
Custom Single Sign On with stand-alone BIPublisher 11g

by Laurens van der Starre on March 22, 2012 · 2 comments

Configuring Single Sign On (SSO) using Kerberos within OBIEE 11g is perfectly explained in the Oracle Whitepaper “OBIEE 11g: Configuring Authentication and SSO with Active Directory and Windows Native Authentication” (DOC ID 1274953.1 on the support website). However, what if you don’t have the complete OBIEE suite, but only BIPublisher? In that case the approach described in the Whitepaper doesn’t work. Getting SSO to work in a Windows environment in BIPublisher requires some TLC. Custom SSO that is. “Auto-logon” may also be a better term for this SSO solution.

First let’s see what we have/need:

  1. A WebLogic Server running BIPublisher 11g (xmlpserver.ear)
  2. An IIS server, running the WebLogic ISAPI proxy plugin.
    Users will browse to BIPublisher through this proxy, which takes care of the Windows authentication.

You might not always have an Oracle SSO solution present, so in that case Custom SSO should suffice. Ideally you would like to authenticate against the LDAP which is configured in BIPublisher; however, some problems arise here.

The SSO functionality is in the login.jsp in the xmlpserver.ear. If you follow the path through this JSP, you’ll see that it gets the username from the request message as configured in BIPublisher, and creates a user principal based on this username on the following line of code:

XDOPrincipal user = SecurityHandler.getHandler().getPrincipalWithSSO(ssoUsername);

If you have an LDAP configured in BIPublisher, this “user” variable will sadly be null, causing the SSO to fail, and you’ll be presented with the login form. This means you can’t use the LDAP authentication, and should switch back to BIPublisher Security (“local users”).

Here is where the fun starts. You’ll have to edit the login.jsp that is in the xmlpserver.ear. You can open this EAR file with any ZIP/RAR tool. Within this EAR is the WAR file which contains the JSPs. You can also open this file with a ZIP tool. In the root of the WAR, you’ll find the JSP.

In BIPublisher’s Administration console you’re able to set up an LDAP and enable SSO. Custom SSO that is. The username is found in the “Proxy-Remote-User” header variable which IIS sends. The locale can be found in a COOKIE variable, but that’s out of scope here. Choose BIPublisher Security for authentication. The users should be created locally, and are eventually stored in the principals.xml in your domain.

Be aware that IIS will send the Proxy-Remote-User username including the Windows domain, so “DOMAIN\USERNAME”. If you only want to use the USERNAME, excluding the DOMAIN, change the following code in login.jsp:

if (rawSsoUsername != null)
{
    try
    {
        ssoUsername = MimeUtility.decodeText(rawSsoUsername);
    }
    catch (UnsupportedEncodingException e)
    {
        ssoUsername = rawSsoUsername;
    }
}

into:

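if (rawSsoUsername != null)
{
    try
    {
        ssoUsername = MimeUtility.decodeText(rawSsoUsername);
    }
    catch (UnsupportedEncodingException e)
    {
        ssoUsername = rawSsoUsername;
    }

    // SSO HACK! Keep only the part after the first backslash, dropping the Windows domain.
    // If there is no backslash, indexOf returns -1 and the value is left unchanged.
    ssoUsername = ssoUsername.substring(ssoUsername.indexOf('\\') + 1);
}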

This will strip the DOMAIN from the ssoUsername.

Save the login.jsp, update it in the WAR, update this WAR in the EAR, and update this EAR deployment in the WebLogic Server. Restart the server afterwards. If you now have a local user configured in BIPublisher, and this user accesses it through the IIS proxy, he or she will automatically be logged in.

These local users are stored in the principals.xml file. You can imagine that some kind of LDAP export can be created to get the users from the LDAP into BIPublisher. Note however that this auto-logon solution is very susceptible to HTTP header spoofing …
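To make the header-spoofing caveat and the domain stripping concrete, here is an added example (not part of the original post or of Oracle's login.jsp) of the checks that could precede the principal lookup. The class and method names, the proxy address, the domain "CORP" and the username pattern are all constructed assumptions, and peerAddr is assumed to be the real TCP peer of the connection to WebLogic, for instance from request.getRemoteAddr().

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class SsoHeaderCheck {
    // Constructed values: the IIS proxy address and the only Windows domain accepted.
    static final Set<String> TRUSTED_PROXIES = new HashSet<>(Arrays.asList("10.0.0.5"));
    static final String EXPECTED_DOMAIN = "CORP";

    /**
     * Returns the local username for auto-logon, or null to fall back to the login form.
     * decodedHeader is the Proxy-Remote-User value after MimeUtility decoding.
     */
    static String resolveSsoUser(String peerAddr, String decodedHeader) {
        // 1. Only the IIS proxy may assert an identity; a client that reaches
        //    WebLogic directly can put any value in the header.
        if (peerAddr == null || !TRUSTED_PROXIES.contains(peerAddr)) return null;
        if (decodedHeader == null) return null;

        // 2. Require exactly DOMAIN\USERNAME instead of cutting at the first backslash.
        int sep = decodedHeader.indexOf('\\');
        if (sep <= 0 || sep != decodedHeader.lastIndexOf('\\')) return null;
        String domain = decodedHeader.substring(0, sep);
        String user = decodedHeader.substring(sep + 1);

        // 3. Stripping the domain unchecked would map users of any domain
        //    onto the same local account, so compare it first.
        if (!EXPECTED_DOMAIN.equalsIgnoreCase(domain)) return null;

        // 4. Constructed policy: conservative character set and length for local users.
        if (!user.matches("[A-Za-z0-9._-]{1,64}")) return null;
        return user;
    }

    public static void main(String[] args) {
        String[][] cases = { // constructed sample requests: {peer address, header value}
            {"10.0.0.5", "CORP\\jsmith"},    // through the proxy, expected domain
            {"192.0.2.44", "CORP\\admin"},   // not from the proxy, header set by the client
            {"10.0.0.5", "OTHER\\admin"},    // unexpected domain
            {"10.0.0.5", "admin"},           // no domain part
            {"10.0.0.5", "CORP\\a\\admin"},  // more than one separator
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " " + c[1] + " => " + resolveSsoUser(c[0], c[1]));
        }
    }
}
```

A null result means the request should get the normal login form rather than an automatic session.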


VidyaS December 19, 2012 at 5:58 pm

Hello,

Thanks for the wonderful post, this is a very informative blog. We have configured OBIEE 11.1.1.6.0 using the “Configuring Authentication and SSO with Active Directory and Windows Native Authentication” (DOC ID 1274953.1). OBIEE analytics seems to work fine and users are able to create and access reports and dashboards. However, when it comes to the integrated BI Publisher within OBIEE, I am using the FMW security as the security model and WNA seems to be working as far as logging in without entering credentials, but when it comes to creating a new data model out of an existing answers analysis, it seems the BIP SOAP is unable to access the web catalog because of SSO, I believe, since we have tested in a non-SSO instance and it is working there. So do you know or have any ideas of how to make this BIP access the web catalog?

Please let me know if you need additional information. Appreciate your time and Thanks in advance.

Regards,
VidyaS


Sonia Mahendra July 11, 2013 at 10:21 am

Hi,

Wonderful article.
I am trying to integrate BI Publisher 11g Standalone with my custom SSO, which is CAS.

Do you have any experience on how to achieve this?

Thanks in advance,
Sonia
