APEX

Hi Everyone,
This is what we are attempting to do. We are migrating a Forms based application to Apex.
Our Forms based application allows two possible ways to authenticate - 1) either with a Smart Card (external id) and an Oracle Database username; or, 2) with just an Oracle database username.
For customers who have Smart Cards, the process uses SSO, OID and the RAD to allow the Smart Card (with a meaningless External Id) to be mapped to an Internal Id that is meaningfull to our application in two ways.
First, the internal id is a valid Oracle Database Username that controls whether or not the customer can establish a database session. Secondly, the exact same internal id is used extensively in custom code to control customer navigation and item level access.
For those customers without Smart Cards, they come into the Forms session straight away with their Oracle Database username (internal id).

We need to use the same model when we migrate the Forms application to ApEx. We need to allow both authentication methods to get through the front door but will only be using the internal id to control what happens once the user has been allowed inside the app. Therefore we need a mechanism to map the External Smart Card Id to an Internal Id (Oracle database username). We realize that once in the app, the customer will be operating under the permissions given to the Parsing Schema - which is different than their Oracle database username. However all of our custom logic is based on controlling what the customer can do based on their individual internal username (which just happens to corresponds to their current Oracle Database username.)

In order to enter ApEx with the Smart Cards, we thought we would have to use SSO and in order to use SSO, we have to pick the Application Express Engine as a Partnership app Authentication scheme.
But after that we do not have any equivalent to OID/RAD to map the external id to internal id. Please help. Any ideas are appreciated.
Regards,
Suma.