Oracle Customer Engineering & Advocacy Lab (CEAL) Blog covers Oracle Analytics Cloud, Oracle Analytics Server and...

How to create OAC instances on OCI Native using multiple stripes or instances of IDCS

Veera Raghavendra Koka
Principal BI Cloud Security Specialist

Integrate Oracle Analytics Cloud with a Secondary Instance of Oracle Identity Cloud Service

Multiple Instances of Oracle Identity Cloud Service (IDCS)

Oracle Identity Cloud Service supports multiple instances (or identity domains). This is useful if you want to set up multiple Oracle Analytics Cloud environments, for example one environment for production and one for development, as you can associate each environment with a different IDCS instance.

Each environment might have different identity and security requirements and you can create separate IDCS instances to meet those criteria. See About Multiple Instances in Administering Oracle Identity Cloud Service.

For example, you can set up an Oracle Identity Cloud Service instance for several different environments:

  • Production: Primary IDCS instance
  • Test: Secondary IDCS instance
  • Development: Secondary IDCS instance

And then create an Oracle Analytics Cloud instance for each environment that is associated with the appropriate Oracle Identity Cloud Service instance. For example:

  • MyAnalytics: Associate your production environment with the primary IDCS instance - Production.
  • MyAnalyticsTest: Associate your test environment with the secondary IDCS instance - Test.
  • MyAnalyticsDevelopment: Associate your development environment with the secondary IDCS instance - Development.

The way you associate an Oracle Analytics Cloud instance with a secondary Oracle Identity Cloud Service instance is different when you deploy Oracle Analytics Cloud on Oracle Cloud Infrastructure Gen 2. This blog post describes what you need to do for Oracle Cloud Infrastructure Gen 2 deployments.

Note: If your subscription started before Oracle Analytics Cloud was available on Oracle Cloud Infrastructure Gen 2 in North America (14th February 2020) or EMEA (2nd March 2020), you select the IDCS instance you want to use from the Identity Domain dropdown list when you set up the service. See Create a Service with Oracle Analytics Cloud.

Federate the Secondary IDCS Instance with Your Oracle Cloud Infrastructure Tenancy

First, you must configure the secondary IDCS instance as an identity provider in your Oracle Cloud tenancy. After you set this up, a user can sign in to the Oracle Cloud Infrastructure Console using the secondary IDCS instance, and any Oracle Analytics Cloud instances that they create automatically use the secondary IDCS instance for security.

The way you set up the identity provider depends on whether your secondary IDCS instance includes a confidential application called COMPUTEBAREMETAL. If a COMPUTEBAREMETAL application doesn't exist in your tenancy, you must perform some additional steps to set up a confidential application that you can use.

Set Up a Trusted Application in Your Secondary IDCS Instance

  1. Sign in to the Oracle Identity Cloud Service Console for the secondary instance, with administrator privileges.
    For example, https://<secondary-idcs>/ui/v1/adminconsole.
  2. Expand the Navigation pane, and then click Applications.
  3. Determine whether the COMPUTEBAREMETAL application is available.
    • COMPUTEBAREMETAL application in the list
      1. Open the application, click the Configuration tab.
      2. Expand General Information and make a note of the Client ID.
      3. Click Show Secret to display and then copy the Client Secret.
      4. Go to the next section Create a Group Named OCI_Administrators.
    • No COMPUTEBAREMETAL application in the list
      Continue from Step 4 and set up a trusted application.
  4. To set up a trusted application, click Add.
  5. In the Add Application page, click Confidential Application.
  6. Enter a name such as Analytics_Token_App, and then click Next.
  7. In Add Confidential Application, click Configure this application as a client now.
  8. From the Allowed Grant Types list, click Resource Owner, Client Credentials, and JWT Assertion.
  9. In Grant the client access to Identity Cloud Service Admin APIs, click Add, and then select Identity Domain Administrator and Me. Click Add.
  10. Click Next, click Next again, and then click Finish.
  11. In Application Added dialog, record the Client ID and Client Secret, and click Close.
  12. Click Activate and then OK to confirm that you want to activate the application.

Create a Group Named OCI_Administrators

Create a group named OCI_Administrators with one or more users who can sign in to the Oracle Cloud Infrastructure Console and create Oracle Analytics Cloud instances.

  1. Expand the Navigation pane, click Groups, and then click Add.
  2. In Add Group, enter OCI_Administrators in Name. In Description, enter a brief description similar to the following: This group maps to the Administrators group in the Oracle Cloud Infrastructure account.
  3. Click Next, add one or more users configured in the secondary IDCS instance, and then click Finish.

Configure the Secondary IDCS Instance as an Identity Provider

  1. Sign in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. In the Oracle Cloud Infrastructure Console, click the navigation menu, expand Identity, and then click Federation.
  3. In the Federation page, click Add Identity Provider.
  4. In Add Identity Provider, enter a Name for your secondary Oracle Identity Cloud Service instance, for example, OracleIdentityCloudService_Test. In Description, enter a brief note about the identity provider, for example, Oracle IDCS provider for test environments.
  5. In the Type list, click Oracle Identity Cloud Service.
  6. For Base URL, enter the URL for the secondary IDCS instance, for example, https://idcs-<>.identity.oraclecloud.com.
  7. For Client ID and Client Secret, enter the Client ID and Client Secret values of the confidential application that you recorded earlier.
  8. Click Force Authentication.
  9. Click Continue.
  10. Map the Oracle Identity Cloud Service group you created earlier (OCI_Administrators) to the Administrators group in Oracle Cloud Infrastructure.
  11. Click Add Provider.
  12. Repeat Steps 3 to 11 to add each additional secondary IDCS instance as an identity provider for the Oracle Cloud Infrastructure Console.

Integrate Oracle Analytics Cloud with a Secondary Oracle IDCS Instance

  1. Sign in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. On the login page, select the name of the secondary Oracle Identity Cloud Service instance from the Identity Provider (SSO) dropdown, for example, OracleIdentityCloudService_Test.
  3. Create an Oracle Analytics Cloud instance.
  4. The Oracle Analytics Cloud instance you create is automatically integrated with the identity provider that was selected when you logged in to the Oracle Cloud Infrastructure Console.

Integrate Oracle Analytics Cloud instances with respective Oracle IDCS Instances

  1. Sign in to the Oracle Cloud Infrastructure Console with the SSO identity provider set to Oracle Identity Cloud Service (Primary) and create the Oracle Analytics Cloud Production instance.
  2. The Oracle Analytics Cloud Production instance you created is integrated with the primary Oracle Identity Cloud Service instance.
  3. Sign in to the Oracle Cloud Infrastructure Console with the SSO identity provider set to Oracle Identity Cloud Service (Development) and create the Oracle Analytics Cloud Development instance.
  4. The Oracle Analytics Cloud Development instance you created is integrated with the secondary Oracle Identity Cloud Service instance (Development).

Verify respective Oracle IDCS Instance Applications for Oracle Analytics Cloud instances

  1. Sign in to the Oracle Identity Cloud Service (IDCS) admin console and check the list of Applications.
  2. The Oracle Analytics Cloud Production instance is listed in the primary Oracle IDCS instance.
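The verification above is a manual check in each IDCS admin console. The following added example (not code from the post or from Oracle) turns it into a repeatable audit over exported application listings: it checks that each Oracle Analytics Cloud instance appears only in the IDCS instance intended for it, and that the trusted application from the earlier section is activated and carries exactly the three grant types the post asks for. The listings are constructed sample data, and the field names and IDCS grant identifiers are assumptions, not a documented API shape.

```python
# Grant types the post says to enable on the trusted application: Resource Owner,
# Client Credentials and JWT Assertion (the IDCS grant identifiers are an assumption).
REQUIRED_GRANTS = {"password", "client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer"}
TOKEN_APP_NAMES = {"COMPUTEBAREMETAL", "Analytics_Token_App"}
# Constructed sample application listings, one per IDCS instance (not real tenancy
# data); the field names loosely follow the IDCS Apps resource and are an assumption.
IDCS_APPS = {
    "primary": [
        {"displayName": "MyAnalytics", "active": True},
        {"displayName": "COMPUTEBAREMETAL", "active": True, "allowedGrants": sorted(REQUIRED_GRANTS)},
    ],
    "secondary-dev": [
        {"displayName": "MyAnalyticsDevelopment", "active": True},
        {"displayName": "MyAnalytics", "active": True},  # drift: the production OAC app is here too
        {"displayName": "Analytics_Token_App", "active": False,
         "allowedGrants": sorted(REQUIRED_GRANTS | {"implicit"})},
    ],
}
# Intended OAC-instance to IDCS-instance mapping from the post.
EXPECTED = {"MyAnalytics": "primary", "MyAnalyticsDevelopment": "secondary-dev"}

def audit_mapping(apps_by_idcs, expected):
    """Report OAC apps missing from their intended IDCS instance or present in another one."""
    found = {}
    for idcs, apps in apps_by_idcs.items():
        for app in apps:
            if app["displayName"] in expected:
                found.setdefault(app["displayName"], []).append(idcs)
    findings = []
    for name, want in expected.items():
        where = found.get(name, [])
        if want not in where:
            findings.append(f"{name}: not registered in {want}")
        findings += [f"{name}: unexpectedly registered in {x}" for x in where if x != want]
    return findings

def audit_token_apps(apps_by_idcs):
    """Check each trusted application is activated and has no grant types beyond the required ones."""
    findings = []
    for idcs, apps in apps_by_idcs.items():
        for app in apps:
            if app["displayName"] not in TOKEN_APP_NAMES:
                continue
            tag = f"{idcs}/{app['displayName']}"
            grants = set(app.get("allowedGrants", []))
            if not app.get("active", False):
                findings.append(f"{tag}: not activated")
            if grants - REQUIRED_GRANTS:
                findings.append(f"{tag}: extra grant types {sorted(grants - REQUIRED_GRANTS)}")
    return findings
```

Run both functions against listings exported from every IDCS instance after each new Oracle Analytics Cloud instance is created; an empty result from each means the environment-to-identity-domain separation the post sets up is still intact.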