This document discusses setting up single sign-on (SSO) for Oracle Analytics Cloud using Active Directory and Security Assertion Markup Language (SAML). It provides an overview of direct SSO versus linking accounts, common trouble spots when implementing SSO, and resources for setting up Active Directory Federation Services (ADFS) and Identity Bridge for SSO. The presenter provides a full presentation deck online along with blog posts and tutorials on setting up ADFS and Identity Bridge for SSO with Oracle Analytics Cloud.
8. Resources
• Full deck with videos –
https://www.slideshare.net/secret/qERdzGtv9SZTpj
• Blog about ADFS lab setup –
http://bec-wagner.com/2018-10-26-ADFS-and-OAC-lab/
• AD Bridge Tutorial –
https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_idbridge_obe/idbridge.html
• ADFS/SSO Tutorial –
https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_adfs_obe/adfs.html
• Direct Access Oracle Doc –
Oracle Support Doc ID 2438952.1
Security is highest priority
Waited to start the project until AD integration was in place
VPNaaS to Palo Alto NextGen Firewalls
Private IP Ranges
Access from within network only
OAC with IDCS (Identity Cloud)
Migrating from OBIEE 11g to OAC
AD integration required (8000+ users, 14000+ groups)
SSO was highly desirable
Precheck -
Must install on Server joined to AD Domain
User with rights to install software
User with the following AD rights
Read for all users and groups in the domain
Read for all OUs
Download From IDCS
Install On Domain-Joined Server
Configure Users and Groups
Import in IDCS
Verify
AD Bridge installs as a Windows service. Check that this service is running and set to start automatically
Find the AD Bridge Config Utility in C:\Program Files\IDBridge\IDBridgeUI.exe
Click on View Logs – it is very important to note the log locations
Each sync run has a limit; it continues at the configured frequency until the directory is fully synced
Errors will have details in the logs, such as a missing email or another attribute issue
You will have noticed the Sign On page with both options - Local login and ADFS login. You may want to remove the local login option.
Oracle Support Doc ID 2438952.1
OAC/OAAC: How To Disable IDCS Chooser Login Page and Get Redirected to Custom SSO Login Page Directly in Oracle Analytics Cloud (OAC)
Other issues – don’t restart the BI server stack on Linux as root
Log in as sAMAccountName
AD Bridge –
Sometimes logging stops while IDCS still shows the bridge as Active and the Windows service still shows as running
The log path is not in the documentation; use the AD Bridge application and View Logs.
While checking OUs, be sure to expand and check the lower levels (this is now the default)
Username - Email
ADFS –
IDCS uses SAML 2.0; for Windows 2016 we had to get a different ADFS XML file
Don’t use the exported IDCS metadata; ADFS needs a special format, which you can get from this URL:
https://DOMAIN.oraclecloud.com/fed/v1/metadata?adfsmode=true
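Before importing the IDCS metadata into ADFS as a relying-party trust, it is worth confirming it really is SAML 2.0 service-provider metadata with the endpoints ADFS needs (including a single-logout endpoint, which the sign-out problem below depends on). The checker here is an added example, not code from the presentation or from Oracle; the embedded metadata is a constructed sample in the shape of SP metadata, with DOMAIN and the certificate as placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample in the shape of SP metadata; DOMAIN and the certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://DOMAIN.oraclecloud.com/fed">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://DOMAIN.oraclecloud.com/fed/v1/sp/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        index="0" Location="https://DOMAIN.oraclecloud.com/fed/v1/sp/sso"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text):
    """Return a list of problems found in SAML SP metadata (empty list means it looks importable)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("missing entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no SPSSODescriptor (not SP metadata)"]
    if SAML2 not in (sp.get("protocolSupportEnumeration") or ""):
        problems.append("SPSSODescriptor does not list SAML 2.0")
    # ADFS needs the SP signing certificate to verify signed AuthnRequests
    certs = sp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                       "ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        problems.append("no signing X509Certificate")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        problems.append("no AssertionConsumerService endpoint")
    for ep in acs:
        if not (ep.get("Location") or "").startswith("https://"):
            problems.append("AssertionConsumerService not https: %s" % ep.get("Location"))
    # Without an SLO endpoint, ADFS sign-out never reaches the IDCS/OAC session
    if sp.find("md:SingleLogoutService", NS) is None:
        problems.append("no SingleLogoutService (sign-out will not propagate)")
    return problems
```

Run it on the file fetched from the adfsmode=true URL above and fix anything it reports before creating the relying-party trust.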
Direct SSO –
Security wants users to be authenticated by AD only
EM, the RPD Admin Tool and the WebLogic Console still use direct login – AD users can’t be used there
Configure IDP Policy
Sign Out redirects to OAC DV, but the user is still signed in. You can configure ADFS global sign-out followed by the IDCS sign-out URL