Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Agenda
Secondly, the 10-g style Init Block mechanism for authentication and authorization is
still available.
Authentication is via an Init Block that sets the USER session variable
Authorization is via an Init Block that sets the GROUP (or ROLES) session
variable
For BI 11.1.1.5.0, a FMW security solution for this use case is available via a patch (ARU
14523400). This solution involves an additional Authenticator that will allow authentication
against LDAP and authorization (retrieving Groups) from a database. This is the best-practice
approach for authentication against LDAP and authorization using SQL.
The documented approach for integration with E-Business Suite continues to be based on Init
Block authentication for BI EE 11.1.1.5.0.
Security integration for BI Applications should follow the approaches in the BI Applications
documentation.
This is the only method able to secure data using the current responsibility of the user
This is the only method that allows Action Links back to E-Business Suite
This approach has known limitations with Delivers due to the integration with EBS Responsibilities
This approach has known issues with BI Publisher as this approach does not allow BI Publisher to impersonate a user
This approach does not work with BI Office or BI Mobile
If E-Business Suite is integrated with OID (and optionally OSSO), then BI EE can point to the same OID either via FMW
security or via Init Blocks.
Init Blocks should not rely on the availability of an ICX cookie for the user
Some customers have a separate login for BI and maintain the EBS and BI user populations independently.
Init Blocks should not rely on the availability of an ICX cookie for the user
Method 1
Based on the BIEE 10g approach to SSO.
This approach works with both FMW security or Init Block-based authentication and authorization.
This approach is for BIEE only (i.e. not BI Publisher or RTD). BI Publisher has a similar mechanism.
The steps to configure this approach are:
1. Login to Enterprise Manager Fusion Middleware Control.
Select Business Intelligence and go to the Security tab.
Click Lock and Edit.
In the SSO drop down, select Custom SSO.
Click Apply.
Click Activate changes.
2. Modify instanceconfig.xml file located at
mwhome/instances/instance1/config/OracleBIPresentationServicesComponent/coreapplication_obips1
Add/edit the following entry
Authentication>
<!--This Configuration setting is managed by Oracle Business Intelligence Enterprise Manager-->
<EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap,CustomSSO</EnabledSchemas>
</Authentication>
Replace Proxy-Remote-User with the username variable in the HTTPHeader as per your SSO implementation
Please note that modifying the authenticationschemas.xml file is a customization that will be ignored by any
patching or upgrade. There's also a risk that the customization may not be possible in a future release. Like
any customization, you are responsible for testing the solution to make sure it is secure and works as
intended.
Please note that Oracle BI does not support using URL parameters for authentication other than the
standard &NQUSER &NQPASSWORD approach.
Architecture Overview
WebLogic
OPSS
BI Publisher
Identity Store
Policy Store
Analytics
Security
Service
OWSM
Credential Store
LDAP: WLS,
OID, AD etc.
LDAP (OID) or
File-based.
MDS
OBIPS
OBIS
Scheduler
System User Connection
Supported
FMW Security
Init Block
Not Available
BISQLGroupLookup Provider
SiteMinder 6 or OAM as an Authenticator
*3Any Authenticator other than those listed above.
* -
Not tested
*2 -
Unless the user passwords are available in the underlying database to authenticate against, these Authenticators can only be used with an SSO mechanism.
*3 -
Only those Authenticators related to Identity Stores that have an appropriate implementation of the OPSS UserRole API may be used. OBIEE restriction only (BIP and RTD can use
multiple authenticators).
*4 -
Supported
FMW Security
Init Block
Not Available
BISQLGroupLookup Provider
SiteMinder 6 or OAM as an Authenticator
*3Any Authenticator other than those listed above.
* -
Not tested
*2 -
Unless the user passwords are available in the underlying database to authenticate against, these Authenticators can only be used with an SSO mechanism.
*3 -
Only those Authenticators related to Identity Stores that have an appropriate implementation of the OPSS UserRole API may be used. OBIEE restriction only (BIP and RTD can use
multiple authenticators).
*4 -
Supported
FMW Security
10g-Style SSO
This includes:
OAM Asserter (but not Authenticator)
OSSO Asserter
Default Asserter (for Client Certificate Authentication)
NegotiateIdentityAsserter (for Windows Native
Authentication without IIS)
SAML2IdentityAsserter (but not Authenticator)
Not Available
* -
*2
Both BI and E-Business Suite must appear to be in the same Internet Domain.
