Saturday, August 25, 2012

How-to: Oracle Internet Directory Authentication with OBIEE 11g - Part 1

6:45 PM

Share it Please
Consider the scenario where you're configuring a proof of concept 11g implementation using Oracle Internet Directory as the authentication provider. Oracle's Fusion Middleware Security Guide for 11g certainly provides you with a bird's eye view of how to configure OBIEE 11g to integrate with web logic's OID LDAP authentication provider but in this how-to I will digress slightly and present a detailed, step by step guide on how to configure your OBIEE 11.1.1.6 system to use OID LDAP authentication for users.

This how-to is a culmination of the countless posts on Oracle Technical Network requesting additional help with implementation and will provide the user answers to the most common OBI and OVD (Oracle Virtual Directory) errors that you typically encounter in this proces, including: OVD-40666, OBI-SEC-00022, OBI-SEC-00015, and LDAP error code 32.

At the end of this how-to, any user within OID will be able to log into OBIEE 11g Answers.

Note that if you're using OID as the authentication provider but storing groups in an external database table, this also serves as a suitable 'step 1' prior to implementing the groups authentication model (to be covered at a later date)


Prequisities:

Your Oracle Internet Directory must have the following users:
  • BISystemUser
  • BIAuthor
  • BIConsumer
  • BIAdministrator

These are out-of-the-box weblogic users that weblogic uses in its defaultauthenticator for users, groups, and application roles.

If you are using Oracle Internet Directory to store groups, then it must include the following weblogic out of the box groups:

  • BIAdministrators
  • BISystemUsers
  • BIAuthors
  • BIConsumers

Step 1: Add Oracle Internet Directory as an Authentication Provider in Weblogic Administration Console

1.a) Navigate to Security Realm -> myRealm -> Providers -> Authentication -> New 
to add an OID Authentication Provider


* Note that at this point, you  will not  see myOIDDirecotory in your Authentication Provider. You will be adding this authentication provider in the next steps. Your only two authentication providers should be: DefaultAuthenticator and DefaultIdentityAsserter

1.b) After Clicking 'New', populate the 'Create a new Authentication Provider' screen as outlined below:




1.c.) After clicking 'Ok' Your myOIDDirectory Authenticator Provider will appear on the Authentication Provider list below: Click 'myOIDDirectory' to begin the configuratin of the Provider Specific information:





Step 2:  Configure the myOIDDirectory Authentication Provider with required connection details

 2.a) After clicking 'myOIDDirectory' navigate to 'Configuration' -> Provider Specific  as seen below:





The correct configuration of Host, Port, Principal, and Credential is required before proceeding to step 2.b.. If you are unfamiliar with Oracle Internet Directory, it is recommended that consult your OID Administrator for assistance. Here is a breakdown of each required field.

Host is the ip address of your company's OID LDAP server.
Port represents the port number that the OID LDAP server utilizes for listening & communication
Principal  represents the distinguished name (DN) or 'orcladmin' account needed to connect the OID LDAP server.  Yes that is correct, you will need a cn=orcladmin or equivilent account for communication to the OID LDAP server.  We have tested leaving the Principal and Credential field blank even if anonymous binding is enabled, with no success.

Your principal  DN should represent the full path to the orcladmin account and not just cn=orcladmin. 

For example: If your cn=orcladmin (or equivilant) account is under :

cn=Users,dc=trusted,dc=oracle,dc=com 

Then the above Principal DN should be : cn=orcladmin,cn=Users,dc=trusted,dc=oracle,dc=com . It is not sufficient to only include cn=orcladmin

Credential/Confirm Credential represents the password of the cn=orcladmin (or equivalent) account.

Failure to correctly configure the host/port/prinicpal settings will most likely result in one of the following errors:

  • OBI-SEC-00004 Unable to initialize oracle.bi.security.service.SecurityWebService
  • OVD-60024 Connection error: [LDAP: error code 49 - Invalid Credentials].
  • OBI-SEC-00028 System User could not be authenticated
  • OBI-SEC-00003 OVD-60143 Unable to create connection to ldap:// 


 2.b)  Configure remaining required settings


 

 User Base DN represents the OID tree branch path that stores the users .

