We have been getting requests for custom authentication methods based around prorpietary headers/logic. The following attachments describe the oracle COREid product.

B19006.pdf - high level overview of how the product works
B19008v2.pdf - details of authentication protocol (p. 85 - 92)
B19013.pdf - documentation about API

Likely the most important part is assuming a user is who the HTTP_OBLIX_UID header says they are. The COREid server and the firewall should protect the server from unauthorized access.