Configure SSO with Oracle Identity Cloud Service and App Gateway
This topic describes the process that you need to follow to configure SSO with Oracle Identity Cloud Service and App Gateway.
Configure the Oracle Identity Cloud Integrator Provider In WebLogic Server
The Oracle Identity Cloud Integrator provider combines authentication and identity assertion into a single provider. The provider establishes identity (the Subject) on WebLogic Server with the authenticated user and the user's groups when the identity store is the Oracle Identity Cloud Service.
You must configure Oracle Identity Cloud Service as Oracle Analytics Server's authentication provider either before or at the same time you configure Oracle Analytics Server to use Oracle Identity Cloud Service as the SSO provider.
If you've already configured Oracle Identity Cloud Service as Oracle Analytics Server's authentication provider, then go to the Oracle Analytics Server WebLogic Server Administration Console and configure the provider to accept the Oracle Identity Cloud Service user assertion tokens. These are the tokens that provide SSO for a user. To update the configuration, go to the Active Types field and move idcs_user_assertion and ldcs_user_assertion from the Chosen box to the Available box.
Install and Configure App Gateway
App Gateway acts as a reverse proxy protecting web applications by restricting unauthorized network access to them. App Gateway intercepts any HTTP request to these applications and ensures that the users are authenticated with Oracle Identity Cloud Service before forwarding the request to these applications. App Gateway propagates the authenticated user's identity to the applications using a token.
Use App Gateway to:
- Integrate enterprise applications hosted either on-premises or in a cloud infrastructure with Oracle Identity Cloud Service for authentication purposes.
- Expose intranet web applications to internet access.
- Integrate with applications that lack a native authentication mechanism and don't support SAML federation, OAuth, or OpenID Connect integration methods.
- Integrate with applications that support the HTTP header-based authentication.
For information about how to install App Gateway, see Set Up an App Gateway.
Create and Configure an Oracle Identity Cloud Service Enterprise Application
When you add App Gateway to the SSO configuration, then you need to go to Oracle Identity Cloud Service and add an enterprise application that interacts with App Gateway.
For information about how to create and configure the enterprise application, see Add an Enterprise Application.
Protect Oracle Analytics Server URLs or Make Them Public
In the Oracle Identity Cloud Service enterprise application, you must add the following Oracle Analytics Server URLs (resources), specify if they are public (public resources) or protected (resources protected by form or token), and select the Allow CORS and Require Secure Cookies authentication policies to apply them to the URLs. App Gateway enforces these policies in the enterprise application.
Resource | Public | Protected |
---|---|---|
/analytics/?.* |
- | Yes |
/analytics/saw.dll/wsdl?.* |
Yes | - |
/analytics-bi-adf/?.* |
Yes | - |
/analytics-ws?.* |
Yes | - |
/api/?.* |
Yes | - |
/aps/?.* |
Yes | - |
/aps/JAPI/?.* |
Yes | - |
/aps/SmartView/?.* |
- | Yes |
/bicontent/?.* |
- | Yes |
/bi-lcm/?.* |
Yes | - |
/biinfer/?.* |
- | Yes |
/bi-sac-config-mgr/?.* |
- | Yes |
/bisearch/?.* |
- | Yes |
/bi-security-login/?.* |
Yes | - |
/biserviceadministration/?. |
- | Yes |
/biservices/?.* |
Yes | - |
/cds/?.* |
- | Yes |
/dv/?.* |
- | Yes |
/mapviewer/?.* |
- | Yes |
/mapviewer/dataserver/?.* |
Yes | - |
/mapviewer/foi/?.* |
Yes | - |
/mapviewer/mcserver/?.* |
Yes | - |
/mapviewer/wms/?.* |
Yes | - |
/mapviewer/wmts/?.* |
Yes | - |
/mobile/?.* |
- | Yes |
/security/?.* |
- | Yes |
/xmlpserver/?.* |
- | Yes |
/xmlpserver/Guest?.* |
Yes | - |
/xmlpserver/report_service/?.* |
Yes | - |
/xmlpserver/ReportTemplateService.xls?.* |
Yes | - |
/xmlpserver/services/?.* |
Yes | - |
/bimajel/?.* |
- | Yes |
/analytics/res/?.* |
Yes | - |
/dv/public/?.* |
Yes | - |
/dv/ui/api/?.* |
Yes | - |
/dv/static/?.* |
Yes | - |
/logout |
- | Yes |