Re: Apex, ORDS3, Tomcat7, Windows Server, SAML 2.0, and Amazon

From: Bill Ferguson <wbfergus_at_gmail.com>
Date: Mon, 4 Feb 2019 07:16:47 -0700
Message-ID: <CADEE6ZOwLExT_Fbe7q179Y1FdyYNwkEFmyqf7C-j-_W3n2eF5g_at_mail.gmail.com>

Thank you both for your answers. It gives me a little clearer idea on what aspects I need to look at as I progress on this later this year.

Bill Ferguson

On Wed, Jan 30, 2019 at 8:14 AM Ilmar Kerm <ilmar.kerm_at_gmail.com> wrote:

> I just migrated our APEX applications to SAML2 authentication also. On the
> server side it looks pretty similar:
> * Tomcat - just to run ORDS, and listens only on localhost
> * Apache HTTP server - to do SAML2 authentication (mod_auth_mellon) -
> authentication result is written to HTTP header that is passed via
> Tomcat/ORDS to APEX app, and APEX app uses HTTP header authentication
> scheme. And mod_ssl. You can also add mod_security and whatnot.
>
> For high availability, we actually have multiple of these apache+tomcat
> servers and then an additional external loadbalancer in front.
>
> But SAML2 authentication works via client browser, Apache+ORDS+APEX do not
> need to talk to the identity provider directly. Identity provider is a
> separate service, it can be set up in the Windows domain infrastructure
> (ADFS), but probably your company has purchased this service from an
> external identity provider (Okta, Auth0, or other).
>
> On Wed, Jan 30, 2019 at 3:15 PM Bill Ferguson <wbfergus_at_gmail.com> wrote:
>
>> Hi all,
>>
>> I currently have an environment of Windows Server 2012 R2, Oracle 12.1,
>> Apex 5, and Tomcat7 (with organizational wildcard certificate). I am also
>> only using LDAP authentication, as I have never in around 15 years been able
>> to get the LDAPS authentication to work, and our LDAP administrators seem
>> to be even more lost than I am. Also, later this year I am tasked with
>> migrating my two systems to the Amazon cloud.
>>
>> So with that basic info out of the way, the IT network security Nazis
>> finally noticed that I am doing cleartext password authentication, and told
>> me to convert to LDAPS. They don't care that the LDAP admins are clueless
>> as to why I have always been unable to get Apex to authenticate, they just
>> demand it get done.
>>
>> Since I am also tasked with migrating everything to the Amazon cloud, my
>> agency also has the mandatory requirement that all authentication in the
>> cloud has to be done with SAML 2.0. So rather than waste my time with
>> LDAPS, just to switch in a couple months to SAML, I'd rather spend my time
>> productively with SAML.
>>
>> And this is where I have a bunch of questions. Some may be easy, or even
>> apparent, but I've been trying to wrap my head around how it will all work
>> in the Amazon cloud and been completely befuddled.
>>
>> First off, I haven't found anything on the web about SAML in the Windows
>> environment with Tomcat. The best resource I found is with a Linux
>> environment, but along with the Tomcat webserver, he also is using the
>> Apache HTTP server. This appears to me as he is using two web servers? This
>> seems so confusing and unnecessary, but I'm probably missing something.
>> Could it be because of the requirement to use the 'mellon' packages (and
>> something else, I forget which one), the only way to get them integrated
>> into the environment is with the Apache HTTP server, and then Tomcat itself
>> is then needed to complete the communication to Apex?
>>
>> Next question would be if anybody has any experience with all of this as
>> it pertains to a cloud environment, preferably the Amazon cloud. In this
>> regard I am confused about how the parts work together. The Oracle database
>> part residing in the cloud I understand, I'm having problems figuring out
>> how the Tomcat webserver, URL addressing and authentication would work.
>>
>> Will I keep a machine running locally with the Tomcat web server, which
>> will communicate to the Amazon cloud, determine it is a new connection for
>> the day, then relay the authentication request back to Tomcat to then
>> contact the 'identity provider' (is that an Active Directory server or a
>> LDAP server?), get a token, then attach that token to all communication
>> back and forth to the database? Or does the Tomcat installation reside in
>> the cloud as well (requiring a different Amazon configuration, CHS vs AWS)?
>>
>> Am I making any sense of this, or am I simply more lost than I know I
>> already am? Thanks for any and all constructive assistance or suggestions.
>>
>> --
>> -- Bill Ferguson
>>
>
>
> --
> Ilmar Kerm
>

-- 
-- Bill Ferguson
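
One way to wire up the Apache + Tomcat/ORDS arrangement Ilmar describes (mod_auth_mellon doing SAML2 in front, Tomcat on localhost, the result handed to APEX's HTTP header authentication scheme), as an added example that is not from either poster. The defensive point it adds is that the header APEX trusts must be stripped from the client request before it is set from the SAML session. Hostnames, file paths, the /ords context, the session length and the X-Remote-User header name are assumptions.

```apache
# Assumed (not from the thread): SP key/cert/metadata under /etc/httpd/mellon,
# IdP metadata exported from ADFS/Okta, ORDS on 127.0.0.1:8080 under /ords,
# and an APEX "HTTP Header Variable" scheme reading the header X-Remote-User.
LoadModule auth_mellon_module modules/mod_auth_mellon.so
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule headers_module     modules/mod_headers.so
LoadModule ssl_module         modules/mod_ssl.so

<VirtualHost *:443>
    ServerName apex.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/apex.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/apex.example.com.key

    # SAML2 service-provider settings shared by every location below.
    <Location />
        MellonEnable "info"
        MellonEndpointPath "/mellon"
        MellonSPMetadataFile   /etc/httpd/mellon/sp-metadata.xml
        MellonSPPrivateKeyFile /etc/httpd/mellon/sp-private-key.pem
        MellonSPCertFile       /etc/httpd/mellon/sp-cert.pem
        MellonIdPMetadataFile  /etc/httpd/mellon/idp-metadata.xml
        MellonSecureCookie On
        MellonSessionLength 28800
        # Drop any X-Remote-User the browser sent, before authentication
        # runs. APEX trusts this header blindly, so it must only ever be
        # produced by this server from a verified SAML session.
        RequestHeader unset X-Remote-User early
    </Location>

    # Everything under /ords needs a valid SAML session; the NameID the
    # identity provider asserted becomes the header APEX reads.
    <Location /ords>
        MellonEnable "auth"
        RequestHeader set X-Remote-User "%{MELLON_NAME_ID}e"
    </Location>

    # Tomcat/ORDS binds only to the loopback interface (as in the thread:
    # Connector address="127.0.0.1" in server.xml), so no request can reach
    # it without first passing through this Apache instance.
    ProxyPreserveHost On
    ProxyPass        /ords http://127.0.0.1:8080/ords
    ProxyPassReverse /ords http://127.0.0.1:8080/ords
</VirtualHost>
```

A quick check after deployment: a request to /ords carrying a forged X-Remote-User header but no Mellon session cookie should be redirected to the identity provider rather than logged in as that user.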

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Feb 04 2019 - 15:16:47 CET