A previous blog, SSO Configuration for OAS with IDCS using Apache HTTP Server and OpenID Module, described how to set up Single Sign-On (SSO) for Oracle Analytics Server (OAS) using Apache HTTP Server and the OpenID Module, either with Oracle Identity Cloud Service (IDCS) or Oracle Cloud Infrastructure (OCI) IAM Domain.
This blog explores Oracle Analytics mobile app configuration specifically for OAS.
Architecture

When an unauthenticated user tries to access an application protected by App Gateway, the user is redirected to the IDCS or OCI IAM Domain sign-in page for authentication.

Prerequisites
Before proceeding, ensure you’ve completed the SSO configuration steps for OAS with IDCS or IAM Domain using Apache HTTP Server and OpenID module, as outlined in the blog SSO Configuration for OAS with IDCS using Apache HTTP Server and OpenID Module.
NOTE: Configure Oracle Identity Cloud Integrator as an authentication provider in the OAS WebLogic administration console. For details, refer to the section Oracle Identity Cloud Integrator in the blog, Integrate OAS with IAM App Gateway for SSO.
When complete, access the OAS URL to test the SSO functionality. For example: https://analytics.cealoracle.com/dv

Download the Oracle Analytics Mobile App

Download the Oracle Analytics mobile app from: https://www.oracle.com/in/business-analytics/analytics-mobile
Configure the Confidential Application
The confidential application created for the SSO configuration (for example, OASMP_oas1) doesn’t have a Resource and Resource Scope configured, and the mobile app requires both.
- Edit the confidential application (for example, OASMP_oas1) and expand Resources.
- Select Register Resources.
- Check Is Refresh Token Allowed.
- For Primary Audience, enter the application name. For example: OASMP_oas1
- For Secondary Audience, enter the load balancer base URL. For example: https://analytics.cealoracle.com
- Create a Scope and set Requires Consent to True.

Configure Oracle Analytics Server for Mobile Access
Run the following scripts as an Oracle user on the OAS compute instance.
Stop Oracle Analytics Server services
/u01/data/domains/bi/bitools/bin/stop.sh
Display help for the mobile configuration script (setMobileConfiguration)
Use the setMobileConfiguration script to configure OAS for mobile use cases.
/u01/data/domains/bi/bitools/bin/setMobileConfiguration.sh --help
Usage: setMobileConfiguration.sh [-d DomainHome] [-s SIkey] [-p IdentityServicePort] -a PermanentServiceUri -u TokenServiceUrl -h IdentityServiceHostDomain -t TenantStripe -i ClientId
-d: Domain home (including final domainName dir). Defaults to '/u01/data/domains/bi' if not specified
-s: Service instance key. Defaults to 'ssi' if not specified
-p: Port number of the Identity cloud service. Defaults to 443 if not specified
-a: Permanent service URI. Use 'Primary Audience' value configured in the OAuth Configuration tab of the Identity cloud service enterprise app. Eg., https://analytics.mycompany.com or OASEnterpriseApp
-u: Token service URL of Identity cloud service instance. Eg., https://idcs-12121212121212121212121212121212.identity.oraclecloud.com/oauth2/v1/token
-h: Domain portion of Identity cloud service host. Eg., identity.oraclecloud.com
-t: Identity cloud service Tenant stripe. Eg., idcs-12121212121212121212121212121212
-i: OAuth Client Id. This is the Client ID of the Confidential App used for Oracle Identity Cloud Integrator configuration in the WLS Administration Console
Run the mobile configuration script
Important: You can’t re-execute this script.
Make a note of all required values before running the script.
The script will prompt you to enter the Client Secret for the Client ID that you specify.

Run the script, for example:
/u01/data/domains/bi/bitools/bin/setMobileConfiguration.sh -d /u01/data/domains/bi -s ssi -p 443 -a OASMP_oas1 -u https://idcs-f5e26bxxxxxxxxxxxxxxxxxxxxxxxxx00403.identity.oraclecloud.com/oauth2/v1/token -h identity.oraclecloud.com -t idcs-f5e26bxxxxxxxxxxxxxxxxxxxxxxxxx00403 -i 0982xxxxxxxxxxxxxxxxxxxxxxxxx95529
When prompted, enter the Client Secret for the Client ID of the confidential application that you specified.
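
Because the script can't be re-executed, it helps to check the arguments against each other before running it. The following pre-flight check is an added example, not part of the original post or of Oracle's tooling; the function name `check_mobile_args` is hypothetical, and it assumes (as in the sample command above) that the token URL host is the tenant stripe joined to the host domain.

```shell
#!/bin/sh
# Added example: pre-flight check for setMobileConfiguration.sh arguments.
# Assumption (taken from the page's sample command): the -u host equals
# "<-t tenant stripe>.<-h host domain>" and the path is /oauth2/v1/token.

# check_mobile_args TOKEN_URL HOST_DOMAIN TENANT_STRIPE PORT CLIENT_ID
# Prints one line per problem; returns 0 only when none was found.
check_mobile_args() {
    cm_url=$1; cm_domain=$2; cm_tenant=$3; cm_port=${4:-443}; cm_client=$5
    cm_rc=0
    case $cm_url in
        https://*) ;;
        *) echo "-u: token service URL is not https"; cm_rc=1 ;;
    esac
    cm_rest=${cm_url#*://}            # host[:port]/path
    cm_hostport=${cm_rest%%/*}
    cm_path=/${cm_rest#*/}
    cm_host=${cm_hostport%%:*}
    case $cm_hostport in
        *:*) cm_urlport=${cm_hostport##*:} ;;
        *)   cm_urlport=443 ;;        # https default port
    esac
    [ "$cm_host" = "$cm_tenant.$cm_domain" ] ||
        { echo "-u host '$cm_host' is not '$cm_tenant.$cm_domain' (-t.-h)"; cm_rc=1; }
    [ "$cm_path" = /oauth2/v1/token ] ||
        { echo "-u path '$cm_path' is not /oauth2/v1/token"; cm_rc=1; }
    [ "$cm_urlport" = "$cm_port" ] ||
        { echo "-u port $cm_urlport differs from -p $cm_port"; cm_rc=1; }
    # The page's sample values are masked with runs of 'x'; catch a paste of them.
    for cm_v in "$cm_tenant" "$cm_client"; do
        case $cm_v in
            ''|*xxxx*) echo "value '$cm_v' is empty or a masked placeholder"; cm_rc=1 ;;
        esac
    done
    return $cm_rc
}

# Constructed sample values, not a real tenant or client.
TENANT=idcs-0123456789abcdef0123456789abcdef
CLIENT_ID=fedcba9876543210fedcba9876543210
if check_mobile_args "https://$TENANT.identity.oraclecloud.com/oauth2/v1/token" \
        identity.oraclecloud.com "$TENANT" 443 "$CLIENT_ID"; then
    echo "arguments are consistent; run setMobileConfiguration.sh with these values"
fi
```

The Client Secret is deliberately not an argument here: the script prompts for it, which keeps it out of shell history and process listings.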
Start Oracle Analytics Server services
/u01/data/domains/bi/bitools/bin/start.sh
Create a mobile application
Create and configure a mobile application. Either use the IDCS Administration Console or the IAM Domain Integrated Applications page in the OCI Console.
- Sign in to IDCS Administration Console and navigate to Applications. Or sign in to OCI Console, and navigate to the IAM Domain, then Integrated Applications.
- Create a Mobile Application.
- On the Client Configuration step:
  - Check Refresh Token, Authorization Code, and Implicit for Allowed Grant Types.
  - Check Allow non-HTTPS URLs.
  - Enter Redirect URL: dopplermobileapp://nodata
  - Enter Post Logout Redirect URL: dopplermobileapp://logout
  - Enable Bypass Consent.
  - Add Scope: Select the Confidential Application, for example, OASMP_oas1.
- Note the Client ID value.
- Activate the mobile application.



For Scope, select the application OASMP_oas1 from the list of applications available.

Note the Client ID value and use it to construct a Magic URL.

Activate the mobile application and note the Client ID value.
Create a Magic URL
A Magic URL contains all the required information to access IDCS using SSO and can be shared across your organization. It contains five elements as shown in the following sample data.
Sample Data
- Mobile app code name: oracleanalytics
- Client ID: Value of the mobile application that you configured for SSO in OAS. For example, 875f734r32yut27474sa55uye14c7a
- Oracle Analytics Server URL. For example: https://analytics.cealoracle.com
- Oracle Analytics Server Scope URL: Available in the Resources section of the mobile application that you configured for SSO in OAS. For example: OASMP_oas1/
- Oracle Identity Cloud Service URL. For example: https://idcs-f5hjsgerf76r345rt7832ry45872403.identity.oraclecloud.com
A Magic URL with these values looks like this:
oracleanalytics://oauth?clientID=875f734r32yut27474sa55uye14c7a&friendlyURL=https://analytics.cealoracle.com&scope=openid%20OASMP_oas1/&idcsURL=https://idcs-f5hjsgerf76r345rt7832ry45872403.identity.oraclecloud.com
Alternatively, you can use the Oracle Analytics Magic URL Generator, available at: https://download.oracle.com/ocomdocs/global/paas_docs/analytics/magicurl.html
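
A Magic URL tells the mobile app which identity service and which OAS host to use, so it is worth confirming both before the URL is shared across the organization. The following is an added example, not part of the original post or of Oracle's generator; the function names are hypothetical, and requiring https for both URLs is this example's own policy.

```shell
#!/bin/sh
# Added example: build a Magic URL from the page's elements and verify one
# before it is shared. Requiring https is this example's own policy.

# build_magic_url CLIENT_ID OAS_URL SCOPE IDCS_URL  -> prints the Magic URL
build_magic_url() {
    mu_client=$1; mu_oas=${2%/}; mu_scope=$3; mu_idcs=${4%/}
    for mu_v in "$mu_client" "$mu_oas" "$mu_scope" "$mu_idcs"; do
        case $mu_v in
            ''|*'&'*|*'#'*|*' '*)
                echo "empty value, or one containing '&', '#' or a space: '$mu_v'" >&2
                return 1 ;;
        esac
    done
    for mu_v in "$mu_oas" "$mu_idcs"; do
        case $mu_v in
            https://*) ;;
            *) echo "not an https URL: $mu_v" >&2; return 1 ;;
        esac
    done
    # %20 is the encoded space between "openid" and the resource scope.
    printf '%s\n' "oracleanalytics://oauth?clientID=$mu_client&friendlyURL=$mu_oas&scope=openid%20$mu_scope&idcsURL=$mu_idcs"
}

# magic_url_param URL NAME -> prints the value of query parameter NAME
magic_url_param() {
    mp_q="&${1#*\?}&"
    case $mp_q in
        *"&$2="*) mp_v=${mp_q#*"&$2="}; printf '%s\n' "${mp_v%%&*}" ;;
        *) return 1 ;;
    esac
}

# check_magic_url URL EXPECTED_OAS_URL EXPECTED_IDCS_URL
check_magic_url() {
    case $1 in
        'oracleanalytics://oauth?'*) ;;
        *) echo "unexpected scheme or path" >&2; return 1 ;;
    esac
    [ "$(magic_url_param "$1" friendlyURL)" = "$2" ] || { echo "friendlyURL is not $2" >&2; return 1; }
    [ "$(magic_url_param "$1" idcsURL)" = "$3" ] || { echo "idcsURL is not $3" >&2; return 1; }
}

# Sample values from the page.
OAS=https://analytics.cealoracle.com
IDCS=https://idcs-f5hjsgerf76r345rt7832ry45872403.identity.oraclecloud.com
URL=$(build_magic_url 875f734r32yut27474sa55uye14c7a "$OAS" OASMP_oas1/ "$IDCS") &&
    check_magic_url "$URL" "$OAS" "$IDCS" && echo "$URL"
```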
Access the Magic URL
Open the Magic URL on any Android or iOS device with the Oracle Analytics mobile app installed.


Call to Action
Now you have the steps to set up the Oracle Analytics mobile app for your Oracle Analytics Server which is integrated with either Oracle Identity Cloud Service or OCI IAM Domain for authentication using Apache HTTP Server and OpenID module. Experiment with the configuration yourself, and post your results and questions in the Oracle Analytics Community.