*3 -
OBIEE restriction only (BIP and RTD can use additional authenticators)
10g-Style SSO
Not Available
FMW Security
Supported
* -
*2
Both BI and E-Business Suite must appear to be in the same Internet Domain.
*3 -
OBIEE restriction only (BIP and RTD can use additional authenticators)
Application Server
(Weblogic domain)
Security Realm
Policy
Embedded
LDAP
Store
(system-jazn-data.xml)
Web
OPSS
Browser
8
user
Enter UserID
and
Password to
/analytics
Login Form
BI Session
returned to
browser
cookie
bimiddleware
1
Managed Server
12
analytics
11
BI Session returned
Oracle BI
Server
4
Oracle BI
Presentation
Services
3
UserID and
Password
used in
Connection
string to BI
Server
(ODBC)
10
Session and
Session
Variables for
User & Roles
returned to
Presentation
Services
Application Server
(Weblogic domain)
Security Realm
5b
Policy
Embedded
6b
LDAP
5c
6c
Web
Store
(system-jazn-data.xml)
7b
5d
OPSS
Browser
8
user
6a
Enter UserID
and
Password to
/analytics
Login Form
BI Session
returned to
browser
cookie
5a
bimiddleware
1
Managed Server
12
7a
analytics
11
BI Session returned
Oracle BI
Server
4
Oracle BI
Presentation
Services
3
UserID and
Password
used in
Connection
string to BI
Server
(ODBC)
10
Session and
Session
Variables for
User & Roles
returned to
Presentation
Services
Application Server
(Weblogic domain)
Security Realm
5b
Policy
Embedded
6b
LDAP
5c
6c
Web
Security Service
calls OPSS API
to retrieve
User/Role
information
Store
(system-jazn-data.xml)
7b
5d
user
BI Session
returned to
browser
cookie
6a
5a
7a
bimiddleware
1
Managed Server
12
OPSS
Browser
Enter UserID
and
Password to
/analytics
Login Form
analytics
11
BI Session returned
Oracle BI
Server
4
Oracle BI
Presentation
Services
3
UserID and
Password
used in
Connection
string to BI
Server
(ODBC)
10
Session and
Session
Variables for
User & Roles
returned to
Presentation
Services
Virtualization
Follow 7.3.2.2 Configuring the Service for Multiple LDAP using Fusion Middleware Control
in this doc:
http://download.oracle.com/docs/cd/E21764_01/core.1111/e10043/idstoreadm.htm#CIAIDIFI
Application Server
(Weblogic domain)
OPSS retrieves Permissions for the Subject from the Policy Store
Security Realm
7b
Embedded
6b
LDAP
7c
6c
Web
Policy
Store
Security Service calls OPSS API to Assert the User
(system-jazn-data.xml)
10
8b
6d
OPSS
Browser
9
user
6a
Security Service
calls OPSS API
to retrieve
User/Role
information
BI Session
returned to
browser
cookie
13
User navigates
to /analytics
having
1
previously
authenticated
against a
supported SSO
mechanism
Security Service
returns an object to
BI Server with
attributes for user
profile data,
application roles and
permissions. The BI
Session is now
authenticated
7a
8a
bimiddleware
Managed Server
analytics
Oracle BI
Server
5
3
12
BI Session returned
Oracle BI
Presentation
Services
4
UserID and
Impersonator ID
(BISytemUser)
used in
Connection
string to BI
Server (ODBC)
11
Session and
Session
Variables for
User & Roles
returned to
Presentation
Services
System Users
BISystemUser
OracleSystemUser
Used by OWSM
By default called OracleSystemUser and a member of the OracleSystemGroup
User name can be changed, but need to follow FMW documentation
By default created in the native Weblogic LDAP and referenced via the Default
Authenticator. This can be changed.
Doc ID 1359798.1
Or
BI Security Guide
Types of Security
SSL
J2EE Perimeter
App Roles for Authorization
Web Groups for Authorization
Data Level Security
SSL Everywhere
SSL Configuration in Oracle Business Intelligence
One-way SSL easy to configure.
Perimeter Security
J2EE Security
Authenticate (and authorization) into the J2EE container can
be inherited by the J2EE applications within that container
Weblogic container uses Asserters and Authenticators
Business
Intelligence
Roles
Users
Oracle
LDAP
Groups
Users
Identity
Store
Data-level Security
The same as 10g
Plus new Essbase functionality