This document describes the integration of Oracle Application Express (APEX) with IBM Tivoli Access Manager (TAM) SSO.
Software Versions:
The basis of the interaction between the WebSEAL SSO server and Oracle is the CGI environment variable HTTP_IV_USER, which holds the login name after a successful SSO authentication at the WebSEAL server.
Complete the following steps:
<Location /pls/apex>
…
PlsqlCGIEnvironmentList HTTP_IV_USER
…
</Location>
This change requires a restart of the Oracle HTTP Server.

CREATE OR REPLACE FUNCTION custom_page_sentry RETURN BOOLEAN AS
  --
  -- Page sentry using built-in session verification logic
  -- and CGI Environment variable as the holder of the username.
  l_current_sid number;
  l_tam_userid  varchar2(255) := upper(owa_util.get_cgi_env('HTTP_IV_USER'));
BEGIN
  l_current_sid := wwv_flow_custom_auth_std.get_session_id_from_cookie;
  if wwv_flow_custom_auth_std.is_session_valid then
    wwv_flow.g_instance := l_current_sid;
    if l_tam_userid = wwv_flow_custom_auth_std.get_username then
      wwv_flow_custom_auth.define_user_session(
        p_user       => l_tam_userid,
        p_session_id => l_current_sid);
      return true;
    else
      -- username mismatch.
      -- Unset the session cookie and
      -- redirect back here to take other branch
      wwv_flow_custom_auth_std.logout(
        p_this_flow           => v('APP_ID'),
        p_next_flow_page_sess => v('APP_ID')||':'||
                                 nvl(v('APP_PAGE_ID'),0)||':'||l_current_sid);
      wwv_flow.g_unrecoverable_error := true; -- tell apex engine to quit
      return false;
    end if;
  else
    -- application session cookie not valid; we need a new apex session
    wwv_flow_custom_auth.define_user_session(
      p_user       => l_tam_userid,
      p_session_id => wwv_flow_custom_auth.get_next_session_id);
    wwv_flow.g_unrecoverable_error := true; -- tell apex engine to quit
    --
    if owa_util.get_cgi_env('REQUEST_METHOD') = 'GET' then
      wwv_flow_custom_auth.remember_deep_link(
        p_url => 'f?'||wwv_flow_utilities.url_decode2(
                   owa_util.get_cgi_env('QUERY_STRING')));
    else
      wwv_flow_custom_auth.remember_deep_link(
        p_url => 'f?p='||
                 to_char(wwv_flow.g_flow_id)||':'||
                 to_char(nvl(wwv_flow.g_flow_step_id,0))||':'||
                 to_char(wwv_flow.g_instance));
    end if;
    --
    -- register session in apex sessions table, set cookie,
    -- redirect back
    wwv_flow_custom_auth_std.post_login(
      p_uname     => l_tam_userid,
      p_flow_page => wwv_flow.g_flow_id||':'||
                     nvl(wwv_flow.g_flow_step_id,0));
    return false;
  end if;
END custom_page_sentry;
/
grant execute on custom_page_sentry to public
/
create public synonym custom_page_sentry for user.custom_page_sentry
/

This function handles session management in APEX and is evaluated on every APEX page call. Its purpose is to guarantee that the user is already logged in at the WebSEAL SSO server; only then does the function return TRUE and allow access to the APEX application.
Page Sentry Function: return custom_page_sentry
Session Not Valid URL: http://[sso-servername.domain]/[junction-name]/pls/apex/f?p=&APP_ID.:1
Credentials Verification Method: Do not verify credentials
Logout URL: http://[sso-servername.domain]/pkmslogout
To test the configuration, call your APEX application using the following URL:
Even if the APEX application is called using the "original" URL http://apex-servername.de:7777/pls/apex/f?p=109, it will be automatically rerouted to the WebSEAL SSO server.
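The page sentry takes the username from HTTP_IV_USER, so that value is only as trustworthy as the path the request took to the Oracle HTTP Server. The helper below is an added example, not part of the original document or of Oracle's or IBM's code: it returns the username only when the request came from the WebSEAL host and carries an authenticated identity. The name get_trusted_tam_user, the error numbers and the address 192.0.2.10 are assumptions, as is WebSEAL connecting to the Oracle HTTP Server directly from one fixed address.

```plsql
-- Added example (hypothetical helper, not from the original document).
CREATE OR REPLACE FUNCTION get_trusted_tam_user RETURN VARCHAR2 AS
  -- Assumption: placeholder address of the WebSEAL host (documentation range).
  c_webseal_addr CONSTANT VARCHAR2(64) := '192.0.2.10';
  -- REMOTE_ADDR is the peer address of the connection to the HTTP server.
  l_remote_addr  VARCHAR2(64)  := owa_util.get_cgi_env('REMOTE_ADDR');
  -- Same lookup and upper-casing as custom_page_sentry, plus whitespace trim.
  l_tam_userid   VARCHAR2(255) :=
      upper(trim(owa_util.get_cgi_env('HTTP_IV_USER')));
BEGIN
  -- The header is only meaningful when WebSEAL itself forwarded the request.
  IF l_remote_addr IS NULL OR l_remote_addr <> c_webseal_addr THEN
    raise_application_error(-20001,
      'Request did not arrive through the WebSEAL server');
  END IF;

  -- No header at all: no SSO login took place for this request.
  IF l_tam_userid IS NULL THEN
    raise_application_error(-20002, 'HTTP_IV_USER is empty');
  END IF;

  -- WebSEAL documents "Unauthenticated" as the iv-user value for clients
  -- that have not logged in; never turn that into an APEX user.
  IF l_tam_userid = 'UNAUTHENTICATED' THEN
    raise_application_error(-20003, 'WebSEAL reports an unauthenticated client');
  END IF;

  RETURN l_tam_userid;
END get_trusted_tam_user;
/
```

To use it, the initialiser of l_tam_userid in custom_page_sentry would call get_trusted_tam_user instead of reading the CGI variable directly.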