SSO via RSA – Siebel Analytics – OBIEE

RSA is a third-party agent that can be configured and integrated with Siebel Analytics, aka OBIEE, so that it acts as a Single Sign On (SSO) interface and passes the user through the integrated security mechanism.
RSA Access Manager can be configured to protect Siebel Analytics URIs, thus providing web access management and web single sign on to Siebel users. When a user tries to access a protected Analytics application via a web browser, the RSA Access Manager Web Server Agent intercepts the request, and redirects the user to the Access Manager logon page. After the user has been authenticated, the web server plug-in writes the authenticated username to an HTTP Header variable. The Siebel Analytics Web (SAW) ISAPI plug-in is configured to trust this variable’s value and use it to create a session.
Before continuing, it is assumed that the RSA agent has been installed and that RSA Access Manager has been configured with user IDs for all existing Siebel users. If the products' UIDs don't match, the integration will not work.
So let's follow the steps:
Create an Analytics Server user for impersonation
Log in to Admintool and select Manage, then Security. Create a new user who will be a member of the group Administrators. In the example, the username is Impersonator and the password is Secret.
Generating an Encrypted Password
Log into Siebel Analytics Web as an administrator, and issue the following URL: http://HostServer/analytics/saw.dll?encryptString&string=secret where secret is the password of the impersonator user created above.
The encrypted password will be displayed in the browser. Copy the string and save it to a temporary file.
Configure SAW
Shut Siebel Analytics Web down.
Open %SiebelAnalyticsDataHOME%\Web\config\instanceconfig.xml and add the following entries inside the <WebConfig><ServerInstance> tag:
a) RPC/PermittedClientList – a comma-separated list of all the client IP addresses that will be allowed to communicate directly with SAW
b) Auth/Impersonator – the user created for impersonation in step 1
c) Auth/ImpersonatorPassword – the encrypted password created in step 2
d) Auth/SSOEnabled – y to enable SSO and n to disable it
e) Auth/SSOServerVariable – the name of the HTTP header variable that will contain the Access Manager-authenticated username, for example REMOTE_USER
f) Auth/SSOStripWindowsDomain – y to strip out a \ and the preceding domain name from the username, and n otherwise
<?xml version="1.0"?>
<WebConfig>
  <ServerInstance>
    <RPC>
      <PermittedClientList>127.0.0.1</PermittedClientList>
    </RPC>
    <Auth>
      <Impersonator>Impersonator</Impersonator>
      <ImpersonatorPassword>040337e52e23e468d41aca107207e051106c</ImpersonatorPassword>
      <SSOEnabled>y</SSOEnabled>
      <SSOServerVariable>REMOTE_USER</SSOServerVariable>
      <SSOStripWindowsDomain>N</SSOStripWindowsDomain>
    </Auth>
  </ServerInstance>
</WebConfig>
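Because SAW trusts whatever username arrives in the configured header, the six entries above are worth checking before SAW is restarted. The following Python sketch is an added example, not part of the original post or of the product: the audit function, its finding messages and the sample file are constructed here, and the hex check assumes encryptString output looks like the value shown above.

```python
import ipaddress
import string
import xml.etree.ElementTree as ET

# The six entries described above, relative to <WebConfig><ServerInstance>.
PATHS = ["RPC/PermittedClientList", "Auth/Impersonator", "Auth/ImpersonatorPassword",
         "Auth/SSOEnabled", "Auth/SSOServerVariable", "Auth/SSOStripWindowsDomain"]

# Constructed sample with deliberate mistakes (not a real configuration).
SAMPLE = """<?xml version="1.0"?>
<WebConfig><ServerInstance>
<RPC><PermittedClientList>127.0.0.1, 10.0.0.300</PermittedClientList></RPC>
<Auth>
<Impersonator>Impersonator</Impersonator>
<ImpersonatorPassword>secret </ImpersonatorPassword>
<SSOEnabled>y</SSOEnabled>
<SSOServerVariable></SSOServerVariable>
<SSOStripWindowsDomain>N</SSOStripWindowsDomain>
</Auth>
</ServerInstance></WebConfig>"""

def audit(xml_text):
    """Return a list of findings for the SSO entries of an instanceconfig.xml."""
    inst = ET.fromstring(xml_text).find("ServerInstance")
    if inst is None:
        return ["ServerInstance element missing"]
    raw = {p: inst.findtext(p) for p in PATHS}  # None when the element is absent
    findings = [f"{p}: missing" for p in PATHS if raw[p] is None]
    findings += [f"{p}: leading/trailing whitespace" for p in PATHS
                 if raw[p] and raw[p] != raw[p].strip()]
    val = {p: (raw[p] or "").strip() for p in PATHS}
    for p in ("Auth/SSOEnabled", "Auth/SSOStripWindowsDomain"):
        if raw[p] is not None and val[p].lower() not in ("y", "n"):
            findings.append(f"{p}: expected y or n")
    if val["Auth/SSOEnabled"].lower() == "y" and not val["Auth/SSOServerVariable"]:
        findings.append("Auth/SSOServerVariable: empty while SSO is enabled")
    for ip in filter(None, (s.strip() for s in val["RPC/PermittedClientList"].split(","))):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"RPC/PermittedClientList: not an IP address: {ip}")
    pw = val["Auth/ImpersonatorPassword"]
    # Assumption: encryptString output is hex, as in the sample value on this page.
    if pw and not all(c in string.hexdigits for c in pw):
        findings.append("Auth/ImpersonatorPassword: not hex, possibly cleartext")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```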
End User Login
The user opens a browser and types in a protected Siebel resource (/Analytics in this case).
The user is redirected to the RSA Access Manager login page. (Note that the user should exist in both RSA manager and the analytics environment.)
The user's details are then authenticated and verified against the RSA manager, and once that check has passed the user is redirected automatically to the actual Siebel Analytics / OBIEE screen.