5 Replies Latest reply: Jul 23, 2013 4:20 AM by Kiran Pawar

    Apex RBAC and Seamless Single Sign ON

    79b59e85-1c75-40f2-8ca8-5688ec13cff0

      Hi,

      We are building a GBAC (Group Based Access Control) and SSO module in Apex (I know, reinventing the wheel) as we have budget constraints and there are some limitations in the standard Apex implementation.

      Problem Space:

      Apex Version: 4.1.1.00.23

      We have multiple Workspaces and multiple Applications within those Workspaces.

      Our users currently have a separate link for each App - very cumbersome.

      The current authentication mechanism is LDAP authentication. We have no authorisation module in place.

      This is a security nightmare as any user with a valid LDAP account can access the Apex Reports/Forms if they get their hands on the link.

      Solution

      We have built an Admin Module where we create Groups (not Apex Groups) and then assign applications to those Groups. Apex Groups have a limited scope (Workspace only).

      Our Groups are cross-Workspace and can contain applications from multiple Workspaces.

      We finally assign LDAP users to those Groups.

      All the meta information is stored in DB tables.

      We also use a lot of the Apex Dictionary tables to get application info.

      Where I am now stuck

      We have now created a Single Launch Point (new App) to simulate an SSO Portal.

      Users will log into this Apex App using their LDAP credentials.

      Once the user is successfully authenticated by LDAP, we check all the Groups the user belongs to and populate the Launch Page with links for the Apps the user has access to.

      Now rather than point the link to Page 101, which is the login page, we point it to the Main Page (Page 1).

      When the user clicks on the link, he gets shown the Login Page again.

      We do not want the user to authenticate again as this defeats the purpose.

      Any sort of pointers most appreciated.
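      As an added illustration (not part of the original post or the poster's module), the following sketch shows the group/application/user tables the design above describes, together with the two pieces of SQL it needs: the launch-page query that lists the applications an LDAP user may open, and a boolean function that every target application can enforce through an application-level authorization scheme, so that getting hold of a link is no longer enough to reach a report or form. The table and function names (GBAC_GROUPS, GBAC_GROUP_APPS, GBAC_GROUP_USERS, GBAC_USER_CAN_ACCESS_APP) and the sample rows are constructed for the example; APEX_APPLICATIONS is the standard Apex dictionary view.

```sql
-- Constructed example schema for the cross-workspace group model (names are assumptions).
create table gbac_groups (
    group_id   number        primary key,
    group_name varchar2(100) not null unique
);

create table gbac_group_apps (
    group_id number not null references gbac_groups (group_id),
    app_id   number not null,            -- APEX application id; may live in any workspace
    primary key (group_id, app_id)
);

create table gbac_group_users (
    group_id  number        not null references gbac_groups (group_id),
    ldap_user varchar2(255) not null,    -- stored upper-cased to match :APP_USER
    primary key (group_id, ldap_user)
);

-- Constructed sample data: two groups, three applications, two LDAP users.
insert into gbac_groups values (1, 'FINANCE');
insert into gbac_groups values (2, 'HR');
insert into gbac_group_apps values (1, 100);   -- application 100 in workspace A
insert into gbac_group_apps values (1, 200);   -- application 200 in workspace B
insert into gbac_group_apps values (2, 300);   -- application 300 in workspace B
insert into gbac_group_users values (1, 'ALICE');
insert into gbac_group_users values (2, 'ALICE');
insert into gbac_group_users values (2, 'BOB');
commit;

-- 1. Launch-page report source: the distinct applications :APP_USER may open,
--    with name and workspace taken from the APEX_APPLICATIONS dictionary view.
select distinct a.app_id,
       x.application_name,
       x.workspace
  from gbac_group_users  u
  join gbac_group_apps   a on a.group_id = u.group_id
  join apex_applications x on x.application_id = a.app_id
 where u.ldap_user = upper(:APP_USER)
 order by x.workspace, x.application_name;

-- 2. Enforcement: boolean function for an application-level authorization
--    scheme in every target application, so that hiding a link on the launch
--    page is not the only control standing between a user and an application.
create or replace function gbac_user_can_access_app (
    p_user   in varchar2,
    p_app_id in number
) return boolean
is
    l_count pls_integer;
begin
    select count(*)
      into l_count
      from gbac_group_users u
      join gbac_group_apps  a on a.group_id = u.group_id
     where u.ldap_user = upper(p_user)
       and a.app_id    = p_app_id;
    return l_count > 0;
end gbac_user_can_access_app;
/

-- Quick check from SQL*Plus / SQL Developer (set serveroutput on):
-- ALICE may open application 200, BOB may not.
begin
    dbms_output.put_line('ALICE/200: ' ||
        case when gbac_user_can_access_app('alice', 200) then 'allowed' else 'denied' end);
    dbms_output.put_line('BOB/200:   ' ||
        case when gbac_user_can_access_app('bob', 200) then 'allowed' else 'denied' end);
end;
/
```

      To wire the function in, each target application gets an authorization scheme of type "PL/SQL Function Returning Boolean" whose body is `return gbac_user_can_access_app(:APP_USER, :APP_ID);`, selected as the application's Authorization Scheme under the application's Security attributes. Where the applications' parsing schemas differ across workspaces, the owning schema has to grant EXECUTE on the function (and SELECT on the metadata tables) to each of them, and the dictionary join in the launch-page query only sees applications in workspaces the launch point's schema is assigned to, so either assign that schema to every workspace involved or keep the application names in the metadata tables as well.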

        • 1. Re: Apex RBAC and Seamless Single Sign ON
          Aries_21

          Hi,

          Try referencing the authentication scheme of all your linked Apex apps to the authentication scheme of the Single Launch Point app.

          Good luck!

          Regards,

          Yol

          • 2. Re: Apex RBAC and Seamless Single Sign ON
            79b59e85-1c75-40f2-8ca8-5688ec13cff0

            Hi Yol,

            Can you provide a bit more detail?

            In the meantime I have made a small breakthrough.

            I can seamlessly log in from the Launch Portal to the other Apps when the applications are in the same Workspace as the Launch Point App. For this I use APEX_CUSTOM_AUTH.LOGIN.

            When I try to launch an app in another workspace I get the following error:

            Application ID and current security group ID are not consistent.

            • 3. Re: Apex RBAC and Seamless Single Sign ON
              Aries_21

              Hi,

              I have tried this; you need to modify page 101 of the apps in the other workspace as follows:

              1. Hide all the items and buttons on page 101.

              2. Create the following After Submit processes:

                 10 - Set Username Cookie (PL/SQL)

                     -- Remember the username in a cookie so the login page can pre-fill it next time
                     begin
                       owa_util.mime_header('text/html', FALSE);
                       owa_cookie.send(
                         name  => 'LOGIN_USERNAME_COOKIE',
                         value => lower(:P101_USERNAME));
                     exception
                       when others then
                         null;  -- the cookie is a convenience only; never block the login on it
                     end;

                 20 - Login (PL/SQL)

                     -- Authenticate through the application's authentication scheme and,
                     -- on success, redirect to page 1 of the current application
                     wwv_flow_custom_auth_std.login(
                       p_uname      => :P101_USERNAME,
                       p_password   => :P101_PASSWORD,
                       p_session_id => v('APP_SESSION'),
                       p_flow_page  => :APP_ID || ':1');

                 30 - Clear page(s) cache for page 101 (Clear Cache for Pages)

              All the processes must be unconditional.

              Regards,

              Yol

              • 4. Re: Apex RBAC and Seamless Single Sign ON
                Tom Petrus

                You don't need to alter page 101 or call apex_custom_auth to be able to share a session (and thus authentication) between applications. All you have to do is make sure that the session cookie for the applications which need to share the session has the same name in the authentication scheme of those applications. Just go to "Shared Components > Authentication Schemes" and go to the "Session Cookie Attributes" section. You can set the cookie name there.

                However, you cannot share a session across workspaces, and that is a security implementation of Apex. If you need a seamless login for those cases you need to look into some of the custom/unconventional solutions.

                • 5. Re: Apex RBAC and Seamless Single Sign ON
                  Kiran Pawar

                  Hi,

                  79b59e85-1c75-40f2-8ca8-5688ec13cff0 wrote:

                  Hi,

                  We are building a GBAC (Group Based Access Control) and SSO module in Apex (I know, reinventing the wheel) as we have budget constraints and there are some limitations in the standard Apex implementation.

                  Problem Space:

                  Apex Version: 4.1.1.00.23

                  We have multiple Workspaces and multiple Applications within those Workspaces.

                  Our users currently have a separate link for each App - very cumbersome.

                  The current authentication mechanism is LDAP authentication. We have no authorisation module in place.

                  This is a security nightmare as any user with a valid LDAP account can access the Apex Reports/Forms if they get their hands on the link.

                  Solution

                  We have built an Admin Module where we create Groups (not Apex Groups) and then assign applications to those Groups. Apex Groups have a limited scope (Workspace only).

                  Our Groups are cross-Workspace and can contain applications from multiple Workspaces.

                  We finally assign LDAP users to those Groups.

                  All the meta information is stored in DB tables.

                  We also use a lot of the Apex Dictionary tables to get application info.

                  Where I am now stuck

                  We have now created a Single Launch Point (new App) to simulate an SSO Portal.

                  Users will log into this Apex App using their LDAP credentials.

                  Once the user is successfully authenticated by LDAP, we check all the Groups the user belongs to and populate the Launch Page with links for the Apps the user has access to.

                  Now rather than point the link to Page 101, which is the login page, we point it to the Main Page (Page 1).

                  When the user clicks on the link, he gets shown the Login Page again.

                  We do not want the user to authenticate again as this defeats the purpose.

                  Any sort of pointers most appreciated.

                  Please refer to the following discussion:

                  Single authentication for all applications in the workspace.

                  Of the solutions mentioned in the discussion above I have used the following:

                  http://apps2fusion.com/at/64-kr/413-maintaining-authentication-between-apex-applications

                  which works for SSO using the session cookie for Oracle APEX applications in ONE Workspace.

                  Hope it helps!

                  Regards,

                  Kiran