In order to protect a critical application (Oracle EBS), we went the AzureAD/OAuth2 pre-authentication way.
This means that users need to have a valid M365 session in their browser to reach the application. They can then log in (again) and use the application.
The issue I'm facing is that Oracle EBS makes heavy use of Java applications through JNLP. Once you download and launch the JNLP, the application doesn't start, because it cannot reach the application endpoint. This is caused by Java not having the "OAuth session" needed to access the application; the Java application is actually redirected to the Microsoft login page. (The web-based application uses the same URL as the Java applications; both use, for example, https://my-ebs-app.organization.com/)
So I need a form of "App Tunnel" or ACL to allow those JNLPs to actually reach the application server for the users who have a valid OAuth2 session.
Any idea on a solution to this issue?
One possible solution to the issue you're facing is to use a reverse proxy or application gateway that can handle the authentication and forwarding of requests to the Oracle EBS application server. This allows you to establish a secure connection between the client and the reverse proxy, while the proxy handles the authentication and forwards the requests to the application server.
Here's a high-level overview of how this solution could work:
Set up a reverse proxy or application gateway (e.g., Nginx, Apache HTTP Server, Azure Application Gateway) in front of the Oracle EBS application server.
Configure the reverse proxy to handle the authentication part using Azure AD and OAuth2. This typically involves configuring the proxy to validate the OAuth2 access tokens or session cookies from the M365 session.
When a client tries to access the Oracle EBS application through the JNLP, they will be redirected to the reverse proxy for authentication.
Once the client's M365 session is validated and authenticated, the reverse proxy can create a separate session or token specific to the Oracle EBS application.
The reverse proxy then forwards the requests from the client to the Oracle EBS application server, including the necessary authentication information (e.g., session token) required by the Java applications in the JNLP.
(Edited by Leslie Hubertus to remove spam link)
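The token hand-off the answer above describes, as an added illustration that is not the answer's own code and not Oracle EBS, Azure AD or BIG-IP APM behaviour: the proxy accepts ordinary browser requests on the strength of its own session cookie, rewrites the JNLP it serves to that browser so the jar URLs carry a short-lived, proxy-signed token, and then accepts that token (and nothing else) as the credential for the Java client's requests, stripping it before forwarding upstream. The session store, the cookie name, the `/forms/` path prefix, the `apptok` query parameter and the token format are all assumptions made for the example.

```python
"""Pre-authentication proxy logic for a browser + JNLP client pair.

Everything here is illustrative: the session store, cookie name, path prefix,
query parameter and token layout are assumptions for the example.
"""
import base64
import binascii
import hashlib
import hmac
import re
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

SIGNING_KEY = secrets.token_bytes(32)     # proxy-side key (constructed per process)
TOKEN_TTL = 300                           # seconds a JNLP token stays valid
JAVA_PATH_PREFIX = "/forms/"              # assumed prefix used by the Java client
# Constructed session store: proxy session cookie value -> authenticated user.
# In a real deployment this is populated after the OAuth2/OIDC redirect flow.
BROWSER_SESSIONS = {"s3ss10n-abc": "alice@organization.com"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_app_token(user: str, now: Optional[float] = None) -> str:
    """Issue user|expiry signed with the proxy key, for the Java client to present."""
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    payload = f"{user}|{exp}".encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_app_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user the token was minted for, or None if tampered or expired."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):      # constant-time comparison
        return None
    user, _, exp = payload.decode(errors="replace").rpartition("|")
    current = now if now is not None else time.time()
    if not exp.isdigit() or current >= int(exp):
        return None
    return user


def authorize(url: str, cookies: dict, now: Optional[float] = None
              ) -> Tuple[str, Optional[str], Optional[str]]:
    """Decide what the proxy does with one request.

    Returns ("allow", user, upstream_url) or ("redirect_to_idp", None, None).
    """
    parts = urlsplit(url)
    # 1. Browser traffic carries the proxy's session cookie.
    user = BROWSER_SESSIONS.get(cookies.get("proxy_session", ""))
    if user:
        return ("allow", user, url)
    # 2. The Java client has no cookie jar; only requests below the Java path
    #    may authenticate with the token the JNLP carried.
    if parts.path.startswith(JAVA_PATH_PREFIX):
        tok = parse_qs(parts.query).get("apptok", [None])[0]
        user = verify_app_token(tok, now) if tok else None
        if user:
            # Strip the token so the application server never sees it.
            clean = "&".join(p for p in parts.query.split("&")
                             if p and not p.startswith("apptok="))
            return ("allow", user, parts._replace(query=clean).geturl())
    # 3. Anything else goes to the identity provider.
    return ("redirect_to_idp", None, None)


def rewrite_jnlp(jnlp_xml: str, token: str) -> str:
    """Append the token to every jar href in the JNLP served to the browser,
    so the Java client's follow-up requests carry it (assumed delivery method)."""
    def add_token(match: "re.Match") -> str:
        href = match.group(1)
        sep = "&" if "?" in href else "?"
        return f'href="{href}{sep}apptok={token}"'
    return re.sub(r'href="([^"]+\.jar[^"]*)"', add_token, jnlp_xml)
```

The browser request that downloads the JNLP is authorised by path 1, the proxy calls `mint_app_token` for that user and `rewrite_jnlp` on the response body, and the Java client's jar and servlet fetches are then authorised by path 2 without ever holding the M365 session. The token is bound to a user and a short lifetime rather than to the browser session, which is the trade-off this pattern makes: anyone who obtains the JNLP within the TTL can use it, so the TTL should be as short as the launch takes.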
Thanks for the link and the hint. I've tried setting up the App Tunnel feature, but it seems I'm missing something in the process.
I've asked our integrator to help me with this point, so hopefully it will be sorted shortly.
Have you established persistence at all for this? It's been quite a bit, but I think that, if you want to pass a token from one VIP (auth) to another (app), you will need universal persistence on the VIPs so that the BIG-IP knows it's the same application flow. Also, did you follow any reference guide or doc for this build?
Can you show your policy?
Well, I have only a single VIP. For now I've set up the APM policy on the VS that hosts the Oracle EBS service. Maybe that's not the right way to do it, but as stated above, I've asked our integrator to send me someone knowledgeable about APM to help me sort this out.