I just migrated our APEX applications to SAML2 authentication also. On the
server side it looks pretty similar:
* Tomcat - just to run ORDS, and listens only on localhost
* Apache HTTP server - to do SAML2 authentication (mod_auth_mellon) -
authentication result is written to HTTP header that is passed via
Tomcat/ORDS to APEX app, and APEX app uses HTTP header authentication
scheme. And mod_ssl. You can also add mod_security and whatnot.
For high availability, we actually have multiple of these apache+tomcat
servers and then an additional external loadbalancer in front.
But SAML2 authentication works via client browser, Apache+ORDS+APEX do not
need to talk to the identity provider directly. Identity provider is a
separate service, it can be set up in the Windows domain infrastructure
(ADFS), but probably your company has purchased this service from an
external identity provider (Okta, Auth0, or other).
On Wed, Jan 30, 2019 at 3:15 PM Bill Ferguson <wbfergus@xxxxxxxxx> wrote:
Hi all,
I currently have an environment of Windows Server 2012 R2, Oracle 12.1,
Apex 5, and Tomcat7 (with organizational wildcard certificate). I am also
only using LAP authentication, as I have never in around 15 years been able
to get the LDAPS authentication to work, and our LDAP administrators seem
to be even more lost than I am. Also, later this year I am tasked with
migrating my two systems to the Amazon cloud.
So with that basic info out of the way, the IT network security Nazi's
finally noticed that I am doing cleartext password authentication, and told
me to convert to LDAPS. They don't care that the LDAP admins are clueless
as to why I have always been unable to get Apex to authenticate, they just
demand it get done.
Since I am also tasked with migrating everything to the Amazon cloud, my
agency also has the mandatory requirement that all authentication in the
cloud has to be done with SAML 2.0. So rather than waste my time with
LDAPS, just to switch in a couple months to SAML, I'd rather spend my time
productively with SAML.
And this is where I have a bunch of questions. Some may be easy, or even
apparent, but I've been trying to wrap my head around how it will al work
in the Amazon cloud and been completely befuddled.
First off, I haven't found anything on the web about SAML in the Windows
environment with Tomcat. The best resource I found is witha Linux
environment, but along with the Tomcat webserver, he also is using the
Apache HTTP server. This appears to me as he is using two web servers? This
seems so confusing and unnecessary, but I'm probably missing something.
Could it be bacause of the requirement to use the 'mellon' packages (and
something else, I forget which one), the only way to get them integrated
into the environment is with the Apache HTTP server, and then Tomcat itself
is then needed to complete the communication to Apex?
Next question would be if anybody has any experience with all of this as
it pertains to a cloud environment, preferably the Amazon cloud. In this
regard I am confused about how the parts work together. The Oracle database
part residing in the cloud I understand, I'm having problems figuring out
how the Tomcat webserver, URL addressing and authentication would work.
Will I keep a machine running locally with the Tomcat web server, which
will communicate to the Amazon cloud, determine it is a new connection for
the day, then relay the authentication request back to Tomcat to then
contact the 'identity provider' (is that an Active Directory server or a
LDAP server?), get a token, then attach that token to all communication
back and forth to the database? Or does the Tomcat installation reside in
the cloud as well (requiring a different Amazon configuration, CHS vs AWS)?
Am I making any sense of this, or am I simply more lost than I know I
already am? Thanks for any and all constructive assistance or suggestions.
--
-- Bill Ferguson
