Welcome to the second step in the process of configuring Oracle APEX for smart card authentication. In my previous post I demonstrated how to configure an Apache HTTPD server to query a smart card and place the user’s certificate Common Name into a header variable named SSL_CLIENT_S_DN_CN. In this post I will describe how to configure APEX workspaces to map the Common Name to a specific user account.
In this architecture, APEX workspace accounts are based on the Common Name stored on the client PKI certificate. Workspace administrators may create, modify, or delete accounts as required, and control membership in workspace user groups. If a user has an account within more than one workspace of an APEX instance, then they are presented with a list of appropriate workspaces to choose from when they log in.
To configure APEX workspaces for HTTP header authentication, complete the following steps in the “INTERNAL” workspace as an administrator:
- Pre-create at least one administrator-level user in the INTERNAL workspace whose username corresponds to the HTTP header paradigm you intend to use (e.g. “PUBLIC.JOHN.Q.123456789” for Common Name or “123456789@mydomain” for User Principal Name) so that you will still be able to connect to the INTERNAL workspace once the authentication configuration is complete. Select “Manage Workspaces” from the main dashboard, then “Manage Developers and Users” from the Workspace Actions list. Click the “Create User” button and enter the new username and an email address for the user. Select “INTERNAL” for the Workspace. Click “Create User”.
- When the new internal administrator account has been created, return to the Instance Administration dashboard by clicking on the Oracle Application Express logo in the top left corner.
- Now configure the workspace (and by extension all workspaces in the APEX instance) for HTTP header authentication. Select “Manage Instance” from the main dashboard. Select “Security” from the Instance Settings menu. Select the “Authentication Control” tab.
- Select “HTTP Header Variable” from the Development Environment Authorization Schemes section.
- Enter the HTTP header variable name that will contain the username into the HTTP Header Variable Name field. Click “Make Current Scheme” and then click “OK” when prompted to confirm the change.
Note: Changing the authentication scheme can render APEX inaccessible if the parameters on the web server are not configured correctly. You can always reset the INTERNAL workspace authentication scheme to the original default (username/password) by running the following command as the SYS database user:
SQL> execute apex_instance_admin.set_parameter('APEX_BUILDER_AUTHENTICATION','APEX');
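Because the switch can lock you out of the builder, here is an added pre-flight check to run as SYS before clicking “Make Current Scheme”; it is example code written for this page, not something from the original post or from Oracle. It assumes the pre-created INTERNAL administrator is named after the Common Name example above (PUBLIC.JOHN.Q.123456789), and that the APEX dictionary view apex_workspace_apex_users lists INTERNAL workspace accounts with is_admin = 'Yes'; adjust the name to match your own header paradigm.

```sql
-- Added pre-flight check (not from the original post). Run as SYS before
-- switching the builder to HTTP header authentication.
set serveroutput on
declare
  -- Username the header will carry; assumed value, change to your own CN/UPN.
  l_expected_admin constant varchar2(255) := 'PUBLIC.JOHN.Q.123456789';
  l_current_scheme varchar2(255);
  l_admin_count    pls_integer;
begin
  -- 1. Record the scheme currently in force so you know what to restore
  --    if the web server is not populating SSL_CLIENT_S_DN_CN correctly.
  l_current_scheme := apex_instance_admin.get_parameter('APEX_BUILDER_AUTHENTICATION');
  dbms_output.put_line('Current builder authentication: '
                       || nvl(l_current_scheme, 'APEX (default)'));

  -- 2. Confirm an INTERNAL workspace administrator exists whose username
  --    matches the header value. Without it, the INTERNAL workspace becomes
  --    unreachable as soon as the scheme changes.
  --    (Assumption: apex_workspace_apex_users exposes INTERNAL accounts and
  --     flags administrators with is_admin = 'Yes'.)
  select count(*)
    into l_admin_count
    from apex_workspace_apex_users
   where workspace_name = 'INTERNAL'
     and upper(user_name) = upper(l_expected_admin)
     and is_admin = 'Yes';

  if l_admin_count = 0 then
    raise_application_error(-20001,
      'No INTERNAL administrator named "' || l_expected_admin ||
      '" exists; create it first or the builder will be unreachable.');
  end if;

  dbms_output.put_line('INTERNAL administrator ' || l_expected_admin
                       || ' is present; safe to switch the scheme.');
end;
/

-- Recovery, exactly as described in the note above, if the switch does lock you out:
-- execute apex_instance_admin.set_parameter('APEX_BUILDER_AUTHENTICATION','APEX');
```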
My next post will look at how to authenticate to an APEX application using a smart card.