04/27/2024 | Press release | Archived content
Using a hybrid custom SSO environment approach, you can configure SAML 2.0 and Kerberos single sign-on (SSO) for Oracle Analytics Server (OAS). The custom SSO configuration follows the steps documented in the blog SAML 2.0 and Kerberos Single Sign-On (SSO) for Oracle Analytics Server (and Oracle Support Doc ID 2761678.1).
This blog explores how to run multiple Docker containers on a single host to provide SAML 2.0 and Kerberos SSO for several OAS environments. Configure SSO for each OAS environment by following the steps in that blog (or Doc ID 2761678.1).
NOTE: An OAS environment can consist of either a single OAS server or a cluster of OAS server nodes.
Complete the prerequisites listed in Doc ID 2761678.1 before configuring the SAML 2.0 and Kerberos SSO Docker containers on a compute instance.
This diagram shows the authentication flow in the SAML SSO Docker container:
This diagram shows the authentication flow in the Kerberos SSO Docker container:
This section illustrates the scalability of the Docker host machine: a single host runs multiple Docker containers, each providing SAML 2.0 or Kerberos SSO for one Oracle Analytics Server environment.
For example, consider a scenario with three OAS environments: OAS DEV, OAS UAT, and OAS PROD. Each environment is configured with one SAML 2.0 or Kerberos SSO Docker container, and all three containers run on a single Docker host machine.
For the OAS DEV environment, follow the steps in Oracle Support Doc ID 2761678.1:
1. Copy the oassodocker.tar.gz file to ${Docker_Zip_Extracted_Location} and extract it.
tar -xzf ${Docker_Zip_Extracted_Location}/oassodocker.tar.gz
This extracts a folder named oasso, for example ${Docker_Zip_Extracted_Location}/oasso.
2. Rename the folder to oasso-dev. For example: ${Docker_Zip_Extracted_Location}/oasso-dev
3. Perform the Docker Image creation step and run the config utility.
4. During configuration, enter the DEV load balancer details, the DEV load balancer certificates, and the SAML IdP metadata XML file.
NOTE: If the DEV environment doesn't have a load balancer, enter the Docker host name and the host port on which the DEV container is published, for example 8443.
5. Assume that the configuration and test are successful for the OAS DEV environment.
At this point the OASSO Docker image is loaded into the Docker repository, the oasso-ctl service is created, and the Docker container runs on ports 80 and 443.
6. Modify a few files so the next container can be configured without clashing with this one. The default container name (oasso), service name (oasso-ctl) and host ports (80 and 443) can be used by only one container per host, so each additional environment needs its own.
For SAML SSO
Change the Docker container scripts:
cd ${Docker_Zip_Extracted_Location}/oasso-dev/saml/scripts
Edit the scripts below.
Change the service name:
cd /etc/init.d
Change the name of the script registered with chkconfig as a service (oasso-ctl becomes oassodev-ctl).
Test the service by starting it and checking the OAS URL. After this step:
The Docker image name continues to be oasso.
The Docker container name for the OAS DEV environment is oassodev.
The service command to start the Docker container for OAS DEV is: service oassodev-ctl stop|start|restart
Inside the Docker container, the services listen on ports 80 and 443; the Docker host publishes them on ports 8080 and 8443.
Tasks to be done before proceeding to the next Docker container configuration
Before deploying another container, perform the following tasks:
For the OAS UAT environment, follow the steps in Oracle Support Doc ID 2761678.1:
1. Copy the oassodocker.tar.gz file to ${Docker_Zip_Extracted_Location} and extract it.
tar -xzf ${Docker_Zip_Extracted_Location}/oassodocker.tar.gz
This extracts a folder named oasso, for example ${Docker_Zip_Extracted_Location}/oasso.
2. Rename the folder to oasso-uat. For example: ${Docker_Zip_Extracted_Location}/oasso-uat
3. Perform the Docker Image creation step and run the config utility.
4. During configuration, enter the UAT load balancer details, the UAT load balancer certificates, and the SAML IdP metadata XML file.
NOTE: If the UAT environment doesn't have a load balancer, enter the Docker host name and the host port on which the UAT container is published, for example 9443. This port must differ from the one used by the DEV container on the same host.
5. Assume that the configuration and test are successful for the OAS UAT environment.
At this point the OASSO Docker image is loaded into the Docker repository, the oasso-ctl service is created, and the Docker container runs on ports 80 and 443.
6. Modify a few files so the next container can be configured without clashing with this one.
7. Repeat the same steps described for the OAS DEV environment, changing the name from oasso to oassouat for the UAT environment.
You can use the automation script oasso_container_host_scalability.sh (available below) to perform in the UAT environment the steps you completed manually for the OAS DEV environment:
Test the service by starting it and checking the OAS URL. After this step:
The Docker image name continues to be oasso.
The Docker container name for the OAS UAT environment is oassouat.
The service command to start the Docker container for OAS UAT is: service oassouat-ctl stop|start|restart
Inside the Docker container, the services listen on ports 80 and 443; the Docker host publishes them on ports 9080 and 9443.
For the OAS PROD environment, follow the steps in Oracle Support Doc ID 2761678.1.
Because the PROD container keeps the default names (oasso, oasso-ctl) and the default host ports (80 and 443), there's no need for the automation script or for manual file edits; use the configuration without modification.
NOTE: If you need to customize the PROD environment (for example, different names or host ports), run the automation script as you did for DEV and UAT.
Test the service by starting it and checking the OAS URL.
The Docker image name continues to be oasso.
The Docker container name for the OAS PROD environment is oasso.
The service command to start the Docker container for OAS PROD is: service oasso-ctl stop|start|restart
Inside the Docker container, the services listen on ports 80 and 443; the Docker host publishes them on ports 80 and 443.
For Kerberos SSO
1. Rename the downloaded and extracted oasso folder to oasso-dev for the DEV environment and oasso-uat for the UAT environment, as in the SAML case.
2. After the Docker configuration, edit the files for each environment.
3. Change the Docker container scripts:
cd ${Docker_Zip_Extracted_Location}/oasso-dev/kerb/scripts
4. Edit the scripts below.
Change the service name:
cd /etc/init.d
Change the name of the script registered with chkconfig as a service (oasso-ctl becomes oassodev-ctl).
Test the service by starting it and checking the OAS URL. After this step:
The Docker image name continues to be oasso.
The Docker container name for the OAS DEV environment is oassodev.
The service command to start the Docker container for OAS DEV is: service oassodev-ctl stop|start|restart
Inside the Docker container, the services listen on ports 80 and 443; the Docker host publishes them on ports 8080 and 8443.
Tasks to be done before proceeding to the next Docker container configuration
Before deploying another container, perform the following tasks:
Repeat the same steps for the Kerberos UAT environment (container oassouat, service oassouat-ctl, host ports 9080 and 9443), and leave the Kerberos PROD container with its default names and host ports 80 and 443.
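To tie the SAML and Kerberos procedures above together, the following shell script is an added example; it is not Oracle's oasso_container_host_scalability.sh and not code from Doc ID 2761678.1. It derives the per-environment container name, service name and host-port plan this blog uses (oassodev on 8080/8443, oassouat on 9080/9443, the unmodified oasso on 80/443), refuses a plan that reuses a host port on the same Docker host, and classifies the first response to an unauthenticated request against a container's OAS URL so that the "check the OAS URL" step can be scripted for either SSO type. The docker run command shape, the curl invocation, the use of hostname -f for the Docker host name, and the sample response headers are assumptions; on a real host the containers are started by the oasso service scripts, not by this script.

```shell
#!/bin/sh
# Added example, not Oracle's oasso_container_host_scalability.sh: plan and
# sanity-check several oasso SSO containers on one Docker host.
# Names and host ports are the ones used in the blog; the docker run command
# line, the curl call and the sample headers below are assumptions.

OASSO_IMAGE="oasso"   # the image name is the same for every environment

# Print "<container> <service> <http_host_port> <https_host_port>" for an
# environment. dev and uat get suffixed names and the 8xxx/9xxx host ports;
# prod keeps the unmodified defaults (oasso, oasso-ctl, 80 and 443).
oasso_plan() {
    case "$1" in
        dev)  echo "oassodev oassodev-ctl 8080 8443" ;;
        uat)  echo "oassouat oassouat-ctl 9080 9443" ;;
        prod) echo "oasso oasso-ctl 80 443" ;;
        *)    echo "unknown environment: $1" >&2; return 1 ;;
    esac
}

# Build the docker run command for an environment (assumed shape). Inside
# every container the SSO services listen on 80/443; only the host ports
# published with -p differ, which is what lets the containers coexist.
oasso_run_cmd() {
    plan=$(oasso_plan "$1") || return 1
    set -- $plan
    echo "docker run -d --name $1 -p $3:80 -p $4:443 $OASSO_IMAGE"
}

# Refuse a set of environments whose host ports collide: a second container
# publishing an already-bound host port fails to start.
oasso_check_ports() {
    seen=""
    for env in "$@"; do
        plan=$(oasso_plan "$env") || return 1
        set -- $plan
        for p in $3 $4; do
            case " $seen " in
                *" $p "*) echo "host port $p reused by $env" >&2; return 1 ;;
            esac
            seen="$seen $p"
        done
    done
    return 0
}

# Classify the first response to an unauthenticated request (headers on
# stdin, e.g. from `curl -skI https://host:port/`). An SP-initiated SAML
# container answers 302 to the IdP with a SAMLRequest parameter; a Kerberos
# (SPNEGO) container answers 401 with "WWW-Authenticate: Negotiate".
# Prints saml, kerberos or none.
oasso_classify_sso() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    if [ "$status" = "302" ] && printf '%s\n' "$hdrs" | grep -qi '^Location:.*SAMLRequest='; then
        echo saml
    elif [ "$status" = "401" ] && printf '%s\n' "$hdrs" | grep -qi '^WWW-Authenticate: *Negotiate'; then
        echo kerberos
    else
        echo none
    fi
}

# Smoke-test a running container through its published HTTPS host port.
# -k is used only because the no-load-balancer setup may present the Docker
# host's own certificate; drop it once that certificate is trusted.
oasso_smoke_test() {
    plan=$(oasso_plan "$1") || return 1
    set -- $plan
    curl -skI "https://$(hostname -f):$4/" | oasso_classify_sso
}

# Constructed sample responses (not captured from a real OAS host) to try
# oasso_classify_sso offline.
OASSO_SAML_SAMPLE='HTTP/1.1 302 Found
Location: https://idp.example.com/saml2/sso?SAMLRequest=fVLLbsIwEPwV5HseCYKQ
Content-Length: 0'
OASSO_KERB_SAMPLE='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
Content-Length: 0'

# Stand-alone use: sh oasso_plan.sh dev uat prod -> one docker run line each,
# after the port-collision check.
if [ "$#" -gt 0 ]; then
    oasso_check_ports "$@" && for e in "$@"; do oasso_run_cmd "$e"; done
fi
```

Run it with the environment names you intend to host (for example dev uat prod) before building the second or third container: the port check catches the case where a copied script still publishes 80 and 443, and oasso_smoke_test tells you whether the container you just started is actually challenging unauthenticated users rather than serving the OAS page directly.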
This blog described how to configure SAML 2.0 and Kerberos SSO using Docker containers and how to customize the service scripts so that multiple oasso Docker containers can run on the same Docker host machine.
Refer to similar blogs, such as Single Sign-On Solutions for Oracle Analytics Server on On-Premise and on Oracle Cloud.
Once you've tried this yourself, share your results and feedback in the Oracle Analytics Community.