Set Up User Access to Oracle Fusion Data Intelligence Using Single Sign-On

You can set up how users from Oracle Fusion Cloud Applications access Oracle Fusion Data Intelligence using single sign-on. This setup simplifies how you manage user names and passwords. You must complete this setup before you create your Oracle Fusion Data Intelligence instances except as indicated in scenarios #5 and #6 that require further setup after you create the Oracle Fusion Data Intelligence instance.

About Setting Up User Access to Oracle Fusion Data Intelligence Using Single Sign-On

Using single sign-on simplifies managing user access to Oracle Fusion Data Intelligence.

Users of Oracle Fusion Data Intelligence are mostly Oracle Fusion Cloud Applications users and those whom you create specifically in Oracle Fusion Data Intelligence. Setting up access to Oracle Fusion Data Intelligence for these users using single sign-on depends on whether identity domains are available in your cloud account or you're using Oracle Identity Cloud Service to manage the users.

Some Oracle Cloud regions use the Oracle Cloud Infrastructure Identity and Access Management (IAM) identity domains. See Identity Domain Overview. It's easy to determine whether or not your cloud account offers identity domains. In Oracle Cloud Infrastructure Console, navigate to Identity & Security. Under Identity, check for Domains.

The way you set up user access to Oracle Fusion Data Intelligence using single sign-on is based on when you created the cloud account for Oracle Fusion Cloud Applications and the cloud account in which you activated Oracle Fusion Data Intelligence.

Check your cloud account for Oracle Fusion Cloud Applications and Oracle Fusion Data Intelligence to know whether identity domains are available and then use these scenarios as applicable to set up user access to Oracle Fusion Data Intelligence using single sign-on:
  • Scenario 1 - Existing Oracle Fusion Cloud Applications in a cloud account that doesn’t offer identity domains and Oracle Fusion Data Intelligence activated in the same cloud account as Oracle Fusion Cloud Applications.
  • Scenario 2 - New Oracle Fusion Cloud Applications in a cloud account that offers identity domains and Oracle Fusion Data Intelligence activated in the same cloud account as Oracle Fusion Cloud Applications.
  • Scenario 3 - Existing Oracle Fusion Cloud Applications in a cloud account that doesn’t offer identity domains and Oracle Fusion Data Intelligence activated in a different pre-existing cloud account that doesn’t offer identity domains.
  • Scenario 4 - New Oracle Fusion Cloud Applications in a cloud account that offers identity domains and Oracle Fusion Data Intelligence activated in a different pre-existing cloud account that doesn’t offer identity domains.
  • Scenario 5 - Existing Oracle Fusion Cloud Applications in a cloud account that doesn’t offer identity domains and Oracle Fusion Data Intelligence activated in a different new cloud account that offers identity domains.
  • Scenario 6 - New Oracle Fusion Cloud Applications in a cloud account that offers identity domains and Oracle Fusion Data Intelligence activated in a different new cloud account that offers identity domains.

Set Up User Access to Oracle Fusion Data Intelligence Using Single Sign-On in Scenario #1

Scenario #1 applies to a single cloud account for Oracle Fusion Cloud Applications and Oracle Fusion Data Intelligence and the cloud account doesn't offer identity domains.

If you’re an existing user of Oracle Fusion Cloud Applications with Oracle Fusion Data Intelligence activated in the same cloud account as Oracle Fusion Cloud Applications and your cloud account doesn’t offer identity domains, then perform these steps:

  1. Complete the setup required for provisioning Oracle Fusion Data Intelligence with single sign-on.
  2. In the Oracle Cloud Infrastructure Console, click the Navigation menu icon, click Analytics & AI and then click Data Intelligence to create the Oracle Fusion Data Intelligence instance.

Set Up Provisioning with Single Sign-On

Provisioning Oracle Fusion Data Intelligence with single sign-on enables you to synchronize users and groups in Oracle Fusion Cloud Applications with Oracle Identity Cloud Service and then enable these users to access Oracle Fusion Data Intelligence.

Here's the list of tasks that you must complete in the order that they are listed.

