Integrate Oracle APEX with Identity Domains using Delegated Authentication

Introduction

Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) provides identity and access management features such as authentication, single sign-on (SSO), and identity lifecycle management for Oracle Cloud as well as Oracle and non-Oracle applications, whether SaaS, cloud-hosted, or on-premises.

Objective

This tutorial walks you through the high-level steps for configuring SSO on APEX applications using OCI IAM (Identity Domains) as the identity provider (IdP), which adds security controls such as MFA, Adaptive Security, and reporting. Additionally, we will use Active Directory (AD) credentials to authenticate the users through the AD Bridge Delegated Authentication feature of OCI IAM Identity Domains.

Prerequisites

  1. OCI IAM administrator access to an Identity Domain for the partner app setup
  2. APEX 18+ with an application for the authentication setup
  3. AD Bridge set up and Delegated Authentication enabled on the OCI IAM Identity Domain (required when users and groups are synced from AD and you want the users to authenticate with their local AD credentials). For more details, see Setting Up a Microsoft Active Directory (AD) Bridge

Task 1: Install a sample application in APEX

Log in to your APEX Workspace to create a sample app for which we will use OCI IAM as the IdP for SSO. To create an app in APEX, click App Builder and execute the following steps.

  1. Click Create Application.

    Image 1

  2. Select the From a File option.

    Image 2

  3. Select the Copy and Paste option and select Sales as shown in the following images.

    Image 3

    Image 4

Task 2: Register a Confidential Application in OCI IAM

We will register a Confidential Application in the OCI IAM Domain. For this tutorial example, we have used the default domain.

  1. Log in to Identity Domains under Identity and Security and click Applications.

    Picture 4

  2. Select Confidential Application and then click Launch Workflow.

    Picture 5

  3. Enter a Name for your application and then click Next.

    Picture 6

  4. Select Authorization Code as the Grant Type and then click Next.

    Picture 7

  5. Add the Redirect URL in this format: https://guid-demodb.adb.region.oraclecloudapps.com/ords/apex_authentication.callback. For example: https://guid-demodb.adb.us-ashburn-1.oraclecloudapps.com/ords/apex_authentication.callback.

  6. Leave the Logout URL blank.

  7. Add the Post Logout URL in this format: https://guid-demodb.adb.region.oraclecloudapps.com/ords/f?p=your_apex_number_here.

    Note: Make a note of this URL; it must match exactly the Post-Logout URL entered later in the APEX Authentication Scheme.

    Picture 31

  8. Click Finish.

    Picture 8

  9. Click Edit application and enable Enforce grant as Authorization under Authentication and Authorization. This setting is used later to control access to the APEX app.

    Picture 10

  10. Click Activate Application.

    Picture 9

  11. Copy the Client ID and Secret which we will use in the configuration on APEX Side.

    Picture 11

Task 3: Create a new Web Credential in your APEX workspace

  1. From your created application, click Shared Objects.

    Picture 12

  2. Click Credentials.

    Picture 13

  3. Click Create.

    Picture 14

  4. Add the details as shown in the following image and then click Create.

    Tip: Use the Client ID and Secret that we got from the confidential application.

    Picture 15

  5. Assign a user to this application.

    Picture 22

Task 4: Create a new Authentication Scheme in APEX for the sample app

  1. From the Shared Objects, click the Authentication Schemes option and then click Create.

    Picture 16

    Picture 17

  2. Select the Based on a pre-configured scheme from the gallery option and then click Next.

    Picture 18

  3. Add the details as shown in the following image and then click Create. The Discovery URL will be https://[idcs-service-url]/.well-known/openid-configuration/.

    Picture 19

  4. Now click on the created IDCS Authentication Scheme - Current.

  5. Click the Post-Logout URL tab and select the Go To URL option. In the URL field, paste the APEX application URL from Task 2, step 7. This URL must match the IDCS Post Logout Redirect URL exactly.

    Picture 30

  6. Under Security Attributes, update the details and click Apply Changes.

    Picture 27

    Picture 28

  7. (Optional) In the Source field, add the following PL/SQL code.

    Note: This is only required if you want to control authorization, in cases where we want to change the features or behavior of an app based on the groups a user belongs to. For more details, see the Controlling Authorization section at the end of this tutorial.

    --
    -- Post-Authentication procedure (registered in step 8). APEX calls it after
    -- a successful login, with the userinfo endpoint response already parsed
    -- into apex_json, so the "groups" array can be read directly.
    --
    procedure load_dynamic_groups as
      l_group_names apex_t_varchar2;
    begin
      --
      -- add all group names to l_group_names
      --
      for i in 1 .. apex_json.get_count('groups') loop
          apex_string.push (
            p_table => l_group_names,
            p_value => apex_json.get_varchar2 (
                           p_path => 'groups[%d].name',
                           p0     => i ));
      end loop;
      --
      -- save group names in session so authorization schemes can check them
      --
      apex_authorization.enable_dynamic_groups (
          p_group_names => l_group_names );
    end;

    Picture 20

  8. (Optional, used together with step 7) Under Login Processing, add the following details and save.

    Picture 29

Task 5: Test login to the APEX application

  1. Click on the Run Page option as shown in the following image.

    Picture 23

  2. Enter the credentials on the prompted login screen. For this tutorial, the account used for authentication is synced from the Local Active Directory and the password resides in the Active Directory. OCI IAM will collect the username and password and get them validated against Active Directory.

    Picture 24

  3. Click on the Allow option prompted on the screen.

    Picture 25

The application landing page is displayed.

Picture 26

Controlling Authorization

You can control authorization by enabling the Enforce Grant as Authorization check box on the Confidential app configured for SSO. Only users and groups assigned to this app can then access the APEX application. This is shown in step 9 of Task 2.

The other way to control authorization is to use a PL/SQL procedure within the Authentication Scheme, as shown above in steps 7 and 8 of Task 4. After successful authentication, the userinfo_endpoint is called and the results are made available to the Post-Authentication procedure. The JSON results are converted to a list of groups and stored in the APEX session's built-in group store, which can later be tied to an Authorization Scheme under Shared Components to grant access to the application based on the group membership of the users.
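As an added example (not part of the tutorial), the following is the body of an APEX Authorization Scheme of type PL/SQL Function Returning Boolean that consumes the dynamic groups registered by load_dynamic_groups in Task 4, step 7. The group names SALES_ADMINS and SALES_REPS are assumed OCI IAM group names; substitute the ones returned by your userinfo endpoint, spelled exactly as IAM returns them.

```plsql
-- Added example: Authorization Scheme body (PL/SQL Function Returning Boolean).
-- Access is granted when the session user belongs to at least one of the
-- groups enabled via apex_authorization.enable_dynamic_groups at login.
-- SALES_ADMINS / SALES_REPS are assumed group names for illustration.
declare
    l_allowed_groups apex_t_varchar2 := apex_t_varchar2('SALES_ADMINS', 'SALES_REPS');
begin
    -- deny anonymous sessions outright (APEX uses 'nobody' for the public user)
    if apex_application.g_user is null or apex_application.g_user = 'nobody' then
        return false;
    end if;

    -- current_user_in_group checks workspace groups and the dynamic groups
    -- stored in the session by the Post-Authentication procedure
    for i in 1 .. l_allowed_groups.count loop
        if apex_util.current_user_in_group(p_group_name => l_allowed_groups(i)) then
            return true;
        end if;
    end loop;

    -- default deny: no matching group membership
    return false;
end;
```

Set the scheme's Identify Error Message to something non-revealing and attach it to the application or to individual pages; because the groups are loaded once at login, a change of group membership in OCI IAM takes effect only after the user logs in again.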

Acknowledgments

Author - Aqib Javid Bhat (Senior Cloud Engineer)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.