OBIEE with both SSO and LDAP
645617 Nov 29 2009 — edited Nov 30 2009
I need to be able to run OBIEE using SSO with LDAP to 'reauthenticate' the user and then provide information as to which user groups they are in.
The overall idea is that the user logs in to the 'system' as a whole and is then provided a hyperlink to OBIEE. Behind the scenes, the system login process will set a cookie holding the user's name, thus allowing SSO to be used with OBIEE. When the user logs in, LDAP will then be used to determine which groups the user is a member of.
I can get SSO working (on its own) and I can get LDAP authentication working (on its own), but when I try to combine the two I just get user authentication errors.
I suspect that what is happening is that the OBIEE login process is passing the correct username to LDAP (i.e. the one from the cookie), but the IMPERSONATOR password rather than the user one (at this point OBIEE does not know the user password).
Is there any way of getting around this? As far as I can tell, the LDAP authentication mechanism requires both a username and password to be passed to it, but since we are using SSO, we only have the username.
Note: it is not considered secure enough to hold the user password as a cookie or as part of a 'GO' URL, which is why we wish to use SSO.
Many thanks,
Chris