
Many organizations implement Single Sign-On (SSO) protocols to streamline application access and enforce strict compliance among their users.

In these situations, you must adhere to certain guidelines in Oracle Analytics Cloud (OAC).

Oracle Analytics Client Tools

Connecting to Your Semantic Model in the Cloud Using Model Administration Tool

When you use the Model Administration Tool to connect to your semantic model (RPD file) in cloud mode, you must enter the username and password of a user with the BI Service Administrator role.


If users attempt to log in with their SSO credentials, they’re unsuccessful because Model Administration Tool doesn’t function as a web browser; that is, the tool can’t authenticate their credentials with an external SSO identity provider.

Instead, the Model Administration Tool authenticates through OAC’s own identity management system: Oracle Identity Cloud Services (IDCS) or Oracle Cloud Infrastructure (OCI) IAM domain.

Consequently, the Model Administration Tool requires native user credentials for IDCS or OCI IAM domain. It’s crucial that you relay this to your security team so they can create an account tailored for this purpose in IDCS or OCI IAM domain.

Connecting to Catalog Manager CLI

The principle is the same if you want to manage the OAC catalog. That is, you must use a native IDCS or OCI IAM domain username and password to access OAC through Catalog Manager CLI.

Oracle Analytics Cloud Connection Dialogs

In OAC, you can connect to a wide range of data sources through a connection dialog, for example Oracle Applications, Oracle Essbase, and Oracle EPM Cloud.


NOTE: In the Oracle Applications connection dialog, for Host, don’t enter the URL of the Oracle Analytics Cloud you’re currently logged in to. If you want to visualize the data used in a local analysis, create a dataset based on the analysis (local subject area). See Create a Dataset from a Subject Area in Your Instance.


Under Authentication, you specify how you’d like to authenticate the connection:

  • Always use these credentials – OAC always uses the login name and password you provide for the connection. Users aren’t prompted to log in.
  • Require users to enter their own credentials – OAC prompts users to enter their own username and password for the data source. Users can only access the data for which they have the permissions, privileges, and role assignments.
  • Use the active user’s credentials – OAC doesn’t prompt users to sign in to access the data. The same credentials they used to sign in to Oracle Analytics are also used to access this data source. See Configure Impersonate User for the Use Active User Credentials Option. Make sure that the Oracle Analytics user exists in the data source you want to connect to.

In the connection dialog for all these data sources, you must provide the username and password for a native user in the target data source.

When you use the “Always use these credentials” option to connect to Oracle Fusion Cloud Applications Suite, Oracle Transactional Business Intelligence (OTBI), Oracle BI Enterprise Edition (OBIEE), Oracle Analytics Server (OAS), Oracle Essbase, Oracle EPM Cloud, or another Oracle Analytics Cloud, you must provide the username and password for a native administrator in the target data source. SSO credentials aren’t allowed. OAC always uses these native user credentials to connect to the data source and doesn’t prompt the OAC user of the data connection to enter credentials. In reports, the data is retrieved as the given administrator.

When you use the “Require users to enter their own credentials” option to connect to Oracle Fusion Cloud Applications Suite, OTBI, OBIEE, Oracle Analytics Server, Oracle Essbase, Oracle EPM Cloud, or another Oracle Analytics Cloud, OAC prompts users using the data connection to enter their native username and password in the target data source. SSO credentials aren’t allowed. Users can only access data according to their privileges in the target data source.

When you use the “Use the active user’s credentials” option to connect to Oracle Fusion Cloud Applications Suite, OTBI, OBIEE, Oracle Analytics Server, Oracle Essbase, Oracle EPM Cloud, or another Oracle Analytics Cloud, OAC connects to the target data source using the given administrator’s native username and password and impersonates the active OAC user using the data connection. The administrator’s SSO credentials aren’t allowed. OAC doesn’t prompt for authentication during this process. The active OAC username and the target data source username must be identical. The password doesn’t need to be the same for both applications.


This approach also applies to data connections you create in the Model Administration Tool.


Oracle Analytics Cloud REST APIs

Authentication and authorization in OAC are managed by IDCS or the OCI IAM domain. To access OAC REST APIs, you need an OAuth 2.0 access token from IDCS to use for authorization. For more details, see Oracle Analytics Cloud REST API – Authenticate.

You can obtain an access token in various ways, depending on the grant type chosen in the confidential application. For more details, read the blog Unlocking Oracle Analytics Cloud with OAuth 2.0.

The Resource Owner grant type requires that you include the native IDCS username and password in the payload of the IDCS REST API call. SSO user credentials aren’t allowed.
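The following added example (not code from the original blog or from Oracle) builds the Resource Owner token request described above without sending it, so you can see where the native IDCS username and password sit in the payload. The host name, scope placeholder, and environment variable names are assumptions for illustration; secrets are read from the environment rather than hardcoded.

```python
import base64
import os
import urllib.parse
import urllib.request


def build_token_request(idcs_url, client_id, client_secret,
                        username, password, scope):
    """Build (without sending) a Resource Owner password-grant token request."""
    parts = urllib.parse.urlsplit(idcs_url)
    if parts.scheme != "https" or not parts.netloc:
        # The body carries a native password: never allow cleartext transport.
        raise ValueError("IDCS URL must be https")
    # The confidential application authenticates with HTTP Basic.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "password",   # OAuth 2.0 Resource Owner grant
        "username": username,       # native IDCS user, not an SSO identity
        "password": password,
        "scope": scope,
    }).encode()
    return urllib.request.Request(
        url=idcs_url.rstrip("/") + "/oauth2/v1/token",
        data=body,
        method="POST",
        headers={
            "Authorization": "Basic " + basic,
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def request_from_env(env=os.environ):
    """Read secrets from the environment (hypothetical variable names)."""
    return build_token_request(
        env["IDCS_URL"], env["OAC_CLIENT_ID"], env["OAC_CLIENT_SECRET"],
        env["OAC_NATIVE_USER"], env["OAC_NATIVE_PASSWORD"], env["OAC_SCOPE"])


if __name__ == "__main__":
    # Constructed sample values; replace via environment variables in real use.
    req = build_token_request("https://idcs-tenant.example", "client-id",
                              "client-secret", "svc_oac_api", "not-a-real-pw",
                              "OAC_SCOPE_PLACEHOLDER")
    print(req.get_method(), req.full_url)
    # urllib.request.urlopen(req) would return JSON containing access_token.
```

Because this grant type puts a long-lived native password in every token request, use a dedicated service account for it and keep the client secret and password out of source control.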

Data Migration Utility

In OAC, you can create datasets from a range of files, including comma-separated values (CSV), text (TXT), and spreadsheets. When you migrate to a new OAC environment in a different OCI region, network connectivity or storage access issues might sometimes prevent you from migrating the data files in the snapshot. For such cases, OAC offers a CLI utility that enables you to move your data files to the new location.

When you use the data migration utility, you must enter the OAC administrator’s IDCS native username and password in the properties file. SSO user credentials aren’t allowed.

Summary

To effectively utilize Oracle Analytics Cloud (OAC), it’s essential that you understand how to use native credentials across various features and tools in OAC. This blog describes a range of scenarios, from connecting to data sources and applications to accessing OAC’s advanced features and utilities.

Reference: OAC: How to Connect to Oracle Fusion HCM-OTBI from OAC DV Dataset with SSO (Doc ID 2607450.1)
