Integrate Oracle Analytics Server with Oracle Identity Cloud Service or IAM Identity Domain for Single Sign-On using App Gateway

February 15, 2023 | 5 minute read
Veera Raghavendra Rao Koka
Consulting Member of Technical Staff

Introduction

App Gateway is a software appliance enabling you to integrate applications hosted either on a compute instance in Oracle Cloud or in an on-premises server with Oracle Identity Cloud Service (IDCS) or IAM Identity Domain for Single Sign-On (SSO) purposes.

Using the App Gateway, you can integrate Oracle Analytics Server (OAS) with IDCS and IAM Identity Domain for SSO purposes.

App Gateway acts as a reverse proxy protecting OAS resources by restricting unauthorized network access. App Gateway intercepts any HTTP request to OAS and ensures that the users are authenticated with IDCS or IAM Identity Domain before forwarding the request to OAS. App Gateway propagates the authenticated user's identity to OAS.

If the user isn't authenticated with IDCS or IAM Identity Domain, then App Gateway redirects the user to the IDCS Sign-In page for credential validation.

This article describes the configuration of SSO for a single node OAS instance running on Oracle Cloud Infrastructure using the App Gateway docker image on the same compute instance as the OAS instance.

The subsequent sections of this article discuss the prerequisites and limitations concerning the configuration of SSO for OAS with App Gateway.

Download the White Paper

Download >  OAS SSO using IDCS or IAM App Gateway.pdf

How App Gateway Works

Refer to the documentation to understand How IDCS App Gateway Works and How IAM App Gateway Works.

References

App Gateway is available for IDCS and IAM Identity Domain. The functionality is the same in each case, except for the way you navigate, the user interface, and its download.

Understand App Gateway

See IDCS App Gateway documentation and IAM App Gateway documentation.

Prerequisites

  • Oracle Analytics Server (5.9 and higher)
  • OCI Compute Instance for App Gateway
  • OCI Load Balancer (optional if App Gateway is running on a separate compute instance)

Configuration

SSO configuration of OAS delegates authentication to IDCS or IAM Identity Domain using App Gateway. For the authorization, OAS requires the users and groups from the IDCS or IAM Identity Domain to be available in OAS for application role management.

For OAS to read the users and groups from IDCS or IAM Identity Domain and list them in OAS, you need to configure Oracle Identity Cloud Integrator as an authentication provider in the Oracle WebLogic Server of the OAS instance.

Optional Configuration

Configuring an OCI Load Balancer is an optional step. When you deploy the App Gateway Docker image on the OAS compute instance, it's recommended to have a load balancer in a public subnet and the OAS compute instance in a private subnet.

When using an OCI Load Balancer, also block direct access to the OAS instance and its ports.

When the App Gateway Docker image is deployed on a separate compute instance from the OAS instance, you can avoid the use of a load balancer and block direct access to the OAS instance and its ports.
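
A post-deployment check for the two properties described above, that unauthenticated requests are redirected to the identity provider and that OAS cannot be reached around App Gateway. This is an added example, not Oracle's code or part of the original article; the function names and any host, path, or port you pass in are assumptions to replace with your own values.

```python
"""Added example: verify that unauthenticated traffic is redirected to the
identity provider and that OAS does not answer directly."""
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx instead of following it


def probe_http(url, timeout=5):
    """Return (status, Location header) for an unauthenticated GET."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def port_open(host, port, timeout=3):
    """True if a TCP connection to host:port succeeds from this host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def evaluate(gateway_obs, idp_host, direct_ports_open):
    """Turn observations into findings; an empty list means all checks passed."""
    findings = []
    status, location = gateway_obs
    loc_host = (urlsplit(location).hostname or "") if location else ""
    if status in (301, 302, 303, 307, 308):
        if loc_host.lower() != idp_host.lower():
            target = loc_host or "a relative URL"
            findings.append(f"redirect goes to {target}, not {idp_host}")
    elif status == 200:
        findings.append("protected URL served content without authentication")
    else:
        findings.append(f"unexpected status {status} from gateway")
    for port, is_open in sorted(direct_ports_open.items()):
        if is_open:
            findings.append(f"OAS port {port} reachable without App Gateway")
    return findings
```

Run `probe_http` against a protected URL on the gateway and `port_open` against each OAS port from a host outside the private subnet, then pass both results to `evaluate`.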

Oracle Identity Cloud Integrator

OAS is certified to use Oracle Identity Cloud Integrator to list Users and Groups from IDCS to OAS. Refer to Configure Oracle Identity Cloud Integrator as the Authentication Provider.

Oracle Identity Cloud Service App Gateway

OAS is certified for the use of IDCS App Gateway for Single Sign-On. Refer to Configure SSO with Oracle Identity Cloud Service and App Gateway.

Install IDCS App Gateway Server using one of three approaches:

  1. Install App Gateway on Oracle Cloud Infrastructure.
  2. Install App Gateway using Oracle VM Virtual Box Software.
  3. Deploy the Oracle App Gateway Docker Container.

To install App Gateway on OCI Compute or Oracle VM Virtual Box, refer to Configuring SSO for OBIEE12c/OAS Running On On-Premise or On OCI Compute with IDCS Using App Gateway (Doc ID 2611016.1).

The following section describes the deployment of the IDCS App Gateway docker container.

App Gateway Docker Image

Reference: https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/manage-oracle-identity-cloud-service-app-gateways1.html.

This approach uses the IDCS App Gateway Docker Image:

  1. Log in to the Oracle Identity Cloud Service (IDCS) administration console.
  2. Navigate to Settings, then Downloads, and download the App Gateway Docker Image for Identity Cloud Service.
  3. Download the App Gateway Wallet Tool.

Register the App Gateway

Before installing the binary file for App Gateway that appears on the Downloads page, you must register your App Gateway using the Identity Cloud Service console.

Assign an Enterprise Application to an App Gateway

Update the App Gateway registration in the Oracle Identity Cloud Service console and add an enterprise application that interacts with App Gateway.

Create an Enterprise Application

An enterprise application enables you to secure web applications that are protected by the Oracle App Gateway. See its documentation.

Add Resources

For the lists of Protected, Public, and Excluded resources for OAS, see the OAS documentation:

Protect Oracle Analytics Server URLs or Make Them Public.

Add the Enterprise Application to the Registered App Gateway

Update the App Gateway registration in Oracle Identity Cloud Service console and assign an enterprise application.

Configuring the OAS Instance for SSO

To configure SSO for an on-premises OAS instance with IDCS or IAM Identity Domain, keep the following in mind.

Observations

  • Generally, internet connections are disabled on on-premises application servers.

Requirements

  • You need a license to use IDCS or IAM Identity Domain.
  • You need App Gateway running on the on-premises server.
  • You need the App Gateway server to be able to connect to IDCS or IAM Identity Domain from the on-premises network.

Limitations

  • When you start the App Gateway server, App Gateway contacts Oracle Identity Cloud Service to retrieve the port number you configured during the App Gateway registration in Oracle Identity Cloud Service console. The App Gateway server starts using this port number.
  • The App Gateway agent is responsible for synchronizing the App Gateway configuration (hosts and applications) from Oracle Identity Cloud Service to the App Gateway server.
  • Internet access from the App Gateway server is required.

Call to Action

This article described the Single Sign-On configuration of Oracle Analytics Server on Oracle Cloud Infrastructure using IDCS App Gateway for a single-node OAS instance. Try out the configuration for yourself.

Veera Raghavendra Rao Koka

Consulting Member of Technical Staff

Oracle Analytics Service Excellence, CEAL Team