NOTE: Here is where many people misconfigure their OID Authentication Provider in web logic. Oracle's Fusion Middleware Security Guide does not explicitly state this, but your User Base DN needs to be 1 level higher than the tree branch which stores your user list.

For example:
If your OID that contains your users is:  cn=Users,dc=trusted,dc=oracle,dc=com  , then your User Base DN needs to be: dc=trusted,dc=oracle,dc=com.

Failure to appropriately configure this step will result in OBI-SEC-00022 error:

SecurityService::authenticateUserWithLanguage [OBI-SEC-00022] Identity found <username> but could not be authenticated
 which means that Oracle was able to find the user in the web logic console under 'Users and Groups' but could not complete the authentication against OID.


User Name Attribute  specifies the OID attribute which you want to use to authentication. If you want to use the user's email address, the User Name attribute would be mail. In this example, I will use the common name (cn) .

User Object Class  specifies the tree branch in OID that contains the users. Out of the box OID implementation uses 'person' , but in this example i've used a custom 'Staff tree'.

Group Base DN represents the OID tree branch path that stores the groups. Similar to User Base DN, it should be 1 level higher than the tree branch which stores your groups list. If  you are using an external database table to store groups, than you can disregard this field.


Step 3: Configure the authentication control flag to sufficient

After clicking saving on 'Settings for myOIDDirectory' page, you should be back at:


3.a) Click 'myOIDDirectory'  then Configuration -> Common and change the Control Flag to 'SUFFICIENT'




A SUFFICIENT control flag indicates that if the user successfully authenticates against this provider, then weblogic will release control back to the system. But if the user fails to authenticate with this provider, weblogic will continue down the authentication provider list.


Step 4: Reorganize the authentication provider list

After clicking Save on the 'Common' tab of the Settings for myOIDDirectory, you will be back in the Authentication tab. Click 'reorder' and move myOIDDirectory to the top of the list.


and then...




4.a) After clicking 'OK' you will be taken back to the Authentication tab. Click 'Activate Changes' within the Change Center, then reboot the Admin Server & BI Service.




Step 5:  Validate your OID users are found in the 'Users and Groups' tab

After rebooting the Admin Server and BI Service you should be able to see the Users and Groups of your OID LDAP server within the Users and Groups tab under: Security Realms -> myrealms -> Users and Groups



You should also test Groups by clicking on a user within your OID directory (for example cookjr@c02) and then viewing the groups tab:


Even if you are using an external database table to store groups (and not OID), clicking on groups for a specific user should not return an error

"If your users do not appear on the Users and Groups tab, or viewing the groups of a specific OID user throws an error, do not proceed to step 6 and instead, review your configuration settings with your OID Administrator"

Step 6: Fusion Middleware Changes

At this stage, we are going to move to Fusion Middleware to make the required application role changes. I've decided to seperate that into part 2 which you can find here


keywords: obiee 11g authentication, ldap authentication, weblogic authentication provider, obiee 11g oid authentication, custom authentication provider

15 comments:

  1. Hello -

    Is there a way to integrate/authenticate users present in the dba_users in the oracle system table into OBIEE. I would believe a database table would need to be created for the Group for the Group Authentication.

    Thanks !

    ReplyDelete
    Replies
    1. Yes in that scenario you would use an external database as the primary authentication source and not OID. Here is a guide on authenticating users from an external db table : http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/privileges.htm#BABHFEGB

      Delete
  2. Hello -

    Very good article. But, I have some confusion. I have installed OBIEE 11g on Windowa XP SP3 on my laptop. A default user "weblogic" was created during installation. With this user, I am able to login to Weblogic Console and EM but not on Analytics.

    Keeping in view the aboe scenario, could you please, suggest me the simple steps to configure security in order to use Analytics? Any detailed step-by-step help would be highly appreciated.

