Connecting an On-Premises Oracle Analytics Server to an IAM Domain for Single Sign-On Using the IAM App Gateway

March 22, 2024 | 4 minute read
Veera Raghavendra Rao Koka
Consulting Member of Technical Staff

A previous blog describes how to set up single sign-on (SSO) for Oracle Analytics Server (OAS) on Oracle Cloud Infrastructure (OCI) using IAM App Gateway.

Building on that foundation, this blog focuses on how to implement SSO for OAS deployed in an on-premises environment, leveraging the OCI IAM App Gateway. It will explore the requirements and provide insights to help ensure a smooth implementation process.

Architecture

Request Flow

This diagram shows the interaction between applications during initialization and when users attempt to access the application.

The initial steps (1-3) illustrate the communication between the OCI IAM App Gateway and the OCI IAM Domain on App Gateway initialization.

Steps 4-9 illustrate the communication flow between the browser, load balancer, App Gateway, and OAS when users request access to OAS resources.

Observations

As you explore the setup for App Gateway SSO, consider the following:

  1. App Gateway isn't configured with details such as the designated port and the backend server information.
  2. The port number for the App Gateway is stored within the registered app gateway in the OCI IAM Domain.
  3. The details of the origin server, which is the backend of the App Gateway, are stored within the enterprise application that's added to the registered App Gateway in the OCI IAM Domain.
  4. When the App Gateway services start, the environment variables file is used to connect to the OCI IAM Domain and obtain the details mentioned above.
  5. The App Gateway serves as the front end for the backend OAS (origin server).
  6. The load balancer serves as the front end for the App Gateway, which is the load balancer's backend.

Key Considerations

To understand the App Gateway SSO configuration, consider the following three points, which inform how you plan and implement each configuration:

  1. App Gateway’s capability to access the OCI IAM Domain is crucial for obtaining its port and origin server details.
  2. App Gateway must establish connectivity with the backend origin server (that is, OAS), including the necessary port and protocol.
  3. In the presence of a load balancer, it’s imperative that it can access its backend, which is the App Gateway.

Scenario 1: OAS, App Gateway, and Load Balancer Running On Premises

Consider the insights shared in the Key Considerations section. In this scenario, all components (OAS, load balancer, App Gateway) operate on premises and must establish connectivity with their respective backends. For example, the communication flow follows: Load Balancer → App Gateway → OAS

Given that App Gateway retrieves its port and origin server details from the OCI IAM Domain, it requires internet connectivity to connect to the OCI IAM Domain. If App Gateway resides on a virtual machine or within a Docker container, a NAT gateway becomes essential.

Scenario 2: OAS and App Gateway Running On Premises, Load Balancer Running on Oracle Cloud

Consider the insights shared in the Key Considerations section. In this scenario, App Gateway must establish connections with OAS, and the load balancer in Oracle Cloud must access App Gateway. Hence, App Gateway needs to be accessible from the internet or allow-listed in the firewall for the load balancer.

Similar to Scenario 1, since App Gateway retrieves its port and origin server details from the OCI IAM Domain, it must connect to the OCI IAM Domain over the internet. If App Gateway resides on a virtual machine or within a Docker container, a NAT gateway is imperative.

Scenario 3: OAS Running On Premises, App Gateway and Load Balancer Running on Oracle Cloud

In this scenario, all components except OAS reside on Oracle Cloud. The load balancer establishes connections with App Gateway, which accesses the OCI IAM Domain, facilitated by their co-location on Oracle Cloud.

As OAS operates on premises and the App Gateway on Oracle Cloud needs to reach it, OAS must be accessible from the internet or allow-listed in the on-premises firewall.

Summary

When configuring SSO for Oracle Analytics Server using OCI IAM Domain and OCI IAM App Gateway, whether you're operating on-premises or within Oracle Cloud, it's crucial that you consistently meet the three points outlined in the Key Considerations section.
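
The three Key Considerations can be checked before deployment. The following Python is an added example, not Oracle's code: for a given placement of the load balancer and App Gateway it lists the three connections, states what each needs where it crosses between on-premises and Oracle Cloud, and probes a TCP endpoint. The host names and ports are constructed placeholders, and `required_flows` and `tcp_reachable` are hypothetical helper names.

```python
import socket
from dataclasses import dataclass

ON_PREM, CLOUD = "on-premises", "Oracle Cloud"

@dataclass(frozen=True)
class Flow:
    src: str        # component that opens the connection
    dst: str        # component that accepts it
    src_site: str
    dst_site: str

    def requirement(self) -> str:
        if self.src_site == self.dst_site:
            return "same site: internal routing only"
        if self.dst == "IAM Domain":
            return "outbound internet path from App Gateway (NAT gateway if on a VM or container)"
        return (f"inbound to {self.dst}: allow-list {self.src} in the "
                f"{self.dst_site} firewall, or expose {self.dst} to the internet")

def required_flows(lb_site: str, gw_site: str, oas_site: str = ON_PREM) -> list[Flow]:
    """The three connections from Key Considerations, in the same order."""
    return [
        Flow("App Gateway", "IAM Domain", gw_site, CLOUD),  # IAM Domain always lives in OCI
        Flow("App Gateway", "OAS", gw_site, oas_site),
        Flow("Load Balancer", "App Gateway", lb_site, gw_site),
    ]

def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake completes. Only meaningful when run on the flow's source host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name did not resolve
        return False

if __name__ == "__main__":
    # Constructed placeholder endpoints (assumptions); replace with your own values.
    endpoints = {"IAM Domain": ("iam-domain.example.com", 443),
                 "OAS": ("oas.example.internal", 9502),
                 "App Gateway": ("appgw.example.internal", 4443)}
    for flow in required_flows(lb_site=CLOUD, gw_site=ON_PREM):  # Scenario 2
        host, port = endpoints[flow.dst]
        print(f"{flow.src} -> {flow.dst}: {flow.requirement()}")
        print(f"  {host}:{port} reachable from this host: {tcp_reachable(host, port)}")
```

A successful probe only shows that the path is open from the host where the script runs, so run it on the App Gateway host for the first two flows and on the load balancer side for the third.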

Veera Raghavendra Rao Koka

Consulting Member of Technical Staff

Oracle Analytics Service Excellence, CEAL Team

