Configuring Oracle Analytics Server for SAML 2.0 Single Sign-On (SSO) Using Mellon Authentication Module of Apache HTTP Server
(Doc ID 2902159.1)
Last updated on APRIL 04, 2024
Applies to:
Oracle Analytics Server on OCI Marketplace - Version 2022 (6.4) and later
Oracle Analytics Server - Version 2022 (6.4) and later
Information in this document applies to any platform.
Purpose
Disclaimer
The approach described in this document uses third party software (non-Oracle software) to provide SAML2 SSO with Oracle Analytics Server (OAS).
Oracle Analytics Server Support covers the configuration steps described in this document; however, support and maintenance of the third-party (non-Oracle) software is outside the scope of Oracle Analytics Server Support.
Where a fully-Oracle supported Single Sign-On solution with Oracle Analytics Server is required, Oracle Access Manager should be used instead.
The SAML SSO configuration steps documented for Oracle Business Intelligence (OBI) 11g or 12c are not valid for OAS. In OAS, modifying any application (.ear) files or any binary files is not supported; modifying the application files will cause certain resources to fail.
Follow the OAS documentation for OAM SSO and use the same Protected, Public and Excluded resources for SSO with SAML.
Configure custom SSO environments
There are many types of SSO tokens, but a basic implementation of a WebLogic Asserter recognizes a particular HTTP header or cookie (the token) that contains the authenticated user's UserID. The WebLogic Asserter retrieves the UserID from the token and passes it to the chain of WebLogic Authenticators. From this point on, authentication proceeds as for regular SSO.
Oracle Analytics Server's support for custom SSO starts at the point where a custom asserter correctly passes the authenticated user's UserID to the WebLogic chain of Oracle Analytics-certified authenticators.
Scope
Solution Overview
This is a hybrid solution. It does not require a Docker implementation (compare SAML 2.0 and Kerberos Single Sign-On Configuration for Oracle Analytics Server, Doc ID 2761678.1).
Configure the Apache HTTP Server as a reverse proxy in front of the OAS server with the mod_auth_mellon module, and define the Protected, Public and Excluded resources.
Apache with mod_auth_mellon acts as the SAML SP (service provider) towards the SAML IdP (identity provider); this is the SAML SSO part of the approach.
From Apache to the OAS WebLogic Server, SSO is HTTP header based.
In this solution, the WebLogic managed server (bi_serverN) port is blocked for public access so that OAS can only be reached via the Apache server.
The Apache HTTP Server can be installed on a separate server or the same OAS server.
User Access Flow
- User browser ------- /analytics, /dv, /xmlpserver -------> Apache.
- Apache ------- if the request is for a protected resource -------> mod_auth_mellon.
- Apache mod_auth_mellon ------- redirects to the IdP for authentication -------> SAML IdP.
- SAML IdP ------- responds with the authenticated user in a SAMLResponse -------> mod_auth_mellon.
- Apache with mod_auth_mellon ------- sends the authenticated user in an HTTP header -------> OAS WebLogic Server.
- OAS WebLogic Server ------- checks whether the user exists in the list of users, for authorization and to apply application roles -------> OAS Server.
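The following Apache configuration fragment is an added illustration of the solution overview and access flow above; it is not from this document or from Oracle. It shows the three pieces the flow relies on: mod_auth_mellon acting as the SAML SP, authentication forced only on the protected paths (/analytics, /dv, /xmlpserver), and the authenticated user forwarded to WebLogic in an HTTP header. All file paths, the host name, the SAML attribute name "uid", the backend port 9502, and the header name X-SSO-USER-HEADER-PLACEHOLDER are assumptions; the header name in particular must match whatever the WebLogic identity asserter is configured to read.

```apache
# Added example, not part of the original document or Oracle's own configuration.
# Paths, host names, attribute and header names below are assumptions.
LoadModule auth_mellon_module modules/mod_auth_mellon.so
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule headers_module     modules/mod_headers.so

<VirtualHost *:443>
    ServerName oas.example.com
    # TLS directives (SSLEngine, certificate files) omitted; the Mellon session
    # cookie must only travel over HTTPS (MellonSecureCookie below).

    # SP settings for the whole site. "info" loads the SP session if one exists
    # but does not force a login, so public and excluded paths stay reachable.
    <Location />
        MellonEnable "info"
        MellonEndpointPath "/mellon"
        MellonSPMetadataFile   /etc/httpd/mellon/sp-metadata.xml
        MellonSPPrivateKeyFile /etc/httpd/mellon/sp-private-key.pem
        MellonSPCertFile       /etc/httpd/mellon/sp-cert.pem
        MellonIdPMetadataFile  /etc/httpd/mellon/idp-metadata.xml
        MellonSecureCookie On
        # SAML attribute that carries the user ID (assumption: "uid").
        MellonUser "uid"
    </Location>

    # Protected resources: these force a redirect to the IdP when no SP session exists.
    <LocationMatch "^/(analytics|dv|xmlpserver)">
        MellonEnable "auth"
        AuthType "Mellon"
        Require valid-user
    </LocationMatch>

    # Forward the authenticated user to WebLogic. mod_auth_mellon exposes each
    # attribute as an environment variable named MELLON_<attribute>.
    # Always drop any copy of the header sent by the client first, so a caller
    # cannot supply their own user ID; then set it only when Mellon populated it.
    RequestHeader unset X-SSO-USER-HEADER-PLACEHOLDER
    RequestHeader set   X-SSO-USER-HEADER-PLACEHOLDER "%{MELLON_uid}e" env=MELLON_uid

    # Mellon's own endpoints (metadata, ACS, logout) are served locally, not proxied.
    ProxyPass        /mellon !
    ProxyPreserveHost On
    ProxyPass        /  http://oas-host.internal:9502/
    ProxyPassReverse /  http://oas-host.internal:9502/
</VirtualHost>
```

The unset/set pair on the user header is what makes the header-based leg of the flow trustworthy: WebLogic accepts the header value as an already-authenticated identity, so it must only ever originate from mod_auth_mellon. That guarantee also depends on the managed server port being reachable from the Apache host only, as the overview states; if clients can connect to bi_serverN directly, the header can be supplied without ever passing the SP.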
Details
In this Document
- Purpose
- Scope
- Details
- Protecting direct HTTP access to OBIPS
- References