  1. Ensure that you’ve the FA_GSI_Administrator role for the applicable Oracle Fusion Cloud Applications environment. You need this role to synchronize users and groups in Oracle Fusion Cloud Applications with the Oracle Identity Cloud Service instance specified in the Identity Cloud account associated with your Oracle Fusion Cloud Applications instance. See How to add FA_GSI_Administrator role to a user?
  2. Write down the Oracle Identity Cloud Service details in the mail notifying you of the Identity Cloud account associated with your Oracle Fusion Cloud Applications instance for later use.
  3. Set up synchronization of Oracle Fusion Cloud Applications with the Oracle Identity Cloud Service instance specified in the Identity Cloud account associated with your Oracle Fusion Cloud Applications instance.
  4. Federate the Oracle Identity Cloud Service instance specified in the Identity Cloud account associated with your Oracle Fusion Cloud Applications instance to the Oracle Cloud Infrastructure tenancy where Fusion Data Intelligence is provisioned.
  5. Sign in to the Oracle Cloud Infrastructure tenancy where Fusion Data Intelligence is provisioned using the federated Oracle Identity Cloud Service instance.
Copy and Store the Oracle Identity Cloud Service URL

Copy and store the Oracle Identity Cloud Service URL available in the mail notifying you of the Identity Cloud account associated with your Oracle Fusion Cloud Applications instance in a text file. You require this information while setting up the synchronization of Oracle Fusion Cloud Applications with the Oracle Identity Cloud Service instance.

As the administrator of Oracle Fusion Cloud Applications, you would have received emails notifying you of the Identity Cloud account associated with your Oracle Fusion Cloud Applications instance.
  1. From the email, copy the Oracle Identity Cloud Service URL for each of the development and production instances for each of the Oracle Fusion Cloud Applications environments and paste them in a text file.
  2. If the email isn’t available, then you can raise a service request to obtain information about the Identity Cloud account associated with your Oracle Fusion Cloud Applications instances. See Contact My Oracle Support. Alternatively, as the Oracle Cloud account administrator, access the My Services Dashboard to obtain this information; see About My Services Dashboard.
Set Up Synchronization of Oracle Fusion Cloud Applications with Oracle Identity Cloud Service

Set up the synchronization of Oracle Fusion Cloud Applications with the Oracle Identity Cloud Service instance specified in the Identity Cloud account associated with your Oracle Fusion Cloud Applications instance. This synchronization gets the Oracle Fusion Cloud Applications users and groups into the applicable Oracle Identity Cloud Service instance that enables these users to access Oracle Fusion Data Intelligence.

To set up this synchronization, you need the client ID and secret from the Identity Cloud account associated with your Oracle Fusion Cloud Applications instance.
  1. Sign in to Oracle Identity Cloud Service using the URL that you obtained in Copy and Store the Oracle Identity Cloud Service URL.
  2. Navigate to Home, click the Navigator menu, click Oracle Cloud Services, and then click Oracle Fusion Cloud Applications.
  3. Open a text file, copy the URL from the browser until “identity.oraclecloud.com”, and paste it in the text file.
    Sample format of the URL is https://idcs-<Oracle Identity Cloud Service stripe ID>.identity.oraclecloud.com/. For example, in the url https://idcs-12ab34c56789.identity.oraclecloud.com:443, copy https://idcs-12ab34c56789.identity.oraclecloud.com.
  4. On the Oracle Fusion Cloud Applications page, click Configuration, expand General Information, copy the client ID and paste it in the text file. Then click Show Secret, copy the text, paste it in the text file, and then save the text file.
  5. On the Oracle Fusion Cloud Applications page, under Configuration, expand Client Configuration, scroll down, and click Add.
  6. In Add App Role, select Application Administrator and Identity Domain Administrator and then click Add.
  7. On the Oracle Fusion Cloud Applications page, click Provisioning, and then select Enable Provisioning.
  8. Under Select Provisioning Operations, select Authoritative Sync, and then select Enable Synchronization.
  9. Under Provisioning, expand Configure Connectivity, and click Test Connectivity. Then click Save.
  10. Confirm that the synchronization of Oracle Fusion Cloud Applications with Oracle Identity Cloud Service was set up successfully by viewing the users and groups along with user to groups mappings before and after synchronization.
Federate the Oracle Identity Cloud Service Instance to Your Oracle Cloud Infrastructure Tenancy

Federate the Oracle Identity Cloud Service associated with your Oracle Fusion Cloud Applications instance to the Oracle Cloud Infrastructure tenancy where Oracle Fusion Data Intelligence is provisioned to connect them and enable the usage of a single set of sign-in credentials.

