
Monday, July 7, 2025

Oracle Application Server Single Sign-On (SSO) Authentication

 

Introduction
Oracle Application Server Single Sign-On (SSO) Authentication provides a centralized authentication mechanism that allows users to access multiple Oracle applications with a single set of credentials. By integrating Oracle APEX with Oracle Application Server SSO, organizations can streamline user login experiences, improve security through unified identity management, and reduce the complexity of managing multiple user accounts. This approach is ideal for enterprises seeking seamless and secure access across their application ecosystem.

Oracle Application Server Single Sign-On (SSO) Authentication in Oracle APEX allows users to log in once and gain access to multiple applications without re-entering credentials. This is achieved by integrating APEX with Oracle Application Server’s SSO infrastructure, which manages user identities centrally and provides seamless authentication across connected applications.

To configure Oracle Application Server SSO Authentication, start by ensuring that your Oracle Application Server environment is set up with the SSO component enabled and properly configured. This includes having the Oracle Internet Directory (OID) or another LDAP directory as the user store, and the WebGate or mod_osso agent installed and configured on your web server to intercept and authenticate requests.

In Oracle APEX, navigate to your application and go to Shared Components > Authentication Schemes. Click Create, then select Based on a Preconfigured Scheme from Gallery. Choose Oracle Application Server Single Sign-On from the list and proceed.

Configure the authentication scheme by specifying parameters such as:

  • The SSO login and logout URLs provided by your Oracle Application Server environment.
  • The HTTP header name (usually REMOTE_USER) where the authenticated username is passed by the SSO agent.
  • Any additional attributes or user mapping settings required to align the SSO username with APEX user records.

Once configured, set this scheme as the current authentication method for your application. When a user accesses the application, the Oracle Application Server SSO will check if they are already authenticated. If not, the user is redirected to the centralized login page. Upon successful login, the SSO agent passes the user’s identity to APEX via HTTP headers, allowing APEX to create a session for that user without requiring further authentication.

You can also define a Post-Authentication Procedure in PL/SQL within APEX to load additional user information, roles, or preferences based on the SSO user identity.

This setup allows enterprises to enforce consistent security policies, simplify password management, and provide a unified user experience across Oracle applications. It also supports advanced features like single logout, session management, and auditing through the Oracle Application Server.

Care must be taken to ensure that communication between the web server, SSO infrastructure, and APEX is secure, typically using HTTPS and proper firewall rules. Additionally, mapping between the SSO user and APEX user accounts should be maintained to provide appropriate authorization within the application.

By implementing Oracle Application Server Single Sign-On Authentication