OAS Single Sign-On Integration
Integrating Oracle Identity and Access Management (IAM) and Single Sign-On (SSO) with your Student Financial Aid (SFA) instances of Oracle Analytics Server (OAS) gives you seamless and secure access to reporting using a single set of credentials. This streamlines your user experience by reducing the need to remember multiple passwords and enhances security through centralized access control. With IAM, you benefit from simplified compliance management and more efficient user administration across environments.
URLs
- There will be no changes to your existing target URLs; you can continue using the same links to access Oracle Analytics Server as before.
- Accessing the URL will now redirect you to your configured SSO provider. This applies whether you are using IAM as your identity provider or an external provider integrated through IAM.
Users
- Each user must have accounts in both IAM and OAS to log in.
- User groups, permissions, and roles continue to be managed within OAS.
- Refer to the "Steps to Enable" section for more details.
Business Value
Enabling Single Sign-On (SSO) through Oracle Identity and Access Management streamlines user access, enhances security, and reduces administrative overhead, delivering a seamless and efficient experience.
Steps to Enable and Configure
Use the Opt In UI to enable this feature. For instructions, refer to the Optional Uptake of New Features section of this document.
Offering: Student Financial Aid
No Longer Optional From: Update 26C
Setup Required on OAS console
- If users are already configured in OAS using their email as their login, no additional steps are required in the console.
- If you have previously created common user accounts (shared by multiple individuals) or accounts that do not use the user’s email address as the username, you will need to update these configurations in the console. In both cases, each user should be updated to log in individually using their email address as the username to ensure proper access management with SSO.
- Navigate to: Security Realms > myrealm > Users and Groups
  - When adding a user, please ensure the following fields are set:
    - Name: User’s email address
    - Description: Optional
    - Provider: DefaultAuthenticator
    - Password: Any value (this will not be used, as authentication will occur through your configured Identity Provider)
- Pre-Migration steps
  - If your current usernames in OAS are not email addresses that match your usernames in IAM, you must have EACH user complete the following steps to ensure data is not lost when their new username and account are created:
    - Back up MyFolders
      - In the Analytics Server
        - Click on MyFolders and then click "Archive"
      - In the XmlpServer
        - Click on MyFolders and then click "Download"
Setup Required on IAM console
- To access OAS, a user must have an account in IAM with the same email address as their username in OAS. If the user does not exist in IAM, you will need to create the account.
- There are no specific IAM groups required; roles and permissions for OAS users continue to be managed within the EM and OAS console applications.
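A pre-cutover check for the account alignment described above, as an added example that is not Oracle's code. It assumes the OAS and IAM usernames have already been exported to plain lists (the sample lists below are constructed), and it treats a case-only difference as a mismatch to resolve, which is a cautious assumption rather than documented OAS behaviour.

```python
import re

# Simple shape check (local@domain.tld); not a full RFC 5322 validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample exports; real lists would come from your own user exports.
OAS_EXPORT = ["jane.doe@example.edu", "finaid_shared", "r.lee@example.edu",
              "M.Ortiz@example.edu", "oas_admin"]
IAM_EXPORT = ["jane.doe@example.edu", "m.ortiz@example.edu",
              "new.hire@example.edu"]

def reconcile(oas_users, iam_users):
    """Classify each OAS username against IAM before SSO is enabled."""
    iam_exact = set(iam_users)
    iam_folded = {u.casefold(): u for u in iam_users}
    report = {"ready": [], "rename_in_oas": [], "create_in_iam": [],
              "case_mismatch": [], "iam_only": []}
    for name in oas_users:
        if not EMAIL_RE.match(name):
            # Shared or non-email account: needs an individual email-named
            # OAS user, and MyFolders must be backed up before the change.
            report["rename_in_oas"].append(name)
        elif name in iam_exact:
            report["ready"].append(name)
        elif name.casefold() in iam_folded:
            # Assumption: treat case-only differences as unresolved.
            report["case_mismatch"].append((name, iam_folded[name.casefold()]))
        else:
            report["create_in_iam"].append(name)
    oas_folded = {u.casefold() for u in oas_users}
    # Informational only: IAM users with no OAS account cannot use OAS.
    report["iam_only"] = sorted(u for u in iam_users
                                if u.casefold() not in oas_folded)
    return report

def blocks_cutover(report):
    """True if any OAS account would lose access once local logins stop."""
    return any(report[k] for k in
               ("rename_in_oas", "create_in_iam", "case_mismatch"))

if __name__ == "__main__":
    result = reconcile(OAS_EXPORT, IAM_EXPORT)
    for category, names in result.items():
        print(f"{category}: {names}")
    print("resolve before logging the SR:", blocks_cutover(result))
```

Accounts listed under `rename_in_oas` are the ones whose owners need the MyFolders backup before their email-named account is created.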
To opt-in
After setup is completed, you will need to log a Service Request (SR) with Oracle Support.
- Submit an SR for a Test Environment by 26B.
  - To begin the SSO integration process, you need to log an SR requesting that SSO be enabled and configured on a designated test environment of Oracle Analytics Server.
- Test and Validate SSO Configuration
  - After SSO is enabled in the test environment, you should thoroughly test and validate your workflows and user access. Note: Once SSO is enabled, all local logins will be restricted and authentication will be managed solely through IAM.
- Submit an SR for your Production and remaining Test Environments by 26C.
  - Upon successful validation in the test environment, you must log an SR to request migration of the SSO configuration to your production and any remaining test environments.
Tips And Considerations
- User Provisioning: Ensure all users who require access are provisioned in both IAM and OAS with matching email addresses to avoid login issues.
- Testing First: Always validate the SSO integration in a test environment before rolling it out to production, to minimize disruption and identify potential configuration issues.
- Password Expiry and Policies: After enabling SSO, password complexity and expiration policies will be enforced by your IAM provider, not by OAS.
- User Training: Communicate upcoming changes and provide training materials to end users so they know to use their SSO credentials for access.
- Group and Role Management: Although authentication is managed through IAM, OAS user groups and role-based access controls must still be managed separately within OAS.
- Local Account Restrictions: Once SSO is enabled, direct (local) user authentication to OAS is disabled; ensure no critical access is left dependent on local accounts.
- Troubleshooting Access: If users experience access issues, first verify that user accounts exist and are aligned between IAM and OAS.
- Audit and Compliance: Centralizing identity management improves auditability and compliance with organizational and regulatory policies.
Key Resources
- Review Step 8 (Set up Single Sign-On for Oracle Analytics Server) within the How do I set up OCI Identity and Access Management for Student Financial Aid? Playbook
- Review Overview of Identity and Access Management documentation
- Review Oracle Analytics Server - Get Started documentation
- For more information on the associated Customer tickets, see these resources:
  - Idea 558645