Configuring Azure AD Base Version as an Identity Provider with Oracle Planning and Budgeting Cloud Service

Version 6

    In this concise, illustrated, how-to guide, Oracle ACE Director Celvin Kattookaran walks you step-by-step through the process of setting up Single Sign-On between Oracle Planning and Budgeting Cloud and Azure Active Directory Base version.


    By Celvin Kattookaran

    Introduction

     

    Starting with the November 2015 Oracle Planning and Budgeting Cloud Service (PBCS) release, you can configure Single Sign-On (SSO) to authenticate service users using:

     

    • Microsoft Active Directory Federation Services (ADFS) 2.0, ADFS 2.1, ADFS 3.0
    • Shibboleth Identity Provider 2.4.0
    • Oracle Identity Federation Server 11g.

     

    In this article we will review the process of setting up Single Sign-On between Oracle Planning and Budgeting Cloud and Azure Active Directory Base version.

     

    SAML 2.0 and how it works

     

    Security Assertion Markup Language 2.0 (SAML) is an XML-based data format for exchanging authentication and authorization data between security domains, enabling cross-domain web-based authentication and authorization.

     

    In a Single Sign-On setup, one security domain acts as the Service Provider (SP), the consumer of assertions, and the other acts as the Identity Provider (IdP), the authority that issues them, as illustrated in the image below.

    image001.png

     

    1. The user tries to log in to PBCS.
    2. OPC (Oracle Public Cloud) generates a SAML request.
    3. OPC redirects the browser to the SSO URL; the browser opens the SSO page and the user logs in with his AD username and password.
    4. Azure authenticates the user in response to the SAML request.
    5. Azure generates a SAML response.
    6. Azure returns the SAML response to the browser; the browser then sends the SAML response to OPC.
    7. OPC verifies the SAML response (including its signature, using the IdP signing certificate from the federation metadata).
    8. The user is now logged in to PBCS.

     

    Configuring Azure AD Base Version with Oracle Public Cloud involves a 5-step process:

     

    1. Configure Azure AD as IdP for Federation
    2. Configure Oracle Public Cloud as SP for Federation
    3. Update Azure after OPC Configuration
    4. Test SSO
    5. Enable SSO

    Configure Azure AD as IdP for Federation

     

    1. Log in to the Azure portal. Navigate to Browse, then Active Directory, then Applications.

      image002.png

    2. Click the Add button to add a new application.

      image003.jpg

    3. Choose Add an application my organization is developing. (Oh, I get it, it's Oracle's application.)

      image004.png

    4. Provide a name and choose Web Application AND/OR Web API.

      image005.png

    5. The Sign-on URL will be your PBCS URL (excluding the Workspace/HyperionPlanning part).

      https://pbcs-domain.pbcs.us2.oraclecloud.com

    6. Add a URL for APP ID URI (we'll revisit this in a moment). I just copied the same Sign-On URL:

      image006.png

    7. Once the application is created, you can get the Provider Metadata by opening View EndPoints. You can also change the logo of the Azure Application by uploading a 215px x 215px image.

      image007.jpg

      image008.png

    8. Copy the link from "FEDERATION METADATA DOCUMENT" (it's a link to the federation metadata XML file). Paste that into a web browser.

      image009.png

    9. Save the file as an XML file.
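    Before uploading the saved federation metadata to OPC, it is worth confirming that it really is identity-provider metadata and contains what OPC will rely on: the entityID, an HTTP-POST sign-in endpoint (OPC is configured for the HTTP POST protocol in the next section), and the signing certificate OPC uses to verify SAML responses (step 7 of the flow above). The following Python script is an added example, not part of the original article or of any Oracle or Microsoft tool; the sample metadata, tenant id, URLs and certificate bytes embedded in it are constructed placeholders, and the file name in the usage line is an assumption.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML Signature namespaces
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the federation metadata XML saved in step 9.
# The tenant id, endpoint URLs and certificate bytes are placeholders, not real values.
_FAKE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
_FAKE_CERT_B64 = base64.b64encode(_FAKE_CERT_DER).decode()
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{_FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed example of the wrong file: service-provider metadata carries an
# SPSSODescriptor and no IdP sign-in endpoint, so OPC could never redirect to it.
SAMPLE_SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sp.example.invalid/saml">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>
"""


def inspect_idp_metadata(xml_text):
    """Return the IdP facts OPC will rely on, plus a list of problems found."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return {"problems": ["root element is not a SAML EntityDescriptor"]}
    result = {"entity_id": root.get("entityID"), "sso_post_url": None,
              "signing_cert_sha256": [], "problems": problems}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not identity-provider metadata")
        return result
    # OPC is set to the HTTP POST protocol, so the IdP must advertise a
    # SingleSignOnService with the HTTP-POST binding.
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_POST:
            result["sso_post_url"] = svc.get("Location")
    if result["sso_post_url"] is None:
        problems.append("IdP advertises no HTTP-POST SingleSignOnService")
    elif not result["sso_post_url"].startswith("https://"):
        problems.append("SSO endpoint is not https")
    # The signing certificate is what OPC uses to verify SAML responses.
    # Record its SHA-256 fingerprint so it can be compared with what Azure shows.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # absent 'use' means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            result["signing_cert_sha256"].append(hashlib.sha256(der).hexdigest())
    if not result["signing_cert_sha256"]:
        problems.append("no signing certificate: OPC could not verify responses")
    return result


if __name__ == "__main__":
    import sys
    # Usage (assumed file name): python check_idp_metadata.py FederationMetadata.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    for key, value in inspect_idp_metadata(text).items():
        print(f"{key}: {value}")
```

    The fingerprint is computed over the DER bytes exactly as they appear in the metadata, so it can be compared against the certificate thumbprint displayed in the Azure portal; if Azure later rolls the signing certificate, the metadata must be re-downloaded and re-uploaded to OPC, and this check makes the change visible.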

     

    It's now time to configure Oracle Public Cloud to act as the Service Provider.

     

    Configure Oracle Public Cloud as Service Provider for SAML Federation

     

    1. Log in to Oracle Public Cloud (https://myservices.us2.oraclecloud.com)->"Users"->"SSO Configuration"
    2. Click on Configure SSO

      image010.png

    3. Upload the Federation Metadata XML
    4. Choose HTTP POST for SSO Protocol
    5. Choose User's Email Address for "User Identifier"
    6. Choose NameID for "contained in"
    7. Click Save. You'll get four links after you save the IdP information.

      image011.jpg

      You will need the Provider Id and Assertion Consumer Service URL values for the next step.

       

    Updating Azure after OPC Configuration

     

    1. Login to the Azure portal.
    2. Navigate to Active Directory-> Applications -> Your Application -> Configuration

      image012.png

      APP ID URI = Provider ID

      Reply URL = Assertion Consumer Service URL

     

    Testing SSO

     

    1. Login to OPC->Users->SSO Configuration->Test SSO

      image013.png

    2. Click on Start SSO. You'll be redirected to the Microsoft sign-in site.

      image014.jpg

    3. Provide your password to see the results.

      image015.jpg

    If the test is successful you can now Enable SSO in OPC.

     

    Enabling SSO

     

    image016.jpg

    image017.jpg

     

    Once enabled, you'll see a new link on the PBCS login page.

     

    Loading Azure AD users in OPC

     

    Azure AD users must be added in OPC before they can log in to PBCS. This can be done in bulk by uploading a CSV file in the following format:

     

    First Name, Last Name, Email, User Login

     

    To upload users, log in to OPC->Users->Import, browse to the CSV file, and click Import.

    image018.jpg
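    Since OPC matches a federated user on the email address carried in the NameID (the "User's Email Address" / NameID choice made in the SP configuration), an SSO login will silently fail for any row whose Email column differs from what Azure AD asserts. The following Python script is an added example, not part of the original article or of any Oracle tool: it checks an import CSV in the four-column format above for the exact header, empty fields, malformed or duplicate emails and logins, and cross-checks each email against a list of the identities the IdP will assert. The CSV rows and the Azure identity list are constructed placeholders, and the assumption that Azure asserts the user's email address as NameID is the author's configuration choice above, not something the script verifies.

```python
import csv
import io
import re

EXPECTED_HEADER = ["First Name", "Last Name", "Email", "User Login"]
# Deliberately simple address check: it catches blanks and a missing '@' or domain,
# not RFC 5322 corner cases.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample CSV in the format the article gives (not a real user list).
# Rows 4, 5 and 6 each contain one deliberate defect.
SAMPLE_CSV = """First Name, Last Name, Email, User Login
Ana, Example, ana.example@corp.invalid, ana.example@corp.invalid
Bo, Example, bo.example@corp.invalid, bo.example@corp.invalid
Cy, Example, cy.example@corp.invalid, cy.example@corp.invalid
Di, Example, di-example-at-corp.invalid, di.example@corp.invalid
Bo, Example, bo.example@corp.invalid, bo.example2@corp.invalid
"""

# Constructed stand-in for the identities Azure AD will assert as NameID
# (assumed to be the users' email addresses, per the SP configuration above).
AZURE_IDENTITIES = {
    "ana.example@corp.invalid",
    "bo.example@corp.invalid",
    "di.example@corp.invalid",
}


def validate_user_import(csv_text, idp_identities):
    """Return a list of (row_number, problem) tuples; an empty list means the file is clean."""
    problems = []
    rows = list(csv.reader(io.StringIO(csv_text), skipinitialspace=True))
    if not rows or rows[0] != EXPECTED_HEADER:
        return [(1, f"header must be exactly {EXPECTED_HEADER!r}")]
    expected = {identity.lower() for identity in idp_identities}
    seen_emails, seen_logins = {}, {}
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(EXPECTED_HEADER):
            problems.append((n, f"expected {len(EXPECTED_HEADER)} columns, got {len(row)}"))
            continue
        first, last, email, login = (cell.strip() for cell in row)
        if not all((first, last, email, login)):
            problems.append((n, "empty field"))
        if not EMAIL_RE.match(email):
            problems.append((n, f"malformed email {email!r}"))
        elif email.lower() not in expected:
            # OPC will compare the asserted NameID with this value; no match, no login.
            problems.append((n, f"{email} is not an identity the IdP will assert; SSO login would fail"))
        if email.lower() in seen_emails:
            problems.append((n, f"duplicate email {email} (also row {seen_emails[email.lower()]})"))
        if login.lower() in seen_logins:
            problems.append((n, f"duplicate user login {login} (also row {seen_logins[login.lower()]})"))
        seen_emails.setdefault(email.lower(), n)
        seen_logins.setdefault(login.lower(), n)
    return problems


if __name__ == "__main__":
    import sys
    # Usage (assumed file name): python check_user_import.py users.csv
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CSV
    for row_number, problem in validate_user_import(text, AZURE_IDENTITIES) or [(0, "no problems found")]:
        print(f"row {row_number}: {problem}")
```

    In practice the identity list would come from an export of the Azure AD users assigned to the application rather than a literal set; the comparison is case-insensitive because email addresses differ in case between systems far more often than they differ in meaning.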

    Office 365 App Launcher

     

    Using the Office 365 App Launcher you can pin your apps to Excel, Outlook and other Office apps, which allows you to launch the PBCS URL directly from within those Office applications.

     

    image019.png

    Conclusion

     

    Using Single Sign-On significantly eases user maintenance by eliminating the need to update an account on external systems.

     

    Customers can revoke access by removing users from their IdPs. Office 365 and the Basic Azure AD version allow you to access external applications directly from within Microsoft products.

    About the Author

     

    Celvin Kattookaran is an Oracle ACE Director and Principal Architect with Huron Consulting Group. He is known for developing creative and effective business solutions to address his clients’ challenges. He is a frequent contributor to Oracle Community discussion forums and to the Network 54 Essbase forum. During his leisure time he develops utilities for EPM products which make a consultant’s life easier.