AD SSO with Oracle Analytics Cloud - Oracle Open World 18
Becky Wagner, Sr BI Architect
E: bwagner@us-analytics.com T: @Bec_Wagner
Active Directory and Single Sign-On
with Oracle Analytics Cloud (OAC)
October 24th, 2018 Oracle Open World Marquis Nob Hill C/D
https://www.us-analytics.com/oac-active-directory-single-sign-on
AGENDA
1. OAC Options – Customer Case
2. AD Bridge
3. SAML 2.0 ADFS
4. Direct SSO vs Link
5. Trouble Spots
BECKY WAGNER
WHO AM I?
§ Wife; Mother of 3 (ages 16, 13, and 9);
§ 2nd degree black belt in Tae Kwon Do
§ Red Cross Blood Drive Coordinator
§ ODTUG BI Community Leader
§ Oracle ACE Associate
§ Sr BI Architect at US-Analytics
§ 14 years in IT
§ Email: bwagner@us-analytics.com
§ Twitter: @Bec_Wagner
§ LinkedIn: https://www.linkedin.com/in/rebecca-wagner-bb356924/
§ IRC Channel (Telegram): #obihackers
Who is US-Analytics?
BY THE NUMBERS
• 80+ EPM and BI professionals with 12+ years of experience
• 19+ years in business with continued growth
• >600 clients
• 1,500+ engagements with
US-Analytics: Customer Case – Enterprise-worthy OAC
Large Financial Management Customer
• Security is highest priority
• Waited to start project until AD integration was available
• VPNaaS to Palo Alto NextGen Firewalls
• Private IP ranges
• Access from within the network only
• OAC with IDCS (Identity Cloud)
• Migrating from OBIEE 11g to OAC
• AD integration required (8000+ users, 14000+ groups)
• SSO was highly desirable
AD Bridge
Besides following the tutorial, what you need:
• Must install on a server joined to the AD domain
• A user with rights to install software
• A user with the following AD rights:
  • Read for all users and groups in the domain
  • Read for all OUs
• If you are using an AD user set up specifically for this AD Bridge, the exact permissions can be found here:
  https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/creating-bridge.html
• Tutorial for AD Bridge:
  https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_idbridge_obe/idbridge.html
AD Bridge - Roadmap
1. Download From IDCS
2. Install On Domain-Joined Server
3. Configure Users and Groups
4. Import in IDCS
5. Verify
*Note: OAC comes with IDCS Foundation. AD Bridge is in IDCS Basic.
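The prerequisites above (domain-joined host, an installer with local admin rights, a bridge account that can read every user, group and OU it will sync) can be checked before step 2 of the roadmap instead of discovering them from sync errors later. The script below is an added example, not part of the slides or Oracle's tutorial. It assumes the RSAT ActiveDirectory module is installed on the candidate server, that you supply the AD account the bridge will bind with, and that $SyncSearchBase is the OU you intend to sync (it defaults to the domain root). The reads are done as the bridge account, not as you, so the result reflects that account's rights.

```powershell
# Added example (not from the slides or Oracle's AD Bridge tutorial).
# Pre-install check for an AD Bridge host. Assumes RSAT ActiveDirectory module.
param(
    # DN of the OU the bridge will sync; defaults to the domain root. (assumed input)
    [string]$SyncSearchBase,
    # AD account the bridge will be configured with. (assumed input)
    [pscredential]$BridgeCredential = (Get-Credential -Message 'AD account the bridge will bind with')
)
Import-Module ActiveDirectory -ErrorAction Stop
$problems = [System.Collections.Generic.List[string]]::new()

# 1. The host must be joined to the domain the bridge will read.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) { Write-Host "Domain-joined: $($cs.Domain)" }
else { $problems.Add("$($cs.Name) is not domain-joined") }

# 2. The installer registers a Windows service, so it needs a local administrator.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems.Add('Current session is not running as a local administrator')
}

# 3. Bind to a DC *as the bridge account* so the reads reflect its rights, not yours.
$domain = Get-ADDomain
if (-not $SyncSearchBase) { $SyncSearchBase = $domain.DistinguishedName }
$ad = @{ Server = $domain.PDCEmulator; Credential = $BridgeCredential; ErrorAction = 'Stop' }
try {
    $ous    = @(Get-ADOrganizationalUnit -Filter * -SearchBase $SyncSearchBase @ad)
    $users  = @(Get-ADUser  -Filter * -SearchBase $SyncSearchBase -Properties mail @ad)
    $groups = @(Get-ADGroup -Filter * -SearchBase $SyncSearchBase @ad)
    Write-Host ("Readable as {0}: {1} OUs, {2} users, {3} groups" -f `
        $BridgeCredential.UserName, $ous.Count, $users.Count, $groups.Count)

    # The bridge keys users on e-mail; users without a mail attribute surface later
    # as sync errors in the bridge log, so list them before the first import.
    $noMail = @($users | Where-Object { -not $_.mail })
    if ($noMail.Count) {
        $problems.Add("$($noMail.Count) user(s) under $SyncSearchBase have no mail attribute")
        $noMail | Select-Object -First 10 SamAccountName, DistinguishedName | Format-Table -AutoSize
    }
} catch {
    $problems.Add("LDAP read as $($BridgeCredential.UserName) failed: $($_.Exception.Message)")
}

if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'All AD Bridge prerequisites satisfied.'
```

Run it as `.\Check-AdBridgePrereqs.ps1 -SyncSearchBase 'OU=Corp,DC=contoso,DC=com'` on the server you plan to install on; a non-zero exit means at least one prerequisite (or a user without e-mail) needs attention before step 4, Import in IDCS.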
AD Bridge – Detailed Steps Part 1
• Browser - IDCS, navigate to Directory Integration and click Add
• Copy the URL, Client ID and Client Secret
• Click Download
• Click Run and Next, Next, Next
• Enter the URL, ID and Secret and Test
• If successful, click Next
• Enter AD Domain User and Password and Test
• If successful, click Next
AD Bridge – Detailed Steps Part 2
• Browser – IDCS Directory Integration is now partially configured
• Expand the OUs and check the appropriate OU for users
• Repeat for groups
• Click Attribute Mappings; delete the mappings you don't need, but don't change the ones you keep
• Save, Refresh, Import
• Verify by clicking the Users tab in the left menu
AD Bridge – The More You Know
• It becomes a Windows service. Note that this service is running and starts automatically
• Find the AD Bridge Config Utility at C:\Program Files\IDBridge\IDBridgeUI.exe
• Click on View Logs – highly important to note the log locations
• Each sync run has a size limit; it will continue at the configured frequency until fully synced
• Errors will have details in the logs, such as a missing email or some other attribute issue
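Because the bridge is a service whose logs are the only real signal of progress (and, per the Trouble Spots later in the deck, the logs can stop while the service still shows Running and IDCS still shows Active), a periodic health check should look at the log, not just the service. The script below is an added example, not from the slides or Oracle's documentation. It assumes the service name or display name contains "Bridge" (confirm in services.msc and adjust $ServicePattern), that $LogDir is the folder shown by IDBridgeUI.exe > View Logs, and that error lines contain words like ERROR or Exception; all three are assumptions, not documented facts.

```powershell
# Added example (not from the slides or Oracle docs): AD Bridge health check.
param(
    [Parameter(Mandatory)][string]$LogDir,        # folder shown by IDBridgeUI.exe > View Logs
    [string]$ServicePattern = '*Bridge*',         # assumed; check services.msc for the real name
    [int]$SyncIntervalMinutes = 60,               # the sync frequency configured in IDCS
    [string]$ErrorPattern = 'ERROR|Exception|missing'   # assumed log wording
)
$result = [ordered]@{}

# 1. Service state: it should be Running and set to Automatic start.
$svc = @(Get-Service | Where-Object { $_.Name -like $ServicePattern -or $_.DisplayName -like $ServicePattern })
if (-not $svc.Count) { throw "No Windows service matches '$ServicePattern'" }
$svc = $svc[0]
$result.Service   = $svc.DisplayName
$result.Status    = $svc.Status
$result.StartType = $svc.StartType

# 2. "Logs stop while the service still shows Running": a Running service that has not
#    written a log line in two sync intervals is treated as stale.
$newest = Get-ChildItem -Path $LogDir -File -ErrorAction Stop |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $newest) { throw "No log files found in $LogDir" }
$ageMin = [int]((Get-Date) - $newest.LastWriteTime).TotalMinutes
$result.NewestLog = $newest.Name
$result.LogAgeMin = $ageMin
$result.LogStale  = $ageMin -gt (2 * $SyncIntervalMinutes)

# 3. Recent errors (e.g. users with a missing email attribute) from the tail of that log.
$errors = @(Get-Content -Path $newest.FullName -Tail 2000 | Select-String -Pattern $ErrorPattern)
$result.RecentErrorLines = $errors.Count
$errors | Select-Object -Last 5 | ForEach-Object { Write-Host $_.Line }

[pscustomobject]$result
# Non-zero exit so the check can feed a scheduled task or monitoring job.
if ($result.Status -ne 'Running' -or $result.LogStale) { exit 1 }
```

Schedule it at the sync interval; the exit code flags the "service up, sync dead" case the GUI does not, and the last error lines tell you whether the import is stalled on data (missing mail attributes) rather than on the service.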
ADFS & Single Sign-On – SAML 101
[Image: SAML SSO flow diagram, from https://developers.onelogin.com/assets/img/pages/saml/sso-diagram.svg]
ADFS & Single Sign-On – Detailed Steps Part 1
1. Download the ADFS Metadata File
• https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml
• If the browser renders the XML instead of showing the tags, right-click, View Source, and save that
2. IDCS Identity Provider Setup
• Add SAML IDP
• Name, Next, upload FederationMetadata.xml, Requested NameID – Email Address, Next, Finish
• Don't click Export – use the following URL to download the IDCS metadata XML instead:
• https://MYTENANT.identity.oraclecloud.com/fed/v1/metadata?adfsmode=true
Tutorial: https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_adfs_obe/adfs.html
ADFS & Single Sign-On – Detailed Steps Part 2
3. In the AD FS management console add a Relying Party Trust
• Import the IDCS metadata XML, Next, Name, Next, Next, Next, Next, Finish
• Add Claim Rules:
  1. Send LDAP Attributes as Claims: Name – Email, Attribute Store – Active Directory,
     LDAP Attribute – E-Mail-Addresses (the AD mail attribute), Outgoing Claim Type – E-Mail Address
  2. Transform an Incoming Claim: Name – Name ID, Incoming claim type – E-Mail Address,
     Outgoing claim type – Name ID, Outgoing name ID format – Email
4. IDCS Configuration
• Drop-down – select Activate; drop-down again – select Show on Login Page
• IDP Policies – click Default and then assign the new ADFS IdP
Tutorial: https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_adfs_obe/adfs.html
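Steps 1 and 3 above (fetch the AD FS metadata, fetch the IDCS metadata in adfsmode format, create the relying party trust, add the two claim rules) can be scripted on the AD FS server, which also makes the two GUI claim rules visible as claim-rule language so they can be reviewed and repeated in another environment. The script below is an added example, not from the slides or Oracle's tutorial. It assumes you run it as an AD FS administrator on the AD FS server, that $IdcsTenantHost is your tenant's identity.oraclecloud.com host name, and that the trust name is arbitrary; the two rules are the scripted form of the GUI rules on this slide.

```powershell
# Added example (not from the slides or Oracle's tutorial): scripted AD FS side of the
# IDCS trust. Run on the AD FS server as an AD FS administrator.
param(
    [Parameter(Mandatory)][string]$IdcsTenantHost,   # e.g. MYTENANT.identity.oraclecloud.com (assumed input)
    [string]$TrustName = 'Oracle Identity Cloud Service',   # arbitrary display name
    [string]$WorkDir = "$env:TEMP\idcs-fed"
)
Import-Module ADFS -ErrorAction Stop
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Step 1: the AD FS metadata IDCS needs, taken from AD FS's own well-known path
# (this is what you upload in the IDCS "Add SAML IDP" wizard).
$adfsHost     = (Get-AdfsProperties).HostName
$adfsMetadata = Join-Path $WorkDir 'FederationMetadata.xml'
Invoke-WebRequest -Uri "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml" -OutFile $adfsMetadata

# Step 3 input: IDCS metadata in the AD FS-specific format (adfsmode=true), NOT the
# Export button. Fetched over TLS from the tenant host, so the certificate is validated.
$idcsMetadata = Join-Path $WorkDir 'idcs-metadata.xml'
Invoke-WebRequest -Uri "https://$IdcsTenantHost/fed/v1/metadata?adfsmode=true" -OutFile $idcsMetadata

# Sanity check before trusting it: it must be SAML metadata with an entityID.
[xml]$md = Get-Content -Path $idcsMetadata -Raw
$entityId = $md.EntityDescriptor.entityID
if (-not $entityId) { throw 'Downloaded IDCS metadata has no EntityDescriptor/entityID' }
Write-Host "IDCS entityID: $entityId"

# The two GUI claim rules from this slide, as claim-rule language:
#   1. LdapClaims: AD "mail" attribute -> E-Mail Address claim
#   2. MapClaims:  E-Mail Address claim -> Name ID claim, format emailAddress
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization: the GUI wizard's "Permit all users" default.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $idcsMetadata `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Verify what was created: identifier should equal the IDCS entityID from the metadata.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Enabled, Identifier, @{n='SamlEndpoints';e={ $_.SamlEndpoints.Count }}
```

On AD FS 2016 and later you can replace `-IssuanceAuthorizationRules $authzRules` with `-AccessControlPolicyName 'Permit everyone'`, which is what the wizard applies there. Users whose AD `mail` attribute is empty get no Name ID from these rules and cannot sign in; that matches the deck's observation that the claim rules only worked with Email.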
ADFS & Single Sign-On, Video Walk-Through
https://youtu.be/FcULyV0mgFs
Removing Local Logins
Oracle Support Doc ID 2438952.1
OAC/OAAC: How To Disable IDCS Chooser Login Page and Get Redirected to Custom SSO
Login Page Directly in Oracle Analytics Cloud(OAC)
Once SSO via the link on the login page has been confirmed working:
• IDP Policies
  • Remove ADFS from the 'Default Identity Provider Policy'
  • Create a new IDP Policy
  • Assign ADFS to the policy
  • Assign the OAC application(s)
• Configure the application for a Redirect URL
  • Can be any URL (www.oracle.com), and doesn't actually affect behavior
Trouble Spots and Lessons Learned
Things to be on the lookout for

AD Bridge
• Sometimes logs stop while IDCS still shows Active and the service shows Running in Windows
• Logs path not in documentation; use the AD Bridge application and View Logs
• While checking OUs, be sure to expand and check lower levels (default now)
• Username – Email

ADFS
• IDCS uses SAML 2.0; for Windows Server 2016 we had to get a different ADFS XML file
• Don't download the Export IDCS metadata. ADFS needs a special format, which you can get from the URL:
  https://DOMAIN.oraclecloud.com/fed/v1/metadata?adfsmode=true

Direct SSO
• Security wants users to be authenticated by AD only
• EM, RPD Admin Tool and WebLogic Console are still direct login – can't use AD users
• Configure IDP Policy
• Sign Out redirects to OAC DV, still signed in. Can configure ADFS global sign-out and then the IDCS sign-out URL
RECAP

OAC Options
§ Security sensitive
§ IDCS private IP
§ Allows for AD and SSO integration

AD Bridge
§ Local AD domain-joined server
§ Find your logs

SAML 2.0 ADFS
§ Find your ADFS buddy
§ Claim Rules only worked with Email

Direct SSO or Link
§ Remove IDCS Chooser Page
§ Still need local login for EM, WebLogic Console and RPD Admin Tool
§ Sign Out – redirects to DV

Getting Fancy: HA AD Bridge – Docker style
https://www.oracle.com/technetwork/articles/idm/gutierrez-idcs-idbridge-3960710.html
Becky Wagner, Sr BI Architect
E: bwagner@us-analytics.com T: @Bec_Wagner
Questions?
October 24th, 2018 Oracle Open World, Marquis Nob Hill C/D
https://www.us-analytics.com/oac-active-directory-single-sign-on