Oracle APEX Builder Social Sign-on


I have used Oracle APEX Social Sign-On extensively. It is more convenient for users and moves the responsibility for managing passwords from developers to the experts. You can also use Social Sign-On to log into APEX Builder. If you are a developer, this saves time. If you are an administrator, it eliminates password sharing and allows access to be cut off immediately.

In this short post, I will show you how to configure Office 365 authentication for APEX Builder.

Microsoft AD Configuration

First, create an 'App registration' in Microsoft Azure Active Directory. You will need to be an administrator of your Office 365 Tenant to complete these steps.

  1. Log in to portal.azure.com and navigate to 'Azure Active Directory'.
  2. From the menu on the left-hand side, select 'App registrations'; you should see a list of any existing registrations. [Screenshot: Azure Active Directory App registrations page]
  3. Click '+ New Registration'.
  4. Enter a name for the registration, then choose which types of Microsoft accounts should be allowed to log in. This should be 'Accounts in this organizational directory only' for APEX Builder access. Then, enter the Redirect URI and click 'Register'. The Redirect URI is typically the same URL you use to access APEX Builder with /apex_authentication.callback appended to the end, e.g. https://www.example.com/ords/apex_authentication.callback [Screenshot: AD App Registration creation page]
  5. ✏️ Take note of the 'Application (client) ID'. [Screenshot: Client ID for new AD App Registration]
  6. Choose 'Certificates & secrets' from the left side menu, then click '+ New client secret'.
  7. Enter a name and expiration for the secret, then click 'Add'. [Screenshot: creation of AD App Registration credentials]
  8. ✏️ Take note of the client secret 'Value' (not the 'Secret ID'). [Screenshot: AD App Registration client secret]

Warnings

⚠️ Take note of how to switch APEX Builder authentication back to its default setting. If something goes wrong, you may not be able to log in to APEX Builder unless you can switch back.

Set the Current Authentication Method:

-- Run from a schema with the APEX_ADMINISTRATOR_ROLE role
-- Replace METHOD with one of the values listed below (APEX, DB or SOCIAL)
begin
  apex_instance_admin.set_parameter
    ('APEX_BUILDER_AUTHENTICATION','METHOD');
  commit;
end;

Values for METHOD: APEX (APEX Accounts), DB (Database Accounts - Default used by OCI Autonomous and APEX Services), SOCIAL (Social Sign-In)

Get the Current Authentication Method:

SELECT apex_instance_admin.get_parameter('APEX_BUILDER_AUTHENTICATION')
FROM    sys.dual;

⚠️ Make sure you create an APEX Account that matches your Microsoft email address and assign access to all appropriate workspaces. For example, in the below screenshot, I have created an APEX user ''. This matches my Office 365 email address. You do not have to set a password for these users. APEX uses them to authorize you and decide if you are a Workspace Administrator, Developer, etc.

⏰ Also, remember to set up at least one user to access the INTERNAL workspace (or Administration Services on Oracle OCI Autonomous or APEX Service).

[Screenshot: Oracle APEX Accounts setup for Social Sign-on access to APEX Builder]

Oracle APEX Configuration

  1. Log in to the INTERNAL workspace of your APEX instance. If you are using Autonomous or APEX Cloud Service, then log in to 'Administration Services'.
  2. Navigate to Manage Instance > Security > Development Environment Authentication Schemes and click the pencil icon next to 'Social Sign-In'. [Screenshot: Development Environment Authentication Schemes for Oracle APEX Builder]
  3. Complete the form per the screenshot below and click 'Make Current Scheme'. Note: 'Client ID' comes from step 5 above, and 'Client Secret' comes from step 8 above. [Screenshot: Single Sign-on settings for Oracle APEX Builder]
  4. Click OK when presented with the popup warning, then log out of APEX Builder.
  5. Navigate back to your APEX Builder URL; if not already logged into Office 365, you will be directed to Microsoft to log in. You will then be presented with a list of Workspaces that you have access to. [Screenshot: list of available Workspaces for Oracle APEX Single Sign-on user]
  6. Choose a workspace, and you will be redirected to APEX Builder in that Workspace.
  7. To switch workspaces, click your name in the top right corner and click 'Change Workspace'. [Screenshot: APEX Builder Switch Workspace]

Considerations

  • ⏰ Remember to keep track of when the Active Directory secret expires. Create a new secret in AD and update the APEX Builder Authentication Scheme well before the expiration date.
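
One way to keep track of that expiry, as an added example (not code from the original post): a Python check over the app registration's JSON as Microsoft Graph returns it, where each client secret appears under `passwordCredentials` with an `endDateTime`. The sample object, the secret names and the 30-day warning window are constructed assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a Microsoft Graph application object
# (GET /applications/{object-id}); every name and date here is made up.
SAMPLE_APP = json.loads("""
{"displayName": "APEX Builder SSO (constructed)",
 "passwordCredentials": [
  {"displayName": "apex-2025", "endDateTime": "2025-06-30T00:00:00Z"},
  {"displayName": "apex-2023", "endDateTime": "2024-03-01T00:00:00Z"},
  {"displayName": "apex-2024", "endDateTime": "2024-07-15T09:30:00.1234567Z"}
 ]}
""")

def parse_graph_time(value):
    """Parse a UTC timestamp, tolerating fractional seconds of any length
    (datetime.fromisoformat rejects some of these on older Pythons)."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.\d+)?Z", value)
    if not m:
        raise ValueError(f"unexpected timestamp: {value!r}")
    parsed = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)

def secret_status(app, now, warn_days=30):
    """Return (status, name, whole_days_left) per secret, soonest first."""
    rows = []
    for cred in app.get("passwordCredentials", []):
        left = (parse_graph_time(cred["endDateTime"]) - now) // timedelta(days=1)
        if left < 0:
            status = "EXPIRED"
        elif left <= warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        rows.append((status, cred.get("displayName"), left))
    return sorted(rows, key=lambda row: row[2])

def rotation_due(app, secret_name, now, warn_days=30):
    """True when the secret configured in APEX is missing, expired or close
    to expiry. secret_name is the name entered in step 7 (assumption: you
    recorded which secret the Builder authentication scheme uses)."""
    for status, name, _ in secret_status(app, now, warn_days):
        if name == secret_name:
            return status != "OK"
    return True  # not found: deleted or renamed, so treat as due

if __name__ == "__main__":
    for row in secret_status(SAMPLE_APP, datetime.now(timezone.utc)):
        print(*row)
```

Old secrets left over from earlier rotations show as EXPIRED, which is why `rotation_due` looks only at the named secret that APEX is actually configured with.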
