
Enable Microsoft Entra ID (Azure AD) SSO to Oracle Hyperion via Datawiza


Overview

This tutorial shows how to enable Microsoft Entra ID (formerly known as Azure Active Directory) Single Sign-On (SSO) and Microsoft Entra ID Multi-Factor Authentication (MFA) for an Oracle Hyperion application using Datawiza Access Proxy (DAP).

Benefits of integrating applications with Microsoft Entra ID using DAP include:

  • Proactive security with Zero Trust through Microsoft Entra ID SSO.
  • Easy, no-code authentication and authorization in Microsoft Entra ID with Datawiza for web applications such as Oracle JDE, Oracle E-Business Suite, Oracle Siebel, Oracle PeopleSoft, Oracle Hyperion, and home-grown apps.
  • Use of the Datawiza Cloud Management Console to manage access to applications in public clouds and on-premises.

Background

This document focuses on Oracle Hyperion application integration using HTTP authorization headers to manage access to protected content.

For legacy applications, due to the absence of modern protocol support, a direct integration with Microsoft Entra ID SSO is difficult. Datawiza Access Proxy bridges the gap between the legacy application and the modern ID control plane, through protocol transitioning. DAP lowers integration overhead, saves engineering time, and improves application security.

Architecture

The solution has the following components:

  • Microsoft Entra ID (Azure AD): The Microsoft cloud-based identity and access management service, which helps users sign in and access external and internal resources.
  • Datawiza Access Proxy (DAP): A lightweight container-based reverse proxy that implements OpenID Connect (OIDC), OAuth, or Security Assertion Markup Language (SAML) for the user sign-in flow. It transparently passes identity to applications through HTTP headers.
  • Datawiza Cloud Management Console (DCMC): A centralized console to manage DAP. DCMC has a UI and RESTful APIs for administrators to configure Datawiza Access Proxy and access control policies.
  • Oracle Hyperion application: The legacy application to be protected by Microsoft Entra ID and DAP.

Prerequisites

Ensure the following prerequisites are met:

Getting started with DAP

To integrate Oracle Hyperion with Microsoft Entra ID:

  1. Sign in to the Datawiza Cloud Management Console.

  2. The Welcome page appears.

  3. Select the orange Getting started button.

    Screenshot: Oracle Hyperion SSO and MFA | Getting Started

  4. In the Name and Description fields, enter the relevant information.

  5. Select Next.

    Screenshot: Oracle Hyperion SSO and MFA | Create a New Deployment

  6. On the Add Application dialog, use the following values:

    Property          Value
    App Type          Web
    Name              Enter a unique application name.
    Application URL   For example: https://hyperion-external.example.com. For testing, you can use localhost DNS. If you aren't deploying DAP behind a load balancer, use the public domain with the port.
    Listen Port       The port that DAP listens on.
    Upstream Servers  The Oracle Hyperion implementation URL and port to be protected.

  7. Select Next.

    Screenshot: Oracle Hyperion SSO and MFA | Create a New Application

  8. On the Configure IdP dialog, enter the relevant information.

    Info

    DCMC has one-click integration to help complete Microsoft Entra ID configuration. DCMC calls the Microsoft Graph API to create an application registration on your behalf in your Microsoft Entra ID tenant.

  9. Select Create.

    Screenshot: Microsoft Entra ID (Azure AD) SSO and MFA | Create a New Microsoft Entra ID (Azure AD) IdP

  10. The DAP deployment page appears.

Install and run Datawiza Access Proxy

After you click Create, the basic configuration in the management console is finished. The final step of the guide presents a page with the steps to deploy Datawiza Access Proxy (DAP) with your application. Note down the commands for your deployment: the first command downloads Docker and the Datawiza Access Proxy image, and the second command creates a Docker Compose file and runs Datawiza Access Proxy. Refer to Install and Run Datawiza Access Proxy by command for more information.

Screenshot: DAP Docker Compose File

SSO and HTTP headers

DAP gets user attributes from the IdP and passes them to the upstream application via an HTTP header or a cookie.

For the Oracle Hyperion application to recognize the user correctly, one more configuration step is needed: it instructs DAP to pass the value received from the IdP to the application in an HTTP header with a specific name.

This is configured in the Applications tab in the left panel, under the Attribute Pass sub-tab. For Oracle Hyperion, configure the attribute pass as follows:

Property  Value
Field     Username
Expected  HYPLOGIN
Type      Header

Screenshot: Oracle Hyperion Entra ID (Azure AD) SSO and MFA | Attribute Pass

Info

This configuration uses the Microsoft Entra ID displayName as the sign-in username for Oracle Hyperion. Make sure that the displayName is the same as the user name in the Hyperion user directories. To use another user attribute as the identity, go to the Mappings tab.

Screenshot: Oracle Hyperion Entra ID (Azure AD) SSO and MFA | Profile Mapping

SSL Configuration

  1. Select the Advanced tab.

    Screenshot: Oracle Hyperion SSO and MFA | Enable SSL

  2. Select Enable SSL.

  3. From the Cert Type dropdown, select a type.

  4. For testing purposes, we'll be providing a self-signed certificate.

    Screenshot: Oracle Hyperion SSO and MFA | Config Self-signed Cert

    Info

    You have the option to upload a certificate from a file.

  5. Click Save.

Login and Logout Redirect URI

  1. Click Advanced Options.
  2. Input /workspace/index.jsp in both Login Redirect URI and Logout Redirect URI.

    Screenshot: Oracle Hyperion SSO and MFA | Login and Logout Redirect URI
  3. Click Save.

(Optional) Enable MFA on Microsoft Entra ID (Formerly Azure AD)

To provide an extra level of security for sign-ins, you may want to enforce MFA for user sign-in. There are several ways to achieve this; the simplest is to enable security defaults in the Azure portal.

  1. Sign in to the Azure portal as a Global Administrator.
  2. Select Microsoft Entra ID > Manage > Properties.
  3. Under Properties, click Manage security defaults.

    Screenshot: Microsoft Entra ID (Azure AD) SSO and MFA | Manage Security Defaults

  4. Under Enable Security defaults, select Yes and then Save.

    Screenshot: Microsoft Entra ID (Azure AD) SSO and MFA | Enable Security Default

Enable SSO in the Oracle Hyperion Console

To enable SSO in the Oracle Hyperion environment:

  1. Log in to the Hyperion Shared Services Console at http://{your-hyperion-fqdn}:19000/workspace/index.jsp as a System Administrator.

Enable SSO

  1. Select Navigate, and then Shared Services Console.

    Screenshot: Oracle Hyperion SSO and MFA | Shared Services Console

  2. Select Administration, and then Configure User Directories.
  3. Click Security Options.
  4. In the Single Sign-On Configuration section:
    1. Select the Enable SSO check box.
    2. From SSO Provider or Security Agent drop-down list, select Other.
    3. From SSO Mechanism drop-down list, select Custom HTTP Header and then specify the name of the header that the security agent passes to EPM System, which is HYPLOGIN.
  5. Click OK.

    Screenshot: Oracle Hyperion SSO and MFA | Single Sign-On Configuration

Update Post Logoff URL setting in EPM Workspace

  1. Select Navigate, then Workspace Settings, and then Server Settings.

    Screenshot: Oracle Hyperion SSO and MFA | Server Settings

  2. In Workspace Server Settings, change POST Logoff URL to the URL of the web page that you want users to see when they log out of EPM System, which is /datawiza/ab-logout.
  3. Click OK.

    Screenshot: Oracle Hyperion SSO and MFA | POST Logoff URL

Test an Oracle Hyperion application

To confirm that SSO and MFA for the Oracle Hyperion application work correctly, open the application URL: a prompt should appear to sign in with an Identity Provider account. After the credentials and optional MFA are checked, the Oracle Hyperion home page appears.

Note

For security purposes, organizations using this model in a production environment should block all direct access to the application, so that every request is forced to take the strict path through the Datawiza Access Proxy. Oracle Hyperion trusts the HYPLOGIN header unconditionally once Custom HTTP Header SSO is enabled, so any client that can reach the application without going through DAP could present that header itself.
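The following added example (not Datawiza's or Oracle's code) illustrates the trust model behind the Attribute Pass configuration and the note above: the upstream side honours HYPLOGIN only when the request arrives from the proxy's address range. The header name comes from the page; `TRUSTED_PROXIES`, `resolve_sso_user` and the sample requests are constructed for the illustration.

```python
"""Illustration of header-based SSO trust for the HYPLOGIN header.

Constructed example, not part of Datawiza Access Proxy or Oracle Hyperion.
"""
import ipaddress

HEADER = "HYPLOGIN"  # header name configured in DCMC (Attribute Pass) and in Hyperion

# Constructed: the address range the DAP containers connect from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.20.0.0/24")]


def from_trusted_proxy(remote_addr: str) -> bool:
    """True if the TCP peer is one of the DAP hosts (hypothetical range)."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_sso_user(headers: dict, remote_addr: str):
    """Return the Hyperion username to sign in, or None to deny.

    Only a request that came through DAP may carry HYPLOGIN. A request that
    reaches the application directly is refused even if it carries the
    header, which is what the 'block direct access' note achieves at the
    network layer.
    """
    # Header names are case-insensitive; normalise before the lookup.
    normalised = {k.upper(): v for k, v in headers.items()}
    if not from_trusted_proxy(remote_addr):
        return None  # direct access: never honour HYPLOGIN
    user = normalised.get(HEADER, "").strip()
    if not user:
        return None  # the proxy forwarded no identity
    return user


def simulate_requests():
    """Constructed requests: via DAP, direct with header, via DAP without header."""
    via_dap = ({"Host": "hyperion-external.example.com",
                "HYPLOGIN": "jane.doe"}, "10.20.0.7")
    direct = ({"Host": "hyperion-internal:19000",
               "hyplogin": "someone.else"}, "192.168.1.50")
    via_dap_no_header = ({"Host": "hyperion-external.example.com"}, "10.20.0.7")
    return [resolve_sso_user(h, a) for h, a in (via_dap, direct, via_dap_no_header)]


if __name__ == "__main__":
    print(simulate_requests())  # ['jane.doe', None, None]
```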