How to Implement Single Sign On (SSO) in OBIEE with Microsoft Active Directory ?
OBIEE LDAP authentication using microsoft Active Directory.
Before starting this, I would prefer that you read my article on session variable and initialized block here
SSO can be implemented using Lightweight Directory Access Protocol (LDAP) in OBIEE.
Most popular LDAP implementation for OBIEE is either OID (Oracle internet Directory) or Microsoft Active Directory (AD). And no wonder why LDAP authentication is supported more on OID and not AD (yeah Oracle v/s Microsoft). This does not mean we can not achieve SSO using LDAP for AD. Yes we can. But with little different implementation style and some limitations. (Oracle documentation talks about all OID and nothing at all for AD)
So Here I am going to discuss on how to implement LDAP authentication for AD to achieve SSO.
Below are the implementation step:
Setting up LDAP Server , Initialization Block and Session Variables
Step 1: Create LDAP Connection.
Open OBIEE Administration.
Go to Manage — > Security
Select LDAP Servers : on the right side right click and select New LDAP Server
Step 2: Create initialization block and session variable
Go to Manage — > Variables
Click Session — > Initialization Block right click on the pan select New Initialization Block
Give the name to the Initialization Block e.g initLDAP
As a part of configuring Initialization Block you need to provide
Click on Edit Data Source
Data Source Type : select LDAP then click on Browse and select appropriate LDAP server connection
Click on Edit Data Target
Click on New and you will see the screen like below
Click ok you will and warning message as below. Just ignore it, as it warns that you are using USER session variable and it has special meaning
Here we have just create only one session variable which takes information from LDAP. We can create many such variable like groups( has limitation AD which i am going to discuss in detail) , display name etc etc whatever is available on LDAP.
LDAP admin can help with the name of variable referred in LDAP
Click on Edit Execution Precedence
If you are using multiple Initialization block then this will be use ful in deciding which block should execute first. As we have just once init block we will not do anything here.
Click on Test
Enter LDAP UserId and password, in sAMAccountName it should show the user Id which indicates the LDAP connection and hence authentication with LDAP works.
In the next post I will discuss on how to get group information, limitation of LDAP AD implementaion with OBIEE.