Is it possible to set up my Oracle Application Express (Apex) application with Single Signon (SSO) based on Windows Integrated Security (NTLM), so that the end-users are automatically logged into the Apex application with their Windows (Active Directory) account without entering their username and password?
The answer is yes, but the implementation depends on your infrastructure, and specifically your web server:
- If you are using Apache (Oracle HTTP Server), the Embedded PL/SQL Gateway (DBMS_EPG) or the Apex Listener, then this post is not for you. There are various options such as mod_ntlm, mod_auth_sspi, proxies, etc., but you must look elsewhere for more details about those.
- If you are using (or can use) Microsoft Internet Information Server (IIS) to serve your Apex applications, then read on.
How to set up Single Signon for Oracle Apex applications on Microsoft IIS
Here are the high-level steps you need to take:
- Install (enable) Microsoft IIS on your Windows Server
- Download and install the Thoth Gateway, a mod_plsql replacement for IIS
- Configure the virtual directory of the gateway application (typically the "pls" folder) to use Integrated Windows Authentication
- Create an authentication scheme in your Apex application that checks the CGI variable called "LOGON_USER" (which IIS fills with the authenticated Windows account) and make that the current scheme of your application
Let's look at the two last steps in some more detail.
Configure virtual directory to use Integrated Windows Authentication
After you have installed the Thoth Gateway (see the installation instructions provided with the download), you can use the IIS management console to change the directory security settings of the virtual folder (application) where the gateway is installed.
In the following screenshot the folder is called "web-integrated-security", which just shows that you can really call it anything, but in a default installation of the Thoth Gateway the folder will be called "pls" (which mimics the naming convention used by Apache and mod_plsql).
Simply check "Integrated Windows Authentication" to enable SSO. Also remember to remove anonymous access to the website: if anonymous access is left enabled, IIS serves the request without challenging the browser, LOGON_USER arrives empty, and there is no identity for the Apex authentication scheme to work with.
Create Apex authentication scheme that checks LOGON_USER
IIS will now capture the username of the current user and pass it along to the Thoth Gateway as the CGI variable called "LOGON_USER".
You can access this value from PL/SQL using
owa_util.get_cgi_env('LOGON_USER')
To use this value in an authentication scheme in Apex, you can use the code provided by Joel Kallman in this post where he provides a "custom authentication scheme, which can be used with (...) really any environment which will securely set a header variable to an authenticated username." Joel describes five high-level steps, of which you can ignore steps 3 and 4, as this is now handled by IIS and the Thoth Gateway. Also remember to reference "LOGON_USER" rather than "REMOTE_USER". Note the word "securely" in that quote: the scheme trusts the value unconditionally, so the IIS virtual directory performing Integrated Windows Authentication must be the only route to your Apex applications; any other path to the database (for example an Embedded PL/SQL Gateway port left open) would let a caller supply whatever username they like.
If you are using Apex 4.1 or later, then there is no need to create a custom authentication scheme, as there is a new built-in "HTTP Header Variable" authentication scheme:
Be sure to make this authentication scheme the current scheme of your application.
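The following PL/SQL package is an added example, not code from the original post, from Joel Kallman's post or from the Thoth Gateway distribution. It shows how to read LOGON_USER, fail closed when it is empty, reduce DOMAIN\USERNAME to the account name, and wire the result into a page sentry function for a custom authentication scheme on Apex 4.0 and earlier. The package name sso_iis, the decision to strip the domain and the character whitelist in app_user are assumptions for illustration; on Apex 4.1 and later the built-in "HTTP Header Variable" scheme replaces the sentry, and app_user is the kind of validation you would still apply to the value it hands you.

```sql
-- Added example (not the post's or the Thoth Gateway's own code).
-- Assumptions: package name sso_iis; DOMAIN\ prefix is stripped; account
-- names are restricted to a conservative character set.
create or replace package sso_iis as
  -- Raw value IIS passed through the gateway; NULL when absent or empty.
  function logon_user return varchar2;

  -- Normalised Apex username derived from LOGON_USER; raises when the value
  -- is missing or malformed so that callers fail closed.
  function app_user return varchar2;

  -- Page sentry function for a custom authentication scheme (Apex <= 4.0).
  function sentry return boolean;
end sso_iis;
/

create or replace package body sso_iis as

  function logon_user return varchar2 is
  begin
    -- LOGON_USER, not REMOTE_USER, is the variable IIS populates.
    return nullif(trim(owa_util.get_cgi_env('LOGON_USER')), '');
  end logon_user;

  function app_user return varchar2 is
    l_raw  varchar2(4000) := logon_user;
    l_user varchar2(4000);
  begin
    if l_raw is null then
      -- Empty means IIS did not authenticate the caller: typically anonymous
      -- access is still enabled on the virtual directory, or the request did
      -- not come through IIS at all. Never fall back to a default user here.
      raise_application_error(-20001,
        'No authenticated Windows user (LOGON_USER is empty)');
    end if;

    -- IIS sends DOMAIN\user. Keep only the account part so APP_USER matches
    -- the account name used elsewhere. Keep the domain instead if more than
    -- one domain can reach the application and account names could collide.
    l_user := substr(l_raw, instr(l_raw, '\') + 1);

    -- Whitelist the characters we are prepared to see in an account name
    -- (assumed policy). Anything else is rejected rather than stored as APP_USER.
    if not regexp_like(l_user, '^[A-Za-z0-9._-]{1,104}$') then
      raise_application_error(-20002, 'Unexpected LOGON_USER format');
    end if;

    return upper(l_user);
  end app_user;

  function sentry return boolean is
    l_user varchar2(4000);
  begin
    l_user := app_user;  -- raises when no trusted identity is present

    if apex_custom_auth.is_session_valid then
      -- An Apex session already exists: only accept it if it belongs to the
      -- Windows account IIS authenticated on this request.
      return upper(apex_custom_auth.get_username) = l_user;
    end if;

    -- No session yet: create one bound to the IIS-authenticated user.
    apex_custom_auth.define_user_session(
      p_user       => l_user,
      p_session_id => apex_custom_auth.get_next_session_id);
    return true;
  exception
    when others then
      -- Fail closed; Apex redirects to the scheme's invalid-session target.
      return false;
  end sentry;

end sso_iis;
/
```

In the custom authentication scheme, set the Page Sentry Function to sso_iis.sentry and leave the login page unused; users never see it, because IIS has already established who they are before the gateway calls into the database. If you would rather keep the DOMAIN\USERNAME form the post describes, drop the substr/instr line and widen the regular expression to allow the backslash.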
Verify that it works
If you are logged into the network with a Windows (Active Directory) account and use Internet Explorer to access your website (which should be in the browser's list of Trusted Sites -- it will typically already be trusted if the website is in the Intranet zone), you should not be asked for a username and password, and your Apex username (APP_USER) should be automatically set to "DOMAIN\USERNAME".
That was easy, wasn't it?