I'm relatively new to heavy duty ApEx development and have developed an application that the user community wants to integrate with the eBusiness Suite. I've implemented the authentication scheme to check credentials against FND_USER and it works like a champ.
What the users would like to do is invoke the ApEx application so that they do not have to log in a second time (to ApEx). I have a table internal to the ApEx app and check the credentials against that so I am not worried about a non-authorized user getting into the app - they will just get a blank menu.
Though I can pass USER_ID, there is no way I want to pass the unencrypted password to ApEx as this violates basic Good I/T Practices.
Any help would be appreciated (document, pdf, blog, et al).
As you may be aware, Oracle has released a whitepaper on apex-ebs integration:
Not a whole lot is covered in there, and it does not show or hint at any form of seamless integration coming from ebs, but it does cover some basic steps.
Before getting a crack at the seamless login or a form thereof, some questions.
- Do you already have a link set up in ebs to go to apex? (using gwy.jsp)
- Your login function uses validate_login, that's good. Why would you want to check any other tables for access? I'd say that your ebs credentials and setup should drive things.
- If you want to run reports based on ebs data then you might know that setting the correct context (and vpd policies if r12) is important too.
As for seamless login: the whitepaper does not mention any such thing if you are not using SSO or OAM. It is there, somewhere, one line in the text that mentions this. However, a technique is mentioned in an earlier version of the whitepaper made by Rod West (which is also relevant if you have ebs r11):
In this document he outlines a solution for a seamless login. In a before headers process you will check the ebs icx cookie, and use this cookie to check if a valid ebs session exists. If there is, then a hash will be made based on the username (pulled from cookie) and a time component (and another key part if you would wish so). The authentication scheme login function is called next with the ebs username and the hash as credentials.
The login authentication function of the authentication scheme is extended to first check the password to see if it matches a hash: a hash is generated here as well based on the provided username and a time component once more. If the hashes match then the authentication is considered successful.
I integrated it not so long ago and I have to say that it works a treat (though I had some minor quibbles with it). The paper also mentions that this system is not 100% safe, but then again, since you cannot pass credentials (password) I'm not sure how exactly you'd otherwise do it. Basically someone could try and enter a random hash to get in, but hey, good luck unless you're really dedicated to cracking it (and why wouldn't you try to use the usual simple password first...) Using the icx cookie works great though, and seems secure enough, even if part of it might be obscurity (hash system).
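The username-plus-time hash handoff described in the answer above, sketched in Python as an added example; it is not part of the thread and not code from the whitepaper. It assumes a keyed HMAC-SHA256 with a server-side secret in place of the paper's hash (whose exact construction is not shown here), a 60-second time slot, and a username already resolved from a validated EBS session; all function and constant names are hypothetical.

```python
import hashlib
import hmac

# Assumption: width of the "time component" in seconds. A narrow window
# limits how long a captured token can be replayed.
WINDOW_SECONDS = 60


def _mac(username: str, slot: int, key: bytes) -> bytes:
    """Keyed hash over username and time slot, hex-encoded as bytes."""
    # Assumption: usernames are compared case-insensitively, so normalise.
    msg = f"{username.upper()}|{slot}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest().encode("ascii")


def make_token(username: str, key: bytes, now: float) -> str:
    """Before-header side: called only after the EBS session was validated."""
    return _mac(username, int(now) // WINDOW_SECONDS, key).decode("ascii")


def verify_token(username: str, token: str, key: bytes, now: float) -> bool:
    """Login-function side: recompute the hash and compare.

    The current and the previous slot are accepted so that a token issued
    just before a slot boundary still verifies. Comparison is constant-time
    and done on bytes, so arbitrary user-supplied text cannot raise.
    """
    supplied = token.encode("utf-8")
    slot = int(now) // WINDOW_SECONDS
    ok = False
    for candidate in (slot, slot - 1):
        ok |= hmac.compare_digest(_mac(username, candidate, key), supplied)
    return ok


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"      # constructed sample value
    issued_at = 1_000_000                    # constructed timestamp
    tok = make_token("jsmith", demo_key, issued_at)
    print("same slot:    ", verify_token("JSMITH", tok, demo_key, issued_at))
    print("next slot:    ", verify_token("jsmith", tok, demo_key, issued_at + 30))
    print("expired:      ", verify_token("jsmith", tok, demo_key, issued_at + 90))
    print("other user:   ", verify_token("other", tok, demo_key, issued_at))
```

With a secret key in the hash, a caller who knows the username and the clock still cannot compute a valid value, so the scheme no longer relies on the construction staying obscure.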