OBIEE 11.1.1.6 SSO with OAM 11.1.1.5: problem of attribute OID 11.1.1.6
Hello world!I configured an OAM (webgate) + DIO + OBIEE + OHS system.
The OBIEE is protected via OHS(weblogic module) and webgate. It works very well.
The CAO authenticates OID (default user identity store).
The * "User research Base" * is the same (* "cn = Users, dc is mydomain, dc = com" *) in the store of identity and authentication provider OID of OBIEE too.
SSO is enabled in OBIEE and suppliers are:
OID (provider that performs authentication LDAP 1.0) JUST
REQUIRED OAM (Oracle Access Manager identity Asserter 1.0) provider
DefaultAuthenticator (WebLogic Authentication Provider 1.0) SUFFICIENT
DefaultIdentityAsserter
IF the * "User name attribute" * is * '' cn '' * in-store OAM of identity of the users and the provider of the OID of the OBIEE * "user name attribute" * is * "cn" * (by default) also, everything works fine.
But I have to use * "orclSAMAccountName" * instead of * "cn" * (OAM and OID provider). And in this case, I have the problem.
The OID of the OBIEE provider are:
All users filter: (& (orclSAMAccountName = *)(objectclass=person))
The user of the name filter: (&(orclSAMAccountName=%u)(objectclass=person)))
Username attribute: orclSAMAccountName
I did a test user:
CN = test
SN = test_sn
orclsamaccountname = test_sama
UID = test_uid
krbprincipalname = test_krb
I can authenticate with test_sama OAM, but OBIEE say: * "" you are not logged here: Oracle BI Server. "*"
The bi log shows that:
+ By default (self-adjusting)' > < BISystemUser > <>< 00093dFuR ^ HFW7PMye7i6G00052S000Tt7 > < 1345642607333 > < BEA-000000 > < javax.security.auth.login.FailedLoginException: [Security: 090304] authentication failed: User test javax.security.auth.login.LoginException: identity [Security: 090300] Assertion failure: test user does not exist +.
+ oracle.security.jps.internal.api.jaas.AssertionException: javax.security.auth.login.FailedLoginException: [Security: 090304] authentication failed: User test javax.security.auth.login.LoginException: [Security: 090300] identity Assertion failure: test user does not exist.
Why does search OBIEE the * '' cn '' * and why does not use the * "orclsamaccountname?"
Any idea?
Best regards, Jani
Hello Joseph,.
This is a known issue in OBIEE 11.1.1.6.0, please see: OBIEE 11.1.1.6 Agent failed with error code: IHVF6OM7:OPR4ONWY:U9IM8TAC [nQSError: 13039] the imposter does not exist in the BI [1446877.1 ID] Security Service
We have configured OBIEE 11.1.1.6 on Linux and use Single Sign On (SSO) with authentication Native for Windows (Ondaaah).
Configured authenticator AD, select sAMAccountName instead of CN for the attribute of the user. SSO in MS license. When you try to access the OBIEE presentation services we met the below error.
«You are not logged here: Oracle BI Server.»
When to check the logfile biserver1 found: failure of the Assertion of identity [Security: 090300]: user OracleSystemUser does not exist
After you apply the hotfix 13553428 on top of 11.1.1.6.0 OBIEE we connected in OBIEE presentation services.
It works very well with OBIEE, 11.1.1.5.0 and 11.1.1.6.1
OBIEE fixed in 11.1.1.6.1. Apply Patch 13742915.
If you want to stay in OBIEE 11.1.1.6.0. Apply Patch 13553428.
Let me know if this solves the problem of Asserter.
Pls mark so useful or response.
Thank you
SVS-
Tags: Business Intelligence
Similar Questions
-
Integration of OBIEE 11.1.1.5 with OAM
Hello
I joined OBIEE 11.1.1.5 with OID11g (as part of the integration of the OAM), all users OID translate into obiee. IM able to connect to, in the "analytical", but not able to access reports. Also I am not able to assign groups BI for users of the OID.