Use the text file in which you had previously saved the URL, client ID, and client secret. See Set Up Synchronization of Oracle Fusion Cloud Applications with Oracle Identity Cloud Service. After you've connected the Oracle Identity Cloud Service instance to the Oracle Cloud Infrastructure tenancy, use the new identity provider to sign in to Oracle Cloud Infrastructure.
  1. Sign in to your Oracle Cloud account that contains the tenancy where Oracle Fusion Data Intelligence is provisioned (in certain cases this can be same as your Oracle Fusion Cloud Applications account).
  2. On the Oracle Cloud Home, navigate to Identity and then click Federation.
  3. On the Federation page, click Add Identity Provider.
  4. On the Add Identity Provider page, use lower case to enter a Name and add a description.
  5. Select Oracle Identity Cloud Service, and enter the URL, client ID, and client secret that you had previously saved in a text file.
  6. Scroll down and click Continue at the bottom of the Add Identity Provider page.
  7. In the next page, map IDCS_Administrators under Identity Provider Group to Administrators under OCI Group and click Add Provider.
  8. On the Federation page, view and write down the name of the new identity provider.
Sign in to Oracle Cloud Infrastructure using the Federated Oracle Identity Cloud Service Instance

You must sign in to Oracle Cloud Infrastructure using the federated Oracle Identity Cloud Service instance to create your Oracle Fusion Data Intelligence instance.

  1. Sign in to the Oracle Cloud Infrastructure by selecting the tenancy where Oracle Fusion Data Intelligence is provisioned and under Single Sign-On (SSO), select the identity provider that you added in Federate the Oracle Identity Cloud Service Instance to Your Oracle Cloud Infrastructure Tenancy.
  2. In the Oracle cloud account Sign In dialog, click Oracle Fusion Cloud Applications.
  3. In the Sign In Oracle Fusion Cloud Applications dialog, enter your Oracle Fusion Cloud Applications credentials and click Sign In.
    You see the Oracle Cloud Infrastructure's Console Home page.

Set Up User Access to Oracle Fusion Data Intelligence Using Single Sign-On in Scenario #2

Scenario #2 applies to a single cloud account for Oracle Fusion Cloud Applications and Oracle Fusion Data Intelligence and the cloud account offers identity domains.

If you’re a new user of Oracle Fusion Cloud Applications with Oracle Fusion Data Intelligence activated in the same cloud account as Oracle Fusion Cloud Applications and your cloud account offers identity domains, then perform these steps:

  1. Set up the JWT Based authentication for Oracle Fusion Data Intelligence.
    See Configure JWT Authentication Provider. While configuring the token-based authentication, ensure that you enter FAWServiceJWTIssuer as the trusted issuer.
  2. Use the Oracle Cloud Infrastructure Console and add these policies to enable users from the identity domain associated with Oracle Fusion Cloud Applications to access the Oracle Fusion Data Intelligence compartments:
    Allow group '<DomainName>'/'<GroupName>' to manage analytics-warehouses in 
          tenancy
          Allow group '<DomainName>'/'<GroupName>' to manage
            analytics-instances in 
          tenancy
          Allow group '<DomainName>'/'<GroupName>' to manage
            autonomous-database-family 
          in tenancy
          Allow group '<DomainName>'/'<GroupName>' to manage all-resources
            in 
          compartment <compartment name>

    See "To create a policy" in Managing Policies.

  3. Copy and paste into a text file the URL of your Oracle Fusion Cloud Applications instance for later use. You specify this URL as the source Oracle Fusion Cloud Applications while creating the Oracle Fusion Data Intelligence instance.
  4. In Oracle Cloud Infrastructure, sign in to the cloud account where both Oracle Fusion Cloud Applications and Oracle Fusion Data Intelligence services have been activated using your cloud account administrator credentials.
  5. On the Oracle Cloud Infrastructure Sign-in page, choose the domain that’s corresponding to the Oracle Fusion Cloud Applications instance that you want to specify as the source while creating the Oracle Fusion Data Intelligence instance.
  6. In the Oracle Cloud Infrastructure Console, click the Navigation menu icon, click Analytics & AI and then click Data Intelligence to create the Oracle Fusion Data Intelligence instance.

Set Up User Access to Oracle Fusion Data Intelligence Using Single Sign-On in Scenario #3

Scenario #3 applies to separate cloud accounts for Oracle Fusion Cloud Applications and Oracle Fusion Data Intelligence and both the cloud accounts don't offer identity domains.

If you’re an existing user of Oracle Fusion Cloud Applications in a cloud account that doesn’t offer identity domains with Oracle Fusion Data Intelligence activated in a different existing cloud account that doesn’t offer identity domains, then perform these steps:

  1. Complete the steps listed in Set Up Provisioning with Single Sign-On.
  2. In the Oracle Cloud Infrastructure Console, click the Navigation menu icon, click Analytics & AI and then click Data Intelligence to create the Oracle Fusion Data Intelligence instance.

