I have two different authentication schemes:
SSO Authentication and User Defined (via function). Both work fine.
Now I face the problem that I need both in ONE application.
Internal users should be automatically authenticated via SSO, external users (which are not in our OID) should authenticate themselves via login page and the user defined function.
Both have different entry pages: internal users go directly to page 1 and external users get a link for page 101. Alternatively the entry page could be 101 for both of them with an "SSO Login"-Button for the SSO users.
Within the "Login"-Procedure on page 101 I could decide which authentication to use (based on the button pressed or the IP-Address or whatever).
The problem is that I can't find a description how to do the SSO-authentication manually. The whole Apex SSO-Authentication seems to be encapsulated.
1. Create a new application that uses SSO as the authentication scheme. Name the cookie in the authentication scheme. Create one page in this application. Give a link to this application/page to your OID (internal) users.
2. In the Post Authentication Process of this application's authentication scheme, do this:
...where XXXXX is the application ID of the main application.
3. For the main application, leave the authentication scheme as is but also provide the same cookie name as for the SSO-authenticated application. Give a link to any page in this application to your non-internal users.
When internal users use the link to the SSO application they will first have to authenticate using the SSO login page, then they'll be taken to page 1 in application XXXXX. When the page sentry in that application checks for the existence of a suitable session cookie, it will find it, the cookie having already been set by the authentication scheme in the SSO-authenticated application, which uses the same cookie name as that expected by application XXXXX.
When non-internal users use the link you gave them, the default authentication scheme will present the application's login page and they'll authenticate there.
this is a real good idea - and the very best: it works!
I had to move the owa_util.redirect..... to page 1 of the SSO-Authentication App.
I call it in the "Before Header"-Process - and get redirected to my "real" application, where my cookie is accepted :)
Don't know why this didn't work in the Post Authentication Process. This try ended up somewhere in a wierd URL of the SSO-Server.
But this doesn't matter - it works this way.