14 Replies. Latest reply: Jul 25, 2013 1:21 AM by rmonk

Enable SSO APEX 4 and MS Active Directory

683199 Newbie
Hi,

I want to enable SSO on my APEX applications. Actually, we use Microsoft Active Directory and Windows 2003 (tomorrow maybe Windows 2008).
Regarding your experiences, what is the best solution that I can use in order to implement SSO?

Thanks for your help,

I forgot to give this information:
- Our Oracle Server is under Linux.
- We use Oracle Database 11GR2.
- Our domain controller is under Windows 2003 (we will probably upgrade to 2008 this year).
- Our APEX version is 4.1.0.00.32.

Edited by: user7224400 on Feb 3, 2012 16:23
  • 1. Re: Enable SSO APEX 4 and MS Active Directory
    683199 Newbie
    Can somebody help me?
    We are a small enterprise with approximately 150 users and want to implement SSO with APEX for our personal use.

    Do you know a free, open source or low cost solution?

    Thanks,
  • 2. Re: Enable SSO APEX 4 and MS Active Directory
    TexasApexDeveloper Guru
    Well, since you asked SOOO NICELY, here is a posting from a few years back: http://www.oracle.com/technetwork/issue-archive/2009/09-may/o39security-101079.html

    (Please change your Forum handle.. We are a friendly group here and like to know who we are talking with.. user7224400 is SOo unfriendly..)

    Thank you,

    Tony Miller
    Webster, TX
  • 3. Re: Enable SSO APEX 4 and MS Active Directory
    683199 Newbie
    Thanks for your answer.
    I have already seen this link. But this is not what I want.

    Users are lazy! I'm searching for a solution where users don't have to enter their login information.
  • 4. Re: Enable SSO APEX 4 and MS Active Directory
    Patrick Wolf Employee ACE
    Hi Villegente,

    have a look at the last posting at "Active Directory and APEX 3.1". It should give you the necessary information if you want to login with your MS Active Directory credentials.

    If you want to have a SSO solution where APEX automatically picks up your Windows Login credentials you have to look for NTLM.
    See http://www.inside-oracle-apex.com/using-windows-login-credentials-for-single-sign-on-ntlm-authentication/
    Please keep in mind that the PL/SQL based NTLM authentication isn't very secure and also always causes troubles with new browser versions.

    Regards
    Patrick
    -----------
    My Blog: http://www.inside-oracle-apex.com
    APEX Plug-Ins: http://apex.oracle.com/plugins
    Twitter: http://www.twitter.com/patrickwolf
  • 5. Re: Enable SSO APEX 4 and MS Active Directory
    MarkM. Explorer
    For those of us that are using WebLogic and the APEX listener, has anyone seen or heard any options coming for NTLM or Kerberos authentication so my Active Directory users don't have to keep typing their credentials? It would be great to at least tell them something is coming down the pike for some future release. Thanks much!

    Rgds/Mark M.
  • 6. Re: Enable SSO APEX 4 and MS Active Directory
    mobra Journeyer
    I want to enable SSO on my APEX applications. Actually, we use Microsoft Active Directory and Windows 2003 (tomorrow maybe Windows 2008).
    Regarding your experiences, what is the best solution that I can use in order to implement SSO?
    If you can use Microsoft IIS as your web server in front of Apex, then you can download the Thoth Gateway, a mod_plsql/Apex Listener replacement written in .NET.

    http://code.google.com/p/thoth-gateway/

    For SSO, just set up the virtual directory that contains the Thoth Gateway (the "pls" folder or whatever you choose to call it) with integrated Windows authentication. Then you can get the username of the authenticated user via owa_util.get_cgi_env('LOGON_USER'). You can then incorporate this into your custom Apex authentication function.

    - Morten

    http://ora-00001.blogspot.com
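
An added example, not part of the original post or of the Thoth Gateway project: one way a custom authentication function could check the `LOGON_USER` value before trusting it as the APEX username. The function name `sso_username`, the parameter `p_allowed_domain`, the placeholder domain `CORP`, the `DOMAIN\user` format and the character allow-list are assumptions.

```plsql
create or replace function sso_username (
    p_allowed_domain in varchar2 default 'CORP'   -- placeholder domain name
) return varchar2
is
    l_raw    varchar2(512);
    l_domain varchar2(255);
    l_user   varchar2(255);
    l_pos    pls_integer;
begin
    -- Populated by the web server for the current request.
    l_raw := trim(owa_util.get_cgi_env('LOGON_USER'));

    -- NULL means the request was not authenticated (for example, anonymous
    -- access is still enabled on the virtual directory): never fall back
    -- to a default user.
    if l_raw is null then
        return null;
    end if;

    -- Assumed format: DOMAIN\user. A missing or empty domain part is refused.
    l_pos := instr(l_raw, '\');
    if l_pos <= 1 then
        return null;
    end if;

    l_domain := upper(substr(l_raw, 1, l_pos - 1));
    l_user   := substr(l_raw, l_pos + 1);

    if l_domain <> upper(p_allowed_domain) then
        return null;
    end if;

    -- Conservative allow-list (an assumption; tighten to your naming policy).
    if l_user is null
       or not regexp_like(l_user, '^[A-Za-z0-9._-]{1,64}$') then
        return null;
    end if;

    return upper(l_user);
end sso_username;
/
```

A NULL result should be treated as "deny the session". The value is only as trustworthy as the path that sets it, so it holds when Windows authentication is required on the virtual directory and the gateway is the only route by which requests reach the database.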
  • 7. Re: Enable SSO APEX 4 and MS Active Directory
    Patrick Wolf Employee ACE
    Hi Morten,

    that solution sounds interesting! In APEX 4.1 you can use the new authentication type "HTTP Header Variable" where you just have to specify LOGON_USER as CGI variable containing the username.

    Regards
    Patrick
    -----------
    My Blog: http://www.inside-oracle-apex.com
    APEX Plug-Ins: http://apex.oracle.com/plugins
    Twitter: http://www.twitter.com/patrickwolf
  • 8. Re: Enable SSO APEX 4 and MS Active Directory
    user119900 Newbie
    Hi

    We have just achieved this. But we could only make it work with ias 10g which is 32 bit with ntlm.so and ntlm.c files for Apache 1.3. They are running on Windows 2008 64bit server and database is also on that server.

    We tried it on Linux and OHS 11g which is 64 bit but could not solve the problems and were running out of time. So went for the above which is working .. There is one user who can not get in ...

    Regards

    AJ
  • 9. Re: Enable SSO APEX 4 and MS Active Directory
    MarkM. Explorer
    Morten -- Interesting. I wish we had found that before we implemented WebLogic and the APEX listener, it may have been an interesting other option to consider. I'm not sure it would have made it past our change control folks as they might bark at the supportability/security, but it is an intriguing option.

    Patrick -- (You have a great blog by the way.). We are talking about upgrading our APEX 3.1 instances this year so I am very interested in the new authentication type. Is it doing anything other than simply retrieving the logon_user? i.e., is it actually authenticating against anything or would it just read the logon_user and let them in if they matched a known username?

    AJ -- We just converted from Oracle Portal last year. When I had Oracle Portal, I had it setup to use Windows Native Authentication following the supported solution for that and then had APEX set up as a partner application for portal. So if someone hit portal first, they'd automatically logon as their active directory user through WNA and would be dropped into portal. If they then hit a link for APEX in portal, it would (in rapid succession) go to APEX, redirect back to the portal SSO server, see they were authenticated in app server, and drop them into APEX with barely a visible screen flicker. It worked flawlessly UNTIL we started upgrading to Windows 7. Then a number of changes and patches are required to get WNA to work with app server 10g and Windows 7. If you are using portal in your 10g IAS, you may want to consider that route.

    Pardon me while I hop on my soapbox briefly -- I think if our friends in Oracle land could come out with a fully supported method of using NTLM or similar technologies to automatically login to APEX applications, it would help considerably in the adoption of APEX and the APEX listener in customers that have Oracle databases and Active Directory which is a pretty decent size market.

    Ok, soapbox moment ended. :-)

    Rgds/Mark M.
  • 10. Re: Enable SSO APEX 4 and MS Active Directory
    mobra Journeyer
    In APEX 4.1 you can use the new authentication type "HTTP Header Variable" where you just have to specify LOGON_USER as CGI variable containing the username.
    Hi Patrick,

    indeed, I've seen this new authentication type mentioned a few places, and it would make the setup even simpler.

    For the thread starter's reference, here is the link to the documentation:

    http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/sec_authentication.htm#sthref2365

    As mentioned, IIS must be set up with Integrated Security to automatically populate the LOGON_USER variable.

    Also see http://code.google.com/p/thoth-gateway/issues/detail?id=4 if running IIS 7.

    - Morten

    http://ora-00001.blogspot.com
  • 11. Re: Enable SSO APEX 4 and MS Active Directory
    683199 Newbie
    Patrick Wolf wrote:
    Hi Morten,

    that solution sounds interesting! In APEX 4.1 you can use the new authentication type "HTTP Header Variable" where you just have to specify LOGON_USER as CGI variable containing the username.

    Regards
    Patrick
    Please, can you help me to do this ?
    We don't use IIS.

    Edited by: villegente on Feb 27, 2012 14:36
  • 12. Re: Enable SSO APEX 4 and MS Active Directory
    683199 Newbie
    Hello,

    Do you know if it is possible to use HTTP Header (REMOTE_USER) to auto logon when APEX is installed with XML DB?

    Regards
  • 13. Re: Enable SSO APEX 4 and MS Active Directory
    rmonk Newbie

    Hi Mark, has there been any progress on this?

  • 14. Re: Enable SSO APEX 4 and MS Active Directory
    rmonk Newbie

    Hi Mark,

    Can you provide any details about how you went with WebLogic and the APEX listener?

    It appears that the only documented solution provided by Oracle is their Oracle Access Manager, but we aren't willing to pay for it.

    I am in a similar situation where we are shutting down our 10g Portal / SSO / WNA system, which is also being used by Apex for authentication and we need to find an alternative.