Set Up User Access to Oracle Fusion Data Intelligence Using Single Sign-On in Scenario #4

Scenario #4 applies to separate cloud accounts for Oracle Fusion Cloud Applications and Oracle Fusion Data Intelligence with one cloud account offering identity domains and another not offering identity domains.

If you’re a new user of Oracle Fusion Cloud Applications in a cloud account that offers identity domains with Oracle Fusion Data Intelligence activated in a different existing cloud account that doesn’t offer identity domains, then you must federate the identity domain associated with Oracle Fusion Cloud Applications to the Oracle Cloud Infrastructure tenancy where Oracle Fusion Data Intelligence is provisioned. During provisioning of Oracle Fusion Cloud Applications in a cloud account that offers identity domains, typically the Oracle Fusion Cloud Applications users and groups are synchronized automatically with the identity domain. In case the Oracle Fusion Cloud Applications users and groups aren't synchronized automatically with the identity domain, then you must manually enable the synchronization before performing the steps listed in this section. See Synchronize Users from Your Oracle Fusion Cloud Applications Instance with the Identity Domain.

  1. Copy and store the details of the identity domain associated with the Oracle Fusion Cloud Applications instance.
  2. Federate the identity domain associated with Oracle Fusion Cloud Applications to the Oracle Cloud Infrastructure tenancy where Oracle Fusion Data Intelligence is provisioned.
  3. Sign in to Oracle Cloud Infrastructure using the federated identity domain to create your Oracle Fusion Data Intelligence instance.
  4. In the Oracle Cloud Infrastructure Console, click the Navigation menu icon, click Analytics & AI and then click Data Intelligence to create the Oracle Fusion Data Intelligence instance.

Copy and Store Details of the Identity Domain

Copy and store the client ID, client secret, and the URL of the identity domain associated with the Oracle Fusion Cloud Applications instance in a text file to use while federating the identity domain with the Oracle Cloud Infrastructure tenancy where Oracle Fusion Data Intelligence is provisioned.

  1. Sign in to the Oracle Cloud Infrastructure Console using the credentials of the cloud account associated with Oracle Fusion Cloud Applications.
  2. In the Navigator menu, click Identity & Security and on the Identity & Security page, click Domains.
  3. On the Domains page, click the identity domain associated with the Oracle Fusion Cloud Applications instance.
  4. On the domain Overview page, in the Domain information section, copy the domain url till identity.oraclecloud.com. For example, in the domain url https://idcs-12ab34c56789.identity.oraclecloud.com:443, copy https://idcs-12ab34c56789.identity.oraclecloud.com.
  5. On the domain Overview page, click Oracle Cloud Services and then click Oracle Fusion Cloud Applications.
  6. On the Oracle Fusion Cloud Applications page, click Configuration.
  7. Under General Information, copy the Client ID and paste into a text file.
  8. In Client Secret, click Show Secret, copy the secret, and paste into a text file.

Federate the Identity Domain to Your Oracle Cloud Infrastructure Tenancy

Federate the identity domain associated with your Oracle Fusion Cloud Applications instance to the Oracle Cloud Infrastructure tenancy where Oracle Fusion Data Intelligence is provisioned. This federation enables users to sign in to Oracle Fusion Data Intelligence using their Oracle Fusion Cloud Applications credentials.

  1. Sign in to your Oracle Cloud account that contains the tenancy where Oracle Fusion Data Intelligence is provisioned.
  2. On the Oracle Cloud Home, navigate to Identity and then click Federation.
  3. On the Federation page, click Add Identity Provider.
  4. On the Add Identity Provider page, enter a name and description.
  5. Select Oracle Identity Cloud Service as Type.
  6. Enter the URL of the identity domain, client ID, and client secret that you had saved in a text file. See Copy and Store Details of the Identity Domain.
  7. Scroll down and click Continue at the bottom of the Add Identity Provider page.
  8. In the next page, map Domain_Administrators group under Identity Provider Group with Administrators group under OCI Group and click Add Provider.

Sign in to Oracle Cloud Infrastructure using the Federated Identity Domain

You must sign in to Oracle Cloud Infrastructure using the federated identity domain associated with your Oracle Fusion Cloud Applications instance to create the Oracle Fusion Data Intelligence instance.

  1. Sign in to the Oracle Cloud Infrastructure by selecting the tenancy where Oracle Fusion Data Intelligence is provisioned and under Single Sign-On (SSO), select the identity provider that you added in Federate the Identity Domain to Your Oracle Cloud Infrastructure Tenancy.
  2. In the Oracle Cloud Account Sign In dialog, click Oracle Fusion Cloud Applications.
  3. In the Sign In Oracle Fusion Cloud Applications dialog, enter your Oracle Fusion Cloud Applications credentials and click Sign In.
    You see the Oracle Cloud Infrastructure's Console Home page.

