Refused to frame/Connect because an ancestor violates the Content Security Policy directive

User_BIGQU Rank 2 - Community Beginner

Hi, I am trying to display OAS in an iframe within our main application, but OAS is not allowing its content to be displayed, not even the login page. This issue persists across other applications and even on a simple HTML page. Despite adding safe domains in OAS, updating the instanceconfig.xml file multiple times, and restarting the services, the iframe is still not working with OAS. We are unable to display our reports through OAS in an iframe.


"Refused to frame 'https://test.local.local:9503/' because an ancestor violates the following Content Security Policy directive: 'frame-ancestors 'self'."

Best Answer

  • Any suggestion how I can configure SSO to access OAS from my application? Currently, I don't have any authentication between OAS and that application. Previously I was accessing OBIEE inside an iframe in my application, in such a way that I first log in to my application and then need to use login credentials again for OBIEE inside the iframe; there was no SSO or direct authentication.

    OAS supports many types of Single/Same Sign-On (SSO), from Oracle on-prem products (OAM) and Oracle Cloud products (IDCS/IAM) to standards-based (SAML/Kerberos/WNA).

    https://docs.oracle.com/en/middleware/bi/analytics-server/security-oas/enable-sso-authentication.html

    Here is a list of some common configurations:

    https://community.oracle.com/products/oracleanalytics/kb/articles/64-helpful-oracle-analytics-knowledge-content

    There may be some duplicates here:

    MAIN:
    SAML 2.0 and Kerberos Single Sign-On Configuration for Oracle Analytics Server (Doc ID 2761678.1)

    NON-DOCKER ALTERNATIVES:

    Configuring Oracle Analytics Server for Kerberos Single Sign-On (SSO) (Doc ID 2707401.1)

    Configuring Oracle Analytics Server for Kerberos Single Sign-On (SSO) using Oracle HTTP Server and GSSAPI Module (Doc ID 2941776.1) new

    Configuring Oracle Analytics Server for SAML 2.0 Single Sign-On (SSO) Using Mellon Authentication Module of Apache HTTP Server (Doc ID 2902159.1)

    IDCS
    See: https://blogs.oracle.com/analytics/post/oas-sso-solutions

    Single Sign-On with Oracle Identity Cloud Service (IDCS) through OAuth and OpenID using Oracle HTTP Server and WebGate

    For more details see, Single Sign-On Configuration for Oracle Analytics Server on OCI Marketplace with Oracle Identity Cloud Service using Oracle HTTP Server and WebGate

    Single Sign-On with Oracle Identity Cloud Service (IDCS) through OpenID using Apache and OpenID Module

    For more details see, Single Sign-On Configuration for Oracle Analytics Server on OCI Marketplace with Oracle Identity Cloud Service using Apache HTTP Server and OpenIDC Module

    Single Sign-On with Oracle Identity Cloud Service (IDCS) through IDCS App Gateway

    For more details see, Understand App Gateway

    Configuring SSO for OBIEE12c/OAS Running On On-Premise or On OCI Compute with IDCS Using App Gateway (Doc ID 2611016.1)

    For more details see, Configuring SSO for OBIEE12c/OAS Running On On-Premise or On OCI Compute with IDCS Using App Gateway (Doc ID 2611016.1)

    The Support Doc ID: 2611016.1 is created based on deploying IDCS App Gateway on an OCI Compute Instance.

    We can now deploy the IDCS App Gateway as a Docker Container so that we can run the container on OAS Instance and no need of extra Oracle Cloud Infrastructure (OCI) Compute Instance.

    Custom SSO (SAML2.0 and Kerberos) for Oracle Analytics Server on Oracle Cloud

    For more details see Oracle Analytics Server Documentation, Configure Custom SSO Environments

    For more details see, SAML 2.0 and Kerberos Single Sign-On Configuration for Oracle Analytics Server (Doc ID 2761678.1)

    For more details see, Configuring Oracle Analytics Server for Kerberos Single Sign-On (SSO) (Doc ID 2707401.1)

    Integrate Oracle Analytics Server with Oracle Identity Cloud Service or IAM Identity Domain for Single Sign-On using App Gateway (Doc ID 3021142.1)

    Connecting an On-Premises Oracle Analytics Server (OAS) to an IAM Domain for Single Sign-On Using the IAM App Gateway (Doc ID 3019744.1)

    Oracle Analytics Mobile Application for Oracle Analytics Server Configured with Single Sign-On using IAM App Gateway (Doc ID 3022506.1)

    Oracle Analytics Mobile Application for Oracle Analytics Server Configured with Single Sign-On Using OCI IAM Domain with Apache HTTP Server and OpenID Module (Doc ID 3022507.1)

    OTHER:

    End to End Steps to Deploy Oracle Analytics Server on OCI Marketplace, Configure Load Balancer, SSL and IDCS SSO (Doc ID 2831485.1)

    How to Configure SAML 2.0 SSO on Oracle Analytics Server With OKTA Identity Provider (IdP) Using Mellon Authentication Module of Apache HTTP Server (Doc ID 2927209.1)

Answers

  • User_BIGQU Rank 2 - Community Beginner

    my OAS version is 7.0.0.0.240110

  • Gianni Ceresa
    edited Aug 15, 2024 2:25PM

    Hi,

    Did you enter your domain where you are trying to embed the OAS page in DV > Console > Safe Domains as accepted for embedding?

    image.png

    This is from OAS 2024 (aka 7.6), can't remember if that page was already like that in OAS 2023 (7.0).

    You can read some more details in the doc: https://docs.oracle.com/en/middleware/bi/analytics-server/administer-oas/register-safe-domains-1.html

    PS: don't enable it for all domains, enter the domains you need only, keep your OAS a bit secured…

  • User_BIGQU Rank 2 - Community Beginner

    I’ve tried everything and have also reviewed your previous posts related to this issue. I attempted all suggested solutions, including those provided by Oracle Engineers, which involved modifications to the instanceconfig.xml file. Despite these efforts, the issue persists. Are there any other methods that could bypass all security layers for testing purposes?

  • User_BIGQU Rank 2 - Community Beginner

    I tried the steps below as well, but they didn’t work and are also causing issues during the service restart.

    <Security>
      <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
      <InIFrameRenderingMode>allow</InIFrameRenderingMode>
      <ContentSecurityPolicy>
        <PolicyDirectives>
          <Directive>
            <Name>frame-src</Name>
            <Value>https://abc.com https://*.abc.com *</Value>
          </Directive>
          <Directive>
            <Name>img-src</Name>
            <Value>*</Value>
          </Directive>
        </PolicyDirectives>
      </ContentSecurityPolicy>
      <XFrameOptions>
        <Value>ALLOW-FROM https://abc.local.com</Value>
      </XFrameOptions>
      <EmbeddedContent>
        <Iframe enabled="true"/>
      </EmbeddedContent>
    </Security>

  • You expect the login page to be visible in the embedding? What page is the system exactly trying to load?

    The login page is a different deployment in the bi_server1, not sure any config in DV or OBIPS config file applies there.

  • User_BIGQU Rank 2 - Community Beginner

    I have an application where I’ve embedded OBIEE 11g in one IFRAME and OAS in a second IFRAME. Single Sign-On (SSO) is not enabled; I’m just displaying the OBIEE and OAS dashboards in these IFRAMEs. OBIEE 11g is functioning correctly; I can log in and view the dashboard. However, with OAS, I encounter an error referring to connection issues, and the page fails to load. Even the login page is inaccessible. I also tested with a simple HTML page, and I’m seeing the same error as in the application’s IFRAME.

    OAS Comm.png
  • User_BIGQU Rank 2 - Community Beginner
    OAS Comm.png

    This is the error.

  • User_BIGQU Rank 2 - Community Beginner

    Also, I don't have OHS or Apache in front of OAS. We are using OID, and there is no security configured in our environment.

  • Look at the Network tab and find out exactly what page is being blocked. Because just having the console message about the domain doesn't tell you much…

    And OBIEE 11g is 8+ years old, browser security was different back at that time, don't take it as a reference for embedding…

    For example, in this screenshot you can see that it isn't my OAS page that is blocked, but the login page that OAS redirected me to (the 3rd row being a 302 redirect to the 4th row, the login).

    image.png
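
The check suggested in the reply above (read the framing headers of each response listed in the Network tab and find the one that refuses the embed), as an added example that is not part of the thread and not Oracle code. The hostnames and paths are constructed placeholders, the second policy string is the one quoted later in this thread, and the source matching is a simplified version of what a browser does.

```javascript
// Added example: hostnames and paths are constructed placeholders, not real OAS URLs.
// Source matching is simplified to 'self', *, scheme-source and host-source.
function parseCsp(header) {
  const out = new Map(); // directive name -> source list; first occurrence wins
  for (const part of (header || '').split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !out.has(name.toLowerCase())) out.set(name.toLowerCase(), values);
  }
  return out;
}
function sourceAllows(source, embedder, page) {
  if (source === "'self'") return embedder.origin === page.origin;
  if (source === '*') return /^https?:$/.test(embedder.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === embedder.protocol;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)(?::(\d+|\*))?\/?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const want = scheme ? scheme.toLowerCase() + ':' : page.protocol; // no scheme: the page's own
  if (embedder.protocol !== want) return false;
  const h = host.toLowerCase();
  const hostOk = wildcard ? embedder.hostname.endsWith('.' + h) : embedder.hostname === h;
  const dflt = embedder.protocol === 'https:' ? '443' : '80';
  return hostOk && (port === '*' || (port || dflt) === (embedder.port || dflt));
}
function framingVerdict(resp, embedderUrl) {
  const embedder = new URL(embedderUrl), page = new URL(resp.url), h = {};
  for (const [k, v] of Object.entries(resp.headers)) h[k.toLowerCase()] = v;
  const fa = parseCsp(h['content-security-policy']).get('frame-ancestors');
  if (fa) // frame-ancestors present, so X-Frame-Options is not consulted
    return { allowed: fa.some((s) => sourceAllows(s, embedder, page)), decidedBy: 'frame-ancestors ' + fa.join(' ') };
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN')
    return { allowed: xfo === 'SAMEORIGIN' && embedder.origin === page.origin, decidedBy: 'X-Frame-Options ' + xfo };
  return { allowed: true, decidedBy: 'no enforced framing header' }; // ALLOW-FROM is ignored
}
// First response in the chain that refuses the embedder, or null if none does.
const firstRefusal = (chain, embedderUrl) =>
  chain.map((r) => ({ url: r.url, ...framingVerdict(r, embedderUrl) })).find((v) => !v.allowed) || null;

const PARENT = 'https://app.example.test/portal'; // constructed embedding page
const CHAIN = [ // constructed responses, in the order the Network tab lists them
  { url: 'https://oas.example.test:9503/hypothetical-dashboard', headers: {
    // frame-src only limits what this page may embed; it is never consulted here
    'Content-Security-Policy': "frame-src *; frame-ancestors 'self' https://app.example.test",
    'X-Frame-Options': 'ALLOW-FROM https://app.example.test' } },
  { url: 'https://oas.example.test:9503/hypothetical-login', headers: {
    'Content-Security-Policy': "frame-src 'self' docs.oracle.com;frame-ancestors 'self'" } },
];
console.log(firstRefusal(CHAIN, PARENT));
```

Fed the real headers of each row in the Network tab, the entry it returns identifies which deployment is sending the policy that blocks the embed.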
  • User_BIGQU Rank 2 - Community Beginner
    OAS_DIAG.png

    Hi,
    As you can see, there is no blockage at all. There is some issue with IFRAME/XFRAME because that is the only issue I am facing. I found the below file on the server:

    u01/app/OASUAT/Middleware/Oracle_Home/user_projects/domains/OAS_Domain/servers/bi_server1/tmp/_WL_user/bitech-analysis-application/ir/war/WEB-INF/web.xml.

    It contains :

    <description>Security option used in session header to indicate
    whether app is embeddable in iframes</description>
    <param-name>oracle.bi.tech.xFrameOptions</param-name>
    <param-value>SAMEORIGIN</param-value>

    frame-src 'self' docs.oracle.com;frame-ancestors 'self'.

    Can we make a change in it to allow all domains? Kindly suggest.