OAC : How to Connect to Oracle Fusion HCM-OTBI from OAC DV Dataset with SSO
Remark
(Doc ID 2607450.1)
Both HCM and IDCS (where the OAC instance is created) should be configured with the same external SAML IdP. In this example it is OKTA SSO.
Applicable from OAC 5.2, where OAC is created with IDCS as its identity management.
General Information:
1. You need an admin user in HCM, or a user with the BI System Administrator role in OTBI, who has a native password. (There is no need to log in to the web UI with that native password, as SSO is enabled.)
2. The BI Impersonator role in HCM must be assigned to the same admin user.
3. HCM.USER1 is used only to connect to HCM/OTBI; the same user (HCM.USER1) will impersonate the SSO login user who tries to use the connection from OAC.
4. For SSO to work, the same users with the same username should exist in both HCM/OTBI and OAC/IDCS.
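A pre-flight check for prerequisite 4, as an added example that is not part of the original note: it compares user exports from IDCS and HCM and lists the OAC users who have no identically named active HCM account to be impersonated. The SCIM ListResponse export shape, every sample username except HCM.USER1, and the treatment of case-only differences as mismatches are assumptions.

```python
import json

# Constructed sample exports in SCIM 2.0 ListResponse shape (assumed format).
# Only HCM.USER1 comes from the note; the other usernames are made up.
IDCS_EXPORT = json.dumps({"Resources": [
    {"userName": "HCM.USER1", "active": True},
    {"userName": "analyst.one", "active": True},
    {"userName": "Analyst.Two", "active": True},
    {"userName": "contractor.three", "active": True},
    {"userName": "leaver.four", "active": False},
]})
HCM_EXPORT = json.dumps({"Resources": [
    {"userName": "HCM.USER1", "active": True},
    {"userName": "analyst.one", "active": True},
    {"userName": "analyst.two", "active": True},
    {"userName": "contractor.three", "active": False},
    {"userName": "leaver.four", "active": True},
]})


def active_usernames(scim_json):
    """Return userName of every account not explicitly marked inactive."""
    resources = json.loads(scim_json).get("Resources", [])
    return [r["userName"].strip() for r in resources
            if r.get("userName") and r.get("active", True)]


def reconcile(idcs_json, hcm_json):
    """Classify each active IDCS user by whether HCM has a matching account."""
    hcm = active_usernames(hcm_json)
    hcm_exact = set(hcm)
    hcm_folded = {name.casefold(): name for name in hcm}
    report = {"ok": [], "case_mismatch": [], "missing_in_hcm": []}
    for user in sorted(active_usernames(idcs_json)):
        if user in hcm_exact:
            report["ok"].append(user)
        elif user.casefold() in hcm_folded:
            # Assumption: usernames must match exactly, so flag for review.
            report["case_mismatch"].append((user, hcm_folded[user.casefold()]))
        else:
            # No active HCM account: nothing to impersonate for this user.
            report["missing_in_hcm"].append(user)
    return report


if __name__ == "__main__":
    for status, users in reconcile(IDCS_EXPORT, HCM_EXPORT).items():
        print(f"{status}: {users}")
```

Users reported under `case_mismatch` or `missing_in_hcm` are the ones to fix before sharing the connection with them.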
DETAILS
Environment details:
HCM Home page - https://xxxxxxxxx.oraclecloud.com/hcmUI/faces/FuseWelcome
DV Home page - https://xxxxxxx.analytics.ocp.oraclecloud.com/dv/ui
OKTA IDP is configured for SSO.
Step 1:
Open HCM Home page - https://xxxxxxxxxx.oraclecloud.com/hcmUI/faces/FuseWelcome
Log in as the super user, i.e. the admin user.
Navigate to Tools --> Security Console.
Create a role called DV Access, add the BI Impersonator role to it, and then add the HCM.USER1 user to that role.
Save and close.
Now check the User Roles.
Validate:
Log in to https://xxxxxxx.analytics.ocp.oraclecloud.com/dv/ui as HCM.USER1/Password.
Create an “OracleApplications” type connection to set up the connection to HCM.
Also share this connection as Read Only with Axxx.Lxx and Cxxx.Fxx.
Select the connection created.
Now log out of OAC as HCM.USER1 and log in as Axxx.Lxx.
Log in to https://xxxxxxxxxxxx.analytics.ocp.oraclecloud.com/dv/ui as Axxx.Lxx with IDCS credentials and check whether the connection can be accessed without entering credentials.
For user1, object-level security works fine with SSO.
Now log in to https://xxxxxxxxxxxx.analytics.ocp.oraclecloud.com/dv/ui as Axxx.Lxx with OKTA SSO credentials and check whether the connection can be accessed without entering credentials.
Now we see that object-level security works fine with SSO.
Let's test with another user that has no password in OAC-IDCS (a federated user).
Now log in to https://xxxxxxxxx.analytics.ocp.oraclecloud.com/dv/ui as Cxxx.Fxx with OKTA SSO credentials and check whether the connection can be accessed without entering credentials.
Now we see that object-level security and SSO work fine for other users as well.
Now test data-level security by creating a DV project using the dataset and the connection to HCM with the “Use Active User Credentials” option.
Log in to OAC as HCM.USER1/Password:
https://xxxxxxx.analytics.ocp.oraclecloud.com/dv/ui
Open the Connection and create a Dataset.
Click on Add
Click on Create Project
Now set the access permissions to the dataset and Project
Select the Dataset created and Inspect.
Now log in to Analytics: https://xxxxxx.analytics.ocp.oraclecloud.com/analytics
Navigate to catalog - Shared Folder - HCM
Open the Project Report as HCM.USER1:
Now log in with the SSO users (Axxx.Lxx, Cxxxx.Fxxx) to validate the data-level security.