Synchronize Users from Your Oracle Fusion Cloud Applications Instance with the Identity Domain

Synchronize users from your Oracle Fusion Cloud Applications instance with the identity domain in the cloud account associated with Oracle Fusion Cloud Applications.

  1. Sign in to the Oracle Cloud Infrastructure Console using your Oracle Fusion Cloud Applications credentials.
  2. In the Oracle Cloud Infrastructure Navigator menu, click Identity & Security and then in the Identity & Security pane, under Identity, click Domains.
  3. On the Domains page, navigate to the identity domain associated with the Oracle Fusion Cloud Applications instance that you plan to use while creating the Oracle Fusion Data Intelligence instance.
  4. Click Oracle Cloud Services from the menu options.
  5. On the Oracle Cloud Services page, click the Oracle Fusion Cloud Applications application.
  6. On the application page, click Provisioning and turn on the Enable provisioning switch.
  7. In the Select provisioning operations section, select the Authoritative Sync check box and turn on the Enable synchronization switch.
  8. Click Save changes.
  9. On the application page, click Import to initiate the synchronization process.
    After the process finishes, you see the list of users and groups synchronized from Oracle Fusion Cloud Applications in the identity domain.

Set Up User Access to Oracle Fusion Data Intelligence Using Single Sign-On in Scenario #5

Scenario #5 applies to separate cloud accounts for Oracle Fusion Cloud Applications and Oracle Fusion Data Intelligence and one cloud account offers identity domains and another doesn't.

If you’re an existing user of Oracle Fusion Cloud Applications in a cloud account that doesn’t offer identity domains with Oracle Fusion Data Intelligence activated in a different new cloud account that offers identity domains, then perform these steps:

  1. Synchronize the Oracle Fusion Cloud Applications users and roles with the Oracle Identity Cloud Service instance associated with it.
  2. Create a domain in the cloud account in which you activated Oracle Fusion Data Intelligence to control the authentication and authorization of the users who can sign in to Oracle Fusion Data Intelligence.
    Ensure that you select Free domain type but ignore the limits mentioned for the Free domain type because they aren’t applicable for Oracle Fusion Data Intelligence. See Creating Identity Domains and Creating an Identity Domain in Using the Console.
  3. Configure the GenericSCIM Template in the identity domain that you created in the cloud account in which you activated Oracle Fusion Data Intelligence for enabling synchronization of users, groups, and group mappings from the Oracle Identity Cloud Service instance associated with the Oracle Fusion Cloud Applications instance.
    While configuring the GenericSCIM template, use the GenericScim - Client Credentials template and in Select Provisioning Operation, choose Authoritative Sync. In the Configure connectivity section, provide these details of the source Oracle Identity Cloud Service or Identity from where the users are going to be synchronized:
    • Host Name: For example, (without the https)<idcs-source>.identity.oraclecloud.com or idcs-123456abcde123.identity.oraclecloud.com
    • Base URL: /admin/v1
    • Client ID: Enter the client ID you made note of from the confidential application.
    • Client Secret: Enter the client secret you made note of from the confidential application.
    • Scope: urn:opc:idm:__myscopes__
    • Authentication Server Url: For example, https://<idcs-source>.identity.oraclecloud.com/oauth2/v1/token or idcs-123456abcde123.identity.oraclecloud.com/oauth2/v1/token
    See Configure the Generic SCIM App Template.
  4. Configure single sign-on between the Oracle Identity Cloud Service instance associated with Oracle Fusion Cloud Applications and the identity domain associated with Oracle Fusion Data Intelligence.
  5. In the Oracle Cloud Infrastructure Console, create an Oracle Cloud Infrastructure policy to enable a domain user to create the Oracle Fusion Data Intelligence instance.
    While creating the policy, select the identity domain in which you plan to create the Oracle Fusion Data Intelligence instance and enter these policy statements:
    • Allow group '<DomainName>'/'<GroupName>' to manage analytics-warehouses in tenancy
    • Allow group '<DomainName>'/'<GroupName>' to manage analytics-instances in tenancy
    • Allow group '<DomainName>'/'<GroupName>' to manage autonomous-database-family in tenancy

    See To create a policy.

  6. In the Oracle Cloud Infrastructure Console, click the Navigation menu icon to navigate to Data Intelligence and create the Oracle Fusion Data Intelligence instance.
  7. Create an identity provider policy for single sign-on to ensure that the Oracle Fusion Data Intelligence sign-in page has an option to sign in with the Oracle Fusion Cloud Applications credentials.

