20160308 apex sso
Single Sign-On for APEX: It's not an option
Niels de Bruijn | 08.03.2016 | APEX World
Facts & Figures
Independent Technology House with Cross-Industry Expertise
Headquarters: Ratingen (North Rhine-Westphalia)
240 Employees
Founded: 1994
Branches: Dortmund, Cologne, Frankfurt
Top Company for Trainees & Students
Privately-Owned Corporation
Oracle Platinum Partner
24 Million Euro Revenue
About me
§ Niels de Bruijn, Business Unit Manager APEX
§ Born in 1977, married, three daughters, living in Ratingen
§ Working for MT AG since DEC-2003
  § After working for 2 years as Oracle consultant for Oracle Nederland B.V.
§ Track record with APEX since its inception
§ Responsible for all APEX activity in the company
  § Knowledge Portal: apex.mt-ag.com
§ Active DOAG member and responsible for APEX within this society
§ Presenting at Kscope, DOAG Conference, APEXposed, APEX World, APEX Connect
§ Conference Chair for conference DOAG APEX Connect
§ Part of APEX Content Committee for Kscope
§ Member of the APEX Review Board
Agenda
§ Single Sign-On: it is not an option
§ How does the magic work?
§ Caveats
§ I want more
§ Questions I get
§ More information
Single Sign-On: it is not an option
For the sake of security
§ Credentials are not passed to the database
§ Kerberos is secure (as used by Windows itself)
§ Central user store in Active Directory
§ No corporate password policy needed within APEX
For the sake of productivity
§ End users love it
§ Developers can now switch between workspaces without logging in again
WHAT IS YOUR EXCUSE FOR NOT USING IT?
How does the magic work?
[Figure not preserved in the transcript; the only surviving label is 8009]
How does the magic work?
Start here: http://www.slideshare.net/nielsdb/mt-ag-howtosingle-signonforapexapplicationsusingkerberos-46435415
Overview
§ Install RDBMS & APEX
§ Install JDK, Tomcat & Apache/IIS
§ Configure ORDS & deploy
§ Configure Apache or IIS for SSO incl. SSL certificate
General installation steps of Apache & ORDS can be found here:
http://www.opal-consulting.de/downloads/presentations/2015-11-DOAG-ORDS-Setup
Caveats
§ Map existing APEX accounts with their AD username
  APEX_UTIL.SET_USERNAME( p_userid => APEX_UTIL.GET_USER_ID('ADMIN'), p_username => 'NDBRUIJN');
§ When using mod_auth_kerb and AD user is member of too many AD groups
  § Have a look here: http://blogs.technet.com/b/surama/archive/2009/04/06/kerberos-authentication-problem-with-active-directory.aspx
§ Once enabled, you can’t change the identity without changing the OS user
  § Prepare your end users
  § For developers: just switch the authentication scheme to “open door” in the dev environment
I want more
§ What about people not listed in Active Directory?
  § Option 1: Use a separate entry point (i.e. VirtualHost) & use Custom Auth in your APEX app
  § Option 2: Use software like Microsoft Forefront (no change in ORDS/APEX needed)
§ What about devices like MacBooks or Smartphones that are not part of the Windows domain?
  § Fallback Authentication using Basic Authentication over HTTPS
§ Tip: don’t use Digest Authentication (doesn’t work with Firefox)
§ Don’t want to enter username/password? Client certificates will help you out.
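The Apache side of the setup described above (SSO with an SSL certificate, plus the Basic-over-HTTPS fallback for devices outside the Windows domain), as an added example that is not taken from the slides. It assumes mod_auth_kerb, mod_ssl and mod_proxy_ajp are loaded; the host name, realm, file paths and the AJP hop to Tomcat on port 8009 are placeholders or assumptions.

```apache
# Added example. apex.example.com, EXAMPLE.COM and all paths are constructed
# placeholders; forwarding to Tomcat/ORDS over AJP on 8009 is an assumption.
<VirtualHost *:443>
    ServerName apex.example.com

    # SSL certificate: mandatory here, because the Basic fallback below sends
    # the AD password Base64-encoded (not encrypted) with every request.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/apex.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/apex.example.com.key

    <Location /ords>
        # Refuse any request that did not arrive over TLS.
        SSLRequireSSL

        AuthType Kerberos
        AuthName "Windows domain login"

        # Domain-joined clients: SPNEGO/Negotiate, no password leaves the client.
        KrbMethodNegotiate On
        # Non-domain devices: the browser falls back to a Basic prompt and
        # mod_auth_kerb checks the entered password against the KDC.
        KrbMethodK5Passwd On

        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5KeyTab /etc/apache2/http.keytab
        # Verify the KDC against the keytab so a spoofed KDC cannot vouch
        # for a password entered through the fallback.
        KrbVerifyKDC On
        # Strip "@EXAMPLE.COM" so REMOTE_USER is the bare AD account name.
        KrbLocalUserMapping On
        Require valid-user

        # mod_proxy_ajp passes the authenticated REMOTE_USER on to Tomcat.
        ProxyPass ajp://127.0.0.1:8009/ords
    </Location>
</VirtualHost>
```

On the Tomcat side the AJP connector needs tomcatAuthentication="false" to accept the user asserted by Apache, and it should listen only on the loopback address so that nothing except Apache can assert an identity.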
Questions I get
§ “We already have the shared session Cookie, so why bother?”
  § Still use it to prevent multiple APEX session cookies
§ “We already have LDAP authentication utilized in our APEX app”
  § Are you sure you want to pass your AD credentials to the database?
§ “What about the rights in my app?”
  § We are talking about authentication here, the authorization is normally determined by the app
§ “Any concerns about the session timeout setting in APEX?”
  § Set it to 99999 as this is now delegated to Kerberos
§ “The logout link in my app doesn’t work anymore”
  § Just delete it
More information
§ General installation steps of Apache & ORDS can be found here:
  http://www.opal-consulting.de/downloads/presentations/2015-11-DOAG-ORDS-Setup
§ About Kerberos
  http://www.roguelynn.com/words/explain-like-im-5-kerberos
§ About mod_auth_kerb
  http://blog.hallowelt.biz/wp-content/uploads/SSO_mit_mod_auth_kerb_v3.pdf
§ More SSO options
  http://wphilltech.com/options-for-windows-native-authentication-with-apex
Questions?
@nielsdb
http://nielsdebr.blogspot.de
http://de.linkedin.com/in/nielsdebruijn
www.xing.com/profile/Niels_deBruijn
http://www.apexsolutions.de/blog