
Configuring Azure AD Base Version as an Identity Provider with Oracle Planning and Budgeting Cloud S

Celvin Kattookaran Member Posts: 3,143 Gold Trophy
edited Aug 2, 2017 1:50AM in Cloud Platform

In this concise, illustrated, how-to guide, Oracle ACE Director Celvin Kattookaran walks you step-by-step through the process of setting up Single Sign-On between Oracle Planning and Budgeting Cloud and Azure Active Directory Base version.


By Celvin Kattookaran

Introduction

Starting with the November 2015 Oracle Planning and Budgeting Cloud Service (PBCS) release, you can configure Single Sign-On (SSO) to authenticate service users using:

  • Microsoft Active Directory Federation Server (ADFS) 2.0, ADFS 2.1, ADFS 3.0
  • Shibboleth Identity Provider 2.4.0
  • Oracle Identity Federation Server 11g.

In this article we will review the process of setting up Single Sign-On between Oracle Planning and Budgeting Cloud and Azure Active Directory Base version.

SAML 2.0 and how it works

Security Assertion Markup Language 2.0 (SAML) is an XML-based data format for exchanging authentication and authorization data between security domains, enabling cross-domain web-based authentication and authorization.

In a Single Sign-On setup, one security domain acts as the Service Provider (SP), the consumer of assertions, and the other acts as the Identity Provider (IdP), the authority that issues them, as illustrated in the image below.

image001.png

  1. User tries to log in to PBCS
  2. OPC (Oracle Public Cloud) generates a SAML request
  3. OPC redirects the browser to the SSO URL; the browser opens the SSO page and the user logs in with their AD username and password
  4. Azure authenticates the user for the SAML request
  5. Azure generates a SAML response
  6. Azure returns the SAML response to the browser, which sends it on to OPC
  7. OPC verifies the SAML response
  8. User is now logged into PBCS

Configuring Azure AD Base Version with Oracle Public Cloud involves a 5-step process:

  1. Configure Azure AD as IdP for Federation
  2. Configure Oracle Public Cloud as SP for Federation
  3. Update Azure after OPC Configuration
  4. Test SSO
  5. Enable SSO

Configure Azure AD as IdP for Federation

  1. Log in to the Azure portal. Click Browse, go to Active Directory, then to Applications.

    image002.png

  2. Click the Add button to add a new application.

    image003.jpg

  3. Choose Add an application my organization is developing. (Oh, I get it, it's Oracle's application.)

    image004.png

  4. Provide a name and choose Web Application AND/OR Web API.

    image005.png

  5. The Sign-on URL will be your PBCS URL (excluding the Workspace/HyperionPlanning part).

    https://pbcs-domain.pbcs.us2.oraclecloud.com

  6. Add a URL for APP ID URI (we'll revisit this in a moment). I just copied the same Sign-On URL:

    image006.png

  7. Once the application is created, you can get the Provider Metadata by opening View EndPoints. You can also change the logo of the Azure Application by uploading a 215px x 215px image.

    image007.jpg

    image008.png

  8. Copy the link from "FEDERATION METADATA DOCUMENT" (it's a link to Federation metadata xml file). Paste that into a web browser.

    image009.png

  9. Save the file as an XML file.

It's now time to configure Oracle Public Cloud to act as the Service Provider.

Configure Oracle Public Cloud as Service Provider for SAML Federation

  1. Log in to Oracle Public Cloud (https://myservices.us2.oraclecloud.com)->"Users"->"SSO Configuration"
  2. Click on Configure SSO

    image010.png

  3. Upload the Federation Metadata XML
  4. Choose HTTP POST for SSO Protocol
  5. Choose User's Email Address for "User Identifier"
  6. Choose NameID for "contained in"
  7. Click Save. You'll get four links after you Save the IdP information.

    image011.jpg

    You will need the Provider Id and Assertion Consumer Service URL values for the next step.

Updating Azure after OPC Configuration

  1. Log in to the Azure portal.
  2. Navigate to Active Directory -> Applications -> Your Application -> Configuration

    image012.png

    Set the two values you noted in the previous step:

    APP ID URL = Provider ID

    Reply URL = Assertion Consumer Service URL
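The two values just copied into Azure are what tie each SAML response to this particular Service Provider: the APP ID URL is issued by Azure as the Audience of the assertion (which OPC compares with its Provider Id), and the Reply URL is the Recipient (which OPC compares with its Assertion Consumer Service URL). The checks that step 7 of the flow above ("OPC verifies the SAML response") must include, shown on a constructed sample response, as an added Python example that is not code from the original article or from Oracle: the IdP entityID, Provider Id, ACS URL, request id and user email in it are placeholders, and verification of the XML signature, which must happen before any of these checks are trusted, is left out because it needs an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLOCK_SKEW = timedelta(seconds=60)   # tolerance for IdP/SP clock drift

# What the SP side was configured with. All three are placeholders standing in
# for the IdP entityID from the metadata, the Provider Id and the ACS URL shown by OPC.
SP_CONFIG = {
    "idp_entity_id": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "provider_id": "https://sp.example.invalid/provider-id-placeholder",
    "acs_url": "https://sp.example.invalid/saml2/acs-placeholder",
}

# Constructed sample response; the ds:Signature element is omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2017-08-01T12:00:00Z" InResponseTo="_req-placeholder-1"
    Destination="https://sp.example.invalid/saml2/acs-placeholder">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-08-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req-placeholder-1"
            NotOnOrAfter="2017-08-01T12:05:00Z"
            Recipient="https://sp.example.invalid/saml2/acs-placeholder"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-08-01T11:59:00Z" NotOnOrAfter="2017-08-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.invalid/provider-id-placeholder</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""

SAMPLE_NOW = datetime(2017, 8, 1, 12, 2, tzinfo=timezone.utc)  # inside the validity window
LATER_NOW = SAMPLE_NOW + timedelta(minutes=10)                 # after NotOnOrAfter


def saml_time(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def verify_response(xml_text, sp, now, request_id=None):
    """Return (problems, name_id). An empty problems list means the assertion is
    bound to this SP, this request and this time window; the signature must
    already have been verified for any of it to mean anything."""
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:   # reject ambiguity rather than pick one
        return problems + ["expected exactly one Assertion, got %d" % len(assertions)], None
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != sp["idp_entity_id"]:
        problems.append("assertion Issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if cond.get("NotBefore") and now < saml_time(cond.get("NotBefore")) - CLOCK_SKEW:
            problems.append("assertion not yet valid")
        if not cond.get("NotOnOrAfter") or now >= saml_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
            problems.append("assertion expired")
        audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp["provider_id"] not in audiences:
            problems.append("Audience does not contain our Provider Id")
    scd = a.find("saml:Subject/saml:SubjectConfirmation[@Method='%s']/saml:SubjectConfirmationData" % BEARER, NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != sp["acs_url"]:
            problems.append("Recipient is not our Assertion Consumer Service URL")
        if request_id and scd.get("InResponseTo") != request_id:
            problems.append("InResponseTo does not match the request we sent")
        if scd.get("NotOnOrAfter") and now >= saml_time(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
            problems.append("bearer confirmation expired")
    name = a.find("saml:Subject/saml:NameID", NS)
    if name is None or name.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is missing or not in emailAddress format")
        return problems, None
    return problems, name.text.strip()


if __name__ == "__main__":
    print(verify_response(SAMPLE_RESPONSE, SP_CONFIG, SAMPLE_NOW, "_req-placeholder-1"))
    print(verify_response(SAMPLE_RESPONSE, SP_CONFIG, LATER_NOW, "_req-placeholder-1"))
```

The Audience and Recipient comparisons are why the APP ID URL and Reply URL in Azure must match the OPC values character for character: a response issued for a differently configured application fails both checks and the user never gets a session.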

Testing SSO

  1. Log in to OPC->Users->SSO Configuration->Test SSO

    image013.png

  2. Click on Start SSO. You'll be redirected to the Microsoft sign-in page.

    image014.jpg

  3. Provide your password to see the results.

    image015.jpg

If the test is successful you can now Enable SSO in OPC.

Enabling SSO

image016.jpg

image017.jpg

Once enabled you'll see a new link on the PBCS login page.

Loading Azure AD users in OPC

Azure AD users must be added in OPC before they can log in to PBCS. This can be done in bulk by uploading a CSV file in the following format:

First Name, Last Name, Email, User Login

To upload users, log in to OPC->Users->Import, browse to the CSV file and click Import.

image018.jpg
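The usual reason an SSO login fails after a successful test is that the user asserted by Azure does not exist in OPC under the same identity. Since OPC was configured above to take the user identifier from the email address in the NameID, it helps to validate the import file before uploading it. The following Python script is an added example, not code from the original article or from Oracle; it assumes (this is not stated on the page) that the User Login column should match the Email column the IdP will assert, and it runs on a constructed sample CSV with deliberately bad rows.

```python
import csv
import io
import re

# Header exactly as the article gives the import format
EXPECTED_HEADER = ["First Name", "Last Name", "Email", "User Login"]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: line 2 is fine, line 3 has a login that differs from the
# email, line 4 has a malformed email, line 5 duplicates line 2.
SAMPLE_CSV = """First Name, Last Name, Email, User Login
Jane, Doe, jane.doe@example.invalid, jane.doe@example.invalid
John, Roe, john.roe@example.invalid, jroe
Ann, Poe, ann.poe-at-example.invalid, ann.poe-at-example.invalid
Jane, Doe, jane.doe@example.invalid, jane.doe@example.invalid
"""


def validate_user_csv(text):
    """Return a list of (line number, problem) tuples; empty means the file is clean."""
    problems = []
    rows = list(csv.reader(io.StringIO(text), skipinitialspace=True))
    if not rows or [h.strip() for h in rows[0]] != EXPECTED_HEADER:
        return [(1, "header must be: " + ", ".join(EXPECTED_HEADER))]
    seen = {}   # lower-cased login -> first line it appeared on
    for n, row in enumerate(rows[1:], start=2):
        row = [c.strip() for c in row]
        if len(row) != 4 or not all(row):
            problems.append((n, "expected 4 non-empty columns"))
            continue
        first, last, email, login = row
        if not EMAIL_RE.match(email):
            problems.append((n, "malformed email %r" % email))
        # Assumption: the login must equal the email the IdP puts in the NameID
        if login.lower() != email.lower():
            problems.append((n, "User Login %r differs from Email %r" % (login, email)))
        key = login.lower()
        if key in seen:
            problems.append((n, "duplicate login %r (first seen on line %d)" % (login, seen[key])))
        else:
            seen[key] = n
    return problems


if __name__ == "__main__":
    for line, problem in validate_user_csv(SAMPLE_CSV):
        print("line %d: %s" % (line, problem))
```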

Office 365 App Launcher

Using the Office 365 App Launcher you can pin your apps to Excel, Outlook and other Office apps, which allows you to launch the PBCS URL directly from within those Office applications.

image019.png

Conclusion

Using Single Sign-On significantly eases user maintenance by eliminating the need to update an account on external systems.

Customers can revoke access by removing users from their IdPs. Office 365 and the Basic Azure AD version allow you to access external applications directly from within Microsoft products.

About the Author

@Celvin Kattookaran is an Oracle ACE Director and Principal Architect with Huron Consulting Group. He is known for developing creative and effective business solutions to address his clients’ challenges. He is a frequent contributor to Oracle Community discussion forums and to the Network 54 Essbase forum. During his leisure time he develops utilities for EPM products which make a consultant’s life easier.


Comments

  • User_GTW6Y
    User_GTW6Y Member Posts: 1 Red Ribbon

    When configuring Azure and adding an application, do we have to set up the URL for both Production and Non-Production PBCS environments as separate Azure application entries, since the URL string is different for each environment?