External authentication question

Hello,
I am running an apex app in a secured environment. The authentication is handled by the environment, and a username is passed to apex pages in a server variable, which I am able to use to set apex_application.g_user. Now, the user is only able to access apex pages via the security proxies, which make sure that the user is authenticated, etc. All page requests go through these security proxy servers.
Now, my question is this: I've set the g_user in a custom page sentry function. I don't know a whole lot about this stuff, and so just deleted all of the session-verification stuff from the function that I copied, and return true always. Because, I'm thinking, the security proxies take care of all that. Is that okay? Or should I set that value somewhere else, and leave things that I don't understand alone? If so, where?
Here's my page_sentry function:
create or replace FUNCTION custom_Page_Sentry_Func (p_htmldb_user VARCHAR2 DEFAULT 'APEX_PUBLIC_USER') RETURN BOOLEAN AS
    l_authenticated_username VARCHAR2(256) := nvl(UPPER(OWA_UTIL.GET_CGI_ENV('HTTP_IV_USER')), 'NOT_AF_AUTH');
    IS_USER       NUMBER := 0;
    L_CURRENT_SID NUMBER;
BEGIN
    -- The server is behind the login system, so if the ApEx pages are shown, the login has succeeded (and we will find the cookie)
    -- If the logged-in user is not a user (doesn't exist in the USERS table)
    -- THEN create a record in the table
    SELECT COUNT(*)
      INTO IS_USER
      FROM USERS
     WHERE USERNAME = l_authenticated_username;
    IF IS_USER = 0 THEN
        INSERT INTO USERS (USERNAME, SSN) VALUES (l_authenticated_username, '111111111');
    END IF;
    apex_application.g_user := l_authenticated_username;
    RETURN TRUE;
END custom_Page_Sentry_Func;
Thanks, -warren

I am setting g_user so that I can see auditing info in the DB, etc.
The database won't be aware of that value unless you set it into a context, e.g., by using dbms_session.set_identifier or some such device. You would pass v('APP_USER') into such a call that you could run as the VPD block of your application (edit application security attributes to find that field).
But my apex "user" is APEX_PUBLIC_USER, same user for everyone. I'm not going to inadvertently change that by calling the things that get called in the nmlt (or whatever it's called) page sentry function with my externally authenticated username, am I?
Correct.
Scott
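As an added example (editor's code, not Warren's or Scott's), here is one way to combine the two points made in this thread: trust only the proxy-supplied HTTP_IV_USER header, treat a request without it as unauthenticated instead of inserting a placeholder user, and push the name into the database session with DBMS_SESSION.SET_IDENTIFIER so that audit records and VPD policies see it even though the schema user is always APEX_PUBLIC_USER. The function name proxy_page_sentry, the APP_USERS table and its CREATED_ON column, the OWN_ROWS_POLICY function with its OWNER column, and the user-name pattern are assumptions for illustration.

```plsql
-- Added example, not code from the original thread.
-- Page sentry for an APEX application that sits behind an authenticating
-- proxy which sets the HTTP_IV_USER header on every request it forwards.
CREATE OR REPLACE FUNCTION proxy_page_sentry (
    p_htmldb_user IN VARCHAR2 DEFAULT 'APEX_PUBLIC_USER'
) RETURN BOOLEAN
AS
    l_header_user VARCHAR2(256) := UPPER(OWA_UTIL.GET_CGI_ENV('HTTP_IV_USER'));
    l_exists      NUMBER := 0;
BEGIN
    -- No header: the request did not come through the authenticating proxy
    -- (or the proxy is misconfigured). Refuse it rather than provisioning a
    -- dummy account such as NOT_AF_AUTH.
    IF l_header_user IS NULL THEN
        RETURN FALSE;
    END IF;

    -- Only accept names in the format the proxy actually issues (assumed
    -- pattern: letters, digits, dot, underscore, @ and hyphen, max 64 chars).
    -- Anything else never reaches SQL or the audit trail.
    IF NOT REGEXP_LIKE(l_header_user, '^[A-Z0-9._@-]{1,64}$') THEN
        RETURN FALSE;
    END IF;

    -- First visit: create a local profile row (APP_USERS is an assumed table).
    SELECT COUNT(*) INTO l_exists
      FROM app_users
     WHERE username = l_header_user;
    IF l_exists = 0 THEN
        INSERT INTO app_users (username, created_on)
        VALUES (l_header_user, SYSDATE);
    END IF;

    -- Tell APEX who the user is ...
    apex_application.g_user := l_header_user;
    -- ... and tell the database session too. CLIENT_IDENTIFIER shows up in
    -- V$SESSION and in the audit trail, and is readable from VPD policies via
    -- SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER').
    DBMS_SESSION.SET_IDENTIFIER(l_header_user);
    RETURN TRUE;
END proxy_page_sentry;
/

-- Alternative placement, as Scott describes: the application's VPD
-- (security attributes) block runs at the start of each request, so the
-- identifier can be set there from APP_USER instead of inside the sentry.
BEGIN
    DBMS_SESSION.SET_IDENTIFIER(v('APP_USER'));
END;
/

-- A VPD policy function that uses the identifier: rows are visible only to
-- the externally authenticated user who owns them (OWNER column assumed).
CREATE OR REPLACE FUNCTION own_rows_policy (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
    -- Returning a predicate rather than a value keeps the policy static and
    -- lets the optimizer use an index on OWNER.
    RETURN 'owner = SYS_CONTEXT(''USERENV'', ''CLIENT_IDENTIFIER'')';
END own_rows_policy;
/
```

Each APEX request is served by a pooled database session, so the identifier has to be set on every request; that is why it belongs in the sentry or in the per-request VPD block rather than in a logon trigger. After a request has run, `SELECT SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') FROM dual` executed from the same request shows the external user name, while `USER` still returns APEX_PUBLIC_USER, which is the separation Warren asked about.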

Similar Messages

  • External Authentication general-type questions

    Greetings all,
    I was recently shown how to get Oracle to allow Windows NT Authentication the way SQL 2005 etc. can. I was able to get it working. It's actually simple, you just have to have this line in your SQLNET.ORA file:
    SQLNET.AUTHENTICATION_SERVICES = (NTS)
    and make sure a couple initialization parameters are set (OS_AUTHENT_PREFIX to NULL and REMOTE_OS_AUTHENT to TRUE - the first can't be changed once the database is built!).
    My first question is does Oracle support external authentications to operating systems other than NT, i.e. SUN, UNIX, LDAP etc? And is it a similar architecture?
    Secondly, the only ways I've ever connected to Oracle are 1) through SQL*Plus, 2) Using OLE DB from Windows and 3) Using ODBC.
    Is external authentication supported when logging in any way other than through OLE DB? If so, how?
    Appreciating any general information!
    Thanks
    Joe

    1. The name of the product is SQL Server not SQL. SQL is a language.
    2. Oracle supports all major forms of internal and external authentication. The ones you listed and many more. The docs are at http://tahiti.oracle.com
3. External authentication is supported across the board. But you've got to be working with a database holding nothing more important than your mother's cookie recipes to think that operating system authentication in a Windows environment is secure: It is not.
    Your first responsibility, unless you are just playing games at home or in school, is to secure the data and that means an environment more secure than the one you've chosen.

  • Question on External Authentication Plug-in

    I have 2 windows domains with no global catalog server. The documentation shows how to setup external authentication plug-in when you have just one domain. Can anyone provide a link on how to setup the plug-in when you have more than one domain? Thanks for your help.

    Yes it is possible,
>i want to know if its possible or not in a very easy and efficient way<
……well I think so, but one could argue about the „easy & efficient” part of it……..
    Anyway here are a few possibilities:
    https://help.apple.com/logicpro/mac/10/#lgcp215834c2
    ……don’t know of any trial possibilities………
    Cheers!

  • OID External Authentication Plugin - Conceptual question

    Hi-
    Does anyone know the answer to this: If I enable the External Authentication Plugin for OID (to AD) does that mean that if I have any accounts in OID which do not exist in AD, they won't be able to authenticate?
    Also, if anyone knows of some conceptual documentation on this, please let me know. All I could find was how to install it, but not how it works. (do I need to match users on CN or uid or what?)
    Thanks

    Hi,
Once you are done with user account synchronization successfully using the dipassistant tool from eDirectory to OID, in order to update/flush the user account passwords that are synchronized to OID, the OID eDirectory External Authentication plugin will be used (oidspediri.sh file) located under <ORACLE_HOME>ldap/admin. Provide the necessary eDirectory details.
    Regards,
    ABP

  • External Authentication Solution?

    I am looking for an external authentication solution for Web AS (ABAP Specifically but the whole AS would be preferable)
i.e. Our External Authentication system sits in front of SAP that does Auth then passes username in a HTTP Header to SAP..
    So far we have these previous solutions
1. SAP WAS Java -> Using Header Authentication Module
    2. SAP Netweaver -> Using ITS Standalone configured for PAS and SNC
    So For SAP Web AS We need to do this for the ABAP side of things and I from what I can gather from the documentation the only mechanism to do this is to either :
    a) use ITS Standalone in front of the SAP Web AS ABAP or,
    b) use the current J2EE solution using Header Authentication Module.???
    Now we cannot install ITS Standalone so that is out it is then up to the J2ee solution.
    My question is : The documentation refers to Integrated Java -> Does this mean that the Java is installed by default? or does it have to be installed separately?
I have installed the Web AS Preview Installation (ABAP) 2004s but I've put it in this forum as it's more of a general-type concept question
    Ideally we'd like to have an ICM SSO solution so that we just deal with one point but I don't know if this is possible?

    Raff,
    Thank you for your reply.  We checked with our server configuration and it does appear to have OpenSSL enabled.
    extension=openssl.so
    Apache Version
    Apache/2.2.11 (Unix) PHP/5.2.9 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.7m mod_apreq2-20051231/2.6.0 mod_perl/2.0.3 Perl/v5.8.7
Other than the original apache error log message, we are not getting any error messages in the php error log to indicate a problem. I am making the call from an https://URL with a valid certificate. I get the same error message as before.

  • Essbase security Migration from native mode to external authentication

    Hi!!
I want some guidance on setting up security; all the users are currently in Native user mode and Native groups.
Now we want to migrate to external mode. The current version of Hyperion is 11.1.1.3; any steps to follow in this direction would be really helpful.
What is the best way of migrating a huge user base from the native directory to setting up external authentication? This is the first time we move from native to external authentication, so if anyone has done this it will be helpful.
Steps to set up, either a MaxL-based migration or a utility-based one, will be helpful.
    Thanks

When you say native mode, do you mean that essbase security is in native mode and you want to convert to shared services security mode, or do you mean you are using shared services security with native users and you want to use an external directory like MSAD?
    For your question ::
    Yes the first piece is correct, our security is in native mode.
    and we want to convert to shared services security mode,
    The request involves moving from essbase native mode to Shared services native user mode (moving all the existing users, groups and existing provisioning)
    The next stage is moving from Shared services native user mode to external directory. (moving all the existing users, groups and existing provisioning)
    Your input will guide me in the direction.
    Thanks

  • OracleAS SSO - Microsoft Active Directory External Authentication Plug-in

    hi ,
I recently inherited support of an Oracle SSO/OID environment where we use AD and an external Authentication Plug-in to talk to it as user credentials are managed in AD,
    We have a lot of domain controllers for AD in our env , so my questions is
    1) How do I find out which AD server is the plugin currently referring to ,
I need to know this info ASAP as a lot of AD servers are getting decommissioned and I want to make sure the SSO env
is not talking to an AD server that would get decommissioned soon

    hi,
    Look in the integration part in oidadmin. ActiveChgImp
    $ORACLE_HOME/bin/oidadmin
    or look for ad2oid.properties
    or look at this URL http://www.oracle.com/technology/obe/obe_as_10g/im/ads_import/import.htm
    is what I used to configure ours
    Regards

  • Shared Services External Authentication using LDAP in 9.3.1

    Hi,
    I have installed Hyperion Shared Services with native directory. And now planning to setup external authentication using LDAP. I need some guidance to understanding how the external authentication works.
    Questions:
    1. Is it possible to setup Shared Services to use both Native and LDAP user directory? What I mean is some users will be able to login using Native directory, and some others will need to login using User Directory (external authentication).
    2. For User Directory (say we use LDAP), when the user is added into Shared Services, can they be assigned with Groups created in Native directory? We want to explore to use just the external authentication and define all of the groups within shared services.
If not possible, can we manage the Groups of the User directory using shared services? How do the groups work with external authentication?
    Any feedback would be much appreciated.
    Thanks,
    Lian

    Hi,
Yes you can use both Native and external authentication. When you add the external provider the native is left by default anyway.
    Yes you can add your external users to native groups. You can also provision the groups in the AD if you wish.
    Gee

  • External Authentication Against FND_USER Table

About a month ago Paul Encarnation posted a question concerning external authentication. One of the methods being used was against the FND_USER table in Oracle Apps. I can see looking up the user account in FND_USER but what about the password? So if you are authenticating against the FND_USER table, please share how you are dealing with the password.
    Thanks.

    Hi,
I have found that fnd_web_sec returns a boolean for a valid username / password combination but I'm still not sure how I can integrate this.
    Sorry for being thick but this is what I'm trying to do.
I have an application built in htmldb that I want to be accessible from the e-business suite applications main menu. I've set this up and a user can select it; however I have no authentication, so even though it's not assigned to you, you can still go to the app by just entering the url. So when a user goes to that htmldb app I want to check that they have that resp assigned to them; this can be done with the following
    select 1 from apps.fnd_user_resp_groups ur, apps.fnd_user u
    where u.user_name = :APP_USER and u.user_id = ur.user_id
    and ur.responsibility_id = XXXX
    The two problems I have are:-
If a user goes straight to the htmldb url I need to get them to log in and use the e-business suite login (we don't have SSO)
    Or if they are already in e-business suite and go to the htmldb app via the main menu page I need to pass that authentication across.
    I hope this makes sense.

  • Oracle Security - External Authentication

    The requirement is to enable the user to allow access to DB by making the user enter the user name and password only once while accessing the Cognos reports. (Cognos is a BI tool). So the user will enter the username and password at the time he accesses the Cognos application, after this there should not be any logons to access DB.
Cognos stores the user name and password in an LDAP store (in NDS residing on Windows 2000 Advanced Server). So, the question is, can Oracle leverage the user information stored in the LDAP for Cognos? The external authentication provided by Oracle suggests that the user info store can be in LDAP provided it is in OID.
    Please let me know if this can be achieved and if so, where can I get details about the same.

    According to the 8.1.7 documentation:
    "Enterprise user security provides single sign-on to Oracle8i using interoperable X.509 v3 certificates over Secure Sockets Layer (SSL) v3, and supports the following LDAP-compliant directory services:
    Oracle Internet Directory Release 2.0.5 or later
    Microsoft Active Directory "
    So it sounds like they do not support Novell's LDAP implementation.
    Here's a page on managing Enterprise Users http://technet.oracle.com/docs/products/oracle8i/doc_library/817_doc/network.817/a85430/asomeus.htm
    Here's a page on managing OS Authentication -http://technet.oracle.com/doc/windows/server.815/a68694/output/ch10.htm
I just finished writing a chapter on OS Authentication in my Oracle security book. I would stay away from OS Authentication unless you have a small number of users. I have not yet researched Enterprise Users, but the consensus seems to be that they provide a much more robust solution.

  • Creating Externally Authenticated users

    Greetings,
    We recently migrated our Security team from Windows XP to Windows 7. With this upgrade, they were forced to stop using the java Oracle 9i Enterprise Manager to manage security and database users. I was able to find the View->DBA tab in Oracle SQL Developer which allows for things like CREATE LIKE, CREATE, etc, but under the CREATE USER, I see nowhere where the tool allows for a user other than a normal database authenticated account. We have a few key databases where we must create externally authenticated users (EXTERNAL) and this just isn't an option. Is this functionality anywhere in the tool?
    Thanks
    Bradd

    I don't understand what you are trying to do.
    Post your full sql developer info and explain in detail what you mean; with an example if possible.
    You can create users in the DB the way you do with any tool: write the appropriate DDL for CREATE USER. For OS authentication you add the OS_AUTHENT_PREFIX to the user name.
    In sql developer create connections for those users using the connections dialog that you use for any other user. On that dialog there is a checkbox for OS authentication.
    See this article by Sue Harper and see if the example for local OS authentication she provides answers your question:
    http://www.oracle.com/technetwork/issue-archive/2008/08-may/o38sql-102034.html
    To configure local OS authentication for a new user, first find the value of the OS_AUTHENT_PREFIX database initialization parameter in your system's init.ora file. When you create this new user in the database, you must add this parameter value as a prefix to the OS username. The default value is OPS$, for backward compatibility with earlier database releases. (If the value is "", the OS username and the database username are the same, so you don't need to add a prefix to create the Oracle usernames.)
    Establish a basic connection with the HR schema as the SYSTEM user. Execute the following from the SQL worksheet, using your database's OS_AUTHENT_PREFIX prefix and substituting your own OS username for "sue":
CREATE USER ops$sue IDENTIFIED EXTERNALLY;
GRANT CONNECT, RESOURCE TO ops$sue;
    Now create a basic connection for this user from the New / Select Database Connection dialog box. Enter a connection name; select Basic for Connection Type ; fill in the Hostname and Port fields; select OS Authentication ; and provide a SID or Service name . Click Test and Connect as before.

  • Mass conversion to external authentication

We are currently in the process of upgrading from Essbase 6542 to 715. We are also implementing external authentication. Tried ASM from OLAP Underground but it can't convert to external authentication. Tried reading Admin/Tech docs to see if there was a utility application but found nothing. Did find that using EAS I can copy a single user from 6542 to 715 and convert to using external authentication but I can't do more than one at a time. Is there any way to copy more than one user and convert to external authentication?

    Vince
    Don't feel you need to jump all at once - quite the contrary. Convert a few images to DNG as tests, work them through all the things you'd ever need to do, view them in all the programs you ever use, and check the metadata and the appearance in all those environments. Then you can answer the question for yourself.
    (When I decided to move over to DNG, it was after 2 weeks of putting all new shots through a DNG workflow. It wouldn't have been too much work to redo.)
    I'd archive the NEFs. You may never need them again, but space is cheap and you never know when you might want to test a program that won't read DNGs.
    John

  • Error while Configuring AD external authentication plug in

    Hi
While configuring the Active Directory external authentication plug-in I am getting the following error
    OID Active Directory Plug-in Configuration
    Please make sure Database and OID are up and running.
    Please enter Active Directory host name: clmad101.ad.company.com
    Do you want to use SSL to connect to Active Directory? (y/n) n
    Please enter Active Directory port number [389]: 389
    Please enter DB connect string:SQLPLUS sys/manager1 @infradb.ad.company-.com @md61nthiims1.ad.company.com:1521
    Please enter ODS password:
    Please enter confirmed ODS password:
    Please enter OID host name: md61nthiims1.ad.company.com
    Please enter OID port number [389]: 389
    Please enter orcladmin password:
    Please enter confirmed orcladmin password:
    Please enter the subscriber common user search base [orclcommonusersearchbase]:
    CN=Users,dc=ad,dc=company,dc=com
    Please enter the Plug-in Request Group DN:
    Please enter the exception entry property [(!(objectclass=orcladuser))]: (|(!obj
    ectclass=orcladuser))(cn=orcladmin))
    Do you want to setup the backup Active Directory for failover? (y/n) n
    Installing Plug-in Packages ...
    Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
    where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
    <logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
    <start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
    "-H" displays the SQL*Plus version banner and usage syntax
    "-V" displays the SQL*Plus version banner
    "-C" sets SQL*Plus compatibility version <v>
    "-L" attempts log on just once
    "-M <o>" uses HTML markup options <o>
    "-R <n>" uses restricted mode <n>
    "-S" uses silent mode
    Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
    where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
    <logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
    <start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
    "-H" displays the SQL*Plus version banner and usage syntax
    "-V" displays the SQL*Plus version banner
    "-C" sets SQL*Plus compatibility version <v>
    "-L" attempts log on just once
    "-M <o>" uses HTML markup options <o>
    "-R <n>" uses restricted mode <n>
    "-S" uses silent mode
    Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
    where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
    <logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
    <start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
    "-H" displays the SQL*Plus version banner and usage syntax
    "-V" displays the SQL*Plus version banner
    "-C" sets SQL*Plus compatibility version <v>
    "-L" attempts log on just once
    "-M <o>" uses HTML markup options <o>
    "-R <n>" uses restricted mode <n>
    "-S" uses silent mode
    Registering Plug-ins ...
    adding new entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry
    adding new entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry
    Done.
Is there anything wrong in the DB connect string??
    Thanks

    Did you check the debug information from the external auth plugin.?
    This is mentioned in metalink note https://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=277382.1
    here an excerpt:
    D) Enabled plug in debugging at the database level. Reference documentation: Oracle Internet Directory Administrator's Guide 10g (9.0.4) Chapter 43 Integration with the Microsoft Windows Environment - Troubleshooting Integration with Microsoft Windows Under section "Debugging the Microsoft Active Directory External Authentication Plug-in"
    ...enable the plug-in debugging. To do this, enter:
    > sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls
    To check the plug-in debugging log, enter:
    > sqlplus system/manager
    SQL> select * from ods.plg_debug_log order by id;
    (To delete the plug-in debugging log:
    > sqlplus system/manager
    SQL> truncate table ods.plg_debug_log
    To disable the plug-in debugging:
    > sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls
    E) Dump the plug-in profile to make sure it is enabled and configured correctly:
    > ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <orcladmin password> -b "cn=plugin,cn=subconfigsubentry" -L -s sub "(objectclass=*)" "*"
    please take also a look into the DIPTESTER tool available in
    http://www.oracle.com/technology/sample_code/products/oid/java_diptester.tar
    regards
--Olaf

  • Plug-in Request Group field into the external authentication plug-in

    Hi all,
    I'd like to know if anyone has already tried to filter who can have the permission to call the external authentication plug-in setting it into Plug-in Request Group field.
I've made some tests adding some users into groups OracleDASAdminGroup, OracleUserSecurityAdmins and groups that I've created under my DC settings. Unfortunately, I've had no success.
Is it possible to do this?
    Thank you.
    Message was edited by:
    user571491


  • External Authentication on Windows

    Guys, this is driving me crazy.
    I had an external user configured on my Oracle 9.2.0.5 database on a Windows 2003 Server.
    It was working, I use it to make dump backups.
Now, without any change on any oracle param or bounce it just stopped working.
    I have two instances, for one it's working, for the other it's not.
    Both instances are on the same server (so I'm using the same sqlnet.ora file with NTS authentication).
Today I removed and recreated the user on both instances, but I keep getting the same problem.
    create user "OPS$DOMAIN\ORABACKUP" identified externally
    default tablespace users
    temporary tablespace temp
    The parameters are the same on both instances:
    os_authent_prefix string OPS$
    os_roles boolean FALSE
    remote_login_passwordfile string EXCLUSIVE
    remote_os_authent boolean FALSE
    remote_os_roles boolean FALSE
    Do you have any ideas of why this could happen??
    Is there another parameter related to external authentication that I don't know?
    Thanks!

    Was there ever an answer on this, having problems with setup using same versions
