My Oracle Support Banner

How To Configure SAML 2.0 SSO on OBIEE 12c Using ADFS - Single Node (Doc ID 2248571.1)

Last updated on DECEMBER 18, 2023

Applies to:

Business Intelligence Suite Enterprise Edition - Version to [Release 12c to 12g]
Information in this document applies to any platform.


To Provide End to End steps to be performed to implement SAML 2.0 Web SSO for OBIEE 12c using ADFS as Identity Provider ( IdP )

This is a Service Provider Initiated SSO which means the user directly access the Analytics (SP ) URL that gets re-directed to ADFS for Authentication.

This document is based on the following example environment:


Service Provider (SP) : OBIEE on Linux - spbi.<domain>

Identity Provider (IdP) : ADFS 2012 on Windows 2012- idpadfs.<domain>


The main purpose of the document is to provide complete end to end steps involved in configuring SAML 2.0 SSO for OBIEE 12c using ADFS, Any issues while implementing these steps are not necessarily handled by OBIEE product support Group. Based the issue the appropriate support team to be involved like Microsoft AD, ADFS, WebLogic or OBIEE.

This document is informational and intended for Administrators and Advanced Users.

This document covers very basic and typical SAML 2.0 implementation steps for OBIEE 12c.

This document does not cover all the implementation scenarios.

Before following the steps in this document , Ensure that the OBIEE environment is in working status. Check the user logins to Analytics from Default LDAP and External LDAP users (if any).

Please take complete domain backup before attempting to implement SAML.

This document is intended as a "cookbooK" enhancement to the documentation to fill in any gaps, missing or ambiguous information and to tie multiple documentation together in one location. It is not meant to replace the official documentation.

The server names , locations and passwords used in this document are for example, should not be copy and paste.

This document does not cover OBIEE Installation and SSL Configuration for OBIEE.

This document assumes the Windows 2012 Server already has Active Directory configured with proper Domain.

For Oracle Analytics Server (OAS), please use the approach documented in:
SAML 2.0 and Kerberos Single Sign-On Configuration for Oracle Analytics Server (Doc ID 2761678.1)



To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document
 1. Prerequisites
 1.1 ADFS Prerequisites 
 1.2 OBIEE 12c Prerequisites
 2. Install ADFS and IIS
 3. Configure SSL for IIS
 4. Configuration of ADFS as an IdP
 4.1 Setup a Service Account
 4.2 Configure the Federation Server
 4.3 Generate Federation Metadata
 5. Configure BI Domain as a Service Provider (SP)
 5.1 Enable SSL for OBIEE 12c
 5.2 Create SAML2.0 Asserter
 5.3 Configure Federation Services in WebLogic Server ( bi_server1 ) & Publish Metadata
 6. Configuring BI as a Partner (SP) with ADFS (IdP) 
 7. Configuring Identity Provider Metadata on the BI Domain 
 8. Configure BI Analytics Application for SSO
 8.1 set Control Flag to SUFFCIENT
 8.2 Update analytics.ear to include required security role.
 8.3 Redeploy repackaged analytics.ear
 9. Enable SSO in EM
 10. Setup Authorization
 11. Restart all the Services
 12. Verify the SAML SSO Login
 13. Configuring Logout URL
 13.1 Obtain and Apply patch for appropriate OBIEE version and Platform
 13.2 Configure Logout End Point at ADFS
 13.3 Configure Logoff URL at OBIEE
 14. Enabling SSO for BI Publisher ( Optional )
 14.1 Update xmlpserver.ear to include required Security Role
 14.2 Redeploy BI Publisher
 14.3 Update xmlpserver under Redirected URI
 15. Basic Troubleshooting
 15.1 HTTP 403-Forbidden 
 15.2 HTTP 404 on /saml2/sp/acs/post
 16. Configure Visual Analyzer/ Data Visualization Application for SSO

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.