Has anyone done this kind of a scenario facing? Can someone help me please?
If someone did obiee 11.1.1.5 integration integration with oam 11 g, please provide me with the document that you have followed.
Thanks in advance,
Faye farsatha.
Published by: 927873 on July 16, 2012 12:11 AMHello
Please try to access the Web analytics services using 'Analytics-ws' instead of just 'analytical' in the URL like below,
http://
: /analytics-ws/saw.dll? WSDL Do a test with link below it may help you...
http://onlineappsdba.com/index.php/2011/12/05/integrate-OBIEE-11g-with-OAM-11g-for-single-sign-on-in-13-steps/
http://fusionsecurity.blogspot.com/2012/06/integrating-OBIEE-11g-into-weblogics.html
http://docs.Oracle.com/CD/E23943_01/bi.1111/e10543/SSO.htm#CEGJBAEDThank you
Deva -
Hello
Has anyone use SSO with OBIEE? We have restricted MSAD/Windows with OBIEE SSO.
Let us know that it is possible to do with the authentication of the RPD?
Thank you!Yes, as long as you're not on the v.3 version where the roles session variable cannot be initialized the. If you're on v.5, Yes, it's quite possible.
-
Hi gurus,
(1) I have configured instance SSO with windows Active Directory and OBIEE.
(2) I also have another instance (without configured SSO) with table external authentication (verification of name and password of the user) and authorization (groups, that populate the session for the filtering of data variables).
Now my question is, I want a combination of scenario 1 and scenario 2. I want OBIEE SSO with Active directory
and the groups in the external table.
The reason being, my groups are custom in the outer table groups, I do not want to keep users in the repository.
can you please give me some pointers if the scenario is possible. Thanks in advance
Thanks and greetings
SatyaNow my question is, I want a combination of scenario 1 and scenario 2. I want OBIEE SSO with Active directory and the groups in the external table.
I don't have what is your question? Just do SSO with AD, and then load the groups in the GROUP through SQL init block. What is your real problem?
To filter the report data, you must have the same structure of Group at Web cat I guess (correct me if I'm wrong).
Yes, even if you do not need to use the same workgroup name. Is MNI names I'd rather have completely separate groups, some for safety to the RPD for Web security catalog. As long as the groups exist in the appropriate location (RPD or Web catalog) and they are assigned in the block GROUP init then OBIEE will be happy, they do not need to exist in both places.
(2) No SSO will fill the Remote_User variable rather than the default USER variable.
No, you say OBIEE where to put the REMOTE_USER value. "You can simply select ': USER"FROM DUAL or if you have your users defined in a table, you can also authenticate the user exist in this table, SELECT": 'FROM USER_TABLE WHERE USER_ID =' USER: USER" which adds another layer of authentication to your SSO solution.
-
Hello
Oracle has not been able to help me to do this job; 2 open of SR for weeks and no good answer. They referred me to the people of onlinappsdba and various other public Internet sites. We run EBS 12.1.3 and Disco 11.1.1.7.0 with 10g SSO and Ondaaah and SSL. That works very well, users, identity is established through Ondaaah on our corporate network, with zero sign - on. I'm replacing 10gSSO by OAM 11.1.2. OAM/OID works very well for EBS and OBIEE, always zero sign - on with the OID 11.1.1.7.0 and AccessGate piece (and a webgate for both). (Too many servers to SSO support in my view, if something goes wrong, too many places to look.) For Disco, I created the osso.conf in OAM 11.1.2 installed in a folder on the Disco and bounced of Disco. This works OK if in OAM authentication method is based authentication forms, with OAM inviting the user to signon, OID and then passes the user name and password through the OID in Active Directory, and connect on Disco invites to indicate the user name, and then gives access to workbooks. No prompt for password clubbing. But when I try to activate Ondaaah as an authentication method in the OAM, discoverer invite first the "Oracle Applications" connection for a user name and the EUL. But Disco then prompts the user a password, that no longer exists in fnd_user. because authentication is external. Connections fail. I am also unable to create a private connection; This dialog box Disco also invites a user password. At the login page of Disco, the user session went to OAM and fact authentication successful via Ondaaah. I can tell from follow-up to the session through Fiddler. Transmitted to the disco but Disco missing something and password prompts. Support OAM at Oracle seems to think that OAM is not send the cookie to Discoverer, although I'm not sure.
