12/26/2019 Document 2348673.1
Copyright (c) 2019, Oracle. All rights reserved. Oracle Confidential.

OBIEE 12c : How To Configure SAML SSO on OBIEE 12c With OKTA Identity Provider (IdP) (Doc ID 2348673.1)

In this Document

Purpose
Scope
Details
1. Prerequisites
1.1 OKTA Prerequisites
1.2 OBIEE 12c Prerequisites
2. Configuring BI Domain as a Partner (SP) with OKTA (IdP)
3. Configuring BI Domain for SAML Authentication
3.1 Adding OKTA as an Identity Provider Partner
3.2 Configuring managed server ( bi_server1 ) as Service Provider
4. Enable Analytics Application for SSO
4.1 Update analytics.ear to include required security role
4.2 Redeploy analytics application
5. Enable SSO in EM
6. Setup Authorization
7. Restart all the Services
8. Verify the SAML SSO Login
9. Basic Troubleshooting
9.1 HTTP 404 on /saml2/sp/acs/post

Document Details

Type: BULLETIN
Status: PUBLISHED
Last Major Update: 25-Apr-2019
Last Update: 18-Oct-2019
Related Products: Business Intelligence Suite Enterprise Edition
APPLIES TO:

Business Intelligence Suite Enterprise Edition - Version 12.2.1.2.0 and later
Information in this document applies to any platform.

PURPOSE

The main purpose of this document is to provide the configuration steps to implement Security Assertion Markup Language (SAML) 2.0 Web Single Sign On (SSO) for OBIEE 12c using OKTA as the Identity Provider (IdP). Issues encountered while implementing these steps are not necessarily handled by the OBIEE product support group; depending on the issue, the appropriate support team (e.g. OKTA IdP, HTTP Server, load balancer, WebLogic or OBI) may need to be engaged.

This is Service Provider (SP) initiated SSO: the user directly accesses the Analytics SP URL and is redirected to OKTA for authentication.

SCOPE

This document is informational and intended for Administrators and Advanced Users. It covers very basic and typical SAML 2.0 implementation steps for OBIEE 12c.
This document does not cover all implementation scenarios.
This document is intended as a "cookbook" enhancement to the documentation, to fill in gaps, missing or ambiguous information, and to tie multiple documents together in one location. It is not meant to replace the official documentation.
The server names, locations and passwords used in this document are examples and should not be copied and pasted.
This document does not cover OBIEE installation or SSL configuration for OBIEE.
This document assumes an administration login to OKTA.

Before following the steps in this document, ensure:

The OBIEE environment is in working condition.
Verify that users can log in to Analytics from the default LDAP and/or external LDAP (if any).
Take a complete domain backup before attempting to implement SAML.


DETAILS

1. Prerequisites

1.1 OKTA Prerequisites

An Administrator login to OKTA is required.

1.2 OBIEE 12c Prerequisites

Configure all the required alternative Authentication and Authorization providers, and SSL, prior to configuring SAML SSO.

OBIEE 12c should be in working condition.

2. Configuring BI Domain as a Partner (SP) with OKTA (IdP)

Log in to OKTA as an Administrator user.

Click on Applications

Click on Create New App

Select "Sign on method" as SAML 2.0 and Click on Create



Provide the App Name and optionally change the logo for the application.

Provide Single Sign On URL : http://obiee_host:port/saml2/sp/acs/post
This is the WebLogic SAML 2.0 Assertion Consumer Service (ACS) endpoint to which the browser POSTs the SAML response. Use the https form of the URL when SSL is configured on the managed server, since over http the signed assertion travels in clear text.

Check the option "Use this for Recipient and Destination URL"
Provide Audience URI (SP Entity ID). Make a note of the value provided for Entity ID; it has to be used in the WebLogic configuration.
Leave the other options as default, which means the user name used for the OKTA login is also used for the OBIEE login.
By default OKTA uses the email for the login, so the same attribute value is passed to OBIEE as the user name via the SAML response.
You can change the attribute passed from OKTA to OBIEE. In this example the default login attribute, email, is used.


Select the option "I'm an Okta Customer adding an internal app"

Check the option "This is an internal app that we have created"


With this step, you have successfully added OBIEE Analytics as a partner application to OKTA.

Next, export the IdP metadata (the "Identity Provider metadata" link on the application's Sign On tab) and save it into a file, e.g. okta_idp_metadata.xml

Grant access on the newly created application to Users/Groups:

Navigate to: Applications -> Assign Applications
Select the application and the corresponding Users/Groups to be granted access.

3. Configuring BI Domain for SAML Authentication

3.1 Adding OKTA as an Identity Provider Partner

Login to WebLogic Console as an Administrator User

Click on Lock & Edit
Security Realms -> myrealm -> Providers -> New
Enter a Provider Name for the SAML asserter
Choose "SAML2IdentityAsserter" for Type
Click OK

Click on DefaultAuthenticator
Change "Control Flag" to "SUFFICIENT" (left at REQUIRED, every SAML-asserted login would also have to succeed against the embedded LDAP)
Click Save
Activate Changes
Restart the services
$DOMAIN_HOME/bitools/bin/stop.sh

$DOMAIN_HOME/bitools/bin/start.sh
Copy the OKTA IdP metadata file ( okta_idp_metadata.xml ) to the OBIEE server machine and ensure the OS user running WebLogic can read it.
Login to WebLogic Console as an Administrator User
Click on Lock & Edit
Security Realms -> myrealm -> Providers
Click on the newly created SAML asserter
Click on Management
Click New for "Identity Provider Partner"
Select "New Web Single Sign-On Identity Provider Partner"
Provide a name for the IdP partner, e.g. WebSSO-IdP-Partner-0
Select the IdP metadata file for import.
Click Save

Click on IdP Partner name "WebSSO-IdP-Partner-0"

Check "Enabled"
Check "Virtual User" (users asserted by OKTA then do not have to exist in a WebLogic authentication provider; the subject is built from the assertion, and access is gated only by the group membership set up in step 6)
Provide the Redirect URIs for Analytics : /analytics/*
Click Save


3.2 Configuring managed server ( bi_server1 ) as Service Provider

Login to WebLogic Console as an Administrator User

Click on Lock & Edit
Click on Servers -> bi_server1 -> Configuration -> Federation Services -> SAML 2.0 General
Provide values for all the fields.
Published Site URL must be in the format: SSL : https://obiee_host:9503/saml2 , Non-SSL : http://obiee_host:9502/saml2

If you have a cluster of managed servers, this should be the externally visible entry point to all managed servers in the cluster, i.e. the URL exposed via the web server (load balancer) in front of the managed servers, for example: https://loadbalancer_host/saml2

Ensure the value for Entity ID is the same as the one provided for Audience URI (SP Entity ID) in the application configuration in OKTA. The Single Sign On URL given to OKTA in step 2 must equal this Published Site URL followed by /sp/acs/post.
Click Save


Click on Servers -> bi_server1 -> Configuration -> Federation Services -> SAML 2.0 Service Provider
Check "Enabled"
Check "POST Binding Enabled"
Check "Artifact Binding Enabled"
Preferred Binding : POST
Default URL : URL for Analytics ( http://obiee_host:port/analytics )
Click Save.
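Before restarting the domain, the three places where the same values were typed (the OKTA application in step 2, the IdP partner in step 3.1 and the SP settings in step 3.2) can be cross-checked offline. The following Python script is an added example for this document, not Oracle or OKTA tooling. The IdP metadata it parses is a constructed sample in the shape of an OKTA export; the host names, entity ID and certificate blob in it are hypothetical. To use it against a real setup, read okta_idp_metadata.xml and fill sp / okta_app with the values from the WebLogic console and the OKTA application.

```python
"""Preflight check of the values entered in steps 2, 3.1 and 3.2 before restarting the domain.
Added example, not part of the Oracle document and not WebLogic or OKTA tooling. The IdP
metadata below is a constructed sample in the shape of an OKTA export (hypothetical host
names, dummy certificate); for a real check read okta_idp_metadata.xml instead."""
import datetime as dt
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000000000example">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...dummy...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exk0000000000example/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/exk0000000000example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Pull out what the WebLogic IdP partner import (step 3.1) relies on."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # encryption-only keys do not verify signatures
            certs += [(c.text or "").strip()
                      for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "entity_id": root.get("entityID"),
        "sso": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
        "signing_certs": [c for c in certs if c],
        "name_id_format": idp.findtext("md:NameIDFormat", default="", namespaces=NS),
        "valid_until": root.get("validUntil"),
    }


def check_sp_settings(sp, okta_app, idp):
    """Cross-check the WebLogic SP fields (3.2) against the OKTA app (2) and the IdP metadata.
    Returns a list of findings; an empty list means the three sides agree."""
    findings = []
    site = sp["published_site_url"].rstrip("/")
    acs = site + "/sp/acs/post"  # WebLogic's ACS POST endpoint lives under the /saml2 site URL
    if okta_app["single_sign_on_url"] != acs:
        findings.append(f"OKTA Single Sign On URL must be {acs}, got {okta_app['single_sign_on_url']}")
    if okta_app["audience_uri"] != sp["entity_id"]:
        findings.append("OKTA Audience URI (SP Entity ID) differs from the WebLogic Entity ID")
    if urlparse(site).scheme != "https":
        findings.append("Published Site URL is http: the signed assertion is POSTed in clear text")
    if sp["preferred_binding"] == "POST" and POST_BINDING not in idp["sso"]:
        findings.append("IdP metadata offers no HTTP-POST SingleSignOnService")
    if not idp["signing_certs"]:
        findings.append("IdP metadata carries no signing certificate; assertions cannot be verified")
    if idp["valid_until"]:
        expiry = dt.datetime.fromisoformat(idp["valid_until"].replace("Z", "+00:00"))
        if expiry < dt.datetime.now(dt.timezone.utc):
            findings.append("IdP metadata validUntil is in the past; re-export it from OKTA")
    return findings


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_IDP_METADATA)
    sp = {"published_site_url": "https://obiee_host:9503/saml2",
          "entity_id": "obiee-analytics-sp", "preferred_binding": "POST"}
    okta_app = {"single_sign_on_url": "https://obiee_host:9503/saml2/sp/acs/post",
                "audience_uri": "obiee-analytics-sp"}
    for line in check_sp_settings(sp, okta_app, idp) or ["OK: OKTA app, WebLogic SP and IdP metadata agree"]:
        print(line)
```

The check deliberately reports an http Published Site URL as a finding even though the document allows the non-SSL form: the ACS URL is where the browser delivers the signed assertion, so it is the one URL in the setup that should not be plain http outside a lab.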


4. Enable Analytics Application for SSO

4.1 Update analytics.ear to include required security role

Extract the weblogic.xml and web.xml files from analytics.ear

Make a backup of the existing analytics.ear file.
Copy analytics.ear into a temporary directory (analytics_temp in this example; the same directory is used in all the following steps).

$cd /refresh/home/oracle/12c/Oracle_Home/bi/bifoundation/jee/

$mkdir analytics_temp

$cp analytics.ear analytics_temp

$cd analytics_temp/

$ls -lrt
-rw-r----- 1 oracle oracle 92147154 Mar 28 02:35 analytics.ear

$jar xvf analytics.ear analytics.war
inflated: analytics.war

$ls -lrt
-rw-rw-r-- 1 oracle oracle 96878571 Sep 23 2016 analytics.war
-rw-r----- 1 oracle oracle 92147154 Mar 28 02:35 analytics.ear

$jar xvf analytics.war WEB-INF/weblogic.xml
inflated: WEB-INF/weblogic.xml

$jar xvf analytics.war WEB-INF/web.xml
inflated: WEB-INF/web.xml

Update web.xml to include the security role "SSORole"

$cd /refresh/home/oracle/12c/Oracle_Home/bi/bifoundation/jee/analytics_temp/WEB-INF

$vi web.xml

look for

<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>

and replace with below

<security-constraint>
<web-resource-collection>
<web-resource-name>BI Analytics</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>SSORole</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
<role-name>SSORole</role-name>
</security-role>

With this constraint every request under /analytics requires an authenticated user who is in SSORole; the existing CLIENT-CERT auth method is what makes WebLogic perform identity assertion (here via the SAML2IdentityAsserter) instead of challenging for a password.

Update weblogic.xml to add members to the role "SSORole"

Edit the file and add the role entries below.
In this example, the BIUsers and BIAdmins groups are used.


$cd /refresh/home/oracle/12c/Oracle_Home/bi/bifoundation/jee/analytics_temp/WEB-INF

$vi weblogic.xml

<?xml version = '1.0' encoding = 'US-ASCII'?>


<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">

<session-descriptor>
<cookie-path>/</cookie-path>
</session-descriptor>

<security-role-assignment>
<role-name>SSORole</role-name>
<principal-name>BIUsers</principal-name>
<principal-name>BIAdmins</principal-name>
</security-role-assignment>
</weblogic-web-app>

Repackage the analytics.ear file (update the war first, then the ear).

$cd /refresh/home/oracle/12c/Oracle_Home/bi/bifoundation/jee/analytics_temp

$ ls -lrt

-rw-rw-r-- 1 oracle oracle 96878571 Sep 23 2016 analytics.war


-rw-r----- 1 oracle oracle 92147154 Mar 28 02:35 analytics.ear
drwxrwxr-x 2 oracle oracle 4096 Mar 28 03:05 WEB-INF

$jar uvf analytics.war WEB-INF/web.xml


adding: WEB-INF/web.xml(in = 8312) (out= 1582)(deflated 80%)

$jar uvf analytics.war WEB-INF/weblogic.xml


adding: WEB-INF/weblogic.xml(in = 506) (out= 222)(deflated 56%)

$jar uvf analytics.ear analytics.war


adding: analytics.war(in = 97205967) (out= 91945650)(deflated 5%)

Copy the updated archive over the original (which was backed up at the start of this step):

$cp analytics.ear ../analytics.ear
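The web.xml and weblogic.xml edits above can be applied and, more usefully, verified after the jar uvf steps, so that a descriptor that did not make it into the repackaged archive is caught before redeploying. The following Python script is an added example, not part of the Oracle document; it performs the same text insertion the document describes and then parses the descriptors back, including out of a packed ear. The sample descriptors it contains are constructed (the real analytics web.xml is far larger), and the javaee namespace on the sample web.xml is an assumption.

```python
"""Patch the analytics.war descriptors for step 4.1 and verify the repackaged analytics.ear.
Added example, not part of the Oracle document. The edit is the text insertion the document
describes (security-constraint before <login-config>, security-role after it, and a
security-role-assignment in weblogic.xml); verification parses the result back.
The sample descriptors are constructed; the javaee namespace on web.xml is an assumption."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
<display-name>analytics</display-name>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
</web-app>
"""
SAMPLE_WEBLOGIC_XML = """<?xml version="1.0" encoding="US-ASCII"?>
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
<session-descriptor>
<cookie-path>/</cookie-path>
</session-descriptor>
</weblogic-web-app>
"""


def add_sso_role_to_web_xml(text, role="SSORole"):
    """Insert the /* security-constraint before <login-config> and the role declaration after it."""
    if f"<role-name>{role}</role-name>" in text:
        return text  # already patched: keep the edit idempotent
    m = re.search(r"<login-config>.*?</login-config>\n?", text, re.S)
    if not m:
        raise ValueError("no <login-config> in web.xml; not the analytics descriptor")
    constraint = ("<security-constraint>\n<web-resource-collection>\n"
                  "<web-resource-name>BI Analytics</web-resource-name>\n<url-pattern>/*</url-pattern>\n"
                  "</web-resource-collection>\n<auth-constraint>\n"
                  f"<role-name>{role}</role-name>\n</auth-constraint>\n</security-constraint>\n\n")
    declaration = f"\n<security-role>\n<role-name>{role}</role-name>\n</security-role>\n"
    return text[:m.start()] + constraint + m.group(0) + declaration + text[m.end():]


def add_role_assignment_to_weblogic_xml(text, role="SSORole", principals=("BIUsers", "BIAdmins")):
    """Map `role` to the groups allowed into Analytics, just before </weblogic-web-app>."""
    if f"<role-name>{role}</role-name>" in text:
        return text
    end = text.rfind("</weblogic-web-app>")
    if end < 0:
        raise ValueError("no </weblogic-web-app> in weblogic.xml")
    names = "".join(f"<principal-name>{p}</principal-name>\n" for p in principals)
    block = f"<security-role-assignment>\n<role-name>{role}</role-name>\n{names}</security-role-assignment>\n"
    return text[:end] + block + text[end:]


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace, present or not


def _kids(el, name):
    return [c for c in el if _local(c.tag) == name]


def verify_web_xml(text, role="SSORole"):
    """True if web.xml protects /* with an auth-constraint on `role` and declares the role."""
    root = ET.fromstring(text)
    protected = any(
        any(p.text == "/*" for wrc in _kids(sc, "web-resource-collection") for p in _kids(wrc, "url-pattern"))
        and any(r.text == role for ac in _kids(sc, "auth-constraint") for r in _kids(ac, "role-name"))
        for sc in _kids(root, "security-constraint"))
    declared = any(r.text == role for sr in _kids(root, "security-role") for r in _kids(sr, "role-name"))
    return protected and declared


def verify_weblogic_xml(text, role="SSORole"):
    """Principals mapped to `role` in weblogic.xml (empty list if the role is not mapped)."""
    root = ET.fromstring(text)
    for sra in _kids(root, "security-role-assignment"):
        if any(r.text == role for r in _kids(sra, "role-name")):
            return [p.text for p in _kids(sra, "principal-name")]
    return []


def verify_ear(ear_bytes, role="SSORole"):
    """Open analytics.ear -> analytics.war -> WEB-INF/* and re-check both descriptors, so you
    know the `jar uvf` steps actually landed before redeploying. Returns (web_ok, principals)."""
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        war_bytes = ear.read("analytics.war")
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        web_xml = war.read("WEB-INF/web.xml").decode()
        weblogic_xml = war.read("WEB-INF/weblogic.xml").decode()
    return verify_web_xml(web_xml, role), verify_weblogic_xml(weblogic_xml, role)


def build_ear(web_xml, weblogic_xml):
    """Assemble a throw-away analytics.ear (war inside ear) for a dry run of verify_ear."""
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("WEB-INF/web.xml", web_xml)
        war.writestr("WEB-INF/weblogic.xml", weblogic_xml)
    ear_buf = io.BytesIO()
    with zipfile.ZipFile(ear_buf, "w") as ear:
        ear.writestr("analytics.war", war_buf.getvalue())
    return ear_buf.getvalue()


if __name__ == "__main__":
    web = add_sso_role_to_web_xml(SAMPLE_WEB_XML)
    wls = add_role_assignment_to_weblogic_xml(SAMPLE_WEBLOGIC_XML)
    print(verify_ear(build_ear(web, wls)))  # (True, ['BIUsers', 'BIAdmins'])
```

Against a real environment, read the repackaged /refresh/home/oracle/12c/Oracle_Home/bi/bifoundation/jee/analytics.ear into bytes and pass them to verify_ear; a result of (False, []) means the descriptors in the archive are still the originals and the jar uvf steps need to be repeated before step 4.2.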

4.2 Redeploy analytics application

Login to WebLogic Console


Click Lock & Edit
Click on deployments
Select the analytics application
Click on Update
Proceed with the next steps and Click Finish.


5. Enable SSO in EM

Login to EM as an Administrator User


Lock & Edit
Navigate to Business Intelligence -> biinstance ->Security
Check "Enable SSO"
Activate Changes.

6. Setup Authorization

Authentication is completed on the IdP side; authorization is still decided in the BI domain.

In order to access the Analytics application, the authenticated user must be a member of at least one of the groups defined in the weblogic.xml file.

The groups defined in weblogic.xml for this example are:

BIUsers
BIAdmins

In order to test the SSO integration, this example creates the BIAdmins and BIUsers groups and the OKTA admin user in the default LDAP. The user name created here must match the value OKTA sends as the subject (the email address by default, see step 2), since group membership is looked up under that name.


Granted BIAdmins Group to the User.


Granted BI Administrator Role to BIAdmins Group.

7. Restart all the Services

$DOMAIN_HOME/bitools/bin

$./stop.sh

$./start.sh

8. Verify the SAML SSO Login

Invoke the Analytics URL in the browser.

The browser is redirected to the OKTA SSO login page.

After authenticating at OKTA, the same user is logged in to OBIEE.

9. Basic Troubleshooting

This section assumes that all the above steps were completed without any mistakes.
Issues caused by misconfiguration are not covered.

You may face the issue below even if you have completed all the steps correctly.

9.1 HTTP 404 on /saml2/sp/acs/post

This is due to the bug

Bug 24654834 : HTTP 404 CONTEXT NOT FOUND FOR URI /SAML2/SP/ACS/POST FROM OBIEE BASED SP

As per the bug, from WebLogic 12.2.1 onwards the saml2 servlet is not deployed on bi_cluster if a virtual host is defined within the WebLogic domain.
By default the OBIEE 12c domain has a virtual host named bi_internal_virtualhost1, which is configured to listen on channel bi_internal_channel1 (Port: 9505).

Workaround:

Leave the listen address blank for bi_server1.
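The workaround condition can be checked against the domain's config.xml without opening the console, which is handy when the 404 reappears after someone re-enters a listen address. The following Python script is an added example, not from the Oracle document; the config.xml fragment in it is constructed and reduced to the elements the check reads (<server><name>, <server><listen-address> and <virtual-host><name> under the weblogic/domain namespace), which is an assumption about the file's layout.

```python
"""Check a WebLogic config.xml for the condition behind the /saml2/sp/acs/post 404 in 9.1:
a virtual host defined in the domain while bi_server1 has a listen address set.
Added example, not part of the Oracle document. Assumes the usual config.xml layout
(<server><name>/<listen-address>, <virtual-host><name>); the sample below is constructed."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>bi</name>
  <server>
    <name>AdminServer</name>
    <listen-port>9500</listen-port>
  </server>
  <server>
    <name>bi_server1</name>
    <listen-address>obiee_host</listen-address>
    <listen-port>9502</listen-port>
  </server>
  <virtual-host>
    <name>bi_internal_virtualhost1</name>
    <network-access-point-name>bi_internal_channel1</network-access-point-name>
  </virtual-host>
</domain>
"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the domain namespace


def _child_text(el, name):
    for c in el:
        if _local(c.tag) == name:
            return (c.text or "").strip()
    return ""


def saml2_servlet_risk(config_xml, server_name="bi_server1"):
    """Return findings for the 9.1 condition; an empty list means the workaround is in place."""
    root = ET.fromstring(config_xml)
    vhosts = [_child_text(v, "name") for v in root if _local(v.tag) == "virtual-host"]
    listen = None
    for s in root:
        if _local(s.tag) == "server" and _child_text(s, "name") == server_name:
            listen = _child_text(s, "listen-address")
    findings = []
    if listen is None:
        findings.append(f"server {server_name} not found in config.xml")
    elif vhosts and listen:
        findings.append(f"{server_name} has listen-address '{listen}' while virtual host(s) {vhosts} exist: "
                        "the saml2 servlet may not deploy (Bug 24654834); clear the listen address")
    return findings


if __name__ == "__main__":
    for line in saml2_servlet_risk(SAMPLE_CONFIG_XML) or ["OK: no listen address set on bi_server1"]:
        print(line)
```

Run it against $DOMAIN_HOME/config/config.xml after the restart in step 7; the check reads the file only, so it can be run while the domain is up.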

Related Products: Enterprise Performance Management and Business Intelligence > Business Intelligence > Business Intelligence Suite Enterprise Edition > Business Intelligence Suite Enterprise Edition > Analytics > Security/Access Control
