Tutorial: Configure Datawiza to enable Microsoft Entra multifactor authentication and single sign-on to Oracle Hyperion EPM
Use this tutorial to enable Microsoft Entra multifactor authentication and single sign-on (SSO) for Oracle Hyperion Enterprise Performance Management (EPM) using Datawiza Access Proxy (DAP).
Learn more on datawiza.com.
Benefits of integrating applications with Microsoft Entra ID by using DAP:
- Embrace proactive security with Zero Trust - a security model that adapts to modern environments and embraces the hybrid workplace, while it protects people, devices, apps, and data
- Microsoft Entra single sign-on - secure and seamless access for users and apps, from any location and any device
- How it works: Microsoft Entra multifactor authentication - users are prompted during sign-in for additional forms of identification, such as a code on their phone or a fingerprint scan
- What is Conditional Access? - policies are if-then statements: if a user wants to access a resource, then they must complete an action
- Easy authentication and authorization in Microsoft Entra ID with no-code Datawiza - works with web applications such as Oracle JDE, Oracle E-Business Suite, Oracle Siebel, and home-grown apps
- Use the Datawiza Cloud Management Console (DCMC) - manage access to applications in public clouds and on-premises
Scenario description
This scenario focuses on Oracle Hyperion EPM integration using HTTP authorization headers to manage access to protected content.
Due to the absence of modern protocol support in legacy applications, a direct integration with Microsoft Entra SSO is challenging. Datawiza Access Proxy (DAP) bridges the gap between the legacy application and the modern identity control plane, through protocol transitioning. DAP lowers integration overhead, saves engineering time, and improves application security.
Scenario architecture
The solution has the following components:
- Microsoft Entra ID - identity and access management service that helps users sign in and access external and internal resources
- Datawiza Access Proxy (DAP) - container-based reverse-proxy that implements OpenID Connect (OIDC), OAuth, or Security Assertion Markup Language (SAML) for user sign-in flow. It passes identity transparently to applications through HTTP headers.
- Datawiza Cloud Management Console (DCMC) - administrators manage DAP with UI and RESTful APIs to configure DAP and access control policies
- Oracle Hyperion EPM - legacy application to be protected by Microsoft Entra ID and DAP
Learn about the service provider-initiated flow in Datawiza with Microsoft Entra authentication architecture.
Prerequisites
Ensure the following prerequisites are met:
- An Azure subscription
- If you don't have one, you can get an Azure free account
- A Microsoft Entra tenant linked to the Azure subscription
- Docker and Docker Compose
- Go to docs.docker.com to Get Docker and Install Docker Compose
- User identities synchronized from an on-premises directory to Microsoft Entra ID, or created in Microsoft Entra ID and flowed back to an on-premises directory
- An account with Microsoft Entra ID and the Application Administrator role
- An Oracle Hyperion EPM environment
- (Optional) An SSL web certificate to publish services over HTTPS. You can use default Datawiza self-signed certs for testing.
Getting started with DAP
To integrate Oracle Hyperion EPM with Microsoft Entra ID:
Sign in to Datawiza Cloud Management Console (DCMC).
The Welcome page appears.
Select the orange Getting started button.
Under Deployment Name in the Name and Description fields, enter information.
Select Next.
The Add Application dialog appears.
For Platform, select Web.
For App Name, enter a unique application name.
For Public Domain, enter the URL users will browse to, for example https://hyperion.example.com. For testing, you can use a localhost DNS name. For Listen Port, select the port that DAP listens on; if you aren't deploying DAP behind a load balancer, use the same port as the Public Domain.
For Upstream Servers, select the Oracle Hyperion implementation URL and port to be protected.
Select Next.
On Add Application, enter information. Note the example entries for Public Domain, Listen Port, and Upstream Servers.
Select Next.
On the Configure IdP dialog, enter relevant information.
Note
Use Datawiza Cloud Management Console (DCMC) One Click Integration to help complete configuration. DCMC calls the Microsoft Graph API to create an application registration on your behalf, in your Microsoft Entra tenant.
Select Create.
The DAP deployment page appears.
Make a note of the deployment Docker Compose file. The file includes the DAP image, and also the Provisioning Key and Provisioning Secret that DAP uses to pull the latest configuration and policies from DCMC. Treat the key and secret as credentials: anyone holding them can run a proxy that receives your application's configuration, so store them in a secret store and don't commit the Compose file to source control as-is.
Select Done.
SSO and HTTP headers
DAP gets user attributes from the identity provider (IdP) and passes them to the upstream application in an HTTP header or a cookie.
The following instructions enable the Oracle Hyperion EPM application to recognize the user: they instruct DAP to pass a value from the IdP to the application in an HTTP header with a given name. Because the application trusts whatever that header says, the upstream Oracle Hyperion EPM port must be reachable only from DAP (for example, by firewall or container network rules). A client that can reach the application directly could set the header itself and sign in as any user.
In the left navigation, select Applications.
Locate the application you created.
Select the Attribute Pass subtab.
For Field, select email.
For Expected, enter HYPLOGIN.
For Type, select Header.
Note
This configuration sends the user's Microsoft Entra sign-in name (the email attribute, which for most tenants matches the user principal name) as the username that Oracle Hyperion looks up. The value must match a user name Hyperion already knows. To send another user identity, go to the Mappings tab.
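The header-trust point above is easy to get wrong, so here is an added example (not Datawiza's or Oracle's code) of what it means for an upstream to trust an identity header such as HYPLOGIN, and what a check looks like. Oracle Hyperion's Custom HTTP Header SSO mechanism performs no such check itself, so for Hyperion the real control is network isolation of the upstream port; the checks below are the kind you would build into a home-grown application fronted by DAP. The proxy subnet, the second header name X-Proxy-Auth, the shared secret value, and the sample requests are all assumptions constructed for illustration.

```python
"""Added example: trusting a proxy-injected identity header safely.

Not Datawiza or Oracle code. PROXY_NETWORKS, X-Proxy-Auth and the secret
value are assumptions for illustration only.
"""
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

IDENTITY_HEADER = "HYPLOGIN"            # the header name configured in DCMC
PROXY_NETWORKS = [ip_network("10.0.1.0/24")]   # assumed: where DAP containers run
PROXY_SECRET_HEADER = "X-Proxy-Auth"    # assumed: extra header the proxy adds
PROXY_SECRET = "c3VwZXItc2VjcmV0"        # assumed: load from a secret store in practice
MAX_LOGIN_LEN = 254


@dataclass(frozen=True)
class Request:
    """Minimal stand-in for an HTTP request as the upstream sees it."""
    remote_addr: str
    headers: Dict[str, str]

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def user_from_header_unchecked(req: Request) -> Optional[str]:
    """Vulnerable pattern: believe HYPLOGIN no matter who sent the request.

    Any client that can reach this port can impersonate any user.
    """
    return req.header(IDENTITY_HEADER)


def _from_proxy(req: Request) -> bool:
    """True only if the TCP peer is inside the proxy's network."""
    try:
        addr = ip_address(req.remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in PROXY_NETWORKS)


def _valid_login(value: str) -> bool:
    """Reject empty, oversized, or control-character-laden user names."""
    login = value.strip()
    if not login or len(login) > MAX_LOGIN_LEN:
        return False
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in login)


def user_from_header_checked(req: Request) -> Optional[str]:
    """Hardened pattern: accept HYPLOGIN only from the proxy, with a secret."""
    if not _from_proxy(req):
        return None
    presented = (req.header(PROXY_SECRET_HEADER) or "").encode()
    # Constant-time comparison so the secret can't be guessed byte by byte.
    if not hmac.compare_digest(presented, PROXY_SECRET.encode()):
        return None
    login = req.header(IDENTITY_HEADER)
    if login is None or not _valid_login(login):
        return None
    return login.strip()


if __name__ == "__main__":
    # Constructed sample requests: one genuine proxy request, one spoof attempt.
    via_proxy = Request("10.0.1.7", {"HYPLOGIN": "alice@example.com",
                                     "X-Proxy-Auth": PROXY_SECRET})
    spoofed = Request("203.0.113.5", {"HYPLOGIN": "admin@example.com"})
    for name, req in (("via proxy", via_proxy), ("spoofed", spoofed)):
        print(name, "unchecked:", user_from_header_unchecked(req),
              "checked:", user_from_header_checked(req))
```

The unchecked function returns a user for both requests; the checked one returns a user only for the request that came from the proxy network with the correct secret, and it also refuses a header value carrying CR/LF or other control characters. For Hyperion itself, which only offers the unchecked behaviour, restrict the upstream port (19000 in this tutorial) to DAP's address range and verify that restriction from an ordinary client.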
SSL configuration
Use the following instructions for SSL configuration.
Select the Advanced tab.
On the SSL tab, select Enable SSL.
From the Cert Type dropdown, select the type. For testing, there's a self-signed certificate.
Note
You can upload a certificate from a file.
Select Save.
Login and Logout Redirect URI
Use the following instructions to indicate Login Redirect URI and Logout Redirect URI.
Select the Advanced Options tab.
For Login Redirect URI and Logout Redirect URI, enter /workspace/index.jsp.
Select Save.
Enable Microsoft Entra multifactor authentication
To provide more security for sign-ins, you can enforce Microsoft Entra multifactor authentication.
Learn more in the Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication
- Sign in to the Azure portal with an account that can manage tenant-wide security settings (at least Security Administrator; the Application Administrator role alone can't change security defaults).
- Select Microsoft Entra ID > Manage > Properties.
- Under Properties, select Manage security defaults.
- Under Enable Security Defaults, select Yes.
- Select Save.
Security defaults apply to every user in the tenant and can't be combined with Conditional Access policies. If your tenant already uses Conditional Access, leave security defaults off and instead create a Conditional Access policy that requires multifactor authentication for the application registration DCMC created.
Enable SSO in the Oracle Hyperion Shared Services Console
Use the following instructions to enable SSO in the Oracle Hyperion environment.
Sign in to the Hyperion Shared Services Console with administrator permissions, for example at http://{your-hyperion-fqdn}:19000/workspace/index.jsp.
Select Navigate, then Shared Services Console.
Select Administration and then Configure User Directories.
Select the Security Options tab.
In Single Sign-On Configuration, select the Enable SSO checkbox.
From the SSO Provider or Agent dropdown, select Other.
From the SSO Mechanism dropdown, select Custom HTTP Header.
In the following field, enter HYPLOGIN, the header name DAP passes to EPM. It must match the Expected value set on the Attribute Pass subtab in DCMC exactly.
Select OK.
Update Post Logoff URL settings in EPM Workspace
Select Navigate.
In Administer, select Workspace Settings then Server Settings.
On the Workspace Server Settings dialog, for Post Logoff URL, enter the URL users are sent to when they sign out of EPM: /datawiza/ab-logout. This is the DAP logout endpoint, so signing out of Hyperion also ends the DAP session rather than leaving it valid.
Select OK.
Test an Oracle Hyperion EPM application
To confirm access, browse to the Public Domain you configured for the application. A prompt appears to sign in with a Microsoft Entra account; after the credentials (and multifactor authentication, if enforced) are checked, the Oracle Hyperion EPM home page appears. Two further checks are worth doing: an unauthenticated request to the Public Domain should redirect to the Microsoft Entra sign-in page rather than showing Hyperion content, and the upstream Hyperion port should not be reachable from an ordinary client network, since a client that can reach it directly can supply its own HYPLOGIN header.
Next steps
- Tutorial: Configure Secure Hybrid Access with Microsoft Entra ID and Datawiza
- Tutorial: Configure Azure AD B2C with Datawiza to provide secure hybrid access
- Go to Datawiza for Add SSO and MFA to Oracle Hyperion EPM in minutes
- Go to docs.datawiza.com for Datawiza User Guides