Can FAW instance be created without enabling SSO, and later SSO be enabled successfully?

User_L2TQS

Ravi Guddanti-Oracle

It won't complicate anything, in order to ensure the provisioning process runs smoothly verify that the user initiating the provisioning exists within the specified domain and is able to login using the local authentication (not the SSO as it hasn't been setup yet). Once the provisioning is completed, at a later point in time, you can configure the SSO setup just as documented in the blog. Download the pdf file from the blog, which has stepby-step instructions on configuring the SSO. The steps within the individual sections remain the same.

Ravi Guddanti-Oracle

Yes, SSO can be enabled after the instance has been provisioned. Reference

Setting up Oracle Fusion Analytics Warehouse and Single Sign-On

https://blogs.oracle.com/analytics/post/setting-up-oracle-fusion-analytics-warehouse-and-sso

Oracle is merging its Identity Cloud Service (IDCS) with Oracle Cloud Infrastructure Identity and Access Management (OCI IAM). Due to this transition, the process of enabling a single sign-on to allow users from Oracle Applications Cloud to access Oracle Fusion Analytics Warehouse (FAW) requires steps that are outlined in the document titled

blog post for additional information on setting up SSO.

User_L2TQS

The document says "You must set up single sign-on before you create your FAW instance. The steps depend on the following scenarios:"

So this is just a recommendation? Will it complicate anything if done later or the steps remain the same i.e. "Create the following OCI policy to enable a specific group of users to create and
manage the FAW instances on the tenancy"

User_L2TQS

@Ravi Guddanti-Oracle I have been looking for clarification on this. in the document it says -

"Create the following OCI policy to enable a specific group of users to create and
manage the FAW instances on the tenancy:

Allow group ''/'' to manage analytics-warehouses in
tenancy
Allow group ''/'' to manage analytics-instances in tenancy
Allow group ''/'' to manage autonomous-database-family
in tenancy

"

What should be this specific group of users? Should we create a group for all users who request access to FAW and then add policies for this group?

Looks like this policy allows this group to do much more than use SSO. what exactly is happening when we allow this policy?

Thanks for addressing my questions.

Ravi Guddanti-Oracle

These specific policies should be assigned to only those users who are designated to create and manage Fusion Analytics instances in the tenancy. This must not be assigned to all users who request access to Fusion Analytics application. These policies allow users to view and manage the Fusion Analytics instance and its associated OAC and ADW instances in the tenancy. Hope this clarifies.

User_L2TQS

Hi @Ravi Guddanti-Oracle this makes sense. But can you clarify further - how in background does this step enable all users to use SSO access to FAW? I see for scenario#2 , this is the only step mentioned for enabling SSO.

BalagurunathanBagavathy-Oracle

@User_L2TQS As @Ravi Guddanti-Oracle mentioned, these policies are only required for those users that need to administrate FDI and its associated OAC and ADW in the tenancy. As per scenario# 2, both Fusion Applications and FDI are associated with the same identity domain within the same cloud tenancy. So, the SSO is already taken care.

@Ravi Guddanti-Oracle Please correct me if I am missing something.

User_L2TQS

@BalagurunathanBagavathy-Oracle Makes sense. But I am still not sure why is this step to add policy mentioned in the SSO document Scenario#2 ?

Lauriane Massin Whitaker

Hi guys,

Jumping on that one because m'y instances had not initially been created in the same HCM domains (and no SSo setup). So in FDI, i was not able to see the HCM users.

Someone helped me and WE managed to move the instances from oracle identity service domain to HCM prod and HCM test domains (We set Up the different policies mentioned earlier as well). Now I'm able in each domain to see all the users for FDI.

But earlier today, a manager At the clients I'm working for requested Access to the console and I gave him the oac URL but he was not recognized by the system... And when he tried to reset his password he never got the email for Oracle...

I feel like thèse HCM users won't be able to Access the console and I don't know if it's an SSo issue... Because you're saying that now thé instance is in the same domain as HCM, the SSo should be autimatically enabled, right ?