Wednesday, October 20, 2010

Custom Authentication Scheme for Oracle Application Express and Oracle Access Manager - Addendum

As mentioned in my earlier post about Oracle Application Express integration with Oracle Access Manager, Dilip Gowda, an Oracle consultant, very kindly shared a Word document detailing all of the steps he performed to get Oracle Access Manager 10.1 working with Oracle Application Express 3.2. It can be downloaded from here. The custom authentication scheme for APEX should work with any APEX version - it's a generic header variable authentication scheme.

Once I get Oracle Access Manager 11gR1 installed and configured, I hope to prepare and share a similar document. The eventual goal is to turn this into an official whitepaper and then ultimately provide an out-of-the-box header variable authentication scheme in a future version of Oracle Application Express.

8 comments:

Eccles! said...

Thanks very much Joel! Just what I was looking for...

cheers. Jerry

Ryan said...

Joel, this is what I need, but for 11g OAM. Have you attempted integrating 11g yet? In your opinion, do you think I could follow the doc on this site for 11g and figure it out from that?

Joel R. Kallman said...

Hi Ryan,

I have not attempted this for 11gR1 OAM yet, but I think the major actions would be the same (I'm not expert in OAM).

Joel

Ryan said...

Hey Joel,
I followed through your doc. I'm definitely getting OAM to force authentication via the authentication policy I created (I get prompted by OAM). Once I'm through, I'm prompted by APEX to enter a username as my "identification for this session". When I enter the same username I used to get through OAM (or any other username) I get the following error:
ORA-06550: line 2, column 8: PLS-00201: identifier 'HEADER_VARIABLE_PAGE_SENTRY' must be declared ORA-06550: line 2, column 1: PL/SQL: Statement ignored
I've also tried compiling the HEADER_VARIABLE_PAGE_SENTRY function on the actual schema for my APEX application (as opposed to on APEX_PUBLIC_USER). When I do that, I am continually prompted for a username, without getting through to the actual application. Any ideas as to what could be causing this?

Joel R. Kallman said...

Hi Ryan,

Firstly, the function should be compiled in your application parsing schema and not APEX_PUBLIC_USER. Nothing should ever exist in the APEX_PUBLIC_USER schema, nor should any privileges be granted to this account.

As far as your specific error, did you specify the correct HTTP header variable name which contains the authenticated username? Are you able to verify this by tracing the HTTP headers?

I hope this helps.

Joel

Marian said...

Hi Joel, Ryan,
did you manage to make OAM 11g work with APEX yet?
Thanks
Marian

Ryan said...

Yes I did actually! There are a few easy steps to get it to work:

1. In OAM, I am protecting APEX (urls /pls and /pls/.../*). In the response, I'm passing a cookie named 'oam_cookie_userid' with '${user.user_id}' as the parameter. This will grab your SSO username on sign in and put it into a cookie called 'oam_cookie_userid'. This is explained in the OAM Admin documentation (i believe)

2. In my APEX apps authentication scheme, I use the following code (Scheme Type: PL/SQL Function Returning Boolean):

declare
user_count number;
cookie_uid varchar2(255) := null;
cook owa_cookie.cookie;
begin
cook := owa_cookie.get('oam_cookie_userid');
cookie_uid := cook.vals(1);
select count(*) into user_count
from ht_people
where upper(ide_username) = upper(cookie_uid);
if (user_count > 0) then
wwv_flow.g_user := cookie_uid;
return true;
else
return false;
end if;
end;


'ht_people' is just a table we use to store our users, and the 'wwv_flow.g_user' sets the APEX username that shows up at the top of your app.

And that's it! Hope that helps

Joel R. Kallman said...

Hi Marian,

A whitepaper is forthcoming on this topic, for integration with OAM and APEX 4.1. It's undergoing final reviews now.

Joel