First of all, Ondaaah with Disco should work with OAM, right? Any thoughts on what might be missing? I went through the MOS notes a few times, closely followed the tutorial onlinappsdba on it.
Thank you very much.
Tom
The hotfix is described in Note 1616228.1 problem with mod_osso and custom authentication plugins. Disco can work very well, with zero sign - we and OAM.
-
Software needed to achieve SSO with Webcenter Suite 11.1.1.2
Hi all
I installed Web center suite 11.1.1.2 on my Machine. Can someone suggest, what software I need to install in order to achieve
Oracle SSO with E-Business Suite and OBIEE.
Concerning
Nanfack marzolf
Published by: user11965597 on 15 Sep 2011 03:58Using these business applications with WebCenter spaces? If you start a new project, why don't you use WebCenter 11 G PS3 or PS4 because there are a number of new features? Also the Oracle Access Manager (OAM) is the recommended method to achieve the goal of SSO.
Although Oracle SSO (OSSO) is the main solution for Oracle 10 G Infrastructure but Weblogic also support OSSO. Anyway, if you want to use Oracle SSO (OSSO) in WebCenter 11.1.1.2, you need after 2 software: -.
1 oracle HTTP Server (OHS)
2 oracle Internet Directory (OID)You can find the configuration details in http://download.oracle.com/docs/cd/E15523_01/webcenter.1111/e12405/wcadm_security.htm#BGBDADFE.
You don't need additional software for E-business Suite as well.
-
Headers with OAM 11 GR 2 PS3 question
Hello
We are migrating OAM 11 GR 2-OAM 11 GR 2 PS3 from windows to linux. We installed the new configuration of the PS3 and migrated all the OAM configuration details. We have the user profile of authorization policies for applications protected by OAM.
But while testing the SSO with applications, I found below questions
1. If any attribute is null in LDAP to the user, R2 returns NOT_FOUND. But in the PS3 display headers as null. Enforcement team has a logic based on NOT_FOUND only. It's a lot of changes on the changes of app to check the value of the attribute of null NOT_FOUND. Is there a workaround for this?
2. we have values multiple attributes for users in LDAP, in R2, these multivalued attribute values are separated by a colon(:), mais dans la PS3, elle est séparée par une virgule.) I read the doc - id in metalink 1935703.1 , but it allows to change the comma separator. How this can be changed to the colon?
Enjoy your entries.
1. that is a very simple change in coding. Any decent programmer should be able to do this fairly easily.
2. just follow the instruction and where it says ',' replace with ': '.
-
Hello world
I have configured single sign-on with OAM to guarantee a non fusion web application. But she cannot lead to the OAM sso login page. Could you please say nowhere I need to check?
The web application deployed in a weblogic domain, the console already be configured for authentication sso OAM successfully. But the deployed web application does not can be redirected to sso login page when go to a secure page.
The web.xml file is
<>login-config < Auth-method >CLIENT-CERT< / auth-method > < domain name > myRealm < / realm-name > < / login-config > Thank you.
Hello
Assuming that you go directly to the port of the Weblogic Server and not through a web server, acting as a proxy, try to add the url of your application as a resource in the Application domain 'IAM Suite' in the /oamconsole, which gives it an authentication strategy of 'Protected level policy' to see if this changes the behavior. This is a test - if it works, it's best to create your own application domain for your resources so that they can be managed without interfering with internal policies used by OAM.
Kind regards
Colin
-
SSO with Cloud-based deployments hybrid
Hello
I m wondering, how SSO works with the Hybrid Cloud-Based deployments.