    See Adding an Identity Provider Policy in Using the Console.

    On the Add IdP Rule page, in Assign identity providers select the SAML IDP that you created in Add an SAML Application; for example, the FAW-SSO SAML identity provider.

  8. Assign the ANALYTICSAPP_<faw-instance-name> and ANALYTICSINST_oax<faw-instance-name>-<id> analytics apps to the identity provider policy for single sign-on.
    When you attempt to authenticate through these apps, the only identity providers that appear in the Sign In page of these apps are the ones you assigned to the identity provider policy for single sign-on. For example, the FAW-SSO SAML identity provider. These apps were created when you created the Oracle Fusion Data Intelligence instance. See Adding Apps to the Policy in Using the Console.

Configure Single Sign-on Between Oracle Identity Cloud Service and Identity Domain

Configure single sign-on between the Oracle Identity Cloud Service instance associated with Oracle Fusion Cloud Applications and the identity domain associated with Oracle Fusion Data Intelligence to ensure that users can sign into Oracle Fusion Data Intelligence with their existing Oracle Fusion Cloud Applications credentials.

To configure single sign-on between the Oracle Identity Cloud Service instance associated with Oracle Fusion Cloud Applications and the identity domain associated with Oracle Fusion Data Intelligence, you must create a Security Assertion Markup Language (SAML) application in Oracle Identity Cloud Service. You then configure this SAML application with the details from the metadata XML file of the Oracle Fusion Data Intelligence identity domain.

Add an SAML Application

Add a Security Assertion Markup Language (SAML) application in the Oracle Identity Cloud Service associated with your Oracle Fusion Cloud Applications instance to provide a way to authenticate a user once and then communicate that authentication to multiple applications.

  1. Sign in to the Console of Oracle Identity Cloud Service associated with your Oracle Fusion Cloud Applications instance.
  2. In the Navigator menu, click Applications and on the Applications page, click Add.
  3. In Add Application, select SAML Application.
  4. On the Add SAML Application page, in the Details section, enter a name such as FAW-SSO and select the User can request access check box to enable the user to access the app.
  5. In the SSO Configuration section, click Download Identity Provider Metadata to download the metadata XML file of Oracle Identity Cloud Service associated with your Oracle Fusion Cloud Applications instance and save the metadata XML file to your local machine.
  6. Save and pause the configuration of this SAML application temporarily to collect certain values from the metadata XML file of the Oracle Fusion Data Intelligence identity domain. Don't sign off from Oracle Identity Cloud Service.
Copy Details from the Identity Domain Metadata File

Copy details from the metadata XML file of the Oracle Fusion Data Intelligence identity domain into a text file to use while configuring the SAML Application that you created.

  1. Sign in to the Oracle Cloud Infrastructure Console using the credentials of the domain that you created in the cloud account in which you activated Oracle Fusion Data Intelligence.
  2. In the Oracle Cloud Infrastructure Navigator menu, click Identity & Security and then in the Identity & Security pane, under Identity, click Domains.
  3. On the Domains page, navigate to the identity domain that you created in this cloud account and on the identity domain details page, click Security and then click Identity Providers.
  4. On the Identity provider (IdP) policies in the identity domain page, click Add IdP, and select Add SAML IdP from the dropdown list.
  5. On the Add SAML identity provider page, in the Add Details section, enter Name such as Fusion SSO Login.
  6. In the Configure IdP section, select the Import identity provider metadata radio button to choose and import the metadata XML file of Oracle Identity Cloud Service associated with your Oracle Fusion Cloud Applications instance that you previously downloaded to your local machine.
  7. In the Map Attributes section, select Unspecified if the Username for Oracle Identity Cloud Service associated with your Oracle Fusion Cloud Applications instance can be email or short name. If the Username is email, then select EmailAddress.
  8. In the Export section, download the metadata XML file of the Oracle Fusion Data Intelligence identity domain and its signing certificate.
  9. Open the metadata XML file of the Oracle Fusion Data Intelligence identity domain in a text editor and copy the values for entityID, AssertionConsumerService, and SingleLogoutService into another text file to use while configuring the SAML Application that you created.
  10. Return to configuring the SAML Application in the Console of Oracle Identity Cloud Service associated with your Oracle Fusion Cloud Applications instance.
Configure the SAML Application

Use the details from the metadata XML file of the Oracle Fusion Data Intelligence identity domain to configure the SAML Application that you created in the Oracle Identity Cloud Service associated with your Oracle Fusion Cloud Applications instance.

