Set Up User Access to Oracle Fusion Data Intelligence Using Single Sign-On

You can set up how users from Oracle Fusion Cloud Applications access Oracle Fusion Data Intelligence using single sign-on. This setup simplifies how you manage user names and passwords. Complete this setup before you create your Oracle Fusion Data Intelligence instances, except where a step notes that further setup is required after you create the instance.

About Setting Up User Access to Oracle Fusion Data Intelligence Using Single Sign-On

Using single sign-on simplifies managing user access across applications.

Users of Oracle Fusion Data Intelligence are mostly Oracle Fusion Cloud Applications users and those whom you create specifically for Oracle Fusion Data Intelligence in the identity provider. Setting up access to Oracle Fusion Data Intelligence for these users using single sign-on depends on the identity domains available in your cloud accounts.

Oracle Cloud regions use the Oracle Cloud Infrastructure Identity and Access Management (IAM) identity domains. See Identity Domain Overview. It's easy to determine the presence of identity domains in your cloud account. In Oracle Cloud Infrastructure Console, navigate to Identity & Security. Under Identity, check for Domains.

Set up user access to Oracle Fusion Data Intelligence using single sign-on in either of these cases:
  • Oracle Fusion Cloud Applications and Oracle Fusion Data Intelligence are activated in the same cloud account. This is the recommended configuration: it saves time, cost, and complexity when you set up the security integration between Oracle Fusion Data Intelligence and Oracle Fusion Cloud Applications, and the ongoing user synchronization performs better.
  • Oracle Fusion Cloud Applications and Oracle Fusion Data Intelligence are activated in different cloud accounts. This configuration costs additional time, money, and complexity when you set up the security integration between Oracle Fusion Data Intelligence and Oracle Fusion Cloud Applications, and its ongoing synchronization performs less well.

Set Up User Access in case of a Single Cloud Account

Set up user access to Oracle Fusion Data Intelligence using single sign-on when Oracle Fusion Cloud Applications and Oracle Fusion Data Intelligence are activated in the same cloud account and the cloud account offers identity domains.

If you’re a new user of Oracle Fusion Cloud Applications with Oracle Fusion Data Intelligence activated in the same cloud account as Oracle Fusion Cloud Applications and your cloud account offers identity domains, then perform these steps:

  1. Set up the JWT Based authentication for Oracle Fusion Data Intelligence.
    See Configure JWT Authentication Provider. While configuring the token-based authentication, ensure that you enter FAWServiceJWTIssuer as the trusted issuer.
  2. Use the Oracle Cloud Infrastructure Console and add these policies to enable users from the identity domain associated with Oracle Fusion Cloud Applications to access the Oracle Fusion Data Intelligence compartments:
    Allow group '<DomainName>'/'<GroupName>' to manage analytics-warehouses in tenancy
    Allow group '<DomainName>'/'<GroupName>' to manage analytics-instances in tenancy
    Allow group '<DomainName>'/'<GroupName>' to manage autonomous-database-family in tenancy
    Allow group '<DomainName>'/'<GroupName>' to manage all-resources in compartment <compartment name>

    The last statement grants every permission on every resource in the named compartment, so point it at a compartment dedicated to Oracle Fusion Data Intelligence rather than the tenancy root compartment, and keep <GroupName> limited to the administrators who create and manage the instance.
    See "To create a policy" in Managing Policies.

  3. Copy and paste into a text file the URL of your Oracle Fusion Cloud Applications instance for later use. You specify this URL as the source Oracle Fusion Cloud Applications while creating the Oracle Fusion Data Intelligence instance.
  4. In Oracle Cloud Infrastructure, sign in to the cloud account where both Oracle Fusion Cloud Applications and Oracle Fusion Data Intelligence services have been activated using your cloud account administrator credentials.
  5. On the Oracle Cloud Infrastructure Sign-in page, choose the identity domain that corresponds to the Oracle Fusion Cloud Applications instance that you want to specify as the source while creating the Oracle Fusion Data Intelligence instance.
  6. In the Oracle Cloud Infrastructure Console, click the Navigation menu icon, click Analytics & AI and then click Data Intelligence to create the Oracle Fusion Data Intelligence instance.

Set Up User Access in case of Separate Cloud Accounts

Set up user access to Oracle Fusion Data Intelligence using single sign-on when Oracle Fusion Cloud Applications and Oracle Fusion Data Intelligence are activated in separate cloud accounts and both the cloud accounts offer identity domains.

If you’re a new user of Oracle Fusion Cloud Applications in a cloud account that offers identity domains with Oracle Fusion Data Intelligence activated in a different new cloud account that offers identity domains, then perform these steps:

  1. Copy and paste into a text file the URL of your Oracle Fusion Cloud Applications instance for later use.
    You specify this URL as the source Oracle Fusion Cloud Applications while creating the Oracle Fusion Data Intelligence instance.
  2. Create a domain in the cloud account in which you activated Oracle Fusion Data Intelligence to control the authentication and authorization of the users who can sign in to Oracle Fusion Data Intelligence.
    Select the Free domain type; the limits listed for that type don't apply to Oracle Fusion Data Intelligence. See Creating Identity Domains and Creating an Identity Domain in Using the Console.
  3. Configure the GenericSCIM Template in the identity domain that you created in the cloud account in which you activated Oracle Fusion Data Intelligence for enabling synchronization of users, groups, and group mappings from the identity domain associated with the Oracle Fusion Cloud Applications instance.
    While configuring the GenericSCIM template, use the GenericScim - Client Credentials template and in Select Provisioning Operation, choose Authoritative Sync. In the Configure connectivity section, enter the host name without the https:// scheme, in this sample format: idcs-123456abcde123.identity.oraclecloud.com. See Configure the Generic SCIM App Template.
  4. Configure single sign-on between the identity domain associated with Oracle Fusion Cloud Applications and the identity domain associated with Oracle Fusion Data Intelligence.
  5. In Oracle Cloud Infrastructure Console, create an Oracle Cloud Infrastructure policy to enable a domain user to create the Oracle Fusion Data Intelligence instance.
    While creating the policy, select the identity domain in which you plan to create the Oracle Fusion Data Intelligence instance and enter these policy statements:
    • Allow group '<DomainName>'/'<GroupName>' to manage analytics-warehouses in tenancy
    • Allow group '<DomainName>'/'<GroupName>' to manage analytics-instances in tenancy
    • Allow group '<DomainName>'/'<GroupName>' to manage autonomous-database-family in tenancy

    See To create a policy.

  6. In the Oracle Cloud Infrastructure Console, click the Navigation menu icon to navigate to Data Intelligence and create the Oracle Fusion Data Intelligence instance.
  7. Create an identity provider policy for single sign-on to ensure that the Oracle Fusion Data Intelligence sign-in page has an option to sign in with the Oracle Fusion Cloud Applications credentials.

    See Adding an Identity Provider Policy in Using the Console.

    On the Add IdP Rule page, in Assign identity providers select the SAML IDP that you created in Add an SAML Application; for example, the FAW-SSO SAML identity provider.

  8. Assign the ANALYTICSAPP_<faw-instance-name> and ANALYTICSINST_oax<faw-instance-name>-<id> analytics apps to the identity provider policy for single sign-on.
    When you attempt to authenticate through these apps, the only identity providers that appear in the Sign In page of these apps are the ones you assigned to the identity provider policy for single sign-on. For example, the FAW-SSO SAML identity provider. These apps were created when you created the Oracle Fusion Data Intelligence instance. See Adding Apps to the Policy in Using the Console.

Configure Single Sign-on Between Two Identity Domains

Configure single sign-on between the identity domain associated with Oracle Fusion Cloud Applications and the identity domain associated with Oracle Fusion Data Intelligence to ensure that users can sign in to Oracle Fusion Data Intelligence with their existing Oracle Fusion Cloud Applications credentials.

To configure single sign-on between the identity domain associated with Oracle Fusion Cloud Applications and the identity domain associated with Oracle Fusion Data Intelligence, you must create a Security Assertion Markup Language (SAML) application using the Oracle Cloud Infrastructure Console. You then configure this SAML application with the details from the metadata XML file of the Oracle Fusion Data Intelligence identity domain.

Add an SAML Application

Add a Security Assertion Markup Language (SAML) application in the identity domain associated with your Oracle Fusion Cloud Applications instance to provide a way to authenticate a user once and then communicate that authentication to multiple applications.

  1. Sign in to the Oracle Cloud Infrastructure Console using the credentials of the cloud account associated with Oracle Fusion Cloud Applications.
  2. In the Navigator menu, click Applications and on the Applications page, click Add.
  3. In Add Application, select SAML Application.
  4. On the Add SAML Application page, in the Details section, enter a name such as FAW-SSO and select the User can request access check box to enable the user to access the app.
  5. In the SSO Configuration section, click Download Identity Provider Metadata to download the metadata XML file of the identity domain associated with your Oracle Fusion Cloud Applications instance and save the metadata XML file to your local machine.
  6. Save and pause the configuration of this SAML application temporarily to collect certain values from the metadata XML file of the Oracle Fusion Data Intelligence identity domain.

Copy Details from the Identity Domain Metadata File

Copy details from the metadata XML file of the Oracle Fusion Data Intelligence identity domain into a text file to use while configuring the SAML Application that you created.

  1. Sign in to the Oracle Cloud Infrastructure Console using your Oracle Fusion Data Intelligence service administrator credentials.
  2. In the Oracle Cloud Infrastructure Navigator menu, click Identity & Security and then in the Identity & Security pane, under Identity, click Domains.
  3. On the Domains page, navigate to the identity domain that you created in this cloud account and on the identity domain details page, click Security and then click Identity Providers.
  4. On the Identity provider (IdP) policies in the identity domain page, click Add IdP, and select Add SAML IdP from the dropdown list.
  5. On the Add SAML identity provider page, in the Add Details section, enter Name such as Fusion SSO Login.
  6. In the Configure IdP section, select the Import identity provider metadata radio button to choose and import the metadata XML file of the identity domain associated with your Oracle Fusion Cloud Applications instance that you previously downloaded to your local machine.
  7. In the Map Attributes section, select Unspecified if the Username for the identity domain associated with your Oracle Fusion Cloud Applications instance can be email or short name. If the Username is email, then select EmailAddress.
  8. In the Export section, download the metadata XML file of the Oracle Fusion Data Intelligence identity domain and its signing certificate.
  9. Open the metadata XML file of the Oracle Fusion Data Intelligence identity domain in a text editor and copy into another text file the entityID attribute of the EntityDescriptor element, the Location of the AssertionConsumerService element, and the Location and ResponseLocation of the SingleLogoutService element, to use while configuring the SAML Application that you created.
  10. Return to configuring the SAML Application in the Oracle Cloud Infrastructure Console that you had previously signed into using the credentials of the cloud account associated with Oracle Fusion Cloud Applications.
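
Step 9 asks you to copy several values out of the metadata XML file by hand. The following is an added example, not Oracle's code, that performs the same extraction with Python's standard library so the values can be checked rather than eyeballed: it reads service-provider metadata of the shape the identity domain exports, selects the HTTP-POST AssertionConsumerService, reads both the Location and the ResponseLocation of SingleLogoutService (the two values the SAML application later needs as Single Logout URL and Logout Response URL), and fingerprints the signing certificate so it can be compared with the certificate downloaded in step 8. The embedded metadata document, its host names, paths and certificate bytes are constructed placeholders, not values from a real domain.

```python
"""Pull the SAML application values out of SP metadata (added example, not Oracle code).

The exported metadata of the Oracle Fusion Data Intelligence identity domain is
service-provider (SP) metadata. This parser extracts what the SAML application
form asks for: entityID, the AssertionConsumerService URL, the
SingleLogoutService URL and response URL, and a fingerprint of the signing
certificate to compare against the downloaded one. SAMPLE_METADATA is
constructed for this example; host names, paths and the certificate are placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Placeholder standing in for the DER certificate that real metadata carries.
PLACEHOLDER_CERT_DER = b"not-a-real-certificate-constructed-for-this-example"

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idcs-example.identity.oraclecloud.com:443/fed">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_POST}"
        Location="https://idcs-example.identity.oraclecloud.com/fed/v1/sp/slo"
        ResponseLocation="https://idcs-example.identity.oraclecloud.com/fed/v1/sp/slo/response"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{HTTP_ARTIFACT}"
        Location="https://idcs-example.identity.oraclecloud.com/fed/v1/sp/artifact" index="1"/>
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://idcs-example.identity.oraclecloud.com/fed/v1/sp/sso" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form certificate viewers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the values needed for the SAML application form, or raise ValueError."""
    root = ET.fromstring(xml_text)  # ElementTree does not expand external entities
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not root.get("entityID"):
        raise ValueError("not a SAML EntityDescriptor with an entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this looks like IdP metadata, not the SP export")

    # The console form wants the HTTP-POST endpoint; prefer the one marked default.
    post_acs = [e for e in sp.findall("md:AssertionConsumerService", NS) if e.get("Binding") == HTTP_POST]
    if not post_acs:
        raise ValueError("no HTTP-POST AssertionConsumerService")
    acs = next((e for e in post_acs if e.get("isDefault") == "true"), post_acs[0])

    # Logout responses go to ResponseLocation when it is present, otherwise to Location.
    slo = sp.find("md:SingleLogoutService", NS)
    slo_url = slo.get("Location") if slo is not None else None
    slo_response_url = (slo.get("ResponseLocation") or slo_url) if slo is not None else None

    # A KeyDescriptor without a "use" attribute serves both signing and encryption.
    cert_el = None
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert_el is not None:
                break
    cert_der = base64.b64decode("".join((cert_el.text or "").split())) if cert_el is not None else b""

    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "slo_url": slo_url,
        "slo_response_url": slo_response_url,
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "signing_cert_sha256": sha256_fingerprint(cert_der) if cert_der else None,
    }


if __name__ == "__main__":
    for key, value in parse_sp_metadata(SAMPLE_METADATA).items():
        print(f"{key:>22}: {value}")
```

To use it on the real export, pass the file contents to parse_sp_metadata. If it reports that there is no SPSSODescriptor, you have picked up the identity provider metadata downloaded from the Oracle Fusion Cloud Applications domain by mistake; that file is the one imported in step 6 and goes the other way.
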

Configure the SAML Application

Use the details from the metadata XML file of the Oracle Fusion Data Intelligence identity domain to configure the SAML Application that you created in the identity domain associated with your Oracle Fusion Cloud Applications instance.

Return to creating the SAML application that you had paused in Add an SAML Application.

  1. On the Add SAML Application page, in the General section, enter the entityID that you copied from the metadata XML file of the Oracle Fusion Data Intelligence identity domain as Entity ID and the AssertionConsumerService Location as Assertion Consumer URL.
  2. In Signing Certificate, click Upload to select the signing certificate of the Oracle Fusion Data Intelligence identity domain that you had previously downloaded and upload it.
  3. In NameID Format, select Unspecified and in NameID Value, select User Name.
  4. In the Advanced Settings section, select the Include Signing Certificate in Signature and Enable Single Logout check boxes. Enter the SingleLogoutService Location from the metadata XML file of the Oracle Fusion Data Intelligence identity domain as Single Logout URL and its ResponseLocation as Logout Response URL (if the element has no ResponseLocation attribute, use the Location for both).
  5. Expand the Authentication and Authorization section and ensure that the Enforce Grants as Authorization option isn't selected.
  6. Click Finish and then click Activate.
  7. Navigate to the Oracle Fusion Data Intelligence identity domain and click the SAML identity provider that you created there (for example, Fusion SSO Login) to edit it.
  8. In Edit SAML identity provider, click Test Login to verify that you can log in successfully.