SSO via RSA – Siebel Analytics – OBIEE


RSA is a third party agent which can be configured and integrated with Siebel Analytics aka OBIEE so that it act as a Single Sign On (SSO) interface and passed through the integrated security mechanism .

RSA Access Manager can be configured to protect Siebel Analytics URIs, thus providing web access management and web single sign on to Siebel users. When a user tries to access a protected Analytics application via a web browser, the RSA Access Manager Web Server Agent intercepts the request, and redirects the user to the Access Manager logon page. After the user has been authenticated, the web server plug-in writes the authenticated username to an HTTP Header variable. The Siebel Analytics Web (SAW) ISAPI plug-in is configured to trust this variable’s value and use it to create a session.
Before continue with this it has been assumed that RSA agent has been installed and configured RSA Access Manager with User ids for all existing Siebel users. If the products’ UIDs don’t match, the integration will not work.

So lets follow the steps :

Create an Analytics Server user for impersonation
Login to Admintool and Select Manage and then Security .Create new user who will be a member of group Administrators .In the example username is : Impersonator and Password is Secret .

RSA-SSO

RSA-SSO2

 Generating a Encrypted Password

Log into Siebel Analytics Web as an administrator, and issue the following URL: http://HostServer/analytics/saw.dll?encryptString&string=secret where secret is the password for the impersonator user created .

The encrypted password will be displayed in the browser. Copy the string and save it to a temporary file.

RSA-SSO3

Configure SAW
Shut Siebel Analytics Web down.
o Open %SiebelAnalyticsDataHOME%\Web\configinstanceconfig.xml and add the following entries inside the <WebConfig><ServerInstance> tag:
a) RPC/PermittedClientList – A comma separated list all of the client IP addresses that will be allowed to communicate directly with SAW
b) Auth/Impersonator – the user created for impersonation in step 1
c) Auth/ImpersonatorPassword – the encrypted password created in step 2
d) Auth/SSOEnabled – y to enable SSO and n to disable it
e) Auth/SSOServerVariable – the name of the HTTP header variable that will contain the Access Manager –authenticated username. REMOTE_USER, for example.
f) Auth/SSOStripWindowsDomain- y to strip out a \ and the preceding domain name from the username and n otherwise .

<?xml version=”1.0”?>
<WebConfig>
<ServerInstance>
<RPC>
<PermittedClientList>127.0.0.1</PermittedClientList>
</RPC>
<Auth>
<Impersonator>Impersonator</Impersonator>
<ImpersonatorPassword>040337e52e23e468d41aca107207e051106c </ImpersonatorPassword>
<SSOEnabled>y</SSOEnabled>
<SSOServerVariable>REMOTE_USER</SSOServerVariable>
<SSOStripWindowsDomain>N</SSOStripWindowsDomain>
</Auth>
</ServerInstance>
</WebConfig> 

End User Login

The user opens a browser and types in a protected Siebel resource (/Analytics in this case).
The user is redirected to the RSA Access Manager login page.(Note that the user should exist in both RSA manager and analytics environment) .

RSA-SSO4

Now the user details should be authenticated and verified against the RSA manager and once that has been passed user would be redirected automatically to the actual Siebel Analytics / OBIEE screen .

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s