ORDS/APEX SSO with
IDCS (OCI Gen 2 Private Subnet)
In this
BLOG, I will outline steps to achieve Single Sign on with Oracle IDCS while the
ORDS/APEX Installation are in OCI Gen2 Private Subnet. There are some
additional steps than where APEX is in OCI Cloud and is deployed as APEX Cloud
service that is in public domain.
Assumptions:
You have installed the DBaas(18c) in OCI Gen2 using Private VCN in OCI Gen2
ORDS deployment is in Oracle Weblogic Server 12c that is also installed in private VCN
Using Oracle IDCS for SSO
Traffic to ORDS is from LBaaS with your company’s own certificate
You have developed or created several applications in APEX with APEX app builder
You have uninstalled the Default APEX installation from CDB and installed 19.1 in PDB of DBaaS
- You have configured NAT Gateway to talk to world from the private subnet
If you are
in same situation as above, here are the steps to achieve the SSO. Please note
that you can always use Webogic to authenticate for ORDS which another way of
is achieving the same. However, this is simple and effective approach.
Step1:
Please create a separate wallet than the default TDE wallet that DBaas already
have and is referenced in sqlnet.ora with following command.
mkdir -p
/u01/app/oracle/tools/apex_ords/wallets
orapki
wallet create -wallet /u01/app/oracle/tools/apex_ords/wallets -pwd Wha##Passw0rd
-auto_login
Step2:
This step will download the certificate of your IDCS. There are two ways to do
it. However, please make sure that you only do the other certificates than
*.identity.oraclecloud.com. What other certificate? You can find the other two
certificates with analyzing the site with SSLLabs.com.
OPENSSL Method:
Use
following command as this is very easy and fail-safe method. If you have
installed GitBash on your WINDOWS machine, then you could use that otherwise
you can make use of the DBaaS server where APEX is installed. If you have MAC then terminal will do.
openssl s_client
-showcerts -connect xxxx.identity.oraclecloud.com:443
Please
ignore first certificate and chose second and third and save them in a file
call cert1 and cert2. Select or copy starting from BEGIN
and ends with END Certificate and save then in two separate file or you can
save them together in one file but make sure that there is no space or
anything. A single certificate file looks like one shown in the example below.
Browser Method:
Use any browser to open the IDCS Console. Example here is
from chrome browser. Indicated
with red square below. I have masked my client’s
IDCS for security.
Now go to Certificate path TAB. Please note the highlighted
one.
You will have to do this exercise twice as indicated in two screen shots
below.
First Selection:
Second Selection:
Now click “View Certificate”
Go to detail
tab and then copy to file then follow three more next and one finish to complete the
process. So do it twice and you will have two certificate.
Step3:
Add these cert1 and cert2 to the oracle wallet with following commands.
orapki
wallet add -wallet /u01/app/oracle/tools/apex_ords/wallets -trusted_cert -cert
/tmp/cert1 -pwd Wha##Passw0rd
Make Sure
you got them using following command:
orapki
wallet display -wallet /u01/app/oracle/tools/apex_ords/wallets
It will
display something like this:
Step4:
Please login to the DBaaS PDB DB and apply ACL and Wallet Location with
following commands
BEGIN
DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(host
=> '*', lower_port => 443,upper_port => 443,ace =>
xs$ace_type(privilege_list => xs$name_list('http'), principal_name =>
'APEX_190100', principal_type => xs_acl.ptype_db));
END;
/
BEGIN
DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(host
=> '*', ace => xs$ace_type(privilege_list =>
xs$name_list('connect','resolve'), principal_name => 'APEX_190100',
principal_type => xs_acl.ptype_db));
END;
/
BEGIN
DBMS_NETWORK_ACL_ADMIN.APPEND_WALLET_ACE (
wallet_path => 'file:/u01/app/oracle/tools/apex_ords/wallets',
ace => xs$ace_type(privilege_list => xs$name_list('use_client_certificates'),
principal_name => 'APEX_190100',
principal_type => xs_acl.ptype_db));
END;
/
You can
check the contents before and after as:
SELECT acl,
principal, privilege, is_grant,TO_CHAR(start_date, 'DD-MON-YYYY') AS
start_date, TO_CHAR(end_date, 'DD-MON-YYYY') AS end_date FROM dba_network_acl_privileges ORDER BY acl,
principal, privilege;
Select *
from dba_wallet_acls;
Step5: Now
login to your WLS server where ORDS is
deployed and copy wallets from DBaaS server that was created above in Step 2 to
the same path in WLS server.
