OAM 11g Integration with Apex 4.1.0

In this post I would like to explain the high-level integration points between Oracle Access Manager 11g and APEX.

The integration architecture is given below.

This post assumes that OAM 11g and APEX are already installed and configured. The typical integration flow is explained below:

  • Register the OHS 11g WebGate. The integration is also supported with the 10g agent, but this post covers the 11g WebGate.
  • An Application Domain and a host identifier will be created accordingly.
  • Create a new Resource in the APEX-specific application domain with the details given below.

Type – HTTP
Host Identifier – APEX
Resource URL – /apex/apex_authentication.callback
Protection Level – Protected
Authentication Policy – Protected Resource Policy
Authorization Policy – Protected Resource Policy

  • Go to the authorization policy and specify the following header variables in Actions.

Name: OAM_REMOTE_USER_GROUPS; Type: Header; Value: $user.groups
Name: OAM_REMOTE_USER_EMAIL; Type: Header; Value: $user.attr.mail

  • Install the OHS 11g WebGate and copy all the artifacts generated during WebGate registration to the WebGate config folder.
  • Edit httpd.conf or dads.conf so that the mod_plsql module works correctly.

<Location /apex>
SetHandler pls_handler
Order deny,allow
Allow from all
PlsqlDocumentPath docs
PlsqlDocumentProcedure wwv_flow_file_manager.process_download
PlsqlDatabaseConnectString orcl ServiceNameFormat
PlsqlNLSLanguage AMERICAN_AMERICA.AL32UTF8
PlsqlAuthenticationMode Basic
PlsqlDocumentTablename wwv_flow_file_objects$
PlsqlDatabaseUsername APEX_PUBLIC_USER
PlsqlDatabasePassword *****
PlsqlDefaultPage apex
PlsqlRequestValidationFunction wwv_flow_epg_include_modules.authorize
PlsqlCGIEnvironmentList HTTP_OAM_REMOTE_USER
PlsqlCGIEnvironmentList HTTP_OAM_REMOTE_USER_GROUPS
PlsqlCGIEnvironmentList HTTP_OAM_REMOTE_USER_EMAIL
</Location>
Alias /i/ /path/to/APEX/images/

  • Bounce the OHS 11g server.
  • Log in to the Oracle APEX environment.
  • Select the application to be configured from Application Builder.
  • Select Shared Components, click Authentication
  • Click Create, select Based on a pre-configured scheme from the gallery, click Next
  • Enter a Name, select Scheme Type of HTTP Header Variable, enter HTTP Header Variable Name HTTP_OAM_REMOTE_USER. Please

Now test the SSO by accessing the APEX application. It should redirect to the authentication scheme that is configured for the APEX application in the OAM Admin console.
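An added example, not from the original post or the integration guide: a small check that every header the steps above rely on is listed in PlsqlCGIEnvironmentList inside the <Location /apex> block, since a variable that is not listed never reaches APEX. The sample config is constructed from the post's block with one entry deliberately omitted, and the function names are hypothetical.

```python
import re

# Constructed sample: the post's <Location /apex> block, shortened, with the
# HTTP_OAM_REMOTE_USER_EMAIL entry deliberately left out to produce a finding.
SAMPLE_DADS_CONF = """\
<Location /apex>
SetHandler pls_handler
PlsqlAuthenticationMode Basic
PlsqlRequestValidationFunction wwv_flow_epg_include_modules.authorize
PlsqlCGIEnvironmentList HTTP_OAM_REMOTE_USER
PlsqlCGIEnvironmentList HTTP_OAM_REMOTE_USER_GROUPS
</Location>
"""

# Header actions from the authorization policy, and the variable named in the
# APEX "HTTP Header Variable" authentication scheme (both taken from the post).
OAM_HEADERS = ["OAM_REMOTE_USER_GROUPS", "OAM_REMOTE_USER_EMAIL"]
APEX_SCHEME_VARIABLE = "HTTP_OAM_REMOTE_USER"

def cgi_name(header):
    """CGI variable name for a request header: upper case, '-' to '_', HTTP_ prefix."""
    return "HTTP_" + header.upper().replace("-", "_")

def forwarded_variables(conf_text, location="/apex"):
    """Variables named by PlsqlCGIEnvironmentList inside <Location location>."""
    inside, found = False, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.fullmatch(r"<Location\s+(\S+)>", line, re.IGNORECASE)
        if opened:
            inside = opened.group(1).strip('"') == location
        elif line.lower() == "</location>":
            inside = False
        elif inside:
            parts = line.split()
            if parts[0].lower() == "plsqlcgienvironmentlist" and len(parts) > 1:
                found.add(parts[1].split("=", 1)[0])  # accept NAME or NAME=value
    return found

def missing_variables(conf_text, oam_headers=OAM_HEADERS,
                      scheme_variable=APEX_SCHEME_VARIABLE):
    """Sorted list of required variables the DAD does not pass through to APEX."""
    needed = {scheme_variable} | {cgi_name(h) for h in oam_headers}
    return sorted(needed - forwarded_variables(conf_text))

if __name__ == "__main__":
    for name in missing_variables(SAMPLE_DADS_CONF):
        print("not forwarded to APEX:", name)
```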

References: Integration Guide

 

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com

2 comments
David Richardson says August 15, 2012

Did this integration back when the original article came out and David Peake’s rehashing of it. But was wondering how we could protect individual applications (i.e. ?f=100, etc.)

Mahendra says August 15, 2012

Yes David. David Peake is the author of the integration guide provided in references of this post. I don’t think OAM 11g provides more URL pattern resource protection and hence in the post complete application is protected with /…/* and then another resource /apex/apex_authentication.callback

-Mahendra
