Setting up Essbase SSO with JumpCloud (Example) and Essbase Impersonation

This document outlines the steps for configuring Dodeca and Essbase for SAML SSO using JumpCloud as an example identity provider.

Configuring the Application for SSO

Follow these steps within Dodeca for each application needing SSO:

  1. Go to Metadata → Applications and select the target application.

  2. Scroll to the Security section, find AuthenticationProviderObjectTypeID, and choose SamlAuthentication from the dropdown. Then click the Export Service Provider Metadata button that appears to the left.

  3. Reach out to your security team (e.g., Azure/JumpCloud admins) and give them the exported Service Provider metadata for each application.

  4. The SSO security team should provide Identity Provider metadata files (one .xml per Dodeca application) in return.

  5. Click the "Import Identity Provider Metadata" button in the Applications Metadata Editor and locate the XML file for the Dodeca Application. Note that the button is sometimes hidden and can be revealed by making the pane bigger.

  6. Commit the changes in the Applications Metadata Editor.

  7. Click the "Test Authentication Provider" button. Make sure you have committed your SAML security work before testing, or you will get an error.

  8. Attempt to launch the DSMS application. You can tell that the login dialog is outdated if OTP is the only option in the SSO prompt.

Debug mode can be enabled in the Application Metadata Editor to help troubleshoot issues.

The WebView 2 available here should be considered a prerequisite as it provides more informational error messages.

Configuring Essbase Impersonation via JNDI

These steps configure the Dodeca-Essbase server environment.

Use the following dshell commands to configure the tenant:

    dshell/:> connect <metadata_repository>
    dshell/:> use <tenant>
    dshell/<tenant>:> generate-encryption-keys
    dshell/<tenant>:> set-tenant-option logical-id <logical_server_id>
    # Example: dshell/<tenant>:> set-tenant-option logical-id <server>.<tenant>.<domain_name>.<com or net>
    # (Optional) Use the print-artifact command to see if a duration has been set: dshell/<tenant>:> print-artifact __TENANT_CONFIG__
    dshell/<tenant>:> set-tenant-option token-duration-seconds 86400
    dshell/<tenant>:> export-certificate <logical_server_id>.cer --days 3650
    dshell/<tenant>:> exit

Use keytool to import the .cer file into the cacerts file in use by Tomcat or a .p12 keystore (either new or existing).

    keytool -import -trustcacerts -alias <logical_server_id> \
            -file "<logical_server_id>.cer" \
            -keystore "<keystore_name>" \
            -storepass <keystore_password> \
            -storetype PKCS12

Replace placeholders with your actual logical server ID, keystore name, and chosen keystore password.

Add the following parameters in Tomcat’s Configuration Utility.

    -Ddodeca.trusted-servers.keyStore=<path_to_keystore>\<keystore_name>
    -Ddodeca.trusted-servers.keyStorePassword=<keystore_password>

Use the full path to the keystore. Do not use quotes around the path or password values here.

Add the Essbase JNDI connection to Tomcat’s context.xml.

    <Resource adminPassword="<password>"
              adminUsername="<username>"
              encrypted="false"
              apsServer="embedded"
              server="MyServer"
              singleton="true"
              factory="com.appliedolap.dodeca.essbase.server.connection.EssConnectionFactory"
              type="com.appliedolap.dodeca.essbase.server.connection.EssConnection"
              auth="Container"
              name="essbase/DEFAULT" />

The Essbase connection for the view that uses the SSO Impersonation must be set to ImpersonationViaAuthenticationProvider.

Restart the Tomcat service for changes to take effect, then test the connection.