Monday, 21 October 2013


So the last post was completely devoid of any kind of context as I was really writing it in a rush.

Here I will try to give some more details.

I have been spending some time configuring SAML2 SSO for EPM. SAML2 SSO is basically "seamless" single sign on - "one click and you are logged in". No need to type usernames and passwords.

The first thing you should know is that Oracle's documentation on the subject is sometimes confusing and sometimes wrong. That said the documentation is available here, and you should refer to it for the steps in detail. I will try to be as clear as I can when you need to differ from the documentation.

First of all you should patch your environment to the highest possible. If you are on you need to download this patch to solve a bug with Workspace not logging in correctly with SSO:


Also you should know that as soon as you configure SSO, Planning will not start. This is due to a bug in Planning. The fix is in the Windows registry, you need to look for the startup parameters for Planning (under HKLM\Software\Hyperion Solutions\HyS9Planning, usually) and delete these parameters if they exist:


In the example above those options have been overwritten with "-Djaxp.debug=0" - which does nothing.

If you do not Planning will crash as soon as SSO is set in the WebLogic domain.

Now a caveat: EAS Console, Essbase Client, Smart View, Essbase Excel Add-In, FDM Workbench, HFM Client and any of the other "thick" software clients do not support single sign-on of any kind. You will still get a login box.

Seamless SSO for Smart View may be coming in a later release, we will have to see on that one.

Firstly you should try to fully configure the authentication source in WebLogic and Shared Services. These will typically be an LDAP directory, they should both be configured in the same way and (under normal circumstances) use the same authentication source as the Federation Services server.


It is required in WebLogic as the actual SAML2 SSO is done as a WebLogic operation and as such when WebLogic takes the SAML2 response and tries to map the response to a user it will do so in the internal authentication providers of the WebLogic domain. Then it will pass the user to Foundation Services and it will get logged in automatically.

With the authentication providers set up you need to configure the Identity Provider Partner. There are guides on how to do that elsewhere so I won't cover it here.

The Service Provider configuration can be a little tricky, not least because Oracle doesn't tell you the correct URL to use as the for the Published Site URL. It should be http://server1:19000/saml2/ not

The SSO configuration in Shared Services is quite straightforward, those steps are available in the guide.

The SSO Diagnostic application can be handy for diagnosing issues and should be deployed. The OHS configuration is required and should definitely be completed.

With the CustomRolesAndPolicies step - I think this might only be required if you wish to restrict SSO to only certain users. Even though this was not the case for my configuration I did it regardless.

If all these steps have been done then you should be up and running.

One issue we had is that by default WebLogic maps the Subject of the SAML2 response to the WebLogic user. If the user exists in WebLogic then the username is passed back to Foundaton Services to be logged on. This will probably be a required configuration 75% of the time but we wanted to map a specific attribute in the SAML2 response to a WebLogic user. Unfortunately the only way to do this is by writing a couple of custom Java classes to override the default way WebLogic maps SAML2 responses to WebLogic users. That is what the previous post covered.

I may go over the above steps in more detail some other time. Otherwise good luck on getting SSO in EPM :)

1 comment:

  1. This is a great article. Thank you for sharing. Did you ever configured Ping federate SSO with EPM or above?