I want to use Jabber for Windows with WebEx Connect and unified with Cisco WebEx Communications integration.
Issues related to the:
- How can I configure Jabber for Windows to use SSO with WebEx Connect after Installation of the Client?
- I ve read, that the SSO with WebEx Connect username will be [email protected] / * /. Fix?
- I ve read, that I need to create a jabber - config.xml with a following to apply Jabber for Windows to use the connection information Webex-Connect also for telephone Services. Fix?
presence - If this is correct, Jabber for Windows will use [email protected] / * / to authenticate with CUCM, but CUCM would need only the name without the domain name user. From my point of view, Jabber for Windows will not be able to authenticate with CUCM Telephony Services.
Any thoughts?
Thank you
Tino
Hi Tino,
You can use the command line arguments to specify the SSO with WebEx presence server. There is no real soloution SSO at present for hybrid mode (CUCM, unit Cxn). See the answer online for other issues.
- I ve read, that the SSO with WebEx Connect username will be [email protected] / * /. Fix?
>> Fix
- I ve read, that I need to create a jabber - config.xml with a following to apply Jabber for Windows to use the connection information Webex-Connect also for telephone Services. Fix?
>> Attribute 'PhoneService_UseCredentialsFrom' can only be used in the deployment prem No.. Check the section plan for authentication of the administration of Jabber for Windows for more information guide.
Thank you
Ménard
-
Hello
I use SSO with HTTP POST parameters for SINGLE sign-on for web applications behind my ASA.
I am currently playing with cactus.
My settings are:
action = login
login_username = CSCO_WEBVPN_USERNAME
login_password = CSCO_WEBVPN_PASSWORD
Realm = ldap
The connection works fine, but after the post OFFICE, the Web server sends a HTTP "302 OK code." Normally, it should be "302 moved" or "200 OK".
The ASA does not include what to do, to do nothing and replies with an error "Server
is not available >. When I press the 'Home' button and click again on the bookmark of cactus, I'm connected to cactus. It seems that there is a cookie or something missing.
When I do exactly the same with a browser, it sends after the "302 OK" normal GET and I am connected.
Me seems a mistake in cactus, but I'm not also sure if ASA does not respond properly?
Also, when I change the type of bookmark of https to post, it works! BUT: post plugin only supports http and not https, so my connections has send in clear on the internal network.
Any ideas?
Thank you
MB
configure the POST plugin for HTTPS by using the csco_proto=https parameter
in the Post-Plugin URL -
BEEP 11.1.1.5 Oracle compatibility with OAM/OIM 11 g 2
Hi Experts,
I tried searching in the matrix certification BI for compatibility support of BEEP with OAM/OIM 11 g 2, but could not find everything concerning 11.1.1.5. All I could see is 11.1.1.7.
Can someone let me know if BI Publisher version 11.1.1.5 is supported with OAM/OAM 11.1.1.2 BP05 (GR 11, 2)?
Please share any related information.
Thank you.
Shivam
You specify the exact version of OIM/OAM, IE 11 GR 2 PSx?
BP5 for 11 GR 2 PS2 I guess?
PS3 comes with BEEP automatically installed 11.1.1.7
PS2 requires you to install + 11.1.1.6
Ps1 requires 11.1.1.5 +
Anyway, the integration is very loose. OAM/IOM are delivered with some reports and what is required is that BEEP can open and process these reports. I do not in anyway format of relationship between versions changes.
-
Hello experts
need for an overview on the work of the Ondaaah with OAM. We have a scenario where the domain controllers are located at geographically different locations in different data centers. Suppose that the OAM is installed in DC 1. Now, when a user in DC 2, she is authenticated by DC in DC 2. When the user tries to access a web resource, the request is routed to OAM in DC 1.
At this stage, OAM is able to authenticate the user through DC 1 DC? as I am confused which will be so KDC runs in DC 2, DC 1 being able to authenticate domain controller?
I really appreciate your response.
