Using Alternative Authentication Providers 3-35
authentication, they should consider auditing the RPD for the following alternative methods of authentication.
To Stop All Initialization Block Authentication Access:
Stopping access through initialization blocks is a relatively simple process and is done using the Administration Tool. Successful authentication requires a user name, and initialization blocks supply one by populating the special system session variable called USER. To stop all initialization block authentication, do the following:
1. Remove the System Variable USER from the RPD.
2. Ensure that initialization blocks in the RPD do not have the check box Required for authentication enabled.
3. Check that initialization blocks in the RPD that set the system session variables PROXY and especially PROXYLEVEL are not allowing users to bypass security.
   The system variables PROXY and PROXYLEVEL allow users, once connected, to impersonate other users with their security profile. This is fine if the person proxies to an account that has fewer privileges, but if they proxy to an account that has more privileges then this can be seen as a security issue.
Caution: If you disable any initialization blocks, then any dependent initialization blocks will also be disabled.
You can now be sure that any attempted access by using initialization block authentication will no longer be successful. However, you need to check all your initialization blocks.
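The proxy check in step 3, as an added example (not Oracle's code): it flags proxy mappings whose target account holds roles that the proxying account lacks. The table layout, account names, proxy levels and role assignments below are constructed assumptions, standing in for whatever source your PROXY and PROXYLEVEL initialization blocks read.

```python
# Constructed sample rows: (proxy_user, target_user, proxy_level), in the
# shape a PROXY/PROXYLEVEL initialization block might read from a lookup table.
PROXY_ROWS = [
    ("analyst1", "viewer7", "restricted"),
    ("analyst1", "biadmin", "full"),
    ("author2", "analyst1", "full"),
    ("viewer7", "author2", "restricted"),
    ("temp9", "biadmin", "full"),
]

# Constructed role memberships per account (assumption, not from the guide).
ROLES = {
    "viewer7": {"BIConsumer"},
    "analyst1": {"BIConsumer", "BIAuthor"},
    "author2": {"BIConsumer", "BIAuthor"},
    "biadmin": {"BIConsumer", "BIAuthor", "BIAdministrator"},
}


def audit_proxy_rows(rows, roles):
    """Return (proxy, target, level, reason) for every mapping that lets the
    proxying user act with roles they do not hold themselves."""
    findings = []
    for proxy_user, target_user, level in rows:
        # An account missing from the role data cannot be compared, so it is
        # reported instead of being silently treated as safe.
        if proxy_user not in roles or target_user not in roles:
            findings.append((proxy_user, target_user, level, "unknown account"))
            continue
        gained = roles[target_user] - roles[proxy_user]
        if gained:
            reason = "gains " + ", ".join(sorted(gained))
            findings.append((proxy_user, target_user, level, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_proxy_rows(PROXY_ROWS, ROLES):
        print("%s -> %s (%s): %s" % finding)
```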
3.4.2 Troubleshooting
If there is the error:
Critical WebLogicServer BEA-000386 Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: User oidweblogic is not permitted to boot the server. The server policy may have changed in such a way that the user is no longer able to boot the server. Reboot the server with the administrative user account or contact the system administrator to update the server policy definitions.
Solutions: When you restarted your system, did you start it as the new WebLogic administrator OID user oidweblogic?
If you did and became locked out, it is because the user weblogic in OID did not have the correct permission. It needs the Admin global role, so ensure it has membership of a group in OID (that is, Administrators) that has default membership to this role. Also ensure the BIAdministrators group, or its equivalent in OID, is added to the Admin global role.
Note: If you are now locked out, all you need to do to go back to a previous working configuration is restore the config.xml file. Therefore, to switch your configuration, back up the file before changing the configuration; to switch back, restore that one file. For more information, see Task 1, Backup and Recovery. To restore the config.xml file, restart Oracle Business Intelligence as the original WebLogic admin user rather than the OID user.
3-36 Security Guide for Oracle Business Intelligence Enterprise Edition
4 Enabling SSO Authentication
This chapter provides some general guidelines for configuring single sign-on (SSO) authentication for Oracle Business Intelligence.
This chapter contains the following topics:
■ Section 4.1, SSO Configuration Tasks for Oracle Business Intelligence
■ Section 4.2, Understanding SSO Authentication and Oracle Business Intelligence
■ Section 4.3, SSO Implementation Considerations
■ Section 4.4, Configuring SSO in an Oracle Access Manager Environment
■ Section 4.5, Configuring Custom SSO Environments
■ Section 4.6, Using Fusion Middleware Control to Enable SSO Authentication
4.1 SSO Configuration Tasks for Oracle Business Intelligence
Table 4–1 contains SSO authentication configuration tasks and provides links for
obtaining more information.
Note: For a detailed list of security setup steps, see Section 1.8, Detailed List of Steps for Setting Up Security In Oracle Business Intelligence.
Note: Oracle recommends using Oracle Access Manager as an enterprise-level SSO authentication provider with Oracle Fusion Middleware 11g. Sections 4.2, 4.3, and 4.4 assume that Oracle Access Manager is the SSO authentication provider. Section 4.5 references alternative authentication providers in custom SSO environment solutions. For more information about configuring and managing Oracle Access Manager with Oracle Fusion Middleware, see Configuring Single Sign-On in Oracle Fusion Middleware in Oracle Fusion Middleware Application Security Guide.
For more information about supported SSO providers, see System Requirements and Certification.