
AD SSO with Oracle Analytics Cloud - Oracle Open World 18

Active Directory and Single Sign-On with Oracle Analytics Cloud (OAC)



  1. Becky Wagner, Sr BI Architect (E: bwagner@us-analytics.com, T: @Bec_Wagner). Active Directory and Single Sign-On with Oracle Analytics Cloud (OAC). October 24th, 2018, Oracle Open World, Marquis Nob Hill C/D. https://www.us-analytics.com/oac-active-directory-single-sign-on
  2. AGENDA
     1. OAC Options – Customer Case
     2. AD Bridge
     3. SAML 2.0 ADFS
     4. Direct SSO vs Link
     5. Trouble Spots
  3. BECKY WAGNER – WHO AM I?
     § Wife; Mother of 3 (ages 16, 13, and 9)
     § 2nd degree black belt in Tae Kwon Do
     § Red Cross Blood Drive Coordinator
     § ODTUG BI Community Leader
     § Oracle ACE Associate
     § Sr BI Architect at US-Analytics
     § 14 years in IT
     § Email: bwagner@us-analytics.com
     § Twitter: @Bec_Wagner
     § LinkedIn: https://www.linkedin.com/in/rebecca-wagner-bb356924/
     § IRC Channel (Telegram): #obihackers
  4. Oracle ACE Program – 500+ Technical Experts Helping Peers Globally. Membership Tiers: Oracle ACE Director; Oracle ACE; Oracle ACE Associate. bit.ly/OracleACEProgram. Nominate yourself or someone you know: acenomination.oracle.com. Connect: @oracleace, Facebook.com/oracleaces, oracle-ace_ww@oracle.com
  5. Who is US-Analytics? 80+ EPM and BI professionals with 12+ years of experience. By the numbers: 19+ years in business with continued growth; >600 clients; 1,500+ engagements with
  6. Sampling of EPM Clients (Project and Support): Technology, Energy, Financial, Retail, Healthcare. Approx. 100 Projects Annually
  7. AGENDA – section 1: OAC Options – Customer Case
  8. US-Analytics: Customer Case – Enterprise-worthy OAC. Large Financial Management Customer:
     • Security is highest priority
     • Waited to start project until AD integration
     • VPNaaS to Palo Alto NextGen Firewalls
     • Private IP ranges
     • Access from within network only
     • OAC with IDCS (Identity Cloud)
     • Migrating from OBIEE 11g to OAC
     • AD integration required (8000+ users, 14000+ groups)
     • SSO was highly desirable
  9. AGENDA – section 2: AD Bridge
  10. AD Bridge – Besides following the tutorial, what you need:
     • Must install on a server joined to the AD domain
     • User with rights to install software
     • User with the following AD rights:
       • Read for all users and groups in the domain
       • Read for all OUs
     • If you are using an AD user specifically set up for this AD Bridge, the specific permissions can be found here: https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/creating-bridge.html
     • Tutorial for AD Bridge: https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_idbridge_obe/idbridge.html
  11. AD Bridge – Roadmap
     1. Download from IDCS
     2. Install on domain-joined server
     3. Configure users and groups
     4. Import in IDCS
     5. Verify
     Note: OAC comes with IDCS Foundation. AD Bridge is in IDCS Basic.
  12. AD Bridge – Detailed Steps Part 1
     • Browser – IDCS, navigate to Directory Integration and click Add
     • Copy the URL, Client ID and Client Secret
     • Click Download
     • Click Run and Next, Next, Next
     • Enter the URL, ID and Secret and Test
     • If successful, click Next
     • Enter AD Domain User and Password and Test
     • If successful, click Next
     Video walk-through timestamps: 1:07, 1:15, 1:52, 1:55, 2:12, 2:21, 2:27, 2:31
  13. AD Bridge – Detailed Steps Part 2
     • Browser – IDCS Directory Integration partially configured
     • Expand OUs and check the appropriate OU for users
     • Repeat for groups
     • Click Attribute Mappings, delete all that are not needed, don’t change the rest
     • Save, Refresh, Import
     • Verify by clicking on the Users tab in the left menu
     Video walk-through timestamps: 3:07, 3:17, 3:25, 3:32, 4:17, 5:01
  14. AD Bridge, Video Walk-Through: https://youtu.be/QbQV-riohVI
  15. AD Bridge – The More You Know
     • Becomes a service. Note that this service is running and starts automatically
     • Find the AD Bridge Config Utility in C:\Program Files\IDBridge\IDBridgeUI.exe
     • Click on View Logs – highly important to note the log locations
     • Sync has a limit; it will continue at the configured frequency until fully synced
     • Errors will have details in the logs, like a missing email or some other attribute issue
  16. AGENDA – section 3: SAML 2.0 ADFS
  17. ADFS & Single Sign-On – SAML 101. Image from https://developers.onelogin.com/assets/img/pages/saml/sso-diagram.svg
  18. ADFS & Single Sign-On – Detailed Steps Part 1
     1. Download the ADFS metadata file
        • https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml
        • XML files have tags; if the browser doesn’t show them, right click and view source, then save
     2. IDCS Identity Provider setup
        • Add SAML IDP
        • Name, Next, upload FederationMetadata.xml, Requested NameID – Email Addr, Next, Finish
        • Don’t click Export – use the following URL to download the IDCS metadata XML: https://MYTENANT.identity.oraclecloud.com/fed/v1/metadata?adfsmode=true
     Tutorial: https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_adfs_obe/adfs.html
     Video walk-through timestamps: 0:23, 1:40
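Both metadata files exchanged in these steps (the ADFS FederationMetadata.xml uploaded to IDCS, and the IDCS metadata handed to AD FS) are trusted as-is by the receiving side, so it pays to inspect them before upload: confirm the entityID belongs to the expected host or tenant, that an HTTP-POST SingleSignOnService endpoint is present, and that the signing certificate is the current, unexpired token-signing key. The script below is an added example, not code from the slides or from Oracle; it assumes the metadata was saved locally at the path passed in `$Path`, and the `Get-SamlMetadataSummary` function name is the author’s choice.

```powershell
# Added example (not from the slides): summarise a SAML 2.0 metadata file
# before uploading it to IDCS or AD FS. Works for an IdP file (ADFS, has
# IDPSSODescriptor) and an SP file (IDCS, has SPSSODescriptor).
param(
    [string]$Path = "$PSScriptRoot\FederationMetadata.xml"   # assumed local copy
)

function Get-SamlMetadataSummary {
    param([Parameter(Mandatory)][string]$MetadataPath)

    [xml]$md = Get-Content -Path $MetadataPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity = $md.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw "Not a SAML 2.0 EntityDescriptor: $MetadataPath" }

    # Which role the file describes decides which descriptor holds the endpoints and keys.
    $role = if ($md.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)) {
        'IDPSSODescriptor'
    } else {
        'SPSSODescriptor'
    }

    # Collect the SSO, ACS and SLO endpoints with their bindings.
    $epXPath = "/md:EntityDescriptor/md:$role/*[local-name()='SingleSignOnService' " +
               "or local-name()='AssertionConsumerService' or local-name()='SingleLogoutService']"
    $endpoints = foreach ($ep in $md.SelectNodes($epXPath, $ns)) {
        [pscustomobject]@{
            Service  = $ep.LocalName
            Binding  = $ep.GetAttribute('Binding')
            Location = $ep.GetAttribute('Location')
        }
    }

    # Signing certificate: KeyDescriptor with use="signing", or with no use attribute
    # (which the spec allows for both signing and encryption).
    $certXPath = "/md:EntityDescriptor/md:$role/md:KeyDescriptor[@use='signing' or not(@use)]" +
                 "/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    $certNode = $md.SelectSingleNode($certXPath, $ns)
    $cert = $null
    if ($certNode) {
        $raw  = [Convert]::FromBase64String(($certNode.InnerText -replace '\s', ''))
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    }

    [pscustomobject]@{
        EntityID              = $entity.GetAttribute('entityID')
        Role                  = $role
        Endpoints             = $endpoints
        SigningCertSubject    = $cert.Subject
        SigningCertThumbprint = $cert.Thumbprint
        SigningCertNotAfter   = $cert.NotAfter
        SigningCertExpired    = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
    }
}

$summary = Get-SamlMetadataSummary -MetadataPath $Path
$summary | Format-List EntityID, Role, SigningCertSubject, SigningCertThumbprint, SigningCertNotAfter, SigningCertExpired
$summary.Endpoints | Format-Table -AutoSize

# Checks worth doing before the upload.
if ($summary.SigningCertExpired) {
    Write-Warning 'Signing certificate has expired; AD FS may have rolled its token-signing certificate. Re-download the metadata.'
}
$postSso = $summary.Endpoints | Where-Object { $_.Service -eq 'SingleSignOnService' -and $_.Binding -like '*HTTP-POST' }
if ($summary.Role -eq 'IDPSSODescriptor' -and -not $postSso) {
    Write-Warning 'No HTTP-POST SingleSignOnService endpoint found in the IdP metadata.'
}
```

Run it once against the ADFS file and once against the IDCS file: the ADFS file should report `IDPSSODescriptor` with an entityID under your AD FS host, and the IDCS file should report `SPSSODescriptor` with an entityID under your tenant. A file that parses but shows no signing certificate is the usual sign of having saved the rendered browser page instead of the raw XML (the "view source, then save" tip on the slide).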
  19. ADFS & Single Sign-On – Detailed Steps Part 2
     3. In the AD FS management console add a Relying Party Trust
        • Import Metadata.xml, Next, Name, Next, Next, Next, Next, Finish
        • Add Claim Rules:
          1. Send LDAP Attributes as Claims: Name – Email, Attribute Store – Active Directory, LDAP Attribute – Email Addresses, Outgoing Claim Type – Email Address
          2. Transform an Incoming Claim: Name – Name ID, Incoming – Email Address, Outgoing claim – Name ID, Outgoing format – Email
     4. IDCS configuration
        • Drop down – select Activate; drop down again – select Show on Login Page
        • IDP Policies – click Default and then Assign the new ADFS
     Tutorial: https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_adfs_obe/adfs.html
     Video walk-through timestamps: 2:43, 4:20
  20. ADFS & Single Sign-On, Video Walk-Through: https://youtu.be/FcULyV0mgFs
  21. AGENDA – section 4: Direct SSO vs Link
  22. Removing Local Logins. Oracle Support Doc ID 2438952.1: OAC/OAAC: How To Disable IDCS Chooser Login Page and Get Redirected to Custom SSO Login Page Directly in Oracle Analytics Cloud (OAC). Once everything has been confirmed working for the SSO link on the login page:
     • IDP Policies
       • Remove ADFS from ‘Default Identity Provider Policy’
       • Create new IDP Policy
       • Assign ADFS to Policy
       • Assign OAC Application(s)
     • Configure Application for Redirect URL
       • Can be any URL (www.oracle.com), and doesn’t actually affect behavior
     Video walk-through timestamps: 0:12, 0:26, 1:05
  23. Removing Local Logins, Video Walk-Through: https://youtu.be/Hg5EKV2nmnM
  24. AGENDA – section 5: Trouble Spots
  25. Trouble Spots and Lessons Learned – things to be on the lookout for
     AD Bridge:
     • Sometimes logs stop while IDCS still shows Active and the Windows service shows running
     • Logs path not in documentation; use the AD Bridge application and View Logs
     • While checking OUs, be sure to expand and check lower levels (default now)
     • Username – Email
     ADFS:
     • IDCS uses SAML 2.0; for Windows 2016 we had to get a different ADFS XML file
     • Don’t download the Export IDCS metadata. ADFS needs a special format. Get it from the URL: https://DOMAIN.oraclecloud.com/fed/v1/metadata?adfsmode=true
     Direct SSO:
     • Security wants users to be authenticated by AD only
     • EM, RPD Admin Tool, WebLogic Console still use direct login – can’t use AD users
     • Configure IDP Policy
     • Sign Out redirects to OAC DV, still signed in. Can configure ADFS global sign-out then the IDCS sign-out URL
  26. 11g Migration: User Folder name change; Account Rename
  27. RECAP
     OAC Options:
     § Security sensitive
     § IDCS Private IP
     § Allows for AD and SSO integration
     AD Bridge:
     § Local AD domain-joined server
     § Find your logs
     SAML 2.0 ADFS:
     § Find your ADFS buddy
     § Sign Out – redirects to DV
     § Claim Rules only worked with Email
     Direct SSO or Link:
     § Remove IDCS Chooser Page
     § Still need local login for EM, WebLogic Console and RPD Admin Tool
     Getting Fancy: HA AD Bridge – Docker style: https://www.oracle.com/technetwork/articles/idm/gutierrez-idcs-idbridge-3960710.html
  28. Questions? Becky Wagner, Sr BI Architect (E: bwagner@us-analytics.com, T: @Bec_Wagner). October 24th, 2018, Oracle Open World, Marquis Nob Hill C/D. https://www.us-analytics.com/oac-active-directory-single-sign-on
