Recently someone asked me how he could implement multiple authentication schemes for his APEX application. He would like to use (some kind of) Single Sign-on authentication and - as an alternative - an Application Express Authentication. The problem is ... you can only define one Authentication Scheme being "Current" for an application! So how can we solve this issue?
First, we need te be aware that multiple applications can share their authentication by using the same cookie. Thus if you specify "MYCOOKIE" as the Cookie Name in Application A as well as in Application B, you can switch from A to B and back without the need of logging in again. It doesn't matter what Authentication Scheme Type you are using!
Knowing this, we are halfway our solution. We need two Applications. One - the "real" application - using the Application Express Authentication, let's name this one "LAUNCHPAD". And another one using the Single Sign-on Authentication, named "SSO", with just one page named "HOME". Both using the same Cookie Name as described above.
On the login page of LAUNCHPAD we also define a button "Connect using SSO". This will issue a redirect to the page "SSO:HOME". Because we're not logged in yet, this will try to authenticate using the Single Sign-on Authentication. On the "SSO:HOME" page we just define one before header process that does a redirect to the "LAUNCHPAD:HOME" page. When the "SSO:HOME" page is being rendered, we are logged in, the cookie is set and we can safely redirect to the other application sharing the same cookie. Mission completed!
Using an After Authentication Application Process in the SSO app, we can even do some additional checks based on the username returned by the SSO function (e.g. 'Proxy-Remote-User') - eventually redirecting to "LAUNCHPAD:LOGIN_DESKTOP" is something is wrong (thus showing the option to log in using a username and password).
First, we need te be aware that multiple applications can share their authentication by using the same cookie. Thus if you specify "MYCOOKIE" as the Cookie Name in Application A as well as in Application B, you can switch from A to B and back without the need of logging in again. It doesn't matter what Authentication Scheme Type you are using!
Knowing this, we are halfway our solution. We need two Applications. One - the "real" application - using the Application Express Authentication, let's name this one "LAUNCHPAD". And another one using the Single Sign-on Authentication, named "SSO", with just one page named "HOME". Both using the same Cookie Name as described above.
On the login page of LAUNCHPAD we also define a button "Connect using SSO". This will issue a redirect to the page "SSO:HOME". Because we're not logged in yet, this will try to authenticate using the Single Sign-on Authentication. On the "SSO:HOME" page we just define one before header process that does a redirect to the "LAUNCHPAD:HOME" page. When the "SSO:HOME" page is being rendered, we are logged in, the cookie is set and we can safely redirect to the other application sharing the same cookie. Mission completed!
Using an After Authentication Application Process in the SSO app, we can even do some additional checks based on the username returned by the SSO function (e.g. 'Proxy-Remote-User') - eventually redirecting to "LAUNCHPAD:LOGIN_DESKTOP" is something is wrong (thus showing the option to log in using a username and password).
Comments