Yes, your example would work. Ondaaah installation allows you to specify several KDC in the krb5.conf so file.
-
implementation of SSO with r12
Hello Experts,
I must apply sso with our installation r12.
the details are:
Operating system: HP-UX Itanium
EBS: 12.1.3
DB: 11.2.0.2
Next Note: Integration Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On [376811.1 ID]
According to the note, need to install 10 g AS (10.1.4.0.1)
can it go to 10.1.4.0.3
I am facing problem to download s/w for 10g As.
http://www.Oracle.com/technetwork/middleware/IAS/downloads/101401-099957.html
but not able to understand which I take download to do the first installation. (10.1.4.0.1)
Please suggest.
Thanks in ADV!
Hello
The issue is discussed previously and answered in the forum, please visit:
https://forums.Oracle.com/message/10403374
HTH!
Thank you &
Best regards
-
How to reconfigure the OHS 11 g WebGate with OAM 11 g?
Hi all
Can you please let me know your opinion on below scenario?
1. I set up a SST 11 g WebGate in OAM 11 g with main server with unique. WebGate works very well.
2. in the future, I created a new OAM server with different proxy port and want to add as a secondary server to OHS 11 g webgate. To do this, my thoughts are: Goto OAM admin console and change the profile of the agent to add the secondary server. Is this all enough to make the complete work? By the way, ObAccessClient.xml no is not updated in the folder RREG_HOME/output of artifacts. If it is updated automatically after changing details in the OAM console so I can just copy to WebGate instance.
The same question arises for 10g WebGate with OAM 11 g. Is it also possible to reconfigure the webgate as in the case of OAM 10 g and 10 g webgates?
-MangoHi Manon,.
You only need to make the change in the oamconsole (change the agent profile as you suggest) and you do not need to re - copy the file ObAccessClient.xml. You may need to wait a few minutes for the change must be executed by the WebGate, or I expect a restart of the web server in order to acquire the new settings. Using the url of diagnosis webgate will tell you which servers OAM the WebGate is connected to (http://server:port/ohs/modules/webgate.cgi?progid=1 mfor 11 g WebGate).
Kind regards
Colin -
Informatica Application with OAM 11g Setup
Hello
Could someone help me to protect Informatica application with OAM 11 g.
Thank you
Sony-First thing you can do is ask Oracle (support.oracle.com) if they have no documentation for the integration of OAM with Informatica.
- Alternatively, you can check out the link here, which has steps of OAM integration with various third-party applications
http://docs.Oracle.com/CD/B28196_01/idmanage.1014/b25347/Siebel.htm#SiebelYou must have the location of the repository informatica, portnumbers etc. Try configurations by seeing examples in above link.
Kind regards
GP
Maybe you are looking for
-
Cannot start start Recovery on iMac
Greetings! I have a few questions on my iMac 27' (end of 2009). Problems began when I decided to remove the OS X El Capitan and install OS X Lion of factory since the recovery partition. My actions: -reboot iMac -you press Command + Option + R -selec
-
The user migrated but not up-to-date on the NAS
Hello, I've migrated 3 accounts but the last of them was not updated on the NAS. When I check the actions, he stills appears the username and not e-mail as those migrated. I tried to delete the e-mail for this user shared folders on the portal readyc
-
SL 410 Upgrade ram and hard drive
Hi all I have been using the 410-2842-rk1 model Lenovo thinkpad SL for a year and a half. No problems until now I want to upgrade the RAM and hard drive of this machine. At the time of purchase, I had seen that I could improve up to 1 TB of hard driv
-
Download firefox 5 and did not appear on the desktop do not know how to open firefox 5 now
I recently downloaded the new version of firefox 5, uninstalled because I had problems with Silverlight and reinstalled firefox 5 and the icon does not appear on my desktop. Now I don't know how to open firefox 5! Help, please! Thank you!
-
* Original title: updates When I try to check the updates of windows on windows 8 I get this code... WindowsUpdate_8024a000 Thank you in advance for your help! Rick