My Oracle Support Banner

Configuring Oracle Analytics Server for SAML 2.0 Single Sign-On (SSO) Using Mellon Authentication Module of Apache HTTP Server (Doc ID 2902159.1)

Last updated on OCTOBER 31, 2022

Applies to:

Oracle Analytics Server on OCI Marketplace - Version 5.9.0 and later
Oracle Analytics Server - Version 5.9.0 and later
Information in this document applies to any platform.


The approach described in this document uses third party software (non-Oracle software) to provide SAML2 SSO with Oracle Analytics Server (OAS).
Oracle Analytics Server Support, covers the support on the configuration steps described in this document; however, support and maintenance for the third-party software (non-Oracle software) is outside of the scope of Oracle Analytics Server Support.

Where a fully-Oracle supported Single Sign-On solution with Oracle Analytics Server is required, Oracle Access Manager should be used instead.

The SAML SSO configuration steps documented for Oracle Business Intelligence (OBI) 11g or 12c are not valid for OAS. In OAS, it is not supported to modify any application (.ear) files or any binary files. Modifying the application files will cause certain resources to fail.
We need to follow the documentation of OAS for OAM SSO and implement/use the same Protected/Public/Excluded resources for SSO with SAML.



Solution Overview

This is a hybrid solution. This solution does not require a docker implementation, as per SAML 2.0 and Kerberos Single Sign-On Configuration for Oracle Analytics Server (Doc ID 2761678.1)

Configure Apache server as a proxy server in front of OAS Server with mod_auth_mellon plugin and define the Protected, Public and Excluded Resources.
Apache with mod_auth_mellon module acts as SAML SP (service provider) to SAML IDP (identity provider) as a SAML SSO approach.
Apache to OAS WebLogic Server is an HTTP Header based SSO approach.

In this solution, the Weblogic managed server (bi_serverN) port will be blocked for public access and allow only for access via the Apache Server.
The Apache HTTP Server can be installed on a separate server or the same OAS server.

User Access Flow

  1. User browser -------/analytics /dv /xmlpserver -------> Apache.
  2. Apache------- If it’s a protected resource access request -------> mod_auth_mellon.
  3. Apache mod_auth_mellon ------- redirects to IDP for Authentication -------> SAML IDP.
  4. SAML IDP ------- responds back with authenticated user in a SAMLResponse -------> mod_auth_mellon.
  5. Apache with mod_auth_mellon ------- sends the authenticated user in a HTTP Header -------> OAS WebLogic Server.
  6. OAS WebLogic Server ------- check if the user exists in the list of Users for authorization and to apply application roles ------->OAS Server.



To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document
 Protecting direct HTTP access to OBIPS

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.