My Oracle Support Banner

How to Configure SAML 2.0 SSO on Oracle Analytics Server With OKTA Identity Provider (IdP) Using Mellon Authentication Module of Apache HTTP Server (Doc ID 2927209.1)

Last updated on JULY 15, 2024

Applies to:

Oracle Analytics Server - Version 5.9.0 and later
Oracle Analytics Server on OCI Marketplace - Version 5.9.0 and later
Information in this document applies to any platform.


The main purpose of this document is to provide the configuration steps to implement SAML2 SSO for Oracle Analytics Server via Mellon Authentication Module of Apache HTTP Server using OKTA as Identity Provider(IdP)

The approach described in this document uses third party software (non-Oracle software) to provide SAML2 SSO with Oracle Analytics Server (OAS).
Oracle Analytics Server Support, covers the support on the configuration steps described in this document; however, support and maintenance for the third-party software (non-Oracle software e.g. - OKTA IdP, Apache HTTP Server, Loadbalancer etc) is outside of the scope of Oracle Analytics Server Support.

Where a fully-Oracle supported Single Sign-On solution with Oracle Analytics Server is required, Oracle Access Manager should be used instead.

The SAML SSO configuration steps documented for Oracle Business Intelligence (OBI) 11g or 12c are not valid for OAS. In OAS, it is not supported to modify any application (.ear) files or any binary files. Modifying the application files will cause certain resources to fail.
We need to follow the documentation of OAS for OAM SSO and implement/use the same Protected/Public/Excluded resources for SSO with SAML.



Solution Overview

This is a hybrid solution in which the high level steps are followed from generic document - Configuring Oracle Analytics Server for SAML 2.0 Single Sign-On (SSO) Using Mellon Authentication Module of Apache HTTP Server (Doc ID 2902159.1) and added additional steps with screen shots that needs to be configured at OKTA IdP end.

This solution does not require a docker implementation, as per SAML 2.0 and Kerberos Single Sign-On Configuration for Oracle Analytics Server (Doc ID 2761678.1)Configure Apache server as a proxy server in front of OAS Server with mod_auth_mellon plugin and define the Protected, Public and Excluded Resources.

Apache with mod_auth_mellon module acts as SAML SP (service provider) to SAML OKTA IDP (identity provider) as a SAML SSO approach.

Apache to OAS WebLogic Server is an HTTP Header based SSO approach.


In this solution, the Weblogic managed server (bi_serverN) port will be blocked for public access and allow only for access via the Apache Server.

The Apache HTTP Server can be installed on a separate server or the same OAS server.

User Access Flow

  1. User browser -------/analytics /dv /xmlpserver -------> Apache.
  2. Apache------- If it’s a protected resource access request -------> mod_auth_mellon.
  3. Apache mod_auth_mellon ------- redirects to Okta IDP for Authentication -------> SAML Okta IdP.
  4. SAML Okta IdP ------- responds back with authenticated user in a SAMLResponse -------> mod_auth_mellon.
  5. Apache with mod_auth_mellon ------- sends the authenticated user in a HTTP Header -------> OAS WebLogic Server.
  6. OAS WebLogic Server ------- check if the user exists in the list of Users for authorization and to apply application roles ------->OAS Server.



To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.