkjan explains the process in good detail:
http://obiee101.blogspot.com/2008/11/obiee-presentation-server-on-iis.html

As soon as OBI is working on IIS, you’ll need OBI Presentation Services configured to work in the Single Sign-On environment. Good step-by-step guidelines can be found in the documentation (chapter 8 of the Deployment Guide). We’ll use the “Server Variable” method for the IIS web application server. There are a number of steps to perform (creating the Impersonator user, modifying the credential store, modifying the instanceconfig.xml file, etc.), but they should be quite straightforward when following the documentation.

You should also have your OBI authentication based on the existing Active Directory. That should be quite a natural choice for users’ authentication in IIS/AD dominated environment.

Now, the interesting part is how easy it is to actually enable the Single Sign-On when all the components are in place. We will only need to change the authentication method of our IIS instance hosting analytics application.

Edit properties of your “analytics” application (Virtual Folder in IIS)

[Screenshot: Analytics Properties]

Go to Directory Security tab and edit “Authentication and access control” section. Disable anonymous access and enable “Integrated Windows Authentication”.

[Screenshot: Authentication Methods]

And that should be it! Just access http://hostname/analytics and you should be automatically logged in.

Troubleshooting Tips

Just make sure you have your instanceconfig.xml file configured correctly.
It should look like this:

<Auth>
  <SSO enabled="true">
    <ParamList>
      <Param name="IMPERSONATE" source="serverVariable" nameInSource="REMOTE_USER" stripWindowsDomain="true" />
    </ParamList>
  </SSO>
</Auth>

Also make sure you use serverVariable as a source for SSO authentication – that will indicate using the REMOTE_USER native IIS variable that is populated when a user logs in to a domain.

A common problem may be that the variable will come together with a domain name (i.e. MY_DOMAIN\MY_USER) – this can be overcome by using the stripWindowsDomain="true" attribute (as shown above).
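The two troubleshooting checks above can be run against a copy of instanceconfig.xml with the following sketch. It is an added example, not code from the original post or from Oracle; check_sso, effective_user and the GOOD/BAD samples are hypothetical names, the <WebConfig>/<ServerInstance> wrapper in the sample is constructed, and the domain stripping is modelled as dropping everything up to the first backslash.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real server).
GOOD = """<WebConfig><ServerInstance><Auth>
  <SSO enabled="true"><ParamList>
    <Param name="IMPERSONATE" source="serverVariable"
           nameInSource="REMOTE_USER" stripWindowsDomain="true"/>
  </ParamList></SSO>
</Auth></ServerInstance></WebConfig>"""
# Same file with a different source and no domain stripping.
BAD = (GOOD.replace('source="serverVariable"', 'source="httpHeader"')
           .replace(' stripWindowsDomain="true"', ""))

def check_sso(xml_text):
    """Return a list of findings; an empty list means the block matches the post."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. a missing </SSO> or </Auth>
        return [f"not well-formed XML: {exc}"]
    sso = root.find(".//SSO")
    if sso is None:
        return ["no <SSO> element found"]
    findings = []
    if sso.get("enabled", "").lower() != "true":
        findings.append('SSO enabled is not "true"')
    param = next((p for p in sso.iter("Param")
                  if p.get("name") == "IMPERSONATE"), None)
    if param is None:
        return findings + ["no IMPERSONATE parameter"]
    if param.get("source") != "serverVariable":
        findings.append("source is not serverVariable")
    if param.get("nameInSource") != "REMOTE_USER":
        findings.append("nameInSource is not REMOTE_USER")
    if param.get("stripWindowsDomain", "").lower() != "true":
        findings.append("stripWindowsDomain is not true")
    return findings

def effective_user(remote_user, strip_domain):
    """Assumed model of the user name passed on for impersonation."""
    if strip_domain and "\\" in remote_user:
        return remote_user.split("\\", 1)[1]
    return remote_user

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_sso(text) or "OK")
    print(effective_user("MY_DOMAIN\\MY_USER", True))
```

A name that still carries the MY_DOMAIN\ prefix will not match a plain user name in the LDAP configuration, which is why the missing attribute is reported as a finding.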

The process described in this post is really straightforward, which may be considered quite an advantage when comparing it with Windows Native Authentication process for OC4J (or wider for Oracle AS).

We also gain an advantage here as “analytics” application comes with an IIS version by default (you have a choice of an IIS installation while installing OBI). That means “analytics” can be seamlessly run in an IIS environment and no complicated configuration process is needed.

In a future post I will explain how to configure other OBI applications (i.e. BI Publisher, MS Office plug-in) to work with Single Sign-On on IIS platform. In the meantime, feel free to leave comments and questions if you want to know more.

12 Responses to “Configuring OBIEE to work in Single Sign-On (SSO) Environment on IIS”

  1. venkat says:

    Hi, I have a question. For configuring IIS OBIEE SSO, do we need to install OBIEE in Advanced mode or Basic mode? Which way are they going to affect it? Please do let me know. Thanks in advance.

  2. nagporeddy says:

    Where can I find the first screenshot of the above explained topic “Configuring OBIEE to work in Single Sign-On (SSO) Environment on IIS”?

  3. nitesh says:

    We have followed the steps in chapter 11 of Oracle Edition deployment guide in order to configure SSO. But once we do the entire configuration and try to log in to the presentation services, we were supposed to get directly into the answers without entering any credentials, but we are getting an error “You are not currently logged into BI server”. We have also configured LDAP server in the OBIEE admin too, and when we test for a user it's working fine with Domain:NTid format, but when we enter into the server (sandbox server) where we have installed OBIEE we enter the format as Domain\NTid. We have also enabled integrated windows authentication in the IIS manager, but still it's not working for us. Meanwhile we have raised a request with our client LDAP admin team to ask whether they can accept the request in the format Domain\NTid@password so that it will match with the NT authentication. We are not much sure whether, even if our said request is changed from the LDAP side, we will be able to access the presentation services without entering any credentials or not?
    We have installed OBIEE on IIS and BI Publisher in OC4J on our sandbox server.
    The OBIEE in our sandbox server is Windows NT authenticated and our client application is authenticated by employee id, from where the user enters credentials in order to get directly into OBIEE in the sandbox server.
    Our main concern is that, in spite of trying all the ways for configuring SSO using the Oracle standard documents and the information on the web, we were not able to get into OBIEE presentation services without entering any credentials.

  4. Alankar says:

    Hi,
    I want to integrate my .NET application with OBIEE, so we require SSO for this. Please guide me on how I can configure SSO.

    What do we put in the source variable in instanceconfig.xml?

  5. Michal Binder says:

    Thanks to all of you for your comments. Some hints below:

    @venkat
    As mentioned in the original entry you should use “Basic” installation type. The “Advanced” type is only for installation on Oracle Application Server.

    @nagporeddy
    Not sure which screenshot you are referring to, if it is about OBI authentication based on the existing Active Directory you can find the details here: http://download.oracle.com/docs/cd/E12096_01/books/AnyDeploy/AnyDeployAuthent.html

    @nitesh
    The “You are not currently logged into BI server” message tells you the server cannot find the user that has privileges to authenticate.
    What you may want to take a look at is the format in which you specify the Base DN and Bind DN in the LDAP Servers configuration in OBIEE. It should be in “CN=xxx,OU=xxx,DC=yourdomain,DC=com” format.
    To test, I would disable SSO in instanceconfig.xml and just log in with your AD credentials (insert username and password). If it does not work, you should troubleshoot the way you configured your LDAP server in OBIEE. If it works, it means that the problem may be somewhere in instanceconfig or IIS.

    @Alankar
    It all depends on whether you are using AD SSO to log in to your .NET application. If so, using the standard REMOTE_USER variable should work. If not, you may need to take a look at a different way of authenticating your user, for example an encrypted cookie method.

    Michal Binder

  6. […] recently posted an article on how to set up OBIEE on IIS with SSO; this article is a continuation on this topic. OBI and its “analytics” application can be […]

  7. Karthik says:

    Nice article. While most of the setup guide covers all the aspects, this one bit was critical and helped me to get through the SSO implementation. Thanks heaps.

  8. Sabrina says:

    Dear Karthik,
    Thanks for your feedback! We are happy to know that our article helped.

  9. chandra says:

    Hi,

    I want to know who will take care of the OBIEE installation process? OBIEE Administrator or OBIEE Developer?

  10. Michal says:

    Hi chandra,

    Who should take care of the installation process will depend on customer resources.
    If there is a permanent team (i.e. system administrator) they should have their hands on the installation as they will probably maintain the system from the infrastructure perspective. Developers may just make sure any appearing issues are fixed.
    Otherwise it will be developers to do the job.

    Hope that helps,

    Thanks,
    Michal

  11. arjun says:

    Hi – We implemented SSO with OBI and we have a security model based on the source system. Basically, the SSO ID is compared with IDs in the source system to get the permissions/roles for access on BI. But the problem here is that when a user has a lower case id in LDAP, it's throwing an error with permissions denied. Tried changing the id to upper case before sending it to the source system and it still doesn't work. Any help??

  12. Michal says:

    Dear arjun,

    In order to help I would need to know more details. I.e. which LDAP platform are you using? Which source system are you retrieving the user ID from? Which version of OBI are you on?
    Please don’t hesitate to contact us directly by email.


privacy policy - Copyright © 2000-2010 ClearPeaks
