11.7 Integrating an External Identity Provider
While APEX Accounts are easy and built-in, you might already manage users and roles with an external identity provider. If so, create a Social Sign-in type Authentication Scheme and, after authentication, dynamically enable the groups the user belongs to.
This scheme type authenticates users with Google, Facebook, or any provider supporting OpenID Connect or OAuth 2.0. You can use the Identity and Access Management (IAM) service on Oracle Cloud Infrastructure (OCI) to experiment with setting it up. The basic OCI IAM features shown here work in an Always Free OCI tenancy as well. Using another external identity provider requires similar steps.
Assume you create an IAM domain called WoodsHR for use by the Woods HR app in this section. Among other identity-related artifacts, an IAM domain contains users, groups, user/group assignments, and integrated application clients. To easily compare APEX Accounts with an external identity provider, configure the same users and roles.
Tip:
Other IAM features beyond these basics may require a paid tenancy.
- Defining Users in an IAM Domain
  Define your IAM domain users on the User management tab.
- Creating Groups in an IAM Domain
  OCI Identity and Access Management (IAM) uses the term "group" instead of role. Create groups on your domain's User management tab.
- Assigning IAM Domain Users to Groups
  Assign users to a group on the Users tab of the group edit page.
- Configuring Confidential App for APEX
  A domain's Integrated applications tab lists applications you allowed to authenticate through it.
- Defining Credential for Identity Provider
  Before defining the Social Sign-in Authentication Scheme to use your external identity provider, start by defining the Web Credential it requires in Workspace Utilities.
- Authenticating with an External Provider
  With the web credential defined, create a new Social Sign-in Authentication Scheme that references the Web Credential protecting the OAuth client ID and secret for the confidential app used for authentication.
- Enabling Groups in Post-Auth Procedure
  To use the groups defined in your external identity provider, write a post authentication procedure and configure your Social Sign-in Authentication Scheme to invoke it.
- Sourcing App Groups from Custom Code
  When using ENABLE_DYNAMIC_GROUPS in a post-authentication procedure to set the groups the current user belongs to, as shown below, set the Source for Role or Group Schemes application security setting to Custom Code.
- Switching Authorization Rules to Custom
  When using ENABLE_DYNAMIC_GROUPS, edit your authorization schemes to change their Type to Custom.
- Making Social Sign-in the Current Scheme
  To try out a new authentication scheme at runtime in your application, make it the current scheme.
- Experiencing External Identity Provider
  With all the changes ready, run the app to test out authentication using the external identity provider.
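The post-authentication procedure and Custom authorization scheme described in the steps above, as an added example that is not code from the Oracle APEX documentation. It assumes the Social Sign-in scheme maps the provider's group claim into an application item named WOODS_IDP_GROUPS (a hypothetical name) as a comma-separated list, that the IAM domain group names match the app's role names, and that APEX_UTIL.CURRENT_USER_IN_GROUP resolves the dynamic groups enabled in the session.

```plsql
-- Added example (not code from the Oracle APEX documentation).
-- Post-authentication procedure for the Woods HR Social Sign-in scheme.
-- Assumptions: the scheme's "Map Additional User Attributes To" setting
-- stores the provider's group claim in the application item WOODS_IDP_GROUPS
-- (hypothetical name) as a comma-separated list such as 'HR Manager,HR Staff'
-- (constructed sample), and the app's authorization schemes use upper-case
-- group names matching the IAM domain groups.
create or replace procedure woods_hr_post_auth
is
    l_raw    varchar2(4000) := apex_util.get_session_state('WOODS_IDP_GROUPS');
    l_parts  apex_t_varchar2 := apex_t_varchar2();
    l_groups apex_t_varchar2 := apex_t_varchar2();
    l_name   varchar2(255);
begin
    if l_raw is not null then
        l_parts := apex_string.split(p_str => l_raw, p_sep => ',');
    end if;

    -- Normalize: trim whitespace, upper-case to match the authorization
    -- scheme names, and drop empties left by a trailing separator.
    for i in 1 .. l_parts.count loop
        l_name := upper(trim(l_parts(i)));
        if l_name is not null then
            apex_string.push(l_groups, l_name);
        end if;
    end loop;

    -- Only groups asserted by the identity provider become session groups.
    -- A user with no group claim gets an empty list, and so no roles,
    -- rather than silently falling back to a default role.
    apex_authorization.enable_dynamic_groups(p_group_names => l_groups);
    apex_debug.info('Enabled %s dynamic group(s) for %s',
                    l_groups.count, apex_application.g_user);
end woods_hr_post_auth;
/

-- Body of a Custom-type authorization scheme (PL/SQL Function Returning
-- Boolean) named, say, "HR Manager": it checks the session's dynamic groups
-- instead of APEX Account group membership.
return apex_util.current_user_in_group(p_group_name => 'HR MANAGER');
```

Enter the procedure name in the scheme's Post-Authentication Procedure Name attribute; with Source for Role or Group Schemes set to Custom Code, any group not present in the provider's claim is simply absent from the session.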
Parent topic: Controlling Access with Users and Roles