Saturday, August 25, 2012

FYI: Enabling Virtualization (virtualize=true) and OBI-SEC-00015

Many OBIEE blogs that discuss external authentication with OBIEE 11g (including my recent post on OID integration) specify that a virtualize=true parameter is required for the configuration of Fusion Middleware's Identity Store. Even Oracle's own technical documentation specifies this as a required parameter when dealing with multiple authentication sources.

Here is an example of a common Identity Store configuration with OID and a default authenticator:



Yet a quick Google search will tell you that many practitioners have encountered problems (or so they think) with the virtualize=true parameter during their external authentication implementation.

What does the virtualize=true parameter mean?

If you are implementing multiple authentication providers, you need to 'enable' Fusion Middleware applications to see all the users, groups, and roles within the WebLogic Administration Console. This is accomplished with Oracle Virtual Directory (OVD). Oracle Virtual Directory is an LDAP service that provides a virtualized abstraction of multiple data sources as a single view. By specifying virtualize=true, Fusion Middleware utilizes the OVD service as the mechanism for identifying, storing, and accessing users and groups across multiple authentication systems.


Does DefaultAuthenticator count as an authentication source?

When implementing WebLogic 11g/OBIEE out of the box, a WebLogic DefaultAuthenticator is provided with 3 system accounts: BISystemUser, OracleSystemUser, and weblogic. Multiple posts have been created on Oracle Technical Network questioning the need to count the default authenticator as an authentication source.

What happens if we do not count the DefaultAuthenticator as an authentication source, thereby eliminating the need for virtualize=true?

If you're encountering a scenario where you have an external LDAP authentication (OID, ADUC) as well as the default authenticator for system users, and you remove the virtualize=true parameter in the Identity Store, you will still be able to log into OBIEE 11g Answers with your OID/ADUC users.

But try logging in with a system user (e.g. weblogic or OracleSystemUser). You will encounter the OBI-SEC-00015 error:

Error Message From BI Security Service: SecurityService::authenticateUserWithLanguage [OBI-SEC-00015] Unable to find user in identity store

An examination of your bi_server1-diagnostic.log will confirm the error:



Conclusion?

  • The DefaultAuthenticator does count as an authentication source
  • If you are going to implement an external authentication provider and use the DefaultAuthenticator, virtualize=true is needed for the DefaultAuthenticator system users

If you are unable to log into Answers 11g with your OID/ADUC users, the problem is most likely not the virtualize=true flag. Review your configuration settings, search OTN, and remember - virtualize=true is needed!
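
The conclusion above can be turned into a quick configuration check. This is an added example, not code from the original post or from Oracle: it assumes the Identity Store custom property is persisted in the domain's jps-config.xml as a `property` element under the `idstore.ldap` service instance, and the sample XML, the authenticator names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a jps-config.xml identity store instance (assumed layout).
SAMPLE_JPS = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.config.provider"
                value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
      <property name="user.login.attr" value="uid"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>"""

def local_name(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def idstore_properties(jps_xml, instance="idstore.ldap"):
    """Return {name: value} for the named serviceInstance, or None if absent."""
    root = ET.fromstring(jps_xml)
    for el in root.iter():
        if local_name(el.tag) == "serviceInstance" and el.get("name") == instance:
            return {p.get("name"): p.get("value", "")
                    for p in el if local_name(p.tag) == "property"}
    return None

def check_virtualize(jps_xml, authenticators):
    """Flag a multi-authenticator realm whose identity store lacks virtualize=true.

    DefaultAuthenticator counts as a source, per the post's conclusion.
    """
    props = idstore_properties(jps_xml)
    if props is None:
        return "no-idstore-instance"
    # Strict match on the value the post uses; anything else is reported.
    enabled = props.get("virtualize", "").strip() == "true"
    if len(set(authenticators)) > 1 and not enabled:
        # Per the post: DefaultAuthenticator system users then hit OBI-SEC-00015.
        return "missing-virtualize"
    return "ok"

if __name__ == "__main__":
    realm = ["OIDAuthenticator", "DefaultAuthenticator"]  # constructed names
    print(check_virtualize(SAMPLE_JPS, realm))
    fixed = SAMPLE_JPS.replace(
        "</serviceInstance>",
        '<property name="virtualize" value="true"/></serviceInstance>')
    print(check_virtualize(fixed, realm))
```
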



keywords : OBIEE 11g authentication, ldap authentication, weblogic authentication provider, OBI-SEC-00015, virtualization, external groups authentication

2 comments:

  1. This comment has been removed by the author.
  2. Yes, adding virtualize=true did resolve my issues, Thanks