20.4.3.4 HTTP Header Variable

Authenticate users externally by storing the username in an HTTP header variable that is set by the web server.

Note:

To ensure the security and performance of your development environment, this functionality is not available in Oracle APEX instances running in Oracle Cloud.

20.4.3.4.1 About HTTP Header Variable

HTTP Header Variable supports the use of header variables to identify a user and to create an Oracle APEX user session. Use the HTTP Header Variable authentication scheme if your company employs a centralized web authentication solution, such as Oracle Access Manager, which provides single sign-on across applications and technologies. User credential verification is performed by that system, which then passes the user's name to APEX in an HTTP header variable such as REMOTE_USER (the default). Because the scheme trusts whatever value it finds in that header, the web server or reverse proxy in front of APEX must set the header itself and must not forward a header of the same name received from the client.

20.4.3.4.2 Setting Up HTTP Header Variable

To set up HTTP Header Variable:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

    The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    1. Name - Enter the name used to reference the authentication scheme by other application developers.
    2. Scheme Type - Select HTTP Header Variable.
  8. Under Settings:

    To learn more about a specific field, see field-level Help.

    1. HTTP Header Variable Name - Specifies the name of the HTTP header variable which contains the username. If not specified, REMOTE_USER is used. The HTTP header variable is a variable set by the web server, not one supplied by the client.
    2. Action if Username is Empty - Specifies the action which should be performed if the username stored in the HTTP header variable is empty. Options include:
      • Redirect to Built-In URL - Initiates a login by the web server. The web server must be configured to protect this Built-In URL, so that a request to it forces a login. After login, the web server must store the validated username in the HTTP header variable, so it is available to the authentication scheme. The Built-In URL is:

        /apex/apex_authentication.callback

        where the prefix /apex/ depends on your server configuration.

      • Redirect to URL - Initiates a login on an external server which then sets the validated username in the HTTP header variable. The external server should redirect back to the application using the URL generated by the #CALLBACK# placeholder to complete authentication in the application.

      • Display Error - Displays the specified error message and no login will be performed in the application.

    3. Verify Username - Specifies how often the username stored in the HTTP header variable is verified. Options include:
      • Each Request - Expects the CGI variable to be set on every request once the web server has performed the login. If the username in the header is not identical to the one stored in the current APEX session, the session is invalidated and a new login is initiated. This is the most secure option because it detects logouts at the web server and username changes.

      • After Login - Verifies and stores the username in the APEX session only once, after the web server has performed the login and calls the callback to complete authentication in the application; the header is not re-checked on later requests of that session. For the callback, see the "Action if Username is Empty" setting.

    4. Logout URL of SSO Server - If the authentication scheme is based on Oracle Access Manager or similar servers, you can use this attribute to specify a URL to log out of the central single sign-on server. The substitution parameter %POST_LOGOUT_URL% will be replaced by an encoded URL to the login page of your application.

      Oracle Access Manager based SSO example:

      /oamsso/logout.html?end_url=%POST_LOGOUT_URL%

  9. Click Create Authentication Scheme.
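The following added example is not part of the Oracle APEX documentation or product code; it models, in plain Python, the decisions the settings above describe so that the effect of each option can be seen on concrete requests. The function names, the `HeaderAuthSettings` fields and the sample header dictionaries are assumptions for illustration, and the APEX login page URL `/apex/f?p=100:LOGIN` is a constructed value. The model goes slightly beyond the text in that it treats a whitespace-only header value as empty and looks up the header name case-insensitively.

```python
from dataclasses import dataclass
from urllib.parse import quote

# Built-In URL from the documentation; the /apex/ prefix depends on server configuration.
BUILTIN_CALLBACK = "/apex/apex_authentication.callback"


@dataclass
class HeaderAuthSettings:
    """Hypothetical mirror of the scheme settings described in the documentation."""
    header_name: str = "REMOTE_USER"     # empty string means "use the default"
    action_if_empty: str = "builtin"     # "builtin" | "redirect" | "error"
    redirect_url: str = ""               # used by "redirect"; may contain #CALLBACK#
    error_message: str = "Not authenticated"
    verify: str = "each_request"         # "each_request" | "after_login"
    sso_logout_url: str = ""             # may contain %POST_LOGOUT_URL%


def header_username(settings, headers):
    """Read the username the web server placed in the configured header.

    Headers are matched case-insensitively; missing or whitespace-only
    values count as empty (assumption of this model).
    """
    name = (settings.header_name or "REMOTE_USER").upper()
    normalized = {k.upper(): v for k, v in headers.items()}
    return (normalized.get(name) or "").strip()


def evaluate_request(settings, headers, session_user):
    """Decide what the scheme does for one request.

    headers      - request headers as seen by APEX (set by the web server)
    session_user - username stored in the current APEX session, or None

    Returns a (outcome, detail) tuple:
      ("redirect", url)                 - send the browser to url to obtain a login
      ("error", message)                - show message, no login performed
      ("login", username)               - create an APEX session for username
      ("invalidate_and_login", username)- header user differs from session user
      ("ok", username)                  - request proceeds as the session user
    """
    username = header_username(settings, headers)

    if not username:
        # "Action if Username is Empty"; applies even when a session exists,
        # which is how "Each Request" detects a logout at the web server.
        if settings.action_if_empty == "builtin":
            return ("redirect", BUILTIN_CALLBACK)
        if settings.action_if_empty == "redirect":
            # #CALLBACK# is replaced by the URL-encoded callback of the application.
            return ("redirect",
                    settings.redirect_url.replace("#CALLBACK#", quote(BUILTIN_CALLBACK, safe="")))
        return ("error", settings.error_message)

    if session_user is None:
        # First request carrying a username: the callback completes the login.
        return ("login", username)

    if settings.verify == "each_request" and username != session_user:
        # Username changed underneath an existing session: drop it and log in again.
        return ("invalidate_and_login", username)

    # "After Login" never re-checks the header; "Each Request" reaches here only on a match.
    return ("ok", session_user)


def logout_url(settings, login_page):
    """Build the SSO logout URL, substituting the encoded login page for %POST_LOGOUT_URL%."""
    if not settings.sso_logout_url:
        return login_page
    return settings.sso_logout_url.replace("%POST_LOGOUT_URL%", quote(login_page, safe=""))


if __name__ == "__main__":
    defaults = HeaderAuthSettings()
    print(evaluate_request(defaults, {"REMOTE_USER": "ALICE"}, None))      # ('login', 'ALICE')
    print(evaluate_request(defaults, {"REMOTE_USER": "BOB"}, "ALICE"))     # ('invalidate_and_login', 'BOB')
    print(evaluate_request(defaults, {}, "ALICE"))                         # ('redirect', '/apex/apex_authentication.callback')
    oam = HeaderAuthSettings(sso_logout_url="/oamsso/logout.html?end_url=%POST_LOGOUT_URL%")
    print(logout_url(oam, "/apex/f?p=100:LOGIN"))
```

Running the block with the three `verify`/`action_if_empty` combinations above shows the practical difference between the two verification modes: with "Each Request" a changed or missing header ends the session, while with "After Login" the session keeps the username captured at the callback until the APEX session itself ends.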