Hyperion & stuff

Stuff about Hyperion and stuff

Tag Archives: OBIEE Security

OBIEE Authentication with Multiple Providers (MSAD + Default)

The challenge of the week was to bring in MSAD users in addition to the existing native OBIEE users.  The process is actually pretty simple, but it took me a while to figure out.  I found most of the steps in the admin guide which I simplified.  The OBIEE version is

The high level steps are as follows:

  • Add the MSAD provider to Console
  • Modify the Default Authenticator to work with multiple authentication providers
  • Add a custom property to the Identity Store Configuration in EM
  • Restart both Admin Server and BI Server

Add the MSAD Provider

  • From the Admin Console (http://servername:7001/console), select Security Realms->Providers tab
  • Lock & Edit before making any changes and click New.
  • Name: unique name of the MSAD provider.
  • Type: ActiveDirectoryAuthenticator
  • Once the provider is created, click on the provider to make Provider Specific configuration.
  • Important: Under the Common tab, set Control Flag to SUFFICIENT.  This will allow the usage of other configured authentication providers in case authentication fails.
  • Switch to Provider Specific tab to specify MSAD configuration
  • Host: AD server name or IP address
  • Port: the default is 389 for MSAD
  • Principal: AD user with admin/read access to users and groups information.  An example is CN=admin,OU=Service Accounts,DN=Company,DN=com
  • Credential: password for the Principal user specified above.
  • User Base DN: typically OU where all users exist.  An example is OU=Users,DN=Company,DN=com
  • All Users Filter: (&(sAMAccountName=*)(objectclass=user))
  • User From Name Filter: (&(sAMAccountName=%u)(objectclass=user))
  • User Name Attribute: sAMAccountName
  • Group Base DN: typically OU where all groups exist.  An example is OU=Groups,DN=Company,DN=com
  • All Groups Filter: (&(sAMAccountName=*)(objectclass=group))
  • Group From Name Filter: (&(sAMAccountName=%g)(objectclass=group))
  • Save and select Activate Changes.

Modify the Default Authenticator

  • Select Security Realms->my realm->Providers tab.
  • The new provider created in the above steps will show up at the bottom.  Do not change the order.
  • Select the Default Authenticator and select Lock & Edit to modify.
  • Change Control Flag to SUFFICIENT.
  • Save and select Activate Changes.

Add Custom Property to Identity Store Configuration

  • From Enterprise Manager (http://servername:7001/em)
  • Expand Web Logic Domain, right click on bifoundation_domain and select Security->Security Provider Configuration from the menu.
  • Under Identity Store Provider, select Configure.
  • Click Add to add a new custom property
  • Property Name: virtualize
  • Value: true
  • The above property will enable multiple authentication providers.
  • Save all changes.

Once all the changes have been made, restart both Admin Server and BI Server.  The good thing about this is OBIEE assign these external users the “authenticated-role” which belongs to the BI Consumer role.  Thus, external users can login to OBIEE by default.
Hope this helps.