This post covers integration of Apex 4.1 with Oracle Access Manager 11g for Single Sign-On. For previous version of Apex integration with Oracle Single Sign-On click here
Apex 4.1 integration with OAM 11g is well explained in Guide on OTN here This post covers key points from this document.
.
About OAM
1. There are currently two Web Single Sign-On solution available from Oracle a) Oracle Application Server Single Sign-On (OSSO) b) Oracle Access Manager (OAM)
2. Oracle Access Manager (OAM) is recommended Single Sign-On solution from Oracle and extensively covered in my book at Amazon
3. For Oracle Access Manager , there are two version 10g and 11g with architectural differences mentioned here
4. OAM 11g runs on WebLogic Server under managed server and runtime access server listens on OAM-Proxy Port (5575 default port). To know more on WebLogic Domain and Server click here
5. WebGates installed on WebServer (like OHS, Apache, IIS..) connects to OAM -Proxy port to evaluate Policies defined to access application like /apex. More on Agents in OAM here
6. OAM 11g by default uses WebLogic’s embedded LDAP Server for user store. It is recommended to change identity store to enterprise LDAP Server like OID, AD or Sun Directory Server (now ODSEE). To change Identity Store in OAM 11.1.1.3 click here and for OAM 11.1.1.5 click here
.
About Apex
1. Apex is browser based development tool for developing Web 2.0 applications based on Oracle Database.
2. Apex resides completely inside database and can be installed on database 10g R2 and higher
3. There are three web listeners available with Apex : a) Apex Listener, b) Oracle HTTP Server with mod_plsql , and c) Embedded PL/SQL Gateway (EPG) available with 11g and higher databases.
4. Apex uses authentication schemes to validate user credentials. Pre-configured authentication schemes provided with Apex are OSSO (old SSO method), LDAP Server, HTTP Header variable, Database Credentials etc..
Note: You use Apex’s HTTP Header based authentication scheme to integrate Apex with OAM .
How Apex – OAM integration works ?
1. When a Apex request is made, it is first sent to Web Server (Oracle HTTP Server – OHS in this case)
2. Oracle HTTP Server (OHS) with webgate will intercept request
3. Given that user has not logged in yet, request is forwarded to OAM Server to find protection level of URL (aka resource)
4. As resource accesses by user is protected in OAM, OAM Run time server presents authentication scheme configured for this resource
5. User types username/password when then are verified by OAM server against Identity store configured for OAM Server.
6. On successful authentication cookie is presented to user (via OHS) and HTTP Header variable is set
7. As user is now authenticated, request is sent via mod_plsql to Apex engine within Oracle Database.
8. Apex engine then dynamically builds page and returns it back to user’s browser.
.
Pre-Requisites
1. Ensure that Oracle Database and Apex 4.1.x is already installed.
2. Apply Apex patch 12955671 (check if Apex 4.1.1 is available now)
3. Oracle Access Manager (OAM 11g) is installed and configured. (to check OAM Installation <> this post is for 11.1.1.3 where as latest version currently is 11.1.1.5 steps remains same)
Apex-OAM Configuration Tasks
1. Install Oracle HTTP Server
2. Add dads.conf or with-in httpd.conf with entry like
<Location /apex>
SetHandler pls_handler
Order deny,allow
Allow from all
PlsqlDocumentPath docs
PlsqlDocumentProcedure wwv_flow_file_manager.process_download
PlsqlDatabaseConnectString orcl ServiceNameFormat
PlsqlNLSLanguage AMERICAN_AMERICA.AL32UTF8
PlsqlAuthenticationMode Basic
PlsqlDocumentTablename wwv_flow_file_objects$
PlsqlDatabaseUsername APEX_PUBLIC_USER
PlsqlDatabasePassword *****
PlsqlDefaultPage apex
PlsqlRequestValidationFunction wwv_flow_epg_include_modules.authorize
PlsqlCGIEnvironmentList HTTP_OAM_REMOTE_USER
PlsqlCGIEnvironmentList HTTP_OAM_REMOTE_USER_GROUPS
PlsqlCGIEnvironmentList HTTP_OAM_REMOTE_USER_EMAIL
</Location>Alias /i/ /path/to/APEX/images/
3. Restart OHS Server and see if you can access /apex
4. Register WebGate Instance in OAM server (This can be done via RREG or manually using OAM Console ) . Registering webgate instance using RREG or manually using console is also covered in my book here
Note: Ensure that /apex/apex_authentication.callback is protected resource and / & /…/* are defined as public/unprotceted resource
5. Add responses to authorisation policy to return two header variables (OAM_REMOTE_USER_GROUPS & OAM_REMOTE_USER_EMAIL)
Name: OAM_REMOTE_USER_GROUPS; Type: Header; Value: $user.groups
Name: OAM_REMOTE_USER_EMAIL; Type: Header; Value: $user.attr.mail
6. Install OAM 11g WebGate on OHS Server
7. Copy generate artefacts from step 4 webgate registration (on OAM Server) to OHS Server
8. Restart OHS Server
9. Define Authentication Scheme HTTP Header Variable in Apex application (Shared Components -> Administration -> Create) with Header variable as HTTP_OAM_REMOTE_USER
10. Test Apex – OAM integration by accessing Apex Application.