    Thanks,

    ReplyDelete
    Replies
    1. Hi Abdul, check to see if your weblogic user is a member of the BIAdministrator application role.

      As for security, out of the box obiee 11g security uses weblogic ldap as the method of authentication. You create/manage your users in weblogic and assign them to specific groups, which in turn are assigned to specific application roles. Those application roles will then determine the object/data level of the user.

      Delete
  3. Hi,

    I have done all the steps as u mentioned but iam not able to login into analytics with any of my OID users


    We are not managing the groups in OID

    we have only users
    and whom ever the user authenticated can have default role

    ReplyDelete
  4. Hi
    http://pc11044:7001/analytics is runnig its good ---
    but http://pc11044.gasco.com.sa:7001/em is not runnig

    and give the massage
    --------------------------------------
    Network Error (tcp_error)
    A communication error occurred: "Operation timed out"
    The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.
    For assistance, contact your network support team.
    -----------------------------------
    obi-sec-00022 identity found weblogic but could not be authenticated

    ReplyDelete
  5. Thank you . It works brilliant with this guidence.

    ReplyDelete
  6. Hi,

    I am getting below errors.

    Security Web Service could not be initialised: oracle.bi.security.service.SecurityServiceException: SecurityService:: – oracle.security.jps.service.idstore.IdentityStoreException: JPS-01520: Cannot initialize identity store.

    Security Service initialisation failed – could not initialise Identity Store: oracle.security.jps.service.idstore.IdentityStoreException: JPS-01520: Cannot initialize identity store.

    [13026] Error in getting roles from BI Security Service: ‘Error Message From BI Security Service: oracle.bi.security.service.SecurityServiceException: SecurityService:: – oracle.security.jps.service.idstore.IdentityStoreException: JPS-01520: Cannot initialize identity store.’

    Thanks,
    Sunil

    ReplyDelete
  7. John,
    Great article! Thanks for posting.
    We have the scenario you describe where users are maintained in OID, but groups are in external tables so this step-by-step procedure is great to have.
    One area I'm confused on...you mention that you have to create BISystemUser, etc. in OID. If the OID authenticator is set as "sufficient" wouldn't the system just "fall through" to use the WebLogic DefaultAuthenticator to log in with these other system accounts?

    Thanks again,
    Marc

    ReplyDelete
  8. We had configured the OBI Analitycs with LDAP Windows Active Directiry
    and worked perfectly, but last Monday stopped working, now we can not access OBI-analytics from Windows Active Directory LDAP users.
    Please urgently your help

    ReplyDelete
  9. Hi ,

    My requirement is show dashboard on my adf screen based on user role .
    For this I created three dashboards

    Dashboard1- assigned to role1
    Dashboard2- assigned to role2
    Dashboard3- assigned to role3 .

    I created a adf page which contains the three Obiee dashboards( using )

    Now whenever a user with roles(role1 and role2) logs into my adf application ,he should be shown only Dashboard1 and Dashboard2.
    I achieved this by setting permission to dashboard in obiee, but the problem is that " Access denied for Dashboard3" message is shown for the Dashboard3 .

    How can i overcome it or is there any way where i can render only those dashboards which are assigned to the logged in user.
    Is there any API exposed by obiee which gives me the dashboard assigned to a particular user.

    Can anyone help me onthis.

    ReplyDelete
  10. This is such an interesting blog. You are very knowledgeable about this subject. Please check out my site.
    Email list providers

    ReplyDelete
    Replies
    1. Another business service https://newoldstamp.com/ . It's only for your email, but have a lot of features for your signature. It can design it as you want. Give it a try

      Delete
  11. Nice information. I was searching for the same. It helped me alot and saved my time. Thanks alot. obiee training in hyderabad

    ReplyDelete
  12. Thanks for sharing the interesting information about the oracle and good points were mentioned in the blog which are very helpful to oracle lovers for the further information about the oracle visit
    Oracle Fusion Financials Training

    ReplyDelete