Single Sign-On (SSO) is not an optional feature for APEX applications according to the speaker. The document discusses how SSO using Kerberos works by having APEX applications authenticate users through Active Directory without passing credentials to the database. Some caveats are mentioned such as how to handle users not in AD. Additional information resources are provided to learn more about Kerberos, mod_auth_kerb, and other SSO options.
1. Single Sign-On for APEX:
It's not an option
Niels de Bruijn
08.03.2016 | APEX World
2. Facts & Figures
Independent Technology House with Cross-Industry Expertise
§ Headquarters: Ratingen (North Rhine-Westphalia)
§ Employees: 240
§ Founded: 1994
§ Branches: Dortmund, Cologne, Frankfurt
§ Top Company for Trainees & Students
§ Privately-Owned Corporation
§ Oracle Platinum Partner
§ Revenue: 24 million euros
3. About me
§ Niels de Bruijn, Business Unit Manager APEX
§ Born in 1977, married, three daughters, living in Ratingen
§ Working for MT AG since DEC-2003
§ After working for 2 years as Oracle consultant for Oracle Nederland B.V.
§ Track record with APEX since its inception
§ Responsible for all APEX activity in the company
§ Knowledge Portal: apex.mt-ag.com
§ Active DOAG member and responsible for APEX within this society
§ Presenting at Kscope, DOAG Conference, APEXposed, APEX World, APEX Connect
§ Conference Chair for conference DOAG APEX Connect
§ Part of APEX Content Committee for Kscope
§ Member of the APEX Review Board
4. Agenda
§ Single Sign-On: it is not an option
§ How does the magic work?
§ Caveats
§ I want more
§ Questions I get
§ More information
5. Single Sign-On: it is not an option
For the sake of security
§ Credentials are not passed to the database
§ Kerberos is secure (as used by Windows itself)
§ Central user store in Active Directory
§ No corporate password policy needed within APEX
For the sake of productivity
§ End users love it
§ Developers can now switch between workspaces without logging in again
WHAT IS YOUR EXCUSE FOR NOT USING IT?
8. Caveats
§ Map existing APEX accounts with their AD username
    BEGIN
      -- Rename the existing APEX account ADMIN to the matching AD username
      APEX_UTIL.SET_USERNAME
      ( p_userid   => APEX_UTIL.GET_USER_ID('ADMIN')
      , p_username => 'NDBRUIJN'
      );
    END;
§ When using mod_auth_kerb and the AD user is a member of too many AD groups
  § Have a look here: http://blogs.technet.com/b/surama/archive/2009/04/06/kerberos-authentication-problem-with-active-directory.aspx
§ Once enabled, you can’t change the identity without changing the OS user
  § Prepare your end users
  § For developers: just switch the authentication scheme to “open door” in the dev environment
9. I want more
§ What about people not listed in Active Directory?
  § Option 1: Use a separate entry point (i.e. a VirtualHost) and use Custom Auth in your APEX app
  § Option 2: Use software like Microsoft Forefront (no change in ORDS/APEX needed)
§ What about devices like MacBooks or smartphones that are not part of the Windows domain?
  § Fallback authentication using Basic Authentication over HTTPS
  § Tip: don’t use Digest Authentication (doesn’t work with Firefox)
  § Don’t want to enter username/password? Client certificates will help you out.
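A minimal Apache virtual host for the setup named on the "Caveats" and "I want more" slides, as an added example that is not taken from the original deck: mod_auth_kerb negotiates Kerberos for domain clients and falls back to a Basic prompt, served over HTTPS only. The host name, realm, certificate and keytab paths, and the AJP hand-off to ORDS running in Tomcat are assumptions.

```apache
# Added example; host name, realm, certificate and keytab paths are constructed.
# Requires mod_ssl, mod_auth_kerb, mod_proxy and mod_proxy_ajp.

# Plain HTTP only redirects, so the Basic fallback never travels unencrypted.
<VirtualHost *:80>
    ServerName apex.example.com
    Redirect permanent / https://apex.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName apex.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/apex.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/apex.example.com.key

    <Location /ords>
        AuthType Kerberos
        AuthName "APEX Single Sign-On"
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        # Keytab of the HTTP/apex.example.com service principal; it should be
        # readable by the Apache user only.
        Krb5KeyTab /etc/httpd/conf/apex.keytab
        # Domain-joined clients send a Kerberos ticket (SPNEGO): no prompt.
        KrbMethodNegotiate On
        # Clients outside the domain get a Basic prompt; Apache checks the
        # password against the KDC and it never reaches the database.
        KrbMethodK5Passwd On
        # Map the principal to a local name so REMOTE_USER has no @REALM suffix.
        KrbLocalUserMapping On
        Require valid-user

        # Assumption: ORDS is deployed in Tomcat with an AJP connector bound
        # to localhost; AJP forwards the authenticated user as REMOTE_USER.
        ProxyPass ajp://localhost:8009/ords
    </Location>
</VirtualHost>
```

For Tomcat to accept the user authenticated by Apache, its AJP connector needs tomcatAuthentication="false". The Tomcat/ORDS ports themselves should not be reachable by clients, otherwise the identity check in Apache can be bypassed.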
10. Questions I get
§ “We already have the shared session Cookie, so why bother?”
  § Still use it to prevent multiple APEX session cookies
§ “We already have LDAP authentication utilized in our APEX app”
  § Are you sure you want to pass your AD credentials to the database?
§ “What about the rights in my app?”
  § We are talking about authentication here, the authorization is normally determined by the app
§ “Any concerns about the session timeout setting in APEX?”
  § Set it to 99999 as this is now delegated to Kerberos
§ “The logout link in my app doesn’t work anymore”
  § Just delete it
11. More information
§ General installation steps of Apache & ORDS can be found here:
  http://www.opal-consulting.de/downloads/presentations/2015-11-DOAG-ORDS-Setup
§ About Kerberos
  http://www.roguelynn.com/words/explain-like-im-5-kerberos
§ About mod_auth_kerb
  http://blog.hallowelt.biz/wp-content/uploads/SSO_mit_mod_auth_kerb_v3.pdf
§ More SSO options
  http://wphilltech.com/options-for-windows-native-authentication-with-apex