OBIEE web SSO with ADFS IdP SAMLv2

The intent of this document is to provide a step-by-step guide to the configuration and installation of a passive claims-based authentication application. A simple passive claims-based flow is illustrated in the list below:
1. The user accesses a website (https://obiee-server.us.oracle.com:9804/analytics) via a web browser to consume its services. Such websites are called relying parties.
2. If the user is not authorized to use the relying party, the web application redirects the user to a token issuer / identity provider (AD FS 2.0 – https://adfs-server.us.oracle.com/adfs/ls).
3. The token issuer prompts the user to enter his credentials.
4. The identity provider uses these credentials to query one claim (such as Name, Common Name, email, sAMAccountName, etc.) from an attribute store (Active Directory).
5. Following this step, the issuer produces a signed SAML 2.0 token containing these claims and sends the token to the browser.
6. The browser then sends this signed token to the relying party, which validates the token, authorizes the user to consume its services, and sends back a cookie (to be used for single sign-on) together with the requested data.


Download the document here: https://blogs.oracle.com/pa/resource/ADFS_Idp_SAML_2.0_Web_SSO_Implementation_for_OBIEE_Single_Node.pdf . It describes step by step how to configure the ADFS SAML v2 identity provider with OBIEE as the service provider for Web SSO.

Comments:

Nice, timely post!

We have an OBIEE cluster, and are planning to configure it as a SAML 2.0 service provider. It seems the attached document covers the configuration of a SAML 2.0 SP in a clustered environment, but it says "Separate document available for cluster mode, requiring Enterprise Manager patch."

Where can I find the additional information for cluster mode and patches?

Yoshi

Posted by guest on July 06, 2013 at 10:46 AM PDT #

For the cluster, you have to patch Enterprise Manager with patch 14092316.
You must install WebLogic 10.3.5 on the first node (same version as the OBIEE installer), then create a domain with an RDBMS security store through the WebLogic wizard (for the SAML provider in a cluster, to replicate assertions across nodes), then patch. Then install OBIEE.
You cannot convert from a file-based to an RDBMS security store after the domain is created; this is too complex.

Posted by user809526 on July 08, 2013 at 10:25 AM PDT #

Unfortunately I already have a file-based security store installed. In production, I will create a new domain with an RDBMS security store. Thanks a lot for this information.

Before that, can I test the SAML 2.0 SP in a clustered environment?
In fact, I already configured the SAML 2.0 SP on a cluster before reading your article. In this environment, a redirect loop happens when I access analytics/* after a successful authentication at the IdP, even if there is only one active server available (the others are shut down). It seems WebLogic is initiating a new SP session after receiving a valid authn response...
With a user who does not belong to the principal (group) written in weblogic.xml, WebLogic returns 403 (that seems OK).

I'd like to make sure whether this is just a configuration issue or a cluster issue.

Yoshi

Posted by Yoshi on July 09, 2013 at 02:01 AM PDT #

The SAML cluster doc will be posted next week on this blog.
For the loop you mention, you should try to comment out this line in the WebLogic proxy plugin in OHS (mod_wl_ohs.conf):
#RedirectMatch 301 /analytics$ /analytics/

Note that with a cluster you need a load-balanced URL configured, for instance with OHS. The OHS load-balanced URL will be used in the SAML configuration, rather than the OBIEE server name.

Posted by user809526 on July 09, 2013 at 08:46 AM PDT #

The SAML cluster doc will be very helpful!

My cluster without an RDBMS security store partially worked after the following configuration:
- comment out "RedirectMatch 301 /analytics$ /analytics/"
- access /analytics/saw.dll?bieehome instead of /analytics

Now I can log in to the first node (AdminServer + obiee01) behind a load balancer with SAML, but not the second node (obiee02).
As they have identical SAML SP configuration, this would be an issue with the RDBMS security store...

Posted by Yoshi on July 10, 2013 at 06:43 PM PDT #

Hi,

Can you please tell me what the prerequisites are for SAML 2.0 to integrate with OBIEE 11.1.1.7.0?
We are now using MSAD for authentication, and now we are planning to go for SSO integration with SAML.

It's a bit urgent, hence I would appreciate a quick response.
Please, someone help me.

Posted by guest on June 03, 2014 at 09:31 AM PDT #

https://blogs.oracle.com/pa/entry/obiee_cluster_web_sso_adfs

Check this for the cluster documents.

Posted by Himanshu Anil Gupta on November 08, 2014 at 11:26 AM PST #

Can you use IDP initiated logins with this setup?

Posted by guest on February 19, 2015 at 07:34 AM PST #

Possibly use https://adfs.oracle.com/adfs/ls/IdpInitiatedSignon.aspx?logintorp=yourserver.oracle.com
in federationmetadata.xml.

Initial tests show it works.

Posted by User809526-Oracle on February 19, 2015 at 07:42 AM PST #

Does SAML work with the Oracle Business Intelligence Mobile HD app?

Posted by BC on February 27, 2015 at 01:11 AM PST #

Yes, SAML also works with BI Mobile. However, if the ADFS authentication mechanism (like WNA) is not configured/supported on the mobile, this will not work. If ADFS SAML authentication is something simple like form-based auth, this has been tested and works.

Posted by guest on February 27, 2015 at 02:17 AM PST #