Return to creating the SAML application that you had paused in Add an SAML Application.
  1. On the Add SAML Application page, use the metadata XML file of the Oracle Fusion Data Intelligence identity domain and the signing certificate to enter values for Entity ID and Assertion Consumer URL in the General section.
  2. In Signing Certificate, click Upload to select the signing certificate of the Oracle Fusion Data Intelligence identity domain that you had previously downloaded and upload it.
  3. In NameID Format, select Unspecified and in NameID Value, select User Name.
  4. In Advanced Settings section, select the Include Signing Certificate in Signature and Enable Single Logout. Use the metadata XML file of the Oracle Fusion Data Intelligence identity domain and the signing certificate to enter values for Single Logout URL and Logout Response URL.
  5. Expand the Authentication and Authorization section and ensure that the Enforce Grants as Authorization option isn't selected.
  6. Click Finish and then click Activate.
  7. Navigate to the Oracle Fusion Data Intelligence identity domain, click the SAML application that you created to edit it.
  8. In Edit SAML identity provider, click Test Login to verify that you're able to login successfully.

Set Up User Access to Oracle Fusion Data Intelligence Using Single Sign-On in Scenario #6

Scenario #6 applies to separate cloud accounts for Oracle Fusion Cloud Applications and Oracle Fusion Data Intelligence and both the cloud accounts offer identity domains.

If you’re a new user of Oracle Fusion Cloud Applications in a cloud account that offers identity domains with Oracle Fusion Data Intelligence activated in a different new cloud account that offers identity domains, then perform these steps:

  1. Copy and paste into a text file the URL of your Oracle Fusion Cloud Applications instance for later use.
    You specify this URL as the source Oracle Fusion Cloud Applications while creating the Oracle Fusion Data Intelligence instance.
  2. Create a domain in the cloud account in which you activated Oracle Fusion Data Intelligence to control the authentication and authorization of the users who can sign in to Oracle Fusion Data Intelligence.
    Ensure that you select Free domain type but ignore the limits mentioned for the Free domain type because they aren’t applicable for Oracle Fusion Data Intelligence. See Creating Identity Domains and Creating an Identity Domain in Using the Console.
  3. Configure the GenericSCIM Template in the identity domain that you created in the cloud account in which you activated Oracle Fusion Data Intelligence for enabling synchronization of users, groups, and group mappings from the identity domain associated with the Oracle Fusion Cloud Applications instance.
    While configuring the GenericSCIM template, use the GenericScim - Client Credentials template and in Select Provisioning Operation, choose Authoritative Sync. In the Configure connectivity section, ensure that the host name is in this sample format (without the https): idcs-123456abcde123.identity.oraclecloud.com. See Configure the Generic SCIM App Template.
  4. Configure single sign-on between the identity domain associated with Oracle Fusion Cloud Applications and the identity domain associated with Oracle Fusion Data Intelligence.
  5. In Oracle Cloud Infrastructure Console, create an Oracle Cloud Infrastructure policy to enable a domain user to create the Oracle Fusion Data Intelligence instance.
    While creating the policy, select the identity domain in which you plan to create the Oracle Fusion Data Intelligence instance and enter these policy statements:
    • Allow group '<DomainName>'/'<GroupName>' to manage analytics-warehouses in tenancy
    • Allow group '<DomainName>'/'<GroupName>' to manage analytics-instances in tenancy
    • Allow group '<DomainName>'/'<GroupName>' to manage autonomous-database-family in tenancy

    See To create a policy.

  6. In the Oracle Cloud Infrastructure Console, click the Navigation menu icon to navigate to Data Intelligence and create the Oracle Fusion Data Intelligence instance.
  7. Create an identity provider policy for single sign-on to ensure that the Oracle Fusion Data Intelligence sign-in page has an option to sign in with the Oracle Fusion Cloud Applications credentials.

    See Adding an Identity Provider Policy in Using the Console.

    On the Add IdP Rule page, in Assign identity providers select the SAML IDP that you created in Add an SAML Application; for example, the FAW-SSO SAML identity provider.

  8. Assign the ANALYTICSAPP_<faw-instance-name> and ANALYTICSINST_oax<faw-instance-name>-<id> analytics apps to the identity provider policy for single sign-on.
    When you attempt to authenticate through these apps, the only identity providers that appear in the Sign In page of these apps are the ones you assigned to the identity provider policy for single sign-on. For example, the FAW-SSO SAML identity provider. These apps were created when you created the Oracle Fusion Data Intelligence instance. See Adding Apps to the Policy in Using the Console.

