1. Getting Started with the Digital Assistant for Oracle Cloud Enterprise Performance Management
  2. Configuring EPM Digital Assistant for New Users
  3. Setting Up Authentication
  4. Configuring Authentication Parameters for an OAuth 2 OCI (Gen 2) Environment

Configuring Authentication Parameters for an OAuth 2 OCI (Gen 2) Environment

OAuth 2 is considered a secured mechanism for authentication between services, and is only available in an OCI Gen 2 environment.

Configure OAuth 2

There is a three step process to configure OAuth for authentication:
  1. Create an Oracle Identity Cloud Service (IDCS) Confidential App
  2. Configure the Oracle Digital Assistant (ODA) Instance to Point to the IDCS Instance
  3. Configure the Account Reconciliation or Financial Consolidation and Close Skill to Point to the OAuth Application

Create an Oracle Identity Cloud Service (IDCS) Confidential App

To create an IDCS Confidential App:

  1. Log into the IDCS administration console. The URL and login credentials are in the welcome email.
  2. Under Applications, click Add (+) and then select Confidential Application to add a new Confidential application.
    1. Provide a name for the application. For example, ODA Confidential App, and then click Next.
    2. Select Configure this application as a client now.
    3. Select Authorization Code and Refresh Token as Allowed Grant Types.
    4. Provide a value for the Redirect URL. This is the URL where users will be redirected to ODA after authentication/authorization in Oracle Identity Cloud Service. Refer to ODA documentation for coming up with your own Redirect URL.
    5. Turn on Bypass Consent.
    6. Under Token Issuance Policy, select the option All for Authorized Resources.
    7. Click Add Scopes under Resources.
      1. Click on the EPM application that you want to create the digital assistant for. For example Planning_arcs or Planning_arcs-test resource using the > button.
      2. Select the scope usually in the format of urn:opc:serviceInstanceID=XXXXXXXXXurn:opec:resource:consumer all checkbox to select all scopes. Note this down, as this would be required to be entered in ODA UI in a later step.
      3. Click Add.
      4. Click Next.
  3. Select the Configure this application as a resource server now option.
  4. Select the Is Refresh Token Allowed check box.
  5. Specify the Rest API Endpoint URL of the target EPM instance as the value of the Primary Audience.
    1. Consolidation and Close: https://server/HyperionPlanning/rest
    2. Account Reconciliation: https://server/armARCS/rest
    3. Click Finish.
  6. Make note of the Client ID and Client Secret, and click Close.
  7. Click Activate and then click OK in the confirm dialog to activate the application.
  8. Under Oracle Cloud Services, select the EPM application for which you want to create the digital assistant. Perform the following steps:
    • Click the Configuration tab and then expand the Resources section.
    • Select Is Refresh Token Allowed.

In addition to these steps, see the Add a Confidential Application instructions in the Administering Oracle Identity Cloud Service guide.

Configure the Oracle Digital Assistant (ODA) Instance to Point to the IDCS Instance

In this section, your ODA administrator adds the newly created IDCS confidential app to the list of Authentication Services on your ODA instance. Later on you will point your EPM skill to this Authentication Service, and that way any login to your digital assistant skill will be directed to the right authentication service. For more details, see the ODA Documentation.

To configure the ODA instance to point to the IDCS instance:

  1. Open your ODA instance.
  2. Under Settings, select Authentication Service to create a new authentication service.
  3. In Grant Type, select Authorization Code.
  4. In Identity Provider, select Oracle Identity Cloud Service.
  5. Enter a Name.
  6. In Token End Point URL, enter https://<idcs-service-Instance>/oauth2/v1/token.
  7. In Authorization End Point URL, enter https://<idcs-service-instance>/oauth2/v1/authorize.
  8. In Revoke Token End Point URL, enter https://<idcs-service-instance>/oauth2/v1/revoke
  9. In Client ID and Client Secret, enter the Client ID and Client Secret that were generated in the previous step from the IDCS Confidential App.
  10. In Scopes, enter the scope that was noted in previous step. It would be something like urn:opc:serviceInstanceID=XXXXXXXXX urn:opc:resource:consumer::all.
  11. Add offline_access with a space separating the two strings.
  12. In Subject Claim, enter sub.
  13. In Refresh Token Retention Period, we recommend using 7 days. but it can be any number of days.

Configure the Account Reconciliation, Financial Consolidation and Close, Tax Reporting, Planning, or Planning Modules Skill to Point to the Authentication Service

This section addresses how to use ODA to configure an EPM Skill to point to the Authentication Service.

  1. In ODA, open the EPM skill that you pulled from the skill store.
  2. Navigate to Settings.
  3. Navigate to the Configuration tab.
  4. Under Custom Parameters, change the following parameters:
    1. Use OAuth for Authentication: change this setting to True.
    2. Authentication Service: enter the name of the Authentication Service created in the previous section. Then click Authentication Service to edit it. Enter the new authentication service that you created in the previous section.
    3. Service Name Prefix: Enter a short name to be used as prefix for saving internal variables. We suggest you use ARC for Account Reconciliation, FCC for Financial Consolidation and Close. If you have multiple environments using the same Digital Assistant. then add a numeric suffix such as ARC1.
    4. Update the ARCS Service URL (da.devArcsBaseUrl), FCCS Service URL (da.devFccsBaseUrl), TRCS Service URL (da.devTrcsBaseUrl), Planning Modules Service URL (da.devEPbcsBaseUrl), or Planning Service URL (da.devPbcsBaseUrl) to reflect your environment.

      The format for da.devArcsBaseUrl is: https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com

      The format for da.devFccsBaseUrl is: https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com/HyperionPlanning/rest

      The format for da.devTrcsBaseUrl is: https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com/HyperionPlanning/rest

      The format for da.devEpbcsBaseUrl is: https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com/HyperionPlanning/rest

      The format for da.devPbcsBaseUrl is: https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com/HyperionPlanning/rest