APEX SAML Sign-In Setup

November 11, 2023 | 8 minute read
Dinesh Maricherla
Principal Solution Engineer

As mentioned in this blog, Oracle APEX is a low-code application development framework from Oracle that runs on an existing Oracle Database on OCI (either DBCS or Autonomous Database). It is a three-tier application, consisting of a client tier (the browser), a middle tier (the APEX application engine) and a data tier (back-end databases and REST APIs on top of various systems and data stores). On an OCI-managed APEX instance the middle tier is a managed service, and you just use the interface to build and consume custom applications. APEX is also included as part of the OCI database license.

By default, APEX authenticates users against the OCI database using database credentials. Customers might need to integrate APEX with a single sign-on solution. Oracle APEX supports both Security Assertion Markup Language (SAML) and OpenID Connect for authentication. In this blog, we will set up SAML single sign-on for an APEX instance (the Service Provider) with OCI IAM as the Identity Provider. An APEX instance configured with SAML does not have to maintain account information; the identity provider bears that burden.

SAML is an XML-based standard for exchanging authentication and authorization data between software entities on the web. SAML trust is based on the interaction of an asserting party (the identity provider, which issues signed assertions) and a relying party (the service provider, which validates them). SAML provides single sign-on: users authenticate once at the identity provider and can then access service providers at other locations without logging in again.

For this setup, we need to configure the Autonomous Database to use ORDS running in a customer-managed environment, because none of the ORDS configuration options of the default ORDS on Autonomous Database can be modified. Installing and configuring a customer-managed ORDS environment lets us edit the ORDS configuration, in this case for SAML. We will use a Tomcat server to host ORDS. Let's get started.

The architecture is as below.

Oracle APEX Architecture

Apex Instance Setup:

(Follow the steps mentioned in the documentation to create an APEX Instance.)

We will create an Autonomous Database instance; it includes a dedicated instance of Oracle APEX.

Autonomous DB

Navigate to the APEX instance from the OCI console: log in to the console and browse to “APEX Instances” under the Developer Services menu.

APEX Instance

Once the APEX instance is ready, launch it from the instance page. It opens in a new browser tab; log in with the Admin user and password. Now that the APEX instance is ready, follow the steps in this document to install and configure Oracle REST Data Services (ORDS). ORDS can run in standalone mode or on an application server such as WebLogic or Tomcat. In this case we are using a Tomcat server.

Once the installation and configuration are done, access the ORDS application on the Tomcat server over a secure (HTTPS) port. For me it is https://xxx.xxx.xx.xxx:xxxx/ords/apex_admin for APEX Administration Services and https://xxx.xxx.xx.xxx:xxxx/ords/r/apex/workspace-sign-in for the APEX workspace sign-in. APEXSSO is the workspace I created for this configuration.

APEX Sign In Page

OCI IAM (IDP) SAML Setup:

  1. Log in to the OCI console and browse to the OCI IAM identity domain you want to use for the APEX integration.

    OCI IAM Domains

     

  2. Select the domain and click on the Integrated Applications menu to add a SAML application.

    Add SAML Application

     

  3. Create the SAML application as shown below. Provide the Entity ID and the Assertion Consumer URL. Example: https://<DNSName/Hostname/IPaddress:PORT>/ords/apex_authentication.saml_callback (the same value is used for both the Entity ID and the Assertion Consumer URL). The scheme, host and port must be exactly what the browser uses to reach ORDS over HTTPS: the IdP posts the signed assertion back to this URL, and a compliant service provider rejects assertions whose Destination or Recipient does not match it.

    OCIIAMSSOConf

    Make sure to check “Include signing certificate in signature”.

    IncludeSigningCert

    Save the configuration and download the signing certificate.

    DownloadSigningCert

     

  4. Activate the application.
  5. Copy the identity domain URL from the domain. Example: https://idcs-xxxxxxxxxxxxxxxxxxx.identity.oraclecloud.com:443
  6. Create a user in the identity domain to test the login.

    OCI IAM User

  7. Add the user to the SAML Application.

SAML Application

Configuration at APEX Application (SP):

At the APEX Administration Services page, the steps for the SAML configuration are as follows:

  1. Navigate to Manage Instance, Security and Authentication Control.

    Authentication Control

     

  2. Edit the SAML configuration.

    SAMLAuth

     

  3. Provide the details as described in the documentation. As shown below, provide the Issuer and the signing certificate under the APEX attributes.

    ApexAttribute

  4. Go back to the identity domain and capture the identity domain URL (step 5 of the OCI IAM SAML setup), and use the signing certificate downloaded from the SAML application we created (step 3 of the OCI IAM SAML setup). Provide the Sign-In and Sign-Out URLs using the identity domain's IdP endpoints on the same host as the identity domain URL. Sign-In URL example: https://idcs-xxxxxxxxxxxxxxxxxxx.identity.oraclecloud.com/fed/v1/idp/sso. Sign-Out URL example: https://idcs-xxxxxxxxxxxxxxxxxxx.identity.oraclecloud.com/fed/v1/idp/slo.

    APEXAttributes

     

  5. Make sure Enable SAML for Applications is turned on, then click Apply Changes. Note: if we want, we can enable SAML authentication for all users by clicking “Make Current Scheme”. When we do that, all users, including the Admin user, must log in via the IdP, in our case the OCI identity domain. Test the scheme on a single application first (as in the next section): once it is the current scheme, a misconfigured or unavailable IdP also locks out the administrator.

    Enable SAML For Application
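The values configured above (Entity ID, Assertion Consumer URL, Issuer, signing certificate) are exactly the values the service provider checks against every SAML Response the IdP posts back to /ords/apex_authentication.saml_callback. The following is an added example, not APEX or ORDS code, that walks through those service-provider-side checks on a constructed Response so the role of each setting is visible. All URLs, request IDs and the certificate string are hypothetical stand-ins; the constructed Response is shaped like a real one but is not a capture. Cryptographic XML-DSig verification requires a library such as python-xmlsec and is left out here (APEX/ORDS performs it); the block checks that the assertion is signed with the pinned certificate and that Destination, Recipient, Audience, Issuer, InResponseTo and the validity window all match.

```python
"""SP-side checks on a SAML Response, mirroring the trust settings configured in APEX (added
example, not APEX/ORDS code; all URLs, IDs and the certificate are constructed stand-ins).
XML-DSig verification itself needs a library such as python-xmlsec and is left out here."""
import base64
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical stand-ins for the values configured in this post.
SP_ACS_URL = "https://apex.example.com:8443/ords/apex_authentication.saml_callback"
SP_ENTITY_ID = SP_ACS_URL  # the post uses one value for Entity ID and Assertion Consumer URL
IDP_ISSUER = "https://idcs-0123456789abcdef.identity.oraclecloud.com:443"
PINNED_CERT = "MIIBconstructedCertificateBodyNotARealCert=="  # the cert downloaded from the IdP app

def _ts(value):
    """Parse a SAML UTC timestamp such as 2023-11-11T10:00:00Z (fractional seconds dropped)."""
    return datetime.strptime(re.sub(r"\.\d+Z$", "Z", value), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _in_window(el, now):
    """True if now lies inside the element's optional NotBefore / NotOnOrAfter bounds."""
    nb, noa = el.get("NotBefore"), el.get("NotOnOrAfter")
    return (not nb or now >= _ts(nb)) and (not noa or now < _ts(noa))

def decode_post_binding(saml_response_field):
    """HTTP-POST binding: the Response arrives base64-encoded in the SAMLResponse form field."""
    return base64.b64decode(saml_response_field).decode("utf-8")

def check_saml_response(xml_text, expected_request_id, now=None):
    """Return the list of failed checks; an empty list means the Response passed all of them."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    checks = [
        (root.get("Destination") == SP_ACS_URL, "Destination is not our ACS URL"),
        (root.get("InResponseTo") == expected_request_id,
         "InResponseTo does not match the AuthnRequest we issued (replay or unsolicited)"),
        (code is not None and code.get("Value") == SUCCESS, "StatusCode is not Success"),
        (assertion is not None, "no plaintext saml:Assertion (EncryptedAssertion is out of scope here)"),
    ]
    if assertion is not None:
        # Signed with the pinned certificate: this is why the post ticks
        # "Include signing certificate in signature" on the IdP application.
        cert = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        cond = assertion.find("saml:Conditions", NS)
        scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        audiences = [] if cond is None else [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        checks += [
            (assertion.findtext("saml:Issuer", namespaces=NS) == IDP_ISSUER, "Issuer is not the configured identity domain"),
            (cert is not None, "Assertion is not signed"),
            (cert is None or "".join(cert.split()) == PINNED_CERT, "embedded signing certificate differs from the pinned one"),
            (cond is not None and _in_window(cond, now), "assertion expired or not yet valid (Conditions NotBefore/NotOnOrAfter)"),
            (SP_ENTITY_ID in audiences, "Audience does not include our Entity ID"),
            (scd is not None and scd.get("Recipient") == SP_ACS_URL, "SubjectConfirmationData Recipient is not our ACS URL"),
            (scd is not None and _in_window(scd, now), "bearer confirmation expired (SubjectConfirmationData NotOnOrAfter)"),
            (bool(assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)), "no NameID to map to an APEX user"),
        ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample, shaped like what the IdP posts to the callback after a successful login.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_resp1" Version="2.0" IssueInstant="2023-11-11T10:00:05Z" Destination="{SP_ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-11-11T10:00:05Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PINNED_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuser@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1" Recipient="{SP_ACS_URL}" NotOnOrAfter="2023-11-11T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-11-11T10:00:00Z" NotOnOrAfter="2023-11-11T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_POST_FIELD = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
DEMO_NOW = datetime(2023, 11, 11, 10, 0, 30, tzinfo=timezone.utc)  # inside the 5-minute validity window

def demo():
    """Checks on the sample as issued, via the POST binding, replayed, expired, and meant for another SP."""
    other_sp = SAMPLE_RESPONSE.replace(f">{SP_ENTITY_ID}</saml:Audience>", ">https://other.example/sp</saml:Audience>")
    return {"valid": check_saml_response(SAMPLE_RESPONSE, "_req1", DEMO_NOW),
            "via_post_binding": check_saml_response(decode_post_binding(SAMPLE_POST_FIELD), "_req1", DEMO_NOW),
            "wrong_request_id": check_saml_response(SAMPLE_RESPONSE, "_req2", DEMO_NOW),
            "expired": check_saml_response(SAMPLE_RESPONSE, "_req1", DEMO_NOW.replace(minute=10)),
            "wrong_audience": check_saml_response(other_sp, "_req1", DEMO_NOW)}
```

Calling demo() returns an empty problem list for the sample as issued and for the same sample unwrapped from the POST binding, and one or more named failures for the replayed, expired and wrong-audience variants. The practical lesson is that a typo in the Entity ID or callback URL on either side, or an out-of-date signing certificate in the APEX attributes, fails at exactly these checks, so those four values are the first thing to compare when the redirect back from OCI IAM ends in an authentication error.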

     

Apex Application Configuration: In this example, we use Sample Charts as an APEX application.

  1. Navigate to Shared Components of the application (sample-charts).

    Shared Components

     

  2. Go to Authentication Schemes to change the scheme to SAML Sign-In.

    Authentication Scheme

     

  3. Change the authentication scheme to SAML Sign-In.

    Change Authentication Scheme

     

  4. Apply Changes. We are done with the configuration. Let's test the configuration now.
  5. Go to the application URL: https://xxxxxxx:xx/ords/r/apexsso/sample-charts/
  6. Sign in to the application; the user is redirected to the IdP's login page. Provide the credentials.

    IDP Redirect

     

  7. On a successful login, we are redirected back to the application, authenticated.

    Successful Authentication

     

Note: APEX supports just-in-time (JIT) provisioning. A complete use case would be a user set up in Azure AD logging into the APEX application with Azure AD credentials; the user is provisioned into the OCI identity domain the first time they log in, because of the JIT configuration. For this to work, we need to set up identity lifecycle management between OCI IAM and Azure AD and configure JIT provisioning from Azure AD to OCI IAM.

Dinesh Maricherla is a security professional at Oracle working as a Principal Solution Engineer. Dinesh strives to stay abreast of the latest trends and best practices within the dynamic field of security.
