Monday, July 7, 2025

Use SAML Sign-In Authentication

Introduction
SAML (Security Assertion Markup Language) Sign-In Authentication in Oracle APEX enables secure, standards-based single sign-on (SSO) by allowing users to authenticate through an external identity provider (IdP). With SAML, users can log in once through their corporate identity system and access multiple applications without needing to re-enter credentials. This integration enhances security, simplifies user access, and ensures centralized control over identity management in enterprise environments.

SAML (Security Assertion Markup Language) Sign-In Authentication in Oracle APEX allows users to authenticate through a trusted external Identity Provider (IdP), such as Microsoft Entra ID (formerly Azure AD), Okta, or any other SAML 2.0-compliant provider. This method supports enterprise-level single sign-on (SSO), enabling users to sign in once and gain access to multiple systems without repeatedly entering credentials.

To configure SAML authentication in Oracle APEX, begin by setting up the Identity Provider (IdP). The IdP must be configured to recognize your Oracle APEX application as a Service Provider (SP). During this step, you will generate and exchange metadata between the IdP and APEX. The metadata includes the entity ID, assertion consumer service (ACS) URL, and public signing certificate.

In APEX, go to Shared Components > Authentication Schemes, then click Create and choose Based on a Preconfigured Scheme from Gallery. Select Social Sign-In. Although it’s labeled for social providers, APEX 21.2 and higher support SAML through this method. Provide a name like “SAML Enterprise Login.”

Configure the authentication scheme with the following details:

  • Authentication Provider: Choose SAML 2.0.
  • Identity Provider Metadata URL or upload the XML metadata file provided by your IdP.
  • SP Entity ID: This uniquely identifies your APEX application as a service provider.
  • ACS URL: This is the URL where the IdP will post the SAML response. APEX provides this value automatically, usually in the form https://<your-domain>/ords/wwv_flow.accept.

After setting these parameters, APEX will automatically register its public key and certificate if needed. Ensure your web server is accessible using HTTPS, as SAML requires secure transport for the assertion data.

In the authentication scheme, you can define how to extract the username from the SAML response. Most IdPs send it in the NameID field, but you can also use custom attributes such as email, username, or UPN. Use the Username Attribute Mapping field in APEX to define how this data is read.

Example: NameID or user.email

Set this new SAML authentication scheme as the current one for your application. Once active, when users attempt to access your app, they will be redirected to the IdP login page. After successful authentication, the IdP sends a signed SAML assertion back to APEX, and the session is established.

You can use the Post-Authentication Procedure to run custom PL/SQL logic once the user has been authenticated. This is useful for assigning roles, initializing session variables, or logging activity.

Example:

BEGIN
  -- Look up the role for the authenticated user and store it in the APP_ROLE application item
  SELECT role INTO :APP_ROLE FROM app_users WHERE username = :APP_USER;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    -- The IdP authenticated a user who has no row in app_users: leave the role unset
    :APP_ROLE := NULL;
END;

Be sure to test the flow end to end. Use the IdP’s diagnostic tools and logs if authentication fails, and confirm that the APEX app correctly receives the SAML assertion.

SAML authentication in Oracle APEX provides robust security, eliminates password fatigue, and improves user experience by enabling federated identity management. It is a powerful option for organizations that require centralized access control and seamless single sign-on integration with their enterprise infrastructure.

SAML (Security Assertion Markup Language) Sign-In allows delegated authentication to an external SAML identity provider (IdP). This enables single sign-on (SSO), allowing users to authenticate once and gain access to multiple applications without repeated logins.

 

Key Features of SAML Authentication

  • Single Sign-On (SSO) – Users log in once and can access multiple systems without re-entering credentials.
  • Secure Identity Federation – Enables authentication via a trusted identity provider (IdP).
  • Standardized Protocol – Uses an XML-based framework for secure authentication across different platforms.
  • Improved User Experience – Reduces password fatigue and enhances security by minimizing multiple logins.

 

Prerequisites for Using SAML Sign-In

Oracle Database Version – SAML authentication requires:

  • Oracle Database 19c (Database Release Update 19.9.0.0.0 or later)
  • Oracle Database 23ai

If your database does not meet these requirements, the SAML Sign-In authentication scheme will not be available.

Configured SAML Identity Provider (IdP) – Your organization must have a SAML-compliant IdP, such as:

  • Oracle Identity Cloud Service (IDCS)
  • Microsoft Entra ID (formerly Azure AD)
  • Okta
  • Google Workspace
  • Any other IdP supporting SAML 2.0

Service Provider (SP) Configuration – Oracle APEX must be registered as a service provider with the IdP to enable authentication.

 

How SAML Sign-In Works in Oracle APEX

  1. User Requests Access – The user attempts to access an Oracle APEX application.
  2. Redirect to IdP – The application redirects the user to the configured SAML identity provider (IdP).
  3. User Authentication – The user logs in with corporate credentials at the IdP.
  4. Assertion Exchange – The IdP generates a SAML assertion (a secure token containing user identity details) and sends it back to APEX.
  5. Session Establishment – APEX validates the assertion and establishes an authenticated session for the user.
  6. Application Access – The user is granted access and can navigate the application without further authentication.
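Added example, not Oracle's or APEX's own code, covering both the configuration values from the setup section (SP Entity ID, ACS URL, Username Attribute Mapping of NameID or user.email) and steps 4 and 5 above (assertion exchange and session establishment): the checks a service provider makes on a SAML Response before it maps the subject to a username. Hostnames, the sample response and its timestamps are constructed; the XML signature is assumed to have been verified by the SAML library before these checks run.

```python
# Added example (not Oracle/APEX code): the checks a service provider makes on a SAML 2.0
# Response before mapping its subject to an APEX username, using the values configured
# above: SP Entity ID (Audience), ACS URL (Destination/Recipient) and the Username
# Attribute Mapping of NameID or a custom attribute such as user.email. Assumes the XML
# signature was already verified by the SAML library; hosts, response and times are constructed.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://apex.example.com/sp"                # hypothetical SP Entity ID
ACS_URL = "https://apex.example.com/ords/wwv_flow.accept"   # ACS URL in the form given above

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://apex.example.com/ords/wwv_flow.accept">
 <saml:Assertion><saml:Subject><saml:NameID>jdoe</saml:NameID><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://apex.example.com/ords/wwv_flow.accept" NotOnOrAfter="2030-01-01T00:00:00Z"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2030-01-01T00:00:00Z">
  <saml:AudienceRestriction><saml:Audience>https://apex.example.com/sp</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="user.email">
  <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def _ts(s):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def username_from_response(xml_text, sp_entity_id, acs_url, mapping="NameID", now=None, upper=False):
    """Return the username to start the session for; raise ValueError if the assertion is stale, for another SP, or not for our ACS URL."""
    t = _ts(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("response carries no assertion")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= t < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if sp_entity_id not in [e.text for e in a.findall(".//saml:Audience", NS)]:
        raise ValueError("assertion issued for a different SP Entity ID")
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if root.get("Destination") != acs_url or scd is None or scd.get("Recipient") != acs_url:
        raise ValueError("assertion not addressed to our ACS URL")
    if mapping == "NameID":
        name = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    else:  # custom attribute named in the Username Attribute Mapping field, e.g. user.email
        name = a.findtext(f".//saml:Attribute[@Name='{mapping}']/saml:AttributeValue", namespaces=NS)
    if not name:
        raise ValueError(f"username attribute {mapping} missing from assertion")
    return name.upper() if upper else name  # upper mirrors Convert Username To Upper Case
```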

 

Benefits of Using SAML Sign-In in Oracle APEX

  • Stronger Security – Centralized authentication helps enforce multi-factor authentication (MFA) and security policies.
  • Seamless User Experience – Users do not need to remember multiple passwords for different applications.
  • Enterprise Integration – Easily connects to corporate identity management systems for user authentication.
  • Regulatory Compliance – Meets security standards like GDPR, HIPAA, and SOC 2 by using a federated authentication approach.

 

Modern Authentication Recommendation

Oracle recommends SAML or OAuth2/OIDC authentication over traditional database or APEX account authentication for production environments. SAML provides strong security, seamless access management, and integration with enterprise identity providers, making it a preferred choice for cloud and enterprise applications.

 

To set up a SAML Sign In authentication scheme in your application:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    a. Name - Enter the name used to reference the authentication scheme by other application developers.
    b. Scheme Type - Select SAML Sign In.
  8. Under Settings:
    a. Use SAML Attributes of - Select Instance.
    b. Convert Username To Upper Case - Configure whether the attribute values for the username should be converted to upper case.

Finally, click Create Authentication Scheme.

Conclusion
Implementing SAML Sign-In Authentication in Oracle APEX provides a powerful and flexible solution for organizations looking to streamline access across multiple systems. By connecting APEX with a trusted identity provider, developers can offer a secure and seamless user experience while reducing administrative overhead. SAML authentication strengthens access control, supports enterprise SSO strategies, and aligns APEX applications with modern security standards.

Oracle Application Server Single Sign-On (SSO) Authentication

Introduction
Oracle Application Server Single Sign-On (SSO) Authentication provides a centralized authentication mechanism that allows users to access multiple Oracle applications with a single set of credentials. By integrating Oracle APEX with Oracle Application Server SSO, organizations can streamline user login experiences, improve security through unified identity management, and reduce the complexity of managing multiple user accounts. This approach is ideal for enterprises seeking seamless and secure access across their application ecosystem.

Oracle Application Server Single Sign-On (SSO) Authentication in Oracle APEX allows users to log in once and gain access to multiple applications without re-entering credentials. This is achieved by integrating APEX with Oracle Application Server’s SSO infrastructure, which manages user identities centrally and provides seamless authentication across connected applications.

To configure Oracle Application Server SSO Authentication, start by ensuring that your Oracle Application Server environment is set up with the SSO component enabled and properly configured. This includes having the Oracle Internet Directory (OID) or another LDAP directory as the user store, and the WebGate or mod_osso agent installed and configured on your web server to intercept and authenticate requests.

In Oracle APEX, navigate to your application and go to Shared Components > Authentication Schemes. Click Create, then select Based on a Preconfigured Scheme from Gallery. Choose Oracle Application Server Single Sign-On from the list and proceed.

Configure the authentication scheme by specifying parameters such as:

  • The SSO login and logout URLs provided by your Oracle Application Server environment.
  • The HTTP header name (usually REMOTE_USER) where the authenticated username is passed by the SSO agent.
  • Any additional attributes or user mapping settings required to align the SSO username with APEX user records.

Once configured, set this scheme as the current authentication method for your application. When a user accesses the application, the Oracle Application Server SSO will check if they are already authenticated. If not, the user is redirected to the centralized login page. Upon successful login, the SSO agent passes the user’s identity to APEX via HTTP headers, allowing APEX to create a session for that user without requiring further authentication.

You can also define a Post-Authentication Procedure in PL/SQL within APEX to load additional user information, roles, or preferences based on the SSO user identity.

This setup allows enterprises to enforce consistent security policies, simplify password management, and provide a unified user experience across Oracle applications. It also supports advanced features like single logout, session management, and auditing through the Oracle Application Server.

Care must be taken to ensure that communication between the web server, SSO infrastructure, and APEX is secure, typically using HTTPS and proper firewall rules. Additionally, mapping between the SSO user and APEX user accounts should be maintained to provide appropriate authorization within the application.

By implementing Oracle Application Server Single Sign-On Authentication, Oracle APEX applications benefit from centralized identity management and seamless user access, improving both security and user convenience.

Oracle APEX supports authentication through Oracle Application Server Single Sign-On (SSO), allowing users to log in once and access multiple applications without re-entering credentials. This method delegates authentication to the Oracle AS SSO Server, ensuring centralized authentication across enterprise applications.

 

Prerequisites for Using Oracle AS SSO Authentication

To use this authentication scheme, the following conditions must be met:

  • Partner Application Registration – Your site must be registered as a partner application with the Oracle AS SSO server.
  • Oracle 9iAS SSO Software Developer Kit (SDK) – This authentication scheme only appears if the SDK is installed in your database.
  • SSO Server Setup – The Oracle AS SSO server must be properly configured to handle authentication requests.

 

How Oracle AS SSO Authentication Works

  1. User Requests Access – When a user accesses an APEX application for the first time in a new browser session, APEX redirects them to the Oracle AS SSO login page.
  2. SSO Authentication – The user logs in using SSO credentials, and the Oracle AS SSO server verifies their identity.
  3. Redirect to APEX – Once authenticated, the SSO server redirects the user back to the APEX application.
  4. Session Management – The APEX engine retrieves the user identity and grants access to the application.
  5. Continued Access – The user remains authenticated until they log out or terminate their session.

 

Limitations and Modern Alternatives

  • Legacy Technology – Oracle AS SSO is an older authentication method and requires specific Oracle infrastructure. 
  • Requires Additional Setup – Applications must be manually registered as partner applications, which can be complex.
  • No Integrated Login Page – Authentication is fully handled by the SSO server, limiting customization options.

Recommended Modern Alternatives

  • SAML 2.0 Authentication – Secure and widely adopted Single Sign-On protocol for enterprise authentication.
  • OAuth2 & OpenID Connect (OIDC) – Supports authentication via identity providers like Oracle Identity Cloud Service (IDCS), Microsoft Entra ID (formerly Azure AD), and Google.
  • Social Sign-In – Allows users to authenticate with Google, Facebook, or other social providers.

Oracle recommends transitioning to a modern Single Sign-On method, such as SAML or OAuth2, for enhanced security, flexibility, and support for cloud-based identity providers.


To set up Oracle Application Server Single Sign-On:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    a. Name - Enter the name used to reference the authentication scheme by other application developers.
    b. Scheme Type - Select Oracle Application Server Single Sign-On.
  8. Under Settings:
    a. Partner Application Name - If you authenticate with Oracle Application Server Single Sign-On and your application is a registered partner application with SSO, enter exactly the same name you used when registering the partner application with SSO. If you are relying on APEX to be the registered partner application, leave this field blank.
    b. Logout URL of SSO Server - Enter the logout path of the Single Sign-On Server (for example https://login.example.com/sso/logout). On logout of your application, APEX will use this value, concatenate '?p_done_url=' and the application's login URL, and use the resulting URL to log out of Single Sign-On before redirecting back to your application.

Finally, click Create Authentication Scheme.
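Added example, not Oracle's or APEX's own code, for two points in this section: the username arrives in the HTTP header the SSO agent sets (REMOTE_USER, as stated above) and must only be trusted when the agent actually intercepted the request, and the logout URL is composed as the Logout URL of SSO Server followed by '?p_done_url=' and the application's login URL. The header dictionary and URLs are constructed; percent-encoding the login URL is this example's choice, not something the page states.

```python
# Added example (not Oracle/APEX code) for the Oracle AS SSO scheme above: take the
# username from the header the SSO agent sets (REMOTE_USER, as stated above) and build
# the logout URL as '<Logout URL of SSO Server>?p_done_url=<login URL>'. The header
# dict and URLs are constructed; percent-encoding the login URL is this example's choice.
from urllib.parse import quote, urlsplit

def username_from_agent_header(headers, header_name="REMOTE_USER", via_agent=True):
    """Return the SSO username, or None if there is no trusted identity header.
    via_agent must say whether mod_osso/WebGate intercepted this request: a REMOTE_USER
    value on a path the agent does not protect is client input, not an authenticated identity."""
    if not via_agent:
        return None
    value = (headers.get(header_name) or "").strip()
    return value or None

def sso_logout_url(logout_url_of_sso_server, app_login_url):
    """Compose the URL APEX uses to log out of SSO before redirecting back to the app."""
    for u in (logout_url_of_sso_server, app_login_url):
        if urlsplit(u).scheme != "https":  # keep SSO traffic on HTTPS, as recommended above
            raise ValueError(f"not an HTTPS URL: {u}")
    # Encoding keeps the login URL's own '?' and '=' inside the p_done_url value
    return f"{logout_url_of_sso_server}?p_done_url={quote(app_login_url, safe='')}"
```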

Conclusion
Implementing Oracle Application Server Single Sign-On (SSO) Authentication in Oracle APEX enhances both security and usability by centralizing authentication processes. It simplifies user management, reduces password fatigue, and enables consistent enforcement of access policies. When properly configured, SSO integration ensures that users can efficiently and securely navigate multiple Oracle applications without repeated logins, delivering a smoother and more professional user experience.

 