Configure Single Sign-on Between Two Identity Domains

Configure single sign-on between the the identity domain associated with Oracle Fusion Cloud Applications and the identity domain associated with Oracle Fusion Data Intelligence to ensure that users can sign into Oracle Fusion Data Intelligence with their existing Oracle Fusion Cloud Applications credentials.

To configure single sign-on between the identity domain associated with Oracle Fusion Cloud Applications and the identity domain associated with Oracle Fusion Data Intelligence, you must create a Security Assertion Markup Language (SAML) application using the Oracle Cloud Infrastructure Console. You then configure this SAML application with the details from the metadata XML file of the Oracle Fusion Data Intelligence identity domain.

Add an SAML Application

Add a Security Assertion Markup Language (SAML) application in the identity domain associated with your Oracle Fusion Cloud Applications instance to provide a way to authenticate a user once and then communicate that authentication to multiple applications.

  1. Sign in to the Oracle Cloud Infrastructure Console using the credentials of the cloud account associated with Oracle Fusion Cloud Applications.
  2. In the Navigator menu, click Applications and on the Applications page, click Add.
  3. In Add Application, select SAML Application.
  4. On the Add SAML Application page, in the Details section, enter a name such as FAW-SSO and select the User can request access check box to enable the user to access the app.
  5. In the SSO Configuration section, click Download Identity Provider Metadata to download the metadata XML file of the identity domain associated with your Oracle Fusion Cloud Applications instance and save the metadata XML file to your local machine.
  6. Save and pause the configuration of this SAML application temporarily to collect certain values from the metadata XML file of the Oracle Fusion Data Intelligence identity domain.
Copy Details from the Identity Domain Metadata File

Copy details from the metadata XML file of the Oracle Fusion Data Intelligence identity domain into a text file to use while configuring the SAML Application that you created.

  1. Sign in to the Oracle Cloud Infrastructure Console using your Oracle Fusion Data Intelligence service administrator credentials.
  2. In the Oracle Cloud Infrastructure Navigator menu, click Identity & Security and then in the Identity & Security pane, under Identity, click Domains.
  3. On the Domains page, navigate to the identity domain that you created in this cloud account and on the identity domain details page, click Security and then click Identity Providers.
  4. On the Identity provider (IdP) policies in the identity domain page, click Add IdP, and select Add SAML IdP from the dropdown list.
  5. On the Add SAML identity provider page, in the Add Details section, enter Name such as Fusion SSO Login.
  6. In the Configure IdP section, select the Import identity provider metadata radio button to choose and import the metadata XML file of the identity domain associated with your Oracle Fusion Cloud Applications instance that you previously downloaded to your local machine.
  7. In the Map Attributes section, select Unspecified if the Username for the identity domain associated with your Oracle Fusion Cloud Applications instance can be email or short name. If the Username is email, then select EmailAddress.
  8. In the Export section, download the metadata XML file of the Oracle Fusion Data Intelligence identity domain and its signing certificate.
  9. Open the metadata XML file of the Oracle Fusion Data Intelligence identity domain in a text editor and copy the values for entityID, AssertionConsumerService, and SingleLogoutService into another text file to use while configuring the SAML Application that you created.
  10. Return to configuring the SAML Application in the Oracle Cloud Infrastructure Console that you had previously signed into using the credentials of the cloud account associated with Oracle Fusion Cloud Applications.
Configure the SAML Application

Use the details from the metadata XML file of the Oracle Fusion Data Intelligence identity domain to configure the SAML Application that you created in the identity domain associated with your Oracle Fusion Cloud Applications instance.

Return to creating the SAML application that you had paused in Add an SAML Application.
  1. On the Add SAML Application page, use the metadata XML file of the Oracle Fusion Data Intelligence identity domain and the signing certificate to enter values for Entity ID and Assertion Consumer URL in the General section.
  2. In Signing Certificate, click Upload to select the signing certificate of the Oracle Fusion Data Intelligence identity domain that you had previously downloaded and upload it.
  3. In NameID Format, select Unspecified and in NameID Value, select User Name.
  4. In the Advanced Settings section, select the Include Signing Certificate in Signature and Enable Single Logout. Use the metadata XML file of the Oracle Fusion Data Intelligence identity domain and the signing certificate to enter values for Single Logout URL and Logout Response URL.
  5. Expand the Authentication and Authorization section and ensure that the Enforce Grants as Authorization option isn't selected.
  6. Click Finish and then click Activate.
  7. Navigate to the Oracle Fusion Data Intelligence identity domain, click the SAML application that you created to edit it.
  8. In Edit SAML identity provider, click Test Login to verify that you're able to login successfully.