Header-based SSO with Identity Management Products

Prerequisites

  • A fully configured Oracle Enterprise Performance Management System. The directory server of the identity management product must be configured in EPM System as a user directory to authorize users.
  • A fully configured identity management product (Microsoft Azure AD, Okta, and so on) that supports header-based authentication.

The following generic processes are involved in configuring EPM System for header-based SSO with a compatible identity management product. Because the specific steps involved depend on the product that you are using, consult your identity management product manuals for detailed steps.

For detailed steps on configuring header-based authentication with Oracle Identity Cloud Services, see Configuring EPM System for Header-based SSO with Oracle Identity Cloud Services.

  1. Register EPM System as an enterprise application in the identity management product. This step allows the identity management administrator to configure authentication on the enterprise application including supported features like multi-factor authentication.

    Use the Fully-Qualified Domain Name (FQDN) of the gateway appended with workspace/index.jsp (for example, https://gateway.server.example.com:443/workspace/index.jsp) as the enterprise application URL for EPM System.

    Configure the EPM System enterprise application to propagate an HTTP header.

    You can choose any unreserved header name as the name of the HTTP header. The value of the header should be the property that uniquely identifies EPM System users.

  2. Install, configure and register an application gateway to ensure that the enterprise application forwards only authenticated requests to EPM System.

    Use the following configuration settings:

    • FQDN of the gateway server (for example, gateway.server.example.com:443) as the access point.
    • FQDN of EPM System (for example, epm.server.example.com:443) as the resource to which authenticated HTTP(S) requests should be forwarded.
  3. Enable SSO in EPM System to honor HTTP(S) headers propagated by the application gateway. For detailed information, see Setting Security Options.

    To enable SSO:

    1. Access Oracle Hyperion Shared Services Console as a System Administrator. See Launching Shared Services Console.
    2. Select Administration, and then Configure User Directories.
    3. Click Security Options.
    4. In the Single Sign-On Configuration section:
      1. Select the Enable SSO check box.
      2. From the SSO Provider or Security Agent drop-down list, select Other.
      3. From the SSO Mechanism drop-down list, select Custom HTTP Header and then specify the name of the header that the security agent passes to EPM System.
    5. Click OK.
  4. Update the Oracle Hyperion Enterprise Performance Management Workspace Post Logoff URL setting to the URL of the web page that you want users to see when they log out of EPM System.

    To update the Post Logoff URL setting in EPM Workspace:

    1. Access EPM Workspace as a System Administrator. See Accessing EPM Workspace.
    2. Select Navigate, then Workspace Settings, and then Server Settings.
    3. In Workspace Server Settings, change POST Logoff URL to the URL of the web page that you want users to see when they log out of EPM System.
    4. Click OK.
  5. Restart Oracle Hyperion Foundation Services and all EPM System managed servers.
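
With Custom HTTP Header enabled in step 3, EPM System honors whatever value arrives in that header, so the gateway from step 2 must be the only component that sets it. The following is an added example, not code from Oracle or from any gateway product, that models the rule: forward nothing unauthenticated, drop any client-supplied copy of the header, and set it only from the authenticated identity. The header name `X-EPM-USER` and the function names are assumptions.

```python
# Added illustration: header handling an application gateway performs
# before forwarding a request to EPM System. All names are assumptions.

SSO_HEADER = "X-EPM-USER"  # assumption: the header name chosen in step 1


def _canon(name):
    # Header names are case-insensitive, and some backends map '-' and '_'
    # to the same name, so compare on a normalized form.
    return name.strip().lower().replace("_", "-")


def build_upstream_headers(client_headers, authenticated_user):
    """Return the (name, value) pairs to forward to EPM System.

    client_headers: pairs exactly as received from the browser.
    authenticated_user: identity established by the identity management
    product, or None when the request is not authenticated.
    """
    if not authenticated_user:
        raise PermissionError("unauthenticated request: do not forward")
    if "\r" in authenticated_user or "\n" in authenticated_user:
        raise ValueError("identity value contains a line break")
    target = _canon(SSO_HEADER)
    # Drop every client-supplied copy, then set the one trusted value.
    forwarded = [(n, v) for n, v in client_headers if _canon(n) != target]
    forwarded.append((SSO_HEADER, authenticated_user))
    return forwarded


def sso_values(headers):
    """Every value EPM System would see for the SSO header."""
    target = _canon(SSO_HEADER)
    return [v for n, v in headers if _canon(n) == target]


if __name__ == "__main__":
    # Constructed request: the client sent its own copies of the header.
    request = [
        ("Host", "gateway.server.example.com"),
        ("x-epm-user", "someone.else"),
        ("X_EPM_USER", "someone.else"),
    ]
    print(sso_values(build_upstream_headers(request, "jdoe")))
```

The same reasoning applies at the network layer: EPM System (epm.server.example.com in the example above) should accept connections only from the gateway, so that no request can reach it without passing through this handling.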