SSO SAML 2 setup on OAS 5.9

We are trying to configure SSO on OAS 5.9 with SAML2 and Microsoft Azure as IDP, but we run into issues: we are not able to redirect the analytics to the Azure application.
It would be a great help if anybody has steps to configure SSO with SAML 2 on OAS 5.9.

Comments

Gianni Ceresa

Did you see https://blogs.oracle.com/analytics/saml-20-and-kerberos-single-sign-on-configuration-for-oracle-analytics-server ?
There are documents in MOS on how to set up SSO with SAML2 for OAS (maybe not updated to 5.9, but because WebLogic and FMW are the exact same version as in OAS 5.5, they are still valid).

harikrishna mannem

Thanks for the response.
I went through the document; the approach only supports and is targeted at the Linux and CentOS platforms, and we are using the Windows 19 server.

Gianni Ceresa

Is that really a thing?
Anyway, https://support.oracle.com/epmos/faces/DocContentDisplay?id=2707401.1 clearly says "applies to any platform", so it covers any OS on which OAS 5.9.0 is certified.

Hi, this is the Blog owner. I shall document steps to implement on Windows soon and update you.
Also, the same docker image can be run on windows docker if you have Docker-based knowledge.
Anyways I'll document steps for Windows without Docker.
Please approach me through the comments on the blog.
https://blogs.oracle.com/analytics/post/saml-20-and-kerberos-single-sign-on-configuration-for-oracle-analytics-server

SAML SSO for OAS on Windows is available as an internal document. If any customer requires the doc for Windows, they can raise an SR and the Support Engineer should be able to upload the required document and a downloadable link for the scripts.

Christian Berg-0racle

Hi Veera. Can we make that into a MOS Doc please so customers can look it up directly and we can share the MOS Doc ID with them?

User_LKXNK

Do you have the same doc for a Linux environment? We want to enable SSO for OAS 5.9.

Thanks in advance.

Gianni Ceresa

The documents exist in MOS (linked above).
If you don't have a valid support contract, you can't access MOS content. In that case all you have is the public blog post (linked above as well).

SAML 2.0 and Kerberos Single Sign-On Configuration for Oracle Analytics Server (Doc ID 2761678.1)
This is the Docker Container-based approach for OAS Custom SSO for both SAML2 and Kerberos on Linux.
SAML2 SSO works with OAS 5.5 and 5.9, whereas Kerberos SSO on Linux works only with the OAS 5.5 basic version without patches and with OAS 5.9 and onwards.

https://support.oracle.com/epmos/faces/DocContentDisplay?id=2707401.1
This covers Kerberos SSO without Docker on Linux for OAS 5.5 basic Version without patches and OAS 5.9 and 5.9+

Coming to the SSO Solution for OAS on Windows, I'll need to discuss with Product Management and take a decision to make it public or not. For now, the MOS Doc is Internal and we can share with Customers only upon request for the Solution on Windows. I will update in Jan 2022.

Alan L

Veera,
I am doing some research on SAML SSO for Oracle Analytics Server. You said this article Doc ID 2761678.1 was the Docker-Container based approach for OAS, but this doc ID is for 12c using ADFS as the id provider. Is there an article for OAS specifically using the Docker approach or other approach for SAML SSO?

Thanks,
Alan

Hi Alan,
Please recheck, you are wrong. The Doc ID 2761678.1 is still pointing to the SAML and Kerberos SSO for OAS.
There might be some confusion at your end, please recheck. (Also attaching the screenshot)
Oracle Support Document 2761678.1 (SAML 2.0 and Kerberos Single Sign-On Configuration for Oracle Analytics Server) can be found at: https://support.oracle.com/epmos/faces/DocumentDisplay?id=2761678.1

user1717232

We are also trying to do SAML2 with OAS 5.9. However, our users and groups information is in an Oracle table. Is there any example anywhere on how to make that integration work? Any ideas/pointers would be appreciated.

We have the Oracle Docker SSO part running but need to know how to integrate WL with the DB to grab users and roles.

You can use BISQLGroupProvider to map LDAP Users with Database Groups.
If you have both Users and Groups from Oracle Database, you can use SQLAuthenticator or ReadOnlySQLAuthenticator.
https://docs.oracle.com/en/middleware/bi/analytics-server/security-oas/configue-oracle-analytics-server-use-alternative-authentication-providers.html#GUID-BED8DEAA-A443-4DE5-8911-91985AB9F894

user1717232

Really? I still used the Docker SSO right? It would really be helpful if Oracle could write up notes on the various combinations.

It's already there in the OAS documentation. For SSO to work we need Users and Groups from either the WebLogic Embedded LDAP or an External Authenticator like any LDAP (MSAD, MS ADLDS, Open LDAP, ODSEE, OID, OUD, etc.).
We Delegate Authentication to SAML IDP. We perform Authorization at the product level. So we need the same set of Users existing at the SAML IDP User Store to exist in the OAS WebLogic Admin Console to be configured as an Authenticator.
Also in the SAML/KERB SSO Docker MOS Note (SAML 2.0 and Kerberos Single Sign-On Configuration for Oracle Analytics Server (Doc ID 2761678.1)) we have given info on Configuring External Authenticator like MSAD and BISQLGroupProvider. Maybe we might have not given SQLAuthenticator, but one needs to check the OAS Documentation on multiple ways to get the users and groups on board if they need more info.
https://docs.oracle.com/en/middleware/bi/analytics-server/security-oas/configue-oracle-analytics-server-use-alternative-authentication-providers.html#GUID-BED8DEAA-A443-4DE5-8911-91985AB9F894

user1717232

ok thank you

user1717232

We do not have an LDAP that contains all the users. We do have a table that has users and groups (but no passwords). Would we be able to leverage Docker SSO with BISQLGroupProvider and SQLAuthenticator? We do not have an LDAP. We federate with various offices but do not have a central LDAP.

Please check this doc attached. (Maybe it's better not to attach the doc; if you want the doc, share your email and I can send it to you directly.) I used a static password. If you want, you can have a random number or a system date command execute and compare it as a user's password.
No real column in the table.
SELECT 'Welcome1' AS U_PASSWORD FROM USERS_VW WHERE U_NAME = ? (NOTE: pwd, for testing purpose)
Also, as I am using SSO, the password column is not important and real users should not use that PWD to log in. So I create a random number or static PWD or a system date function in the password query.
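
The random-value option mentioned in the post above, written out next to the static testing query as an added example (not from the original post or from Oracle's documents). `USERS_VW` and `U_NAME` are the names used in the post; `AUTH_SCHEMA` is a placeholder and the `DBMS_CRYPTO` grant is an assumption about the schema's privileges.

```sql
-- Added example, Oracle SQL. USERS_VW / U_NAME come from the post above.
-- The "?" is the bind placeholder filled in by the authenticator; when a
-- statement is pasted into the provider configuration, leave off the
-- trailing semicolon.

-- Testing form from the post: every row returns the same known value,
-- so the one string is a valid password for every user in the view.
SELECT 'Welcome1' AS U_PASSWORD
  FROM USERS_VW
 WHERE U_NAME = ?;

-- Random form: 32 bytes from the database CSPRNG, hex-encoded, generated
-- fresh on every lookup. Nothing a user types can match it, so password
-- login through this provider always fails and only the SSO path
-- (identity assertion) can establish a session for these users.
SELECT RAWTOHEX(DBMS_CRYPTO.RANDOMBYTES(32)) AS U_PASSWORD
  FROM USERS_VW
 WHERE U_NAME = ?;

-- One-time grant, run by a DBA, so the schema the authenticator connects
-- as can call DBMS_CRYPTO (AUTH_SCHEMA is a placeholder name).
GRANT EXECUTE ON SYS.DBMS_CRYPTO TO AUTH_SCHEMA;
```

A system-date expression or `DBMS_RANDOM` output is predictable and is a weaker choice than `DBMS_CRYPTO.RANDOMBYTES` for this column.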

user1717232

Are you reachable through Oracle support?

user1717232

I have the DB authenticator working. However, what identity asserter do I use? So I have the Docker SSO configured and the DB authenticator. When I log in via the federated URL I end up at the username/password screen in OAS. I have confirmed that my user and associated groups appear in the WebLogic console.

user1717232

No, I do not have it working. I end up at the username/password screen in OAS.

user1717232

So I have the UserGroupDBAuthenticator working and I have updated the adapter to use the database as an LDAP. I can see users in the WebLogic Console and I see the groups as well. There are no SQL errors in the out log. However, after I get passed from Docker SSO to OAS I end up at the OAS login screen. What am I missing? Any help would be appreciated.

please approach me at
veera.raghavendra.rao@oracle.com

user1717232

So I have SSO working and in the WebLogic Console I can see the users and the groups from the DB LDAP. However, when I log into OAS my application roles are not populated from the table. Any ideas what I could be missing? All the roles do appear in Enterprise Manager (my ID is not listed in any of the groups but not sure they would).

user1717232

Once I added the group to the role in Enterprise Manager, this solved the problem.
