3.4.7.3.6 Editing SAML Sign In

Delegates authentication to the Security Assertion Markup Language (SAML) Sign In authentication scheme.

3.4.7.3.6.1 About SAML Sign In

Oracle APEX supports the use of Security Assertion Markup Language (SAML). SAML is an XML-based protocol for exchanging security information between software entities on the Web. SAML security is based on the interaction of asserting and relying parties. SAML provides single sign-on capabilities; users can authenticate at one location and then access service providers at other locations without having to log in multiple times.

Note:

SAML support requires Oracle Database 19c (Database Release Update 19.9.0.0.0 or newer) or Oracle Database 21c. If your database does not meet these requirements, the SAML Sign-In authentication scheme is not displayed.

3.4.7.3.6.2 About Cross-Origin Resource Sharing when Using SAML

The SAML authentication end-user flow requires Oracle REST Data Services (ORDS) to permit cross-origin requests from your Identity Provider to Oracle APEX. By default, ORDS does not allow cross-origin requests to its PL/SQL gateway, including requests to Oracle APEX. You must configure ORDS to designate your Identity Provider as a trusted origin by setting the security.externalSessionTrustedOrigins configuration parameter.

See Also:

Cross-Origin Resource Sharing Feature in Oracle REST Data Services Installation, Configuration, and Development Guide

3.4.7.3.6.3 Configuring SAML Sign-In

Edit the SAML Sign-In authentication scheme for an instance. SAML stands for Security Assertion Markup Language.

To edit SAML Sign-In:

  1. Sign in to Oracle APEX Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Under Authentication Control, scroll down to Development Environment Authentication Schemes.
    The Status column indicates whether the authentication scheme is designated as Current.
  5. Find SAML and click Edit.
    The Edit Scheme page appears.
  6. Click Make Current Scheme to have applications identify and verify the user using this authentication scheme.
  7. Under Edit Authentication Scheme:
    • PL/SQL Code - Enter a PL/SQL anonymous block of code that contains procedures for pre- and post-authentication entry points. To improve performance, you can also store this code in a PL/SQL package in the database.
    • Pre-Authentication Procedure Name - Specify the name of a procedure to be executed after the login page is submitted and just before credentials verification is performed. The procedure can be defined in the PL/SQL Code attribute or within the database.

      Authentication schemes where user credentials checking is done outside of Oracle APEX typically do not execute the Pre-Authentication procedure. Examples include HTTP Header Variable, Oracle Application Server Single Sign-On, and custom authentication schemes that use APEX_AUTHENTICATION.POST_LOGIN instead of APEX_AUTHENTICATION.LOGIN.

    • Post-Authentication Procedure Name - Specify the name of a procedure to be executed by the Oracle APEX LOGIN procedure after the authentication step (login credentials verification). The LOGIN procedure will execute this code after it performs its normal duties, which include setting a cookie and registering the session, but before it redirects to the desired application page. The procedure can be defined in the PL/SQL Code attribute or within the database.
  8. Under SAML for Internal and Workspace Applications: APEX Attributes:
    • Enable SAML for Applications - Enable if workspace applications should be able to use SAML authentication. Note that you can enable any other authentication scheme for internal applications, but still use SAML in applications if this attribute is enabled.
    • Username Attribute - SAML responses can contain additional attributes about the user. If set, Oracle APEX uses that attribute's value as the username. By default, Oracle APEX uses the assertion subject's NameID attribute.
    • Certificate - Enter the primary certificate of the Oracle APEX side.
    • Private Key - Enter the private key of the Application Express side. Note that Oracle APEX does not display an existing private key, but you can enter a new one.
    • Alternative Certificate - Enter the alternative certificate of the Oracle APEX side.
    • Alternative Private Key - Enter the alternative private key of the Oracle APEX side. Note that Oracle APEX does not display an existing private key, but you can enter a new one.
  9. Under SAML for Internal and Workspace Applications: Identity Provider Attributes:
    • Issuer - Enter the Issuer attribute from the identity provider's metadata, for example:

      https://login.example.com/oam/fed

    • Signing Certificate - Enter the certificate from the identity provider's metadata.
    • Alternative Signing Certificate - Enter an alternative certificate from the identity provider's metadata.
    • Sign-In URL - Enter the identity provider's sign-in URL.
    • Sign-Out URL - Enter the identity provider's sign-out URL. If empty, it defaults to the sign-in URL, which is normally sufficient.
  10. To save your changes, click Apply Changes.
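The following is an added example, not code from the Oracle APEX documentation, of what the PL/SQL Code attribute in step 7 can hold for a SAML scheme: a post-authentication procedure (entered as the Post-Authentication Procedure Name) that audits each SAML sign-in and loads a role for the user established by the assertion. The tables app_login_audit and app_user_roles and the application item APP_USER_ROLE are assumptions, not part of Oracle APEX.

```plsql
-- Added example (not from the Oracle APEX documentation): procedures for the
-- authentication scheme's "PL/SQL Code" attribute. Enter post_saml_login as the
-- Post-Authentication Procedure Name. SAML verifies credentials outside APEX, so
-- the pre-authentication entry point is normally not executed and none is defined.
-- Assumed (hypothetical) tables:
--   app_login_audit(username, app_id, session_id, login_time)
--   app_user_roles(username, role_name)

-- Writes the audit row in its own transaction so it is kept regardless of what
-- happens later in the login flow (the LOGIN procedure owns the main transaction).
procedure audit_saml_login (
    p_username   in varchar2,
    p_app_id     in number,
    p_session_id in number )
is
    pragma autonomous_transaction;
begin
    insert into app_login_audit (username, app_id, session_id, login_time)
    values (p_username, p_app_id, p_session_id, systimestamp);
    commit;
end audit_saml_login;

-- Post-authentication entry point. By now the session is registered and
-- APP_USER holds the value taken from the assertion's NameID, or from the
-- configured Username Attribute when one is set.
procedure post_saml_login
is
    l_user  constant varchar2(255) := apex_application.g_user;
    l_role  app_user_roles.role_name%type;
begin
    audit_saml_login(
        p_username   => l_user,
        p_app_id     => apex_application.g_flow_id,     -- application ID
        p_session_id => apex_application.g_instance );  -- session ID

    -- Look up the application role; a user without a mapping gets no role, and
    -- an authorization scheme on the application should then deny access.
    begin
        select role_name into l_role
          from app_user_roles
         where upper(username) = upper(l_user);
    exception
        when no_data_found then
            l_role := null;
            apex_debug.warn('SAML user %s has no role mapping', l_user);
    end;

    -- Application item APP_USER_ROLE is assumed to exist for authorization checks.
    apex_util.set_session_state(p_name => 'APP_USER_ROLE', p_value => l_role);
end post_saml_login;
```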

Tip:

If your Oracle APEX instance is using the prerequisite Oracle Database release and Database Release Update and the SAML Sign-In authentication scheme does not appear, execute the following while connected to the database (or pluggable database) as SYSDBA:

set serveroutput on
exec sys.validate_apex