I have used Oracle APEX Social Sign-On extensively. It is more convenient for users and moves the responsibility for managing passwords from developers to the experts. You can also use Social Sign-On to log into APEX Builder. If you are a developer, this saves time. If you are an administrator, it eliminates password sharing and allows access to be cut off immediately.
In this short, I will show you how to configure Office 365 authentication for APEX Builder.
Microsoft AD Configuration
First, create an 'App registration' in Microsoft Azure Active Directory. You will need to be an administrator of your Office 365 Tenant to complete these steps.
- Log in to portal.azure.com and navigate to 'Azure Active Directory'.
- From the menu on the left-hand side, select 'App registrations'; you should see a list of any existing registrations.
- Click '+ New Registration'
- Enter a name for the registration, then choose which types of Microsoft accounts should be allowed to log in. This should be 'Accounts in this organizational directory only' for APEX Builder access. Then, enter the Redirect URI and click 'Register'. The Redirect URI is typically the same URL you use to access APEX Builder, with /apex_authentication.callback appended to the end, e.g.
- ✏️ Take note of the 'Application (client) ID'.
- Choose 'Certificates & secrets' from the left side menu, then click '+ New client secret'
- Enter a name and expiration for the secret, then click 'Add'
- ✏️ Take note of the client secret 'Value' (not the 'Secret ID')
⚠️ Take note of how to switch APEX Builder authentication back to its default setting. If something goes wrong, you may not be able to log in to APEX Builder unless you can switch back.
Set the Current Authentication Method:
-- Run from a schema with the APEX_ADMINISTRATOR_ROLE role
begin
    apex_instance_admin.set_parameter('APEX_BUILDER_AUTHENTICATION', 'METHOD');
    commit;
end;
Values for METHOD:
APEX (APEX Accounts),
DB (Database Accounts - Default used by OCI Autonomous and APEX Services),
SOCIAL (Social Sign-In)
Get the Current Authentication Method:
SELECT apex_instance_admin.get_parameter('APEX_BUILDER_AUTHENTICATION') FROM sys.dual;
⚠️ Make sure you create an APEX Account that matches your Microsoft email address and assign access to all appropriate workspaces. For example, in the below screenshot, I have created an APEX user 'JON@CLOUDNUEVA.COM'. This matches my Office 365 email address. You do not have to set a password for these users. APEX uses them to Authorize you and decide if you are a Workspace Administrator, Developer, etc. ⏰ Also, remember to set up at least one user to access the INTERNAL workspace (or Administration Services on Oracle OCI Autonomous or APEX Service).
Oracle APEX Configuration
- Log in to the INTERNAL workspace of your APEX instance. If you are using Autonomous or APEX Cloud Service, then log in to 'Administration Services'.
- Navigate to Manage Instance > Security > Development Environment Authentication Schemes and click the pencil icon next to 'Social Sign-In'
- Complete the form per the screenshot below and click 'Make Current Scheme'. Note: 'Client ID' comes from step 5 above, and 'Client Secret' comes from step 8 above.
- Click OK when presented with the popup warning, then log out of APEX Builder.
- Navigate back to your APEX Builder URL; if not already logged into Office 365, you will be directed to Microsoft to log in. You will then be presented with a list of Workspaces that you have access to.
- Choose a workspace, and you will be re-directed to APEX Builder in that Workspace.
- To switch workspaces, click your name in the top right corner and click 'Change Workspace'.
- ⏰ Remember to keep track of when the Active Directory secret expires. Create a new secret in AD and update the APEX Builder Authentication Scheme well before the expiration date.
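One way to keep track of the secret expiry mentioned in the last step, as an added example that is not part of the original post. It assumes the app registration's secrets have been exported as JSON with az ad app credential list --id <Application (client) ID> and that each entry carries displayName, keyId and endDateTime; the sample data is constructed and the 30-day warning window is an arbitrary choice.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample in the shape the Azure CLI export is assumed to have
# (Microsoft Graph passwordCredential fields). Not real data.
SAMPLE = """[
  {"displayName": "apex-builder-2023",
   "keyId": "00000000-0000-0000-0000-000000000001",
   "endDateTime": "2024-03-10T09:00:00Z"},
  {"displayName": "apex-builder-2024",
   "keyId": "00000000-0000-0000-0000-000000000002",
   "endDateTime": "2025-02-01T09:00:00.1234567Z"}
]"""


def parse_end(value):
    """Parse a UTC ISO 8601 timestamp, dropping fractional seconds and the zone suffix."""
    trimmed = re.sub(r"(\.\d+)?(Z|\+00:00)$", "", value)
    return datetime.fromisoformat(trimmed).replace(tzinfo=timezone.utc)


def secret_status(credentials_json, now, warn_days=30):
    """Return (name, days_left, state) for each secret, soonest expiry first."""
    rows = []
    for cred in json.loads(credentials_json):
        days_left = (parse_end(cred["endDateTime"]) - now).days
        if days_left < 0:
            state = "EXPIRED"   # Builder logins using this secret will fail
        elif days_left <= warn_days:
            state = "ROTATE"    # create a new secret and update the APEX scheme
        else:
            state = "OK"
        rows.append((cred.get("displayName") or cred["keyId"], days_left, state))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    for name, days, state in secret_status(SAMPLE, datetime.now(timezone.utc)):
        print(f"{state:8} {days:6d} days  {name}")
```

Match the reported name against the secret whose 'Value' was entered in the APEX scheme; other secrets on the same registration do not keep Builder logins working.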