- mkdir -p /u01/app/oracle/tools/apex_ords/wallet
- Using WINSCP with PUTTY(Bastion Server with Tunnels) to download the wallet contents from DBaaS server to your laptop and then upload to WLS server. You can do this directly from DBaaS server to WLS if you have set up the equivalency between some user.
Step6: Login to your ORDS installation with apex_admin and fill in the wallet
location in instance setting as:
https://xxx.yourcompany.com/ords/apex_admin
Note: Please make sure that the path entry should be "file:/u01/app/oracle/tools/apex_ords/wallets"
Step7: Test that your APEX and Wallet works using
following commands after connection to PDB in DBaaS
select apex_web_service.make_rest_request('https://idcs-xxxxx.identity.oraclecloud.com/.well-known/openid-configuration/',
'GET') from dual;
This should return something like:
Also you can test UTL_HTTP as:
select utl_http.request(url => 'https://idcs-xxxx.identity.oraclecloud.com/ui/v1/adminconsole/',
wallet_path => 'file:/u01/app/oracle/tools/apex_ords/wallets') from dual;
Step8: Login to ORDS and select the application
that your development team deploy and you are planning to connect to SSO with
IDCS. You will note the application ID and the URL – such as https://yourcompanyLBaas.yourdomain.com/ords/f?p=206
Step9: Login to IDCS and navigate to Application
tab and then create application. Details below.
Here The example should be for above screen:
Redirect URL:
https://LBaaS.yourdomain.com/ords/apex_authentication.callback
Logout URL:
https://idcs-xxx.identity.oraclecloud.com/oauth2/v1/userlogout
Post Logout URl:
https://LBaaS.yourdomain.com/ords/f?p=206
Please note that, I have selected the Trusted application and added the
Trust Certificate for our WLS and LBaaS. We are now good to create application.
Once done, please add users here from your IDCS to match the user those are
authorized in APEX application. You can go group route as well. You will
navigate to application then the user or group tab and add the user.
Step10: Please note down your Client ID and Client
Secret from the application that you have created in IDCS – weather at the time
of creation or later by browsing the IDCS application that was created in step
9. Something like:
Client ID
3c415501ce9c094a8cb0009ebe4f5c894fabc
Client Secret
88994ec41a-4d2e-4708-9416-5a94927c42eezxx
Step11: Login back to your ORDS using workspace
administrator user. Here we will create the Web
Credentials and an authentication scheme and tie them together.
Create Web Credentials:
https://LBaaS.yourdomain.com/ords/
Here you will provide a name for the Web Credential and copy
and paste the Client ID and Client Secret in Red Square below. Once all
required information is typed in click create.
Authentication Scheme:
Here I will create authentication scheme for the application
ID - such as 206 and tie it together
with Web Credentials created above.
Navigate to App Builder à
Application à
Shared Components à
Authentication Scheme
Details about above Screen(Masked contents are client specific):
Name: Any Name that you will then set as the
Authentication Scheme for the Applicatiom – Such as APEXAuthenticationSchemForApp
Scheme Type: Select “Social Sign In”
Credential Store: Select the one I created before -
APEXSSOStore
Authentication Provider: Select “OpenID Connect Provider”
Discovery URL:
https://idcs-xxx.identity.oraclecloud.com/.well-known/openid-configuration/
Scope: profile
Username Attribute: sub -- Because we can use the emails and regular
username
Once all the information is entered, click create
Authentication Scheme at top right.
Step12: Navigate to:
Application Builder à
Shared Components àAuthentication
Scheme à
Select the one was created earlier and make it Current Authentication Scheme
Make sure that you have the users in application at
Application Access Control and IDCS application user tab matching.
Navigate to App Builder à
Shared Components àApplication
Access Control
Check users here:
Click allow (Only asks on first attempt) and now you will be directed to IDCS login page
as:
Enjoy !!
