RSA Via Access SAML Configuration for Oracle Business Intelligence
Last Modified: June 13, 2016
Oracle Business Intelligence (BI) is a portfolio of technology and applications that provides the
industry's first integrated, end-to-end Enterprise Performance Management System, including BI
foundation and tools - integrated array of query, reporting, analysis, alerting, mobile analytics, data
integration and management, and desktop integration - as well as category-leading financial
performance management applications, operational BI applications, and data warehousing.
Before You Begin
• Acquire an administrator account for both RSA Via Access and ORACLE BI.
• Obtain the Assertion Consumer Service (ACS) URL and Service Provider Entity ID from your
ORACLE BI service provider.
• Configure a target application for your ORACLE BI service provider.
The instructions in this guide use the following ACS URL and entity ID values:
ACS URL: http://vmchangeme:9502/saml2/sp/acs/post
Service Provider Entity ID: biserver1.gslab.com
Procedure
1. Add the Oracle BI Application in RSA Via Access
2. Configure ORACLE BI to Use RSA Via Access as an Identity Provider
Add the Application in RSA Via Access
Procedure
1. Log in to the RSA Via Access Administration Console, click the Applications tab and select
Application Catalog from the Application tab dropdown list.
2. Search for Oracle Business Intelligence in the list of applications and click the +Add button.
1
Copyright © 2016 EMC Corporation. All Rights Reserved.
3. Enter a name for the application in the Name field on the Basic Information page and click
the Next Step button.
4. Scroll to the SAML Identity Provider (Issuer) section on the Connection Profile page and
copy the auto-generated URL from the Identity Provider URL field.
5. Scroll to the Initiate SAML Workflow section at the top of the page, select the SP-initiated
radio button and paste the identity provider URL in the Connection URL field.
Note: The following SP-initiated configuration works for IDP-initiated Oracle BI connections as well.
6. Select the POST radio button in the Binding Method for SAML Request section.
7. You will need to import a private/public key pair to sign and validate SAML assertions. If you
don’t have one readily available, follow the steps to generate a certificate bundle. Otherwise,
continue to step 8.
a. Click the Generate Certificate Bundle button in the SAML Response Signature
section.
b. In the Common Name (CN) field, enter the hostname of the BI service provider’s
HTTPS server that will be sending authentication requests.
c. Click the Generate and Download button, save the certificate bundle ZIP file to a
secure location and extract its contents. The ZIP file will contain a private key, a public
certificate and a certificate signing request.
8. Click the Choose File button to the left of the Generate Certificate Bundle button, locate and
select the private key for signing the SAML assertions and click the Open button.
9. Click the Choose File button underneath the Generate Certificate Bundle button, locate and
select your public certificate and click the Open button.
10. Select the Include Certificate in Outgoing Assertion checkbox.
11. Scroll to the Service Provider section and enter your ORACLE BI ACS URL in the Assertion
Consumer Service (ACS) URL field. For example:
http://vmchangeme:9502/saml2/sp/acs/post
12. Enter your ORACLE BI SP Entity ID in the Audience (Service Provider Entity ID) field. For
example: biserver1.gslab.com
13. Scroll to the User Identity section and select the format of the SAML assertion NameID from
the Identifier Type dropdown list. In this example, a SAML assertion will present a NameID
value in the form of an email.
14. Select the name of your user identity source from the User Store dropdown list. In this
example, user accounts are stored in an identity source named PE_AD.
15. Select the identity source’s attribute that will be used as the NameID from the Property
dropdown list. In this example, the identity source’s mail attribute will be used to uniquely
identify a user in SAML assertions.
16. Click the Next Step button.
17. On the User Access page, select the access policy the identity router will use to determine
which users can access the BI service provider from the portal. If you want to allow access to
all users who are signed in to the portal, select the Allow All Authenticated Users radio
button. Otherwise, select the Select Custom Policy radio button and select the policy you
want to use from the dropdown list.
18. Click the Next Step button.
19. Select the Display in Portal checkbox on the Portal Display page.
20. Enter descriptive text about the application in the Application Tooltip field. The portal will
display this text when a user passes the cursor over the application’s icon.
21. Click the Save and Finish button.
Note: Consult your VIA Access documentation for additional configuration options.
22. Click the Publish Changes button in the top left corner of the page.
23. Click the Applications tab and select My Applications from the dropdown list.
24. Search for Oracle Business Intelligence in the list of applications and select Export Metadata
from the Edit dropdown list on the right to download an XML file containing your VIA IdP’s
metadata. You will use the Oracle WebLogic Admin Console to import this file when you
configure Oracle BI SAML Federation Services.
Configure ORACLE BI to Use RSA Via Access as an Identity Provider
Follow the steps below to configure Oracle Business Intelligence as the service provider.
Create a SAML Identity Asserter
1. Log in to the Weblogic Admin console on the BI Domain (https://hostname:port/console) and
click the Security Realms link in the Domain Structure pane on the left.
2. Click the Lock and Edit button in the Change Center pane on the top-left corner of the page.
3. Go to the Realms table on the right and click the name of the security realm you want to
configure. The realm name in this example is myrealm.
4. Select the Providers > Authentication tab and click the New button in the Authentication
Providers section.
5. Select SAML2IdentityAsserter from the Type dropdown list.
6. Enter a name for the identity asserter in the Name field and click the OK button.
7. Click the Activate Changes button in the Change Center pane and restart your Oracle BI
Managed WebLogic server instance.
Enable SSL on the Managed Oracle BI Server
1. Log in to the Weblogic Admin console on the BI Domain, expand the Environment node in the
Domain Structure pane and click the Servers link.
2. Click the Lock and Edit button in the Change Center pane.
3. Go to the Servers table on the right and click the name of your BI managed server. In this
example, the server’s name is bi_server1.
4. Select the Configuration > General tab, check the SSL Listen Port Enabled checkbox and
enter an SSL port number in the SSL Listen Port field.
5. Click the Save button.
Note: This example assumes that you are using WebLogic’s demo keystore to sign documents. If you wish to
use another keystore, you can configure it on this page. Consult your Oracle Business Intelligence documentation
for details and additional configuration options.
6. Click the Activate Changes button in the Change Center pane and restart your Oracle BI
Managed WebLogic server instance.
Configure the Oracle BI Domain as a SAML 2.0 Service Provider
1. Log in to the Weblogic Admin console on the BI Domain, expand the Environment node in the
Domain Structure pane and click the Servers link.
2. Go to the Servers table on the right and click the name of your BI managed server.
3. Select the Configuration > Federation Services > SAML 2.0 Service Provider tab and check
the Enabled checkbox.
4. Check the POST Binding Enabled checkbox and select POST from the Preferred Binding
dropdown list.
5. Enter your Oracle BI Service Provider URL in the Default URL field and click the Save button.
Note: Consult your Oracle Business Intelligence documentation for additional configuration options.
6. Click the Activate Changes button in the Change Center pane and restart your Oracle BI
Managed WebLogic server instance.
Configure SAML 2.0 Federation Properties for the Oracle BI Server
1. Log in to the Weblogic Admin console on the BI Domain, expand the Environment node in the
Domain Structure pane and click the Servers link.
2. Go to the Servers table on the right and click the name of your BI managed server.
3. Select the Configuration > Federation Services > SAML 2.0 General tab.
4. Enter the first and last name of the site’s contact in the Contact Person Given Name and
Contact Person Surname fields, respectively, and select administrative from the Contact
Person Type dropdown list.
5. Enter the contact’s company, phone number, email address and organization in the Contact
Person Company, Contact Person Telephone Number, Contact Person Email Address,
and Contact Person Organization Name fields, respectively.
6. Enter the organization’s URL in the Organization URL field and the published site’s URL in the
Published Site URL field. Use the following format for the published site URL:
http://<BI_Domain_Server_Name>:<Managed Server Port>/saml2. In this example, the
site’s URL is: http://vmchangeme:9502/saml2.
Note: Your site’s ACS URL will be <PUBLISHED_SITE_URL>/sp/acs/post
7. Enter a string that uniquely identifies the site in the Entity ID field.
8. If you are using the WebLogic demo keystore, enter DemoIdentity in the Single Sign-on
Signing Key Alias field. If you are using a different keystore, enter the keystore’s alias for the
key that will be used to sign documents.
9. If you are using the WebLogic demo keystore, enter DemoIdentityPassPhrase in the Single
Sign-on Signing Key Pass Phrase and Confirm Single Sign-on Signing Key Pass Phrase
fields. Otherwise, enter the passphrase that is used to retrieve the local site’s SSO signing key
from your keystore.
10. Click the Save button.
Note: Consult your Oracle Business Intelligence documentation for additional configuration options.
11. Click the Activate Changes button in the Change Center pane and restart your Oracle BI
Managed WebLogic server instance.
12. Log in to the Weblogic Admin console on the BI Domain, expand the Environment node in the
Domain Structure pane and click the Servers link.
13. Go to the Servers table on the right and click the name of your BI managed server.
14. Select the Configuration > Federation Services > SAML 2.0 General tab and click the
Publish Meta Data button.
15. Restart your Oracle BI Managed WebLogic server instance.
Configure the VIA Access Identity Provider Metadata on the Oracle BI domain
1. Log in to the Weblogic Admin console on the BI Domain and click the Security Realms link in
the Domain Structure pane on the left.
2. Click the Lock and Edit button in the Change Center pane on the top-left corner of the page.
3. Go to the Realms table and click the name of the security realm you want to configure.
4. Select the Providers > Authentication tab and click the link for the SAML2IdentityAsserter
you created earlier.
5. Select the Management tab and select New Web Single Sign-On Identity Provider Partner from
the New dropdown list.
6. Enter a name for the partner in the Name field in the Partner Properties section.
7. Enter the path and filename of the Identity Provider metadata file in the Path field and click the
OK button.
8. Click the name of the new partner in the Identity Provider Partners table and select the
General tab.
9. Check the Enabled and Virtual User checkboxes.
10. Enter /analytics/* in the Redirect URIs textbox and click the Save button.
Note: Consult your Oracle Business Intelligence documentation for additional configuration options.
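Before the first login is attempted, it is worth confirming that the IdP metadata exported from Via Access carries what the WebLogic partner needs and that the values typed on both sides agree. The following Python script is an added example, not part of this guide or of either product: it parses a constructed sample of IdP metadata (placeholder entityID, Location and certificate) for the signing certificate and HTTP-POST endpoint, and compares the Via Access ACS URL and Audience (steps 11 and 12 of the application setup) with the WebLogic Published Site URL and Entity ID using the <PUBLISHED_SITE_URL>/sp/acs/post rule given in the note above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of an exported IdP metadata file; the entityID, Location
# and certificate are placeholders, not real RSA Via Access output.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idr.example.com/IdPServlet?idp_id=oraclebi">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idr.example.com/IdPServlet"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Pull out what the WebLogic IdP partner needs; raise if anything is missing."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    # A KeyDescriptor with no 'use' attribute may be used for signing as well.
    certs = [c for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate: the SP cannot verify assertion signatures")
    post_sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                if s.get("Binding") == HTTP_POST]
    if not post_sso:
        raise ValueError("no HTTP-POST SingleSignOnService, but the SP prefers POST")
    return {"entity_id": root.get("entityID"), "sso_post_url": post_sso[0],
            "signing_certs": len(certs)}


def check_sp_alignment(via_app, wls_sp):
    """via_app: Via Access ACS URL and Audience; wls_sp: WebLogic Published Site URL
    and Entity ID. Returns a list of findings; an empty list means both sides agree."""
    findings = []
    expected_acs = wls_sp["published_site_url"].rstrip("/") + "/sp/acs/post"
    if via_app["acs_url"] != expected_acs:
        findings.append(f"ACS URL mismatch: Via Access posts to {via_app['acs_url']}, "
                        f"but WebLogic will answer at {expected_acs}")
    if via_app["audience"] != wls_sp["entity_id"]:
        findings.append("Audience differs from the SP Entity ID: assertions fail the audience check")
    if urlsplit(via_app["acs_url"]).scheme != "https":
        findings.append("ACS URL is not https: signed assertions would be posted in clear text")
    return findings
```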
Configure Oracle BI for Single Sign-On
1. Go to the %ORACLE_HOME%/%BI_DOMAIN%/bifoundation/jee/ directory (for example:
C:\Oracle\Middleware\Oracle_Home\bi\bifoundation\jee) and copy the analytics.ear file to a
temporary folder. This folder is referred to as tmp1 below.
2. Open a command prompt, navigate to the tmp1 directory, enter the following command to
extract the contents of the analytics.ear file and delete the analytics.ear file afterwards:
jar -xvf analytics.ear
3. Open the MANIFEST.MF file in the META-INF folder and add the following line to the end of the
file. Replace 11.1.1.7.0.130303.2025 with your WebLogic server version:
Weblogic-Application-Version: 11.1.1.7.0.130303.2025
4. Move the analytics.war file to a new temporary folder. This folder is referred to as tmp2 below.
5. Navigate to the tmp2 directory in the command prompt and enter the following command to
extract the contents of the WAR file:
jar -xvf analytics.war
6. Open the web.xml file in the WEB-INF folder and replace these lines:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
with the following:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>BI Analytics</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>SSORole</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
    <role-name>SSORole</role-name>
</security-role>
7. Replace the contents of the WEB-INF folder’s weblogic.xml file with the following XML.
Important: Each <principal-name> element below grants a user or group access to the analytics
application. There are four entries below: weblogic, BIUsers, BIAdmins and BISystemUser. You may
remove and/or add principal-name elements as required.
<?xml version = '1.0' encoding = 'US-ASCII'?>
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
    <session-descriptor>
        <cookie-path>/</cookie-path>
        <!-- Note: keep the cookie path value as "/" -->
    </session-descriptor>
    <context-root>analytics</context-root>
    <security-role-assignment>
        <role-name>SSORole</role-name>
        <principal-name>weblogic</principal-name>
        <!-- Note: only the usernames/groups specified in principal-name elements will get
             access to the analytics application -->
        <principal-name>BIUsers</principal-name>
        <principal-name>BIAdmins</principal-name>
        <principal-name>BISystemUser</principal-name>
    </security-role-assignment>
    <!-- Bug 14659820. The oracle.bibopmn library would pull in a version of sautils.jar that
         does not have access to a mad.jar with appropriate code grants. Due to upgrade
         restrictions we need to keep using the war's jars. -->
    <container-descriptor>
        <prefer-web-inf-classes>true</prefer-web-inf-classes>
    </container-descriptor>
</weblogic-web-app>
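The two descriptors above decide who can reach /analytics at all, so it pays to check the edited files before repacking the EAR. The following Python script is an added example, not from this guide or from Oracle: it parses constructed copies of the web.xml fragment (wrapped in a minimal <web-app> root) and the weblogic.xml above, reports which URL patterns require which roles and which principals are mapped to each role, and flags a role with no principal-name mapping or a missing constraint on /*.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml: the guide's security-constraint, login-config and security-role
# fragments wrapped in a minimal <web-app> root so the sample parses stand-alone.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>BI Analytics</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>SSORole</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
  <security-role><role-name>SSORole</role-name></security-role>
</web-app>"""

# Constructed weblogic.xml carrying the same role mapping as the guide's example.
WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <context-root>analytics</context-root>
  <security-role-assignment>
    <role-name>SSORole</role-name>
    <principal-name>weblogic</principal-name>
    <principal-name>BIUsers</principal-name>
    <principal-name>BIAdmins</principal-name>
    <principal-name>BISystemUser</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""


def node_text(elem, path):
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else None


def audit_sso_descriptors(web_xml, weblogic_xml):
    """Map each protected URL pattern to its roles and each role to its principals;
    findings list anything that would leave /analytics reachable without SSO."""
    web, wls = ET.fromstring(web_xml), ET.fromstring(weblogic_xml)
    constraints, assignments, findings = {}, {}, []
    # '{*}' matches any namespace, so a namespaced production web.xml parses the same way.
    for sc in web.findall("{*}security-constraint"):
        roles = [r.text.strip() for r in sc.findall("{*}auth-constraint/{*}role-name")]
        for p in sc.findall("{*}web-resource-collection/{*}url-pattern"):
            constraints[p.text.strip()] = roles
    for sra in wls.findall("{*}security-role-assignment"):
        role = node_text(sra, "{*}role-name")
        assignments[role] = [p.text.strip() for p in sra.findall("{*}principal-name")]
    if "/*" not in constraints:
        findings.append("no security-constraint on /*: unmatched analytics URLs need no login")
    for pattern, roles in constraints.items():
        for role in roles:
            if not assignments.get(role):
                findings.append(f"role {role} protecting {pattern} has no principal-name in weblogic.xml")
    return {"auth_method": node_text(web, "{*}login-config/{*}auth-method"),
            "constraints": constraints, "assignments": assignments, "findings": findings}
```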
8. Enter the following command in the tmp2 directory to generate a new WAR file:
jar -cvf analytics.war *
9. Copy the new analytics.war file to the tmp1 folder and delete the tmp2 folder.
10. Navigate to the tmp1 directory in the command prompt and enter the following command to
generate a new EAR file:
jar cvfM analytics.ear analytics.war analyticsws.war META-INF/ deployment.xml
11. Log in to the Weblogic Admin console and click the Deployments link in the Domain
Structure pane on the left.
12. Select the Control tab, check the checkbox for the analytics service and click the Stop button.
13. Select the Configuration tab, check the checkbox for the analytics service and click the
Delete button at the top left of the Deployments table.
14. When the analytics service has been deleted, click the Install button in the top left corner of
the Deployments table to install the new analytics.ear file.
15. In the Install Application Assistant page’s Path field, enter the path and filename of the
analytics.ear file you created in the tmp1 folder and click the Next button.
16. Select the Install this deployment as an application radio button and click the Next button.
17. Select the checkbox for your Oracle BI Managed WebLogic server instance in the Clusters
section, click the Next button and click the Finish button.
Enable SSO for Oracle BI
1. Log in to the Oracle Enterprise Manager console (http://hostname:port/em/console/home) as a
WebLogic administrator.
2. Click the Weblogic_Domain dropdown menu and select the Security > Security Provider
Configuration menu item.
3. Click the Identity Store Provider node and click the Configure button.
4. Check the Use Weblogic Authentication Provider Configuration checkbox and click the
tree icon in the upper left corner of the screen.
5. Expand the Business Intelligence node and click the biinstance icon.
6. Select the Security tab, check the Enable SSO checkbox and click the Apply button.