nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Oracle Communities

Oracle Analytics and AI

Child Item

Refused to frame/Connect because an ancestor violates the Content Security Policy directive

User_BIGQU

Hi I am trying to display OAS in an iframe within our main application but OAS is not allowing its content to be displayed not even the login page. This issue persists across other applications and even on a simple HTML page. Despite adding safe domains in OAS updating the instancecinfig.xml file multiple times and restarting the services, the iframe is still not working with OAS. We are unable to display our reports through OAS in an iframe.

"Refused to frame 'https://test.local.local:9503/' because an ancestor violates the following Content Security Policy directive: 'frame-ancestors 'self'."

Find more posts tagged with

OBIEE

Oracle Linux

OBIEE 12c

Analysis and Data Visualization

OAS

Accepted answers

Steve F-2

Any suggestion how can I configure SSO to access OAS from my application. Currently, I don't have any authentication between OAS and that application previously I was accessing OBIEE inside an Iframe in my application and I was accessing OBIEE in way that first I login to my application then again I need to use login credentials for OBIEE inside an IFRAME there were no SSO or direct authentication.

OAS Supports many types of Single/Same Sign-On (SSO) from Oracle on-prem products (OAM) , Oracle Cloud products (IDCS/IAM), to standards-based (SAML/Kerberos/WNA).

https://docs.oracle.com/en/middleware/bi/analytics-server/security-oas/enable-sso-authentication.html

Here is a list of some common configurations:

https://community.oracle.com/products/oracleanalytics/kb/articles/64-helpful-oracle-analytics-knowledge-content

There may be some duplicates here:

MAIN:
SAML 2.0 and Kerberos Single Sign-On Configuration for Oracle Analytics Server (Doc ID 2761678.1)

NON-DOCKER ALTERNATIVES:

Configuring Oracle Analytics Server for Kerberos Single Sign-On (SSO) (Doc ID 2707401.1)

Configuring Oracle Analytics Server for Kerberos Single Sign-On (SSO) using Oracle HTTP Server and GSSAPI Module (Doc ID 2941776.1) new

Configuring Oracle Analytics Server for SAML 2.0 Single Sign-On (SSO) Using Mellon Authentication Module of Apache HTTP Server (Doc ID 2902159.1)

IDCS
See: https://blogs.oracle.com/analytics/post/oas-sso-solutions

Single Sign-On with Oracle Identity Cloud Service (IDCS) through OAuth and OpenID using Oracle HTTP Server and WebGate

For more details see, Single Sign-On Configuration for Oracle Analytics Server on OCI Marketplace with Oracle Identity Cloud Service using Oracle HTTP Server and WebGate

Single Sign-On with Oracle Identity Cloud Service (IDCS) through OpenID using Apache and OpenID Module

For more details see, Single Sign-On Configuration for Oracle Analytics Server on OCI Marketplace with Oracle Identity Cloud Service using Apache HTTP Server and OpenIDC Module

Single Sign-On with Oracle Identity Cloud Service (IDCS) through IDCS App Gateway

For more details see, Understand App Gateway

Configuring SSO for OBIEE12c/OAS Running On On-Premise or On OCI Compute with IDCS Using App Gateway (Doc ID 2611016.1)

For more details see, Configuring SSO for OBIEE12c/OAS Running On On-Premise or On OCI Compute with IDCS Using App Gateway (Doc ID 2611016.1)

The Support Doc ID: 2611016.1 is created based on deploying IDCS App Gateway on an OCI Compute Instance.

We can now deploy the IDCS App Gateway as a Docker Container so that we can run the container on OAS Instance and no need of extra Oracle Cloud Infrastructure (OCI) Compute Instance.

Custom SSO (SAML2.0 and Kerberos) for Oracle Analytics Server on Oracle Cloud

For more details see Oracle Analytics Server Documentation, Configure Custom SSO Environments

For more details see, SAML 2.0 and Kerberos Single Sign-On Configuration for Oracle Analytics Server (Doc ID 2761678.1)

For more details see, Configuring Oracle Analytics Server for Kerberos Single Sign-On (SSO) (Doc ID 2707401.1)

Integrate Oracle Analytics Server with Oracle Identity Cloud Service or IAM Identity Domain for Single Sign-On using App Gateway (Doc ID 3021142.1)

Connecting an On-Premises Oracle Analytics Server (OAS) to an IAM Domain for Single Sign-On Using the IAM App Gateway (Doc ID 3019744.1)

Oracle Analytics Mobile Application for Oracle Analytics Server Configured with Single Sign-On using IAM App Gateway (Doc ID 3022506.1)

Oracle Analytics Mobile Application for Oracle Analytics Server Configured with Single Sign-On Using OCI IAM Domain with Apache HTTP Server and OpenID Module (Doc ID 3022507.1)

OTHER:

End to End Steps to Deploy Oracle Analytics Server on OCI Marketplace, Configure Load Balancer, SSL and IDCS SSO (Doc ID 2831485.1)

How to Configure SAML 2.0 SSO on Oracle Analytics Server With OKTA Identity Provider (IdP) Using Mellon Authentication Module of Apache HTTP Server (Doc ID 2927209.1)

All comments

User_BIGQU

my OAS version is 7.0.0.0.240110

Gianni Ceresa

Hi,

Did you enter your domain where you are trying to embed the OAS page in DV > Console > Safe Domains as accepted for embedding?

This is from OAS 2024 (aka 7.6), can't remember if that page was already like that in OAS 2023 (7.0).

You can read some more details in the doc: https://docs.oracle.com/en/middleware/bi/analytics-server/administer-oas/register-safe-domains-1.html

PS: don't enable it for all domains, enter the domains you need only, keep your OAS a bit secured…

User_BIGQU

I’ve tried everything and have also reviewed your previous posts related to this issue. I attempted all suggested solutions, including those provided by Oracle Engineers, which involved modifications to the instanceconfig.xml file. Despite these efforts, the issue persists. Are there any other methods that could bypass all security layers for testing purposes?

User_BIGQU

I tried the steps below as well, but they didn’t work and are also causing issues during the service restart.

<Security>
<ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
<InIFrameRenderingMode>allow</InIFrameRenderingMode>
<ContentSecurityPolicy>
<PolicyDirectives>
<Directive>
<Name>frame-src</Name>
<Value>https://abc.com https://*.abc.com *</Value>
</Directive>
<Directive>
<Name>img-src</Name>
<Value>*</Value>
</Directive>
</PolicyDirectives>
</ContentSecurityPolicy>
<XFrameOptions>
<Value>ALLOW-FROM https://abc.local.com</Value>
</XFrameOptions>
<EmbeddedContent>
<Iframe enabled="true"/>
</EmbeddedContent>
</Security>

Gianni Ceresa

You expect the login page to be visible in the embedding? What page is the system exactly trying to load?

The login page is a different deployment in the bi_server1, not sure any config in DV or OBIPS config file applies there.

User_BIGQU

I have an application where I’ve embedded OBIEE 11g in one IFRAME and OAS in a second IFRAME. Single Sign-On (SSO) is not enabled I’m just displaying the OBIEE and OAS dashboards in these IFRAMEs. OBIEE 11g is functioning correctly I can log in and view the dashboard. However, with OAS, I encounter an error referring to connection issues, and the page fails to load. Even the login page is inaccessible. I also tested with a simple HTML page, and I’m seeing the same error as in the application’s IFRAME.

User_BIGQU

This is the error.

User_BIGQU

Also, I don't have OHS or Apache in front of OAS. We are using OID, and there is no security configured in our environment

Gianni Ceresa

Look at the Network tab and find out exactly what page is being blocked. Because just having the console message about the domain doesn't tell you much…

And OBIEE 11g is 8+ years old, browsers security was different back at that time, don't take it as a reference for embedding…

For example, in this screenshot you can see that it isn't my OAS page that is blocked, but the login page that OAS redirected me to (the 3rd row being a 302 redirect to the 4th row, the login).

User_BIGQU

Hi,
As you can see there is no blockage at all.There is some issue with IFRAME/XFRAME because that is the only issue I am facing.I found the below file on server:

u01/app/OASUAT/Middleware/Oracle_Home/user_projects/domains/OAS_Domain/servers/bi_server1/tmp/_WL_user/bitech-analysis-application/ir/war/WEB-INF/web.xml.

It contains :

<description>Security option used in session header to indicate
whether app is embeddable in iframes</description>
<param-name>oracle.bi.tech.xFrameOptions</param-name>
<param-value>SAMEORIGIN</param-value>

frame-src 'self' docs.oracle.com;frame-ancestors 'self'.

Can we make change in it to allow for all domains ? Kindly suggest