| Everything Oracle | Home | Everything Oracle |
| Oracle’s Fusion Intelligence |
| Single Sign-On EBS Authentication |
| How Single Sign-On Authentication Works |
OBIEE reports and dashboards can only be accessed from within the E-Business Suite (EBS). The authentication mechanism used to validate OBIEE users has been designed to facilitate a single sign-on – the end user logs in once to EBS, not into OBIEE – so that from an end user perspective OBIEE appears to be fully integrated within the EBS application.
Authentication works on a “round-robin” basis in which the EBS generates signature data, which it passes to the end user’s browser; the end user’s browser passes this signature data to OBIEE, and OBIEE, in turn, passes it back to EBS:
[Figure: EBS - OBIEE Round Robin Authentication]
First the end user logs on to EBS in the usual manner (step 1). An entry for the session is created in table ICX_SESSIONS, with the session identifier acting as the primary key. This table is used to retain the state of the session.
When the end user clicks on a link corresponding to an OBIEE dashboard (step 2), EBS:
Puts a cookie in the web browser’s cache, and
Passes a specially constructed URL to the web browser.
The cookie that is sent to the web browser contains an encrypted version of the session identifier. The URL that is passed to the web browser contains the address of the relevant OBIEE dashboard. An additional parameter, “acf”, consisting of a ten-digit number generated by EBS, is appended to this URL.
The URL is used by the web browser to access the BI Presentation Services, which has been configured to support external authentication. With this mode of authentication, OBIEE does not ask for a user name and password, but, instead, obtains certain external data items that are to be used as proxies. In the present case, the proxy data items are the encrypted session identifier and the “acf” parameter value.
The BI Presentation Services process retrieves the cookie from the web browser (for this to be possible, both EBS and OBIEE must belong to the same network domain). The BI Presentation Services process then assigns the value of the cookie – the encrypted session identifier – to OBIEE session variable “NQ_SESSION.ICX_SESSION_COOKIE”. It also extracts the value of parameter “acf” from the URL and assigns it to session variable “NQ_SESSION.ACF”.
The values of these session variables are passed to the BI Server process. The BI Server process connects to the DBI component of EBS using a shared logon which gives it full access to all the DBI data. However, OBIEE also supports the concept of an “Execute on Connect” script: if this script succeeds the user is authenticated; if not, authentication fails. OBIEE passes to EBS the values of session variables “NQ_SESSION.ICX_SESSION_COOKIE” and “NQ_SESSION.ACF” as parameters to the connection script. So EBS can verify that the parameters it has received correspond to parameters it has sent. In particular, by decrypting the session identifier, and by looking up the session state in table ICX_SESSIONS, EBS can determine the EBS responsibilities of the user. This information can then be passed back to the BI Server as part of the session initialization process to establish values for additional session variables. The BI Server will use the values of these session variables to restrict the data it displays based on the user’s EBS responsibilities.
| Configuring the Profile Option Name |
Navigate to the EBS administration screen used for managing profile options: “Home Page => System Administrator => Profile => System”. Assign to profile option name “FND: Oracle Business Intelligence Suite EE Base URL” the base address used to communicate with the BI Answers and BI Dashboards components of OBIEE.
To determine the base address, navigate to the BI Presentation Services logon screen: “Start => All Programs => Oracle Business Intelligence => Presentation Services”. The portion of the web address in the browser’s address bar up to and including the port number is the base address. For example, if the address bar showed:
http://myobiee.myorg.com:9704/analytics/saw.dll?Dashboard
then the base address would be
http://myobiee.myorg.com:9704
| Configuring External Authentication |
Navigate to directory “<OracleBIData Home>\web\config” and use a standard text editor to edit file “instanceconfig.xml”. After the “DSN” tag pair, add the following text:
<Auth>
  <ExternalLogon enabled="true">
    <ParamList>
      <Param name="NQ_SESSION.ICX_SESSION_COOKIE"
             source="cookie" nameInSource="<cookie name>"/>
      <Param name="NQ_SESSION.ACF" source="url"
             nameInSource="acf"/>
    </ParamList>
  </ExternalLogon>
</Auth>
The element ‘ExternalLogon enabled="true"’ tells the BI Presentation Services process that authentication will take place via externally supplied information – in this case, using a cookie and a parameter named “acf” that is added to the URL used to access OBIEE.
The value of “<cookie name>” must match the name of the cookie sent by EBS to the end user’s web browser. To determine the cookie name, delete all existing cookies using the facility built into your web browser. Then navigate to an OBIEE dashboard link within EBS. Examine the cookie list using your web browser or the file system to determine the name of the cookie that has just been added to the cookie cache.
The BI Presentation Services will have to be restarted for these changes to take effect.
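Before restarting, the edited file can be checked against the settings described above. The following Python sketch is an added example, not part of the original page or of any Oracle tooling; the surrounding file skeleton and the cookie name “EBSPROD” are constructed sample values, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Session variable -> (required source, required nameInSource or None when site-specific)
REQUIRED = {
    "NQ_SESSION.ICX_SESSION_COOKIE": ("cookie", None),
    "NQ_SESSION.ACF": ("url", "acf"),
}

def check_external_logon(xml_text):
    """Return a list of problems with the <Auth> block; an empty list means it matches."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A literal "<cookie name>" left in the attribute makes the file unparseable.
        return [f"not well-formed XML ({exc}); is a <cookie name> placeholder still present?"]
    auth = next(root.iter("Auth"), None)
    logon = auth.find("ExternalLogon") if auth is not None else None
    if logon is None:
        return ["no <Auth>/<ExternalLogon> element found"]
    problems = []
    if logon.get("enabled") != "true":
        problems.append('ExternalLogon: enabled is not "true"')
    params = {p.get("name"): p for p in logon.iter("Param")}
    for name, (source, fixed) in REQUIRED.items():
        param = params.get(name)
        if param is None:
            problems.append(f"{name}: Param missing")
            continue
        if param.get("source") != source:
            problems.append(f"{name}: source must be {source!r}")
        in_source = (param.get("nameInSource") or "").strip()
        if fixed is not None and in_source != fixed:
            problems.append(f"{name}: nameInSource must be {fixed!r}")
        elif fixed is None and not in_source:
            problems.append(f"{name}: nameInSource (the EBS cookie name) is empty")
    return problems

# Constructed sample: file skeleton and cookie name "EBSPROD" are made up for the demo.
TEMPLATE = """<WebConfig><ServerInstance><DSN>AnalyticsWeb</DSN>
<Auth><ExternalLogon enabled="{enabled}"><ParamList>
<Param name="NQ_SESSION.ICX_SESSION_COOKIE" source="cookie" nameInSource="{cookie}"/>
<Param name="NQ_SESSION.ACF" source="{acf_source}" nameInSource="acf"/>
</ParamList></ExternalLogon></Auth>
</ServerInstance></WebConfig>"""

GOOD = TEMPLATE.format(enabled="true", cookie="EBSPROD", acf_source="url")
BAD = TEMPLATE.format(enabled="false", cookie="EBSPROD", acf_source="cookie")
PLACEHOLDER = TEMPLATE.format(enabled="true", cookie="<cookie name>", acf_source="url")

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD), ("placeholder", PLACEHOLDER)):
        print(label, check_external_logon(text))
```

An empty list means both proxy data items are mapped as described; the third sample shows that leaving the “<cookie name>” placeholder in place makes the file fail to parse at all.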
| Configuring the EBS Repository |
Start the Administration Tool: “Start => All Programs => Oracle Business Intelligence => Administration”. Open the EBS repository online: “File => Open => Online”, and press “Open” when the pop-up window appears (“Administrator” is a predefined repository user and it has no password).
Select “Manage => Variables” from the menu. Click on the “Static” node, under “Variables” and “Repository” in the left-hand pane. The screen display should be as follows:
[Figure: EBS Data Source Name and User Name Variables]
Variable “Static_DSN_OLTP” represents the Data Source Name used to connect to EBS. Variable “Static_USER_ID” represents the Oracle user name used to connect to EBS. Edit the values of these variables by double-clicking on each in turn. The Data Source Name should correspond to the EBS connection name found in file “tnsnames.ora”. The user name should be one that has sufficient privileges to see all the DBI data needed for the OBIEE reports and dashboards.
Expand the node in the Physical layer (the pane on the right):
[Figure: Physical Layer showing Connection Pools]
Bring up the “EBS_Query_Pool” and “EBS_Authentication_Pool” in turn by double clicking on the nodes:
[Figure: OBIEE - EBS Connection Pool]
In the “General” tab for each connection pool, change the value of the “Password” field to the password of the user name you assigned to variable “Static_USER_ID”. Click “OK” to exit the editor.
When all changes are complete, select “File => Save” from the menu, and press “OK” when asked if you wish to check-in the changes.
Copyright © 2009 PWG Consulting, All Rights Reserved
