Hmm... Seamless is better than seemless
As you may be aware, Oracle has released a whitepaper on apex-ebs integration:
Not a whole lot is covered in there, and it does not show or hint at any form of seamless integration coming from ebs, but it does some basic steps.
Before getting a crack at the seamless login or a form thereof, some questions.
- Do you already have a link set up in ebs to go to apex? (using gwy.jsp)
- Your login function uses validate_login, that's good. Why would you want to check any other tables for access? I'd say that your ebs credentials and setup should drive things.
- If you want to run reports based on ebs data then you might know that setting the correct context (and vpd policies if r12) is important too.
As for seamless login: the whitepaper does not mention any such thing if you are not using SSO or OAM. It is there, somewhere, one line in the text that mentions this. However, a technique is mentioned in an earlier version of the whitepaper made by Rod West (which is also relevant if you have ebs r11):
In this document he outlines a solution for a seamless login. In a before headers process you will check the ebs icx cookie, and use this cookie to check if a valid ebs session exists. If there is, then a hash will be made based on the username (pulled from cookie) and a time component (and another key part if you would wish so). The authentication scheme login function is called next with the ebs username and the hash as credentials.
The login authentication function of the authentication scheme is extended to first check the password to see if it matches a hash: a hash is generated here as well based on the provided username and a time component once more. If the hashes match then the authentication is considered successful.
I integrated it not so long ago and I have to say that it works a treat (though I had some minor quibbles with it). The paper also mentions that this system is not 100% safe, but then again, since you cannot pass credentials (password) I'm not sure how exactly you'd otherwise do it. Basically someone could try and enter a random hash to get in, but hey, good luck unless you're really dedicated to cracking it (and why wouldn't you try to use the usual simple password first...) Using the icx cookie works great though, and seems secure enough, even if part of it might be obscurity (hash system).
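Added example, not part of the post above or of the whitepaper it cites: the username-plus-time hash handshake written with a secret key (HMAC), so that the value cannot be recomputed by someone who only knows the recipe. Python is used here only to show the logic; the key, the 60-second window, all function names and the `check_password` callback (standing in for the normal ebs password check) are assumptions.

```python
import hashlib
import hmac
import time
from typing import Callable, Optional

WINDOW = 60  # seconds per time bucket (assumed; the post only says "a time component")


def _mac(username: str, bucket: int, key: bytes) -> bytes:
    # Keyed MAC over user + time bucket; without `key` it cannot be recomputed.
    msg = f"{username.upper()}|{bucket}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest().encode()


def make_token(username: str, key: bytes, now: Optional[float] = None) -> str:
    """Before-header side: call only after the session cookie was validated."""
    now = time.time() if now is None else now
    return _mac(username, int(now) // WINDOW, key).decode()


def is_valid_token(username: str, presented: str, key: bytes,
                   now: Optional[float] = None) -> bool:
    """Login-function side: recompute for the current and previous bucket."""
    now = time.time() if now is None else now
    bucket = int(now) // WINDOW
    given = presented.encode()  # bytes, so odd user input cannot raise
    ok = False
    for b in (bucket, bucket - 1):
        # compare_digest keeps the comparison time independent of the match
        ok |= hmac.compare_digest(_mac(username, b, key), given)
    return ok


def authenticate(username: str, password: str, key: bytes,
                 check_password: Callable[[str, str], bool],
                 now: Optional[float] = None) -> bool:
    """Token first, then the ordinary password check (hypothetical callback)."""
    if is_valid_token(username, password, key, now):
        return True
    return bool(check_password(username, password))
```

The token is only as strong as the key and the window: keep the key out of page source and application items, and keep the window short so a captured value expires quickly.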
Thanks Tom -
I found the Rod White paper shortly after posting this. I will pass this whole issue to the technical team as I am not a heavy duty technical person.