Oracle APEX Azure SSO
Many have written about setting up Oracle APEX with Azure social sign in.
Here is my adventure –
Prerequisite – you need to have https setup for a callback
https://tech201.com/configure-oracle-apex-to-use-https/
This is the post that starts it all
Another useful post
http://www.grassroots-oracle.com/2019/01/social-sign-in-authentication-scheme.html
Wallet Setup
Download only the root certificates from these URLs. At the time of writing there were different root certificates for each URL. I saved the certificates as “digicert-root.cer” and “digicert-root2.cer”.
https://login.microsoftonline.com/
https://graph.microsoft.com/v1.0/me
To do this, as shown at https://apex.oracle.com/pls/apex/germancommunities/apexcommunity/tipp/6121/index-en.html:
- Browse to https://login.microsoftonline.com/ and open the site's certificate.
- Drill down the certificate chain to the root CA (DigiCert).
- Select the DigiCert root CA, show its details and save the certificate to a file.
- Do the same for https://graph.microsoft.com/v1.0/me.
Create a wallet on the database server.
mkdir -p /home/oracle/wallet
cd /home/oracle/wallet
orapki wallet create -wallet /home/oracle/wallet -pwd MyWalletPassword -auto_login
Add the certificates to the wallet. Don’t worry if they are already present.
$ORACLE_HOME/bin/orapki wallet add -wallet /home/oracle/wallet \
-trusted_cert -cert "/tmp/digicert-root.cer" -pwd MyWalletPassword
$ORACLE_HOME/bin/orapki wallet add -wallet /home/oracle/wallet \
-trusted_cert -cert "/tmp/digicert-root2.cer" -pwd MyWalletPassword
Configure Workspace Isolation
Social sign in uses web service calls, so we have to make sure the workspace can cope with a large number of web service requests.
- Log in to the “INTERNAL” workspace.
- Manage Instance > Security > Workspace Isolation.
- Set “Maximum Web Service Requests” to 1000000, or an appropriate value for your needs.
- Click the “Apply Changes” button.
Configure APEX To Use the Wallet
Enter the wallet details for the APEX instance.
- Log in to the “INTERNAL” workspace.
- Manage Instance > Instance Settings.
- Click on the “Wallet” tab.
- Enter details.
- Wallet Path: file:/home/oracle/wallet (note the file: prefix in front of the path)
- Wallet Password: MyWalletPassword (this can be blank for an auto-login wallet)
- Click the “Apply Changes” button.
Create a network ACL
We create a network ACL for access to the two Azure URLs. Amend the ACL principal to the APEX schema name for your APEX version. I added resolve and http for good measure.
declare
  l_username varchar2(30) := 'APEX_200200';
begin
  dbms_network_acl_admin.append_host_ace(
    host       => 'login.microsoftonline.com',
    lower_port => 443,
    ace        => xs$ace_type(privilege_list => xs$name_list('connect'),
                              principal_name => l_username,
                              principal_type => xs_acl.ptype_db));
  dbms_network_acl_admin.append_host_ace(
    host       => 'graph.microsoft.com',
    lower_port => 443,
    ace        => xs$ace_type(privilege_list => xs$name_list('connect'),
                              principal_name => l_username,
                              principal_type => xs_acl.ptype_db));
  commit;
end;
/
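Before touching the APEX instance settings it is worth confirming that the wallet from the Wallet Setup section and the ACL just created actually work together. The following PL/SQL block is an added example, not code from the original post: it checks that both Azure hosts have a connect ACE for the APEX schema, then makes a TLS request through the wallet to the OpenID Connect metadata document. It assumes the wallet path and password used above, the schema name APEX_200200 from the ACL block, and <tenant-id> as a placeholder for your Azure AD tenant (directory) ID. Run it as a DBA user that itself holds a connect ACE for login.microsoftonline.com, since the HTTP call is made as the connected user.

```sql
-- Added verification example (not part of the original post).
-- Assumptions: wallet file:/home/oracle/wallet with password MyWalletPassword,
-- APEX schema APEX_200200, <tenant-id> = placeholder for your Azure AD tenant ID.
set serveroutput on
declare
  l_username varchar2(30)  := 'APEX_200200';
  l_url      varchar2(400) :=
    'https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration';
  l_req      utl_http.req;
  l_resp     utl_http.resp;
  l_line     varchar2(32767);
  l_count    pls_integer;
begin
  -- 1. ACL check: each Azure host must grant the APEX schema 'connect' on port 443.
  for h in (select column_value as host
              from table(sys.odcivarchar2list('login.microsoftonline.com',
                                              'graph.microsoft.com')))
  loop
    select count(*)
      into l_count
      from dba_host_aces
     where host = h.host
       and upper(principal) = upper(l_username)
       and lower(privilege) = 'connect'
       and (lower_port is null or lower_port <= 443)
       and (upper_port is null or upper_port >= 443);
    dbms_output.put_line(h.host || ' connect ACE for ' || l_username || ': ' ||
                         case when l_count > 0 then 'present' else 'MISSING' end);
  end loop;

  -- 2. Wallet check: the TLS handshake only succeeds if the DigiCert root
  --    in the wallet is trusted; a wrong/missing root raises ORA-29024.
  utl_http.set_wallet('file:/home/oracle/wallet', 'MyWalletPassword');
  utl_http.set_response_error_check(false);   -- report non-2xx instead of raising
  l_req  := utl_http.begin_request(l_url, 'GET', 'HTTP/1.1');
  l_resp := utl_http.get_response(l_req);
  dbms_output.put_line('HTTP status: ' || l_resp.status_code);   -- expect 200
  begin
    -- First line of the JSON metadata document (issuer, endpoints, ...)
    utl_http.read_line(l_resp, l_line, true);
    dbms_output.put_line(substr(l_line, 1, 200));
  exception
    when utl_http.end_of_body then null;
  end;
  utl_http.end_response(l_resp);
exception
  when utl_http.request_failed then
    -- ORA-24247 here means the ACL is missing; ORA-29024 means the wallet
    -- does not trust the server's certificate chain.
    dbms_output.put_line('Request failed: ' || sqlerrm);
end;
/
```

If the ACL lines report MISSING, re-run the append_host_ace block above with the correct schema name; if the request fails with a certificate validation error, the wrong certificate (an intermediate rather than the root) was added to the wallet.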
Setup Azure AD
Now let's get Azure set up.
This post is good, but it does not give written step-by-step instructions:
https://blog.maxjahn.at/2020/03/using-azure-ad-for-authentication-for-oracle-apex-applications/
Open the Azure portal and create an application by clicking New registration.
Next, you need to set up a client secret.
Save the client secret value; you will need it later in APEX.
Next, add your redirect URI. This is your server name followed by /ords/apex_authentication.callback
Then grab the endpoints; we want the OpenID Connect metadata document URL.
Also, grab the Application (client) ID.
Now, to allow users access, go to Enterprise applications.
Go to Users and groups, and add the appropriate users/groups.
Add Web Credentials
Add the web credentials to access Azure AD.
- Log into the workspace that owns the application.
- Shared Components > Web Credentials
- Click the “Create” button.
- Add Details
- Name: Azure
- Static Identifier: AzureAD MyApp
- Authentication Type: Basic
- ClientID or Username: {Client ID from the Azure AD application}
- Client Secret or Password: {Client Secret from the Azure AD application}
- Verify Client Secret or Password: {Client Secret from the Azure AD application}
- Click the “Create” button.
Next up is the Authentication Scheme: in the Credential Store drop-down, select the web credential created above.
After you save the Authentication Scheme it will be named "Azure Schema – Current",
letting you know it is the active scheme for your app.
Now, if you run the app, it will try to authenticate you with Azure.