Maintaining Security with Oracle BI Discoverer 13-15 section Servers: Configuration: General in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help at: http:download.oracle.comdocscdE14571_ 01apirefs.1111e13952coreindex.html .

13.8 Using Discoverer with Oracle Identity Management Infrastructure

Note : This section applies only if the Discoverer installation is associated with the Oracle Internet Directory and the Discoverer schemas. For more information, see Section 1.3, About Oracle BI Discoverer installations. Oracle Identity Management Infrastructure provides several services, including: ■ Oracle Single Sign-On ■ Oracle Access Manager ■ Oracle Certificate Authority ■ Oracle Internet Directory ■ Oracle Delegated Administration Services ■ Oracle Directory Integration and Provisioning ■ LDAP Developer Kit You can specify that Discoverer uses Oracle Single Sign-On to enable users to access Discoverer using the same user name and password as other Web applications. For more information, see: ■ Section 13.8.1, Using Discoverer with Oracle Single Sign-On ■ Section 13.8.2, Using Discoverer with Oracle Access Manager ■ Section 13.8.3, Using Discoverer without Oracle Single Sign-On or Oracle Access Manager For more information about Oracle Identity Management Infrastructure, see Oracle Fusion Middleware Getting Started with Oracle Identity Management.

13.8.1 Using Discoverer with Oracle Single Sign-On

This section describes Oracle Single Sign-On and how to use it with Discoverer.

13.8.1.1 About Oracle Single Sign-On and Discoverer

Oracle Single Sign-On is a component of Oracle Fusion Middleware that enables users to access multiple Web applications for example, Oracle BI Discoverer and Oracle Portal using a single user name and password that is entered once. Note : Oracle Single Sign-On is implemented using Oracle Single Sign-On Server. When you install Oracle, the Oracle Single Sign-On service is installed automatically, but it is not enabled by default for Discoverer. For information about how to enable Oracle Single Sign-On, see Section 13.8.1.2, How to enable and disable Single Sign-On for Discoverer . Discoverer connections work in both Single Sign-On and non-Single Sign-On environments. In an Oracle Single Sign-On environment, if a Discoverer end user starts Discoverer without having been authenticated by Oracle Single Sign-On, the user is challenged for Single Sign-On details user name and password. Having 13-16 Oracle Fusion Middleware Configuration Guide for Oracle Business Intelligence Discoverer provided Single Sign-On details, the user can display the Discoverer connections page and start Discoverer without having to enter a user name or password again. For more information about how Oracle BI Discoverer works with Oracle Portal and Single Sign-On, see Section 13.8.1.3, An example showing how Discoverer works with Oracle Portal and Single Sign-On . Notes ■ Oracle Single Sign-On does not work within BIS, EDW, or DBI Web pages. ■ Oracle Single Sign-On, can be enabled for both Discoverer Plus and Discoverer Viewer, but not for a single Discoverer component. For example, you cannot enable Oracle Single-Sign-On for Discoverer Plus only. When you install Oracle, the Oracle Single Sign-On service is installed automatically, but it is not enabled by default for Discoverer. For information about how to enable Oracle Single Sign-On, see Section 13.8.1.2, How to enable and disable Single Sign-On for Discoverer .

13.8.1.2 How to enable and disable Single Sign-On for Discoverer

You enable and disable Single Sign-On on the Oracle BI Discoverer instance. To enable and disable Single Sign-On, do the following: 1. Open the mod_osso.conf file in a text editor for more information about the location of configuration files, see Section A.1, Discoverer file locations . 2. To enable Single Sign-On for Discoverer, add the following text to the end of the file: Location discovererplus require valid-user AuthType Osso Location Location discovererviewer require valid-user AuthType Osso Location Location discovererapp require valid-user AuthType Osso Location 3. To disable single sign-on for Discoverer, remove the following text from the file: Location discovererplus require valid-user AuthType Osso Location Location discovererviewer require valid-user AuthType Osso Location Location discovererapp require valid-user AuthType Osso Location 4. Save the mod_osso.conf file. 5. Restart Oracle HTTP Server by running the following opmnctl command located at ORACLE_INSTANCE\bin directory: Maintaining Security with Oracle BI Discoverer 13-17 opmnctl stopall opmnctl startall Notes ■ Do not enable Oracle Single Sign-On for the URL discovererportletprovider. Discoverer relies on Oracle Portal to protect the discovererportletprovider URL. In other words, do not specify the Location value as discoverer, as follows: Discoverer relies on Oracle Portal to protect the discovererportletprovider URL. In other words, do not specify the Location value as discoverer, as follows: Location discovererportletprovider require valid-user AuthType Osso Location ■ Do not enable Oracle Single Sign-On for the URL discovererwsi. Discoverer relies on Oracle Bi Publisher to protect the discovererwsi URL. In other words, do not specify the Location value as discoverer, as follows: Location discovererwsi require valid-user AuthType Osso Location ■ Ensure that the OssoIPCheck parameter value in the mod_osso.conf file is set to off. ■ If you use Oracle Web Cache to cache Discoverer Viewer pages, note that caching for Discoverer does not work if Single Sign-On is enabled.

13.8.1.3 An example showing how Discoverer works with Oracle Portal and Single Sign-On

When you publish Discoverer content in a portlet on an Oracle Portal page, you give portal users access to the Discoverer workbooks and worksheets. However, portal users accessing Discoverer workbooks only see data to which they have database access. In other words, two different users accessing the same workbook might see different data, depending on their database privileges. For more information, see Oracle Fusion Middleware Guide to Publishing Oracle Business Intelligence Discoverer Portlets. To illustrate how Oracle BI Discoverer works with Oracle Portal, consider the following example: Imagine that there are two Single Sign-On users: ■ User SSO-A has a private connection Conn-A pointing to DBUSER-Adiscodb, EUL-Marketing. ■ User SSO-B has a private connection Conn-B pointing to DBUSER-Bdiscodb, EUL-Marketing. User SSO-A using connection Conn-A creates two workbooks Workbook 1 and Workbook 2 in the Marketing EUL. User SSO-A uses Discoverer Plus to share Workbook 2 with DBUSER-B. 13-18 Oracle Fusion Middleware Configuration Guide for Oracle Business Intelligence Discoverer User SSO-B using connection Conn-B creates two workbooks Workbook 3 and Workbook 4 in the Marketing EUL. User SSO-B uses Discoverer Plus to share Workbook 4 with DBUSER-A. This situation is shown in the figure below: Figure 13–1 Single Sign-On users creating workbooks Now imagine that user SSO-A creates a List of Worksheets portlet using Conn-A, and chooses the Use users database connection option in the Logged In users section that is, in the Select Database Connections page in the Discoverer Portlet Provider. When user SSO-A accesses the List of Worksheets portlet, worksheets in the following workbooks are available: ■ Workbook 1 ■ Workbook 2 ■ DBUSER-B.Workbook 4 When user SSO-B accesses the same List of Worksheets portlet, worksheets in the following workbooks are available: ■ Workbook 3 ■ Workbook 4 ■ DBUSER-A.Workbook 2 This situation is shown in the figure below: Maintaining Security with Oracle BI Discoverer 13-19 Figure 13–2 Single Sign-On users accessing Discoverer portlets

13.8.2 Using Discoverer with Oracle Access Manager