Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Integrate Oracle APEX with Identity Domains using Delegated Authentication
Introduction
Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) provides identity and access management features such as authentication, single sign-on (SSO), and identity lifecycle management for Oracle Cloud as well as Oracle and non-Oracle applications, whether SaaS, cloud-hosted, or on-premises.
Objective
This tutorial walks you through the high-level steps for configuring SSO on APEX applications using OCI IAM (Identity Domains) as the identity provider (IdP), which adds security controls such as MFA, Adaptive Security, and reporting. Additionally, we will use Active Directory (AD) credentials to authenticate users through the AD Bridge Delegated Authentication feature of OCI IAM Identity Domains.
Prerequisites
- OCI IAM administrator access to an Identity Domain, for the partner application setup
- APEX 18 or later with an application on which to configure authentication
- AD Bridge set up and Delegated Authentication enabled on the OCI IAM Identity Domain (required when users and groups are synced from AD and you want them to authenticate with their local AD credentials). For more details, see Setting Up a Microsoft Active Directory (AD) Bridge.
Note:
We assume that the AD Bridge is already set up and Delegated Authentication is enabled, so that users can authenticate with OCI IAM Identity Domains using their local AD credentials. The high-level authentication flow is then: APEX uses OCI IAM as its IdP; OCI IAM in turn validates the user's credentials against Active Directory through the AD Bridge; as a result, users log in to APEX with their local AD credentials.
Once the AD Bridge and Delegated Authentication setup is done, follow the steps in this tutorial to set up APEX SSO with Identity Domains.
Task 1: Install a sample application in APEX
Log in to your APEX workspace to create a sample app that will use OCI IAM as the IdP for SSO. To create an app in APEX, click App Builder and complete the following steps.
1. Click Create Application.
2. Select the From a File option.
3. Select the Copy and Paste option and select Sales as shown in the following images.
Task 2: Register a Confidential Application in OCI IAM
We will register a Confidential Application in the OCI IAM domain. This tutorial uses the Default domain.
1. Log in to Identity Domains under Identity and Security and click Applications.
2. Select Confidential Application and then click Launch Workflow.
3. Enter a Name for your application and then click Next.
4. Select Authorization Code as the Grant Type and then click Next.
5. Add the Redirect URL in this format: https://guid-demodb.adb.region.oraclecloudapps.com/ords/apex_authentication.callback. For example: https://guid-demodb.adb.us-ashburn-1.oraclecloudapps.com/ords/apex_authentication.callback.
6. Leave the Logout URL blank.
7. Add the Post Logout URL in this format: https://guid-demodb.adb.region.oraclecloudapps.com/ords/f?p=your_apex_number_here.
   Note: Make a note of this URL. It must match exactly the Post-Logout URL you enter later in the APEX Authentication Scheme.
8. Click Finish.
9. Click Edit application and, under Authentication and Authorization, enable Enforce grant as Authorization. (This setting is used later to control access to the APEX app.)
10. Click Activate Application.
11. Copy the Client ID and Client Secret; they are needed for the configuration on the APEX side.
Task 3: Create a new Web Credential in your APEX workspace
1. From your created application, click Shared Objects.
2. Click Credentials.
3. Click Create.
4. Add the details as shown below and then click Create.
   Tip: Use the Client ID and Client Secret obtained from the confidential application.
5. Assign a user to this application.
Task 4: Create a new Authentication Scheme in APEX for the sample app
1. From Shared Objects, click Authentication Schemes and then click Create.
2. Select the Based on a pre-configured scheme from the gallery option and then click Next.
3. Add the details as shown in the following image and then click Create. The Discovery URL is https://[idcs-service-url]/.well-known/openid-configuration/.
4. Click the newly created IDCS Authentication Scheme - Current.
5. Click the Post-Logout URL tab and select the Go-To, URL option. In the URL field, paste the APEX application URL from Task 2, step 7. This URL must match the IDCS Post Logout Redirect URL exactly.
6. Under Security Attributes, update the details and click Apply Changes.
7. (Optional) In the Source field, add the following PL/SQL code.
   Note: This is only required if you want to control authorization, that is, change the features or behavior of the app based on the groups a user belongs to. For more details, see the Controlling Authorization section at the end of this tutorial.

       procedure load_dynamic_groups as
           -- initialize the collection so push always has a valid table
           l_group_names apex_t_varchar2 := apex_t_varchar2();
       begin
           --
           -- add all group names from the userinfo JSON to l_group_names
           -- (get_count returns null when no groups array is present,
           -- so default it to 0 and skip the loop in that case)
           --
           for i in 1 .. nvl(apex_json.get_count('groups'), 0) loop
               apex_string.push (
                   p_table => l_group_names,
                   p_value => apex_json.get_varchar2 (
                                  p_path => 'groups[%d].name',
                                  p0     => i ));
           end loop;
           --
           -- save the group names in the session as dynamic groups
           --
           apex_authorization.enable_dynamic_groups (
               p_group_names => l_group_names );
       end;

8. (Optional, used together with step 7) Under Login Processing, add the following details and save.
Task 5: Test login to the APEX application
1. Click the Run Page option as shown in the following image.
2. Enter the credentials on the login screen. For this tutorial, the account used for authentication is synced from the local Active Directory and its password resides in Active Directory. OCI IAM collects the username and password and validates them against Active Directory.
3. Click the Allow option prompted on the screen.
The application landing page is displayed.
Controlling Authorization
You can control authorization by enabling the Enforce Grant as Authorization check box on the Confidential Application configured for SSO (step 9 of Task 2). Only users and groups assigned to that application can then access the APEX application.
The other way to control authorization is to use a PL/SQL procedure in the Authentication Scheme, as shown in steps 7 and 8 of Task 4. After successful authentication, the userinfo_endpoint is called and its result is made available to the Post-Authentication procedure. The procedure converts the JSON result into a list of group names and stores them in the APEX session as dynamic groups. An Authorization Scheme under Shared Components can then grant access to the application based on the user's group membership.
Acknowledgments
Author - Aqib Javid Bhat (Senior Cloud Engineer)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
F78176-01
February 2023
Copyright © 2023, Oracle and/or its affiliates.