Re: Apex, ORDS3, Tomcat7, Windows Server, SAML 2.0, and Amazon

From: Ilmar Kerm <ilmar.kerm_at_gmail.com>
Date: Wed, 30 Jan 2019 16:13:22 +0100
Message-ID: <CAKnHwtdyja_v8o0HoHsQYPXPD+K1E1Gg_6iGR+bS6965aZ0JjA_at_mail.gmail.com>



I just migrated our APEX applications to SAML2 authentication also. On the server side it looks pretty similar:
* Tomcat - just to run ORDS, and listens only on localhost
* Apache HTTP server - to do SAML2 authentication (mod_auth_mellon) - the authentication result is written to an HTTP header that is passed via Tomcat/ORDS to the APEX app, and the APEX app uses the HTTP header authentication scheme. And mod_ssl. You can also add mod_security and whatnot.

For high availability, we actually have multiple of these apache+tomcat servers and then an additional external loadbalancer in front.

But SAML2 authentication works via the client browser; Apache+ORDS+APEX do not need to talk to the identity provider directly. The identity provider is a separate service; it can be set up in the Windows domain infrastructure (ADFS), but probably your company has purchased this service from an external identity provider (Okta, Auth0, or other).

On Wed, Jan 30, 2019 at 3:15 PM Bill Ferguson <wbfergus_at_gmail.com> wrote:

> Hi all,
>
> I currently have an environment of Windows Server 2012 R2, Oracle 12.1,
> Apex 5, and Tomcat7 (with organizational wildcard certificate). I am also
> only using LDAP authentication, as I have never in around 15 years been able
> to get the LDAPS authentication to work, and our LDAP administrators seem
> to be even more lost than I am. Also, later this year I am tasked with
> migrating my two systems to the Amazon cloud.
>
> So with that basic info out of the way, the IT network security Nazis
> finally noticed that I am doing cleartext password authentication, and told
> me to convert to LDAPS. They don't care that the LDAP admins are clueless
> as to why I have always been unable to get Apex to authenticate, they just
> demand it get done.
>
> Since I am also tasked with migrating everything to the Amazon cloud, my
> agency also has the mandatory requirement that all authentication in the
> cloud has to be done with SAML 2.0. So rather than waste my time with
> LDAPS, just to switch in a couple months to SAML, I'd rather spend my time
> productively with SAML.
>
> And this is where I have a bunch of questions. Some may be easy, or even
> apparent, but I've been trying to wrap my head around how it will all work
> in the Amazon cloud and been completely befuddled.
>
> First off, I haven't found anything on the web about SAML in the Windows
> environment with Tomcat. The best resource I found is with a Linux
> environment, but along with the Tomcat webserver, he also is using the
> Apache HTTP server. This appears to me as if he is using two web servers? This
> seems so confusing and unnecessary, but I'm probably missing something.
> Could it be because of the requirement to use the 'mellon' packages (and
> something else, I forget which one), the only way to get them integrated
> into the environment is with the Apache HTTP server, and then Tomcat itself
> is then needed to complete the communication to Apex?
>
> Next question would be if anybody has any experience with all of this as
> it pertains to a cloud environment, preferably the Amazon cloud. In this
> regard I am confused about how the parts work together. The Oracle database
> part residing in the cloud I understand, I'm having problems figuring out
> how the Tomcat webserver, URL addressing and authentication would work.
>
> Will I keep a machine running locally with the Tomcat web server, which
> will communicate to the Amazon cloud, determine it is a new connection for
> the day, then relay the authentication request back to Tomcat to then
> contact the 'identity provider' (is that an Active Directory server or a
> LDAP server?), get a token, then attach that token to all communication
> back and forth to the database? Or does the Tomcat installation reside in
> the cloud as well (requiring a different Amazon configuration, CHS vs AWS)?
>
> Am I making any sense of this, or am I simply more lost than I know I
> already am? Thanks for any and all constructive assistance or suggestions.
>
> --
> -- Bill Ferguson
>

-- 
Ilmar Kerm
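To make the Apache + mod_auth_mellon + Tomcat/ORDS layering Ilmar describes concrete, here is an added example httpd virtual host (not configuration from Ilmar's or Bill's environment). It assumes mod_ssl, mod_headers, mod_proxy, mod_proxy_http and mod_auth_mellon are already loaded, and the hostname, certificate and metadata paths, the header name X-Remote-User and the SAML attribute OID are illustrative choices. The point a practitioner should take from it is the trust boundary: APEX's HTTP Header Variable authentication scheme believes whatever arrives in the header, so the header must be stripped from the client request and set only from the verified assertion, and Tomcat/ORDS must be reachable only through this proxy.

```apache
# Added example: SAML2 front end for APEX via mod_auth_mellon, proxying to ORDS.
# All hostnames, file paths, the header name and the attribute OID are assumptions.
<VirtualHost *:443>
    ServerName apex.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/apex.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/apex.example.com.key

    <Location />
        # Every request under / needs a valid Mellon session, i.e. a SAML2
        # assertion from the IdP that this SP has verified.
        AuthType Mellon
        MellonEnable "auth"
        MellonEndpointPath /mellon
        MellonSPPrivateKeyFile /etc/httpd/mellon/sp.key
        MellonSPCertFile       /etc/httpd/mellon/sp.crt
        MellonSPMetadataFile   /etc/httpd/mellon/sp-metadata.xml
        MellonIdPMetadataFile  /etc/httpd/mellon/idp-metadata.xml
        # Expose the attribute carrying the login name as env var MELLON_uid
        # (the OID here is the common "uid" attribute; adjust to what your IdP sends).
        MellonSetEnv "uid" "urn:oid:0.9.2342.19200300.100.1.1"
        MellonUser "uid"
        MellonSecureCookie On
        Require valid-user

        # Security-critical: drop any X-Remote-User the browser sent, then set it
        # from the verified assertion. APEX trusts this header unconditionally.
        RequestHeader unset X-Remote-User
        RequestHeader set   X-Remote-User "%{MELLON_uid}e"
    </Location>

    # Tomcat/ORDS listens only on the loopback interface (server.xml Connector
    # address="127.0.0.1"), so the only path to ORDS runs through this vhost.
    ProxyPreserveHost On
    ProxyPass        /ords http://127.0.0.1:8080/ords
    ProxyPassReverse /ords http://127.0.0.1:8080/ords
    ProxyPass        /i    http://127.0.0.1:8080/i
    ProxyPassReverse /i    http://127.0.0.1:8080/i
</VirtualHost>
```

On the APEX side, the application's authentication scheme is of type "HTTP Header Variable" with the header name set to the same value (X-Remote-User in this example). Two checks are worth doing before go-live: confirm from a shell on another host that port 8080 on the Tomcat box is not reachable, and send a request to the proxied URL with your own X-Remote-User header and verify that the user APEX reports is the one from the SAML assertion, not the one you supplied.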

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Jan 30 2019 - 16:13:22 CET
