Oracle Customer Engineering & Advocacy Lab (CEAL) Blog covers Oracle Analytics Cloud, Oracle Analytics Server and...


The intent of this document is to provide a step-by-step guide for the configuration and installation of a passive claims-based authentication application. A simple passive claims-based mechanism is illustrated in the list below:
1. The user accesses a website (https://obiee-server.us.oracle.com:9804/analytics) via a web browser to consume its services. Such websites are called relying parties.
2. If the user is not authorized to use the relying party, the web application redirects the user to a token issuer / identity provider (AD FS 2.0 – https://adfs-server.us.oracle.com/adfs/ls).
3. The token issuer prompts the user to enter his credentials.
4. The identity provider uses these credentials to look up one or more claims (such as Name, Common Name, email, sAMAccountName, etc.) from an attribute store (Active Directory).
5. The issuer then produces a signed SAML 2.0 token containing these claims and sends the token to the browser.
6. The browser sends this signed token to the relying party, which validates the token, authorizes the user to consume its services, and sends back a cookie (used for single sign-on) together with the requested data.
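The six steps above as a toy Python model of the relying party and the token issuer, added here and not part of the blog post or of any Oracle or AD FS code. An HMAC over the assertion stands in for the XML-DSig signature AD FS really produces; the shared key, the claims store, the cookie name and the timestamps are constructed assumptions.

```python
# Added example, not from the original post: passive SAML 2.0 Web SSO, SP-initiated.
# HMAC is a stand-in for the IdP's XML signature; all data below is constructed.
import hmac, hashlib, secrets
import xml.etree.ElementTree as ET

RP = "https://obiee-server.us.oracle.com:9804/analytics"   # relying party (from the post)
IDP = "https://adfs-server.us.oracle.com/adfs/ls"           # token issuer (from the post)
IDP_KEY = b"constructed-shared-secret"   # assumption: stands in for the IdP signing key
pending_requests = {}   # SP side: AuthnRequest IDs issued in step 2 and not yet answered

def sp_redirect(now):
    """Step 2: the SP mints an AuthnRequest ID, remembers it, and redirects to the IdP."""
    req_id = "_" + secrets.token_hex(8)
    pending_requests[req_id] = now
    return req_id, f"{IDP}?SAMLRequest=<AuthnRequest ID={req_id}>"

def idp_issue(req_id, user, now, ttl=300):
    """Steps 4-5: the IdP looks up claims for the user and returns a signed assertion."""
    claims = {"sAMAccountName": user, "email": f"{user}@example.com"}   # constructed store
    attrs = "".join(f'<Attribute Name="{k}">{v}</Attribute>' for k, v in claims.items())
    body = (f'<Assertion ID="_{secrets.token_hex(8)}" InResponseTo="{req_id}" Issuer="{IDP}" '
            f'Audience="{RP}" NotBefore="{now}" NotOnOrAfter="{now + ttl}">{attrs}</Assertion>')
    return body, hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()

def sp_validate(body, sig, now):
    """Step 6: checks the relying party makes before trusting the claims and setting a cookie."""
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):      # tampered or forged token
        return None, "bad signature"
    a = ET.fromstring(body)
    if a.get("Issuer") != IDP:
        return None, "untrusted issuer"
    if a.get("Audience") != RP:                     # token was issued for another RP
        return None, "wrong audience"
    if not float(a.get("NotBefore")) <= now < float(a.get("NotOnOrAfter")):
        return None, "outside validity window"
    # Consuming the request ID ties the token to our redirect and blocks replay of the same token.
    if pending_requests.pop(a.get("InResponseTo"), None) is None:
        return None, "unsolicited or already-consumed InResponseTo"
    claims = {e.get("Name"): e.text for e in a.findall("Attribute")}
    return {"cookie": "sso_session=" + secrets.token_hex(8), "claims": claims}, "ok"
```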

Download the document here: //cdn.app.compendium.com/uploads/user/e7c690e8-6ff9-102a-ac6d-e4aebca50425/f4a5b21d-66fa-4885-92bf-c4e81c06d916/File/82cfa14f8f5617c24e5ad41f66a82779/adfs_idp_saml_2_0_web_sso_implementation_for_obiee_single_node.pdf. It describes step by step how to configure the ADFS SAML v2 identity provider with the OBIEE service provider for Web SSO.


Comments (12)
  • guest Saturday, July 6, 2013

    nice timely post!

    We have an OBIEE cluster, and are planning to configure it as a SAML 2.0 service provider. It seems the attached document covers the configuration of the SAML 2.0 SP in a clustered environment, but it says "Separate document available for cluster mode, requiring Enterprise Manager patch."

    Where can I find the additional information for cluster mode and patches?


  • user809526 Monday, July 8, 2013

    For the cluster, you have to patch Enterprise Manager with patch 14092316.

    You must install WebLogic 10.3.5 on the first node (same version as the OBIEE installer), then create a domain with an RDBMS security store through the WebLogic wizard (for the SAML provider in a cluster, to replicate assertions across nodes), then patch. Then install OBIEE.

    You cannot convert from a file-based to an RDBMS security store after the domain is created; this is too complex.

  • Yoshi Tuesday, July 9, 2013

    Unfortunately I already have a file-based security store installed. In production, I will create a new domain with an RDBMS security store. Thanks a lot for this information.

    Before that, can I test the SAML 2.0 SP in a clustered environment?

    In fact, I already configured the SAML 2.0 SP on a cluster before reading your article. In this environment, a redirect loop happens when I access analytics/* after a successful authentication at the IdP, even if there is only one active server available (the others are shut down). It seems WebLogic is initiating a new SP session after receiving a valid authn response...

    With a user who does not belong to the principal (group) written in weblogic.xml, WebLogic returns 403 (this seems OK).

    I'd like to make sure whether this is just a configuration issue or a cluster issue.


  • user809526 Tuesday, July 9, 2013

    The SAML cluster doc will be posted next week on this blog.

    For the loop you mention, you should try commenting out this line in the WebLogic proxy plugin in OHS (mod_wl_ohs.conf):

    #RedirectMatch 301 /analytics$ /analytics/

    Note that with a cluster you need a load-balanced URL configured, with for instance OHS. The OHS load-balanced URL will be used in the SAML configuration, rather than the OBIEE server name.

  • Yoshi Thursday, July 11, 2013

    The SAML cluster doc will be very helpful!

    My cluster without an RDBMS security store partially worked after the following configuration:

    - comment out "RedirectMatch 301 /analytics$ /analytics/"

    - access /analytics/saw.dll?bieehome instead of /analytics

    Now I can log in to the first node (AdminServer + obiee01) behind a load balancer with SAML, but not the second node (obiee02).

    As they have identical SAML SP configuration, this would be the issue of the RDBMS security store...

  • guest Tuesday, June 3, 2014

    Can you please tell me what the prerequisites are for SAML 2.0 to integrate with OBIEE?

    We are now using MSAD for authentication, and now we are planning to go for SSO integration with SAML.

    It's a bit urgent, hence I would appreciate a quick response.

    Please help me, someone.

  • Himanshu Anil Gupta Saturday, November 8, 2014
  • guest Thursday, February 19, 2015

    Can you use IDP initiated logins with this setup?

  • User809526-Oracle Thursday, February 19, 2015

    Possibly use https://adfs.oracle.com/adfs/ls/IdpInitiatedSignon.aspx?logintorp=yourserver.oracle.com

    in federationmetadata.xml.

    Initial tests show it works.

  • BC Friday, February 27, 2015

    Does SAML work with the Oracle Business Intelligence Mobile HD app?

  • guest Friday, February 27, 2015

    Yes, SAML also works with BI Mobile. However, if the ADFS authentication mechanism (like WNA) is not configured/supported on the mobile, this will not work. If the ADFS SAML authentication is something simple like form-based auth, this has been tested and works.

  • Nikhil Monday, October 10, 2016

    Does OBIEE 11g support SAML authentication on ADFS 3 on Windows Server 2012 R2?
