5 Replies Latest reply: Jul 23, 2013 2:20 AM by Kiran

Apex RBAC and Seamless Single Sign ON

79b59e85-1c75-40f2-8ca8-5688ec13cff0 Newbie

Hi,

We are building a GBAC (Group Based Access Control) and SSO Module in Apex (I know .. Reinventing the wheel) as we have budget constraints and there are some limitations in the standard Apex implementation.

Problem Space:

Apex Version: 4.1.1.00.23

We have Multiple Workspaces and Multiple Applications within those Workspaces.

Our Users currently have a separate link for each App - Very Cumbersome.

The Current Authentication Mechanism is LDAP authentication. We have no Authorisation module in place.

This is a security Nightmare as any user with a valid LDAP account can access the Apex Reports/Forms if they get their hands on the Link.

Solution

We have built an Admin Module where we create Groups (Not Apex Groups) and then assign applications to those Groups. Apex Groups have a limited Scope (Workspace only).

Our Groups are Cross Workspace and can contain applications from Multiple Workspaces.

We finally assign LDAP users to those Groups.

All the Meta Information is stored in DB tables.

We also use a lot of the Apex Dictionary tables to get Application info.


Where I am now Stuck

We have now created a Single Launch Point (New App) to simulate an SSO Portal.

Users will log into this Apex App using their LDAP Credentials.

Once the user is successfully Authenticated by LDAP, we check all the Groups the User Belongs to and Populate the Launch Page with Links for the Apps the user has access to.

Now, rather than pointing the Link to Page 101, which is the login page, we point it to the Main Page (Page 1).

When the user Clicks on the Link, he gets shown the Login Page Again.

We do not want the user to Authenticate again as this defeats the Purpose.

Any sort of Pointers most appreciated.
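An added example (not code from this thread) showing the authorization side of the design described above: constructed group tables, a function that can back an application-level authorization scheme so that a valid LDAP account alone no longer opens every app, and the launch-page query over the APEX_APPLICATIONS dictionary view. All table and function names are assumptions.

```sql
-- Constructed schema for the cross-workspace groups described in the post (names are assumptions)
create table gbac_groups (
  group_id    number        primary key,
  group_name  varchar2(100) not null unique
);
create table gbac_group_apps (           -- which applications a group may launch
  group_id        number        not null references gbac_groups,
  workspace_name  varchar2(255) not null,
  application_id  number        not null,
  primary key (group_id, application_id)
);
create table gbac_group_users (          -- LDAP accounts that belong to a group
  group_id  number        not null references gbac_groups,
  username  varchar2(255) not null,      -- stored upper-case, as APP_USER is
  primary key (group_id, username)
);

-- Authorization check: TRUE only when the user is in some group granted this app.
-- Attach it to every linked app as an application-level authorization scheme of type
-- "PL/SQL Function Returning Boolean" with body: return gbac_user_may_access(:APP_USER, :APP_ID);
-- so a valid LDAP login alone is no longer enough to open a report or form.
create or replace function gbac_user_may_access(
  p_username in varchar2,
  p_app_id   in number) return boolean
is
  l_cnt pls_integer;
begin
  select count(*) into l_cnt
    from gbac_group_users u
    join gbac_group_apps  a on a.group_id = u.group_id
   where u.username       = upper(p_username)
     and a.application_id = p_app_id;
  return l_cnt > 0;
end gbac_user_may_access;
/

-- Launch-page source: only the apps the logged-in user may open, joined to the
-- APEX dictionary for the display name; the session id in the URL is only honoured
-- by apps in the same workspace (see the replies on cross-workspace limits).
select a.workspace,
       a.application_id,
       a.application_name,
       'f?p=' || a.application_id || ':1:' || :APP_SESSION as launch_url
  from apex_applications a
 where exists (select 1
                 from gbac_group_users u
                 join gbac_group_apps  g on g.group_id = u.group_id
                where u.username       = :APP_USER
                  and g.application_id = a.application_id)
 order by a.workspace, a.application_name;
```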

  • 1. Re: Apex RBAC and Seamless Single Sign ON
    Aries_21 Newbie

    Hi,

    Try referencing the authentication scheme of all your linked APEX apps to the authentication scheme of the Single Launch Point app.

    Good Luck!

    Regards,

    Yol

  • 2. Re: Apex RBAC and Seamless Single Sign ON
    79b59e85-1c75-40f2-8ca8-5688ec13cff0 Newbie

    Hi Yol,

    Can you provide a bit more detail?

    In the meantime I have made a small Breakthrough.

    I can seamlessly log in from the Launch Portal to the Other Apps when the Applications are in the Same Workspace as the Launch Point App. For this I use APEX_CUSTOM_AUTH.LOGIN.

    When I try to launch an app in another workspace I get the following error:

    Application ID and current security group ID are not consistent.

  • 3. Re: Apex RBAC and Seamless Single Sign ON
    Aries_21 Newbie

    Hi,

    I had tried this; you need to modify page 101 of the apps in the other workspace as follows:

    1. Hide all the items & buttons under page 101

    2. Create After Submit processes as:

       10  Set Username Cookie

           begin
             -- send the login name back to the browser as a cookie
             owa_util.mime_header('text/html', FALSE);
             owa_cookie.send(
               name  => 'LOGIN_USERNAME_COOKIE',
               value => lower(:P101_USERNAME));
           exception when others then null;
           end;

       20  Login

           -- authenticate against this app and redirect to its page 1
           wwv_flow_custom_auth_std.login(
             P_UNAME      => :P101_USERNAME,
             P_PASSWORD   => :P101_PASSWORD,
             P_SESSION_ID => v('APP_SESSION'),
             P_FLOW_PAGE  => :APP_ID || ':1');

       30  Clear pages cache for page 101

    All the processes must be unconditional.

    Regards,

    Yol

  • 4. Re: Apex RBAC and Seamless Single Sign ON
    Tom Petrus Expert

    You don't need to alter page 101 or call apex_custom_auth to be able to share a session (and thus authentication) between applications. All you have to do is make sure that the session cookie for the applications which need to share the session has the same name in the authentication scheme of those applications. Just go to "shared components > authentication schemes" and go to the "Session Cookie Attributes" section. You can set the cookie name there.

    However, you cannot share a session across workspaces, and this is a security implementation of APEX. If you need a seamless login for those cases you need to look into some of the custom/unconventional solutions.

  • 5. Re: Apex RBAC and Seamless Single Sign ON
    Kiran Expert

    Hi,

    Please refer to the following discussion:

    Single authentication for all applications in the workspace.

    Of the solutions mentioned in the discussion above I have used the following:

    http://apps2fusion.com/at/64-kr/413-maintaining-authentication-between-apex-applications

    which works for SSO using a Session Cookie for Oracle APEX applications in ONE Workspace.


    Hope it helps!

    Regards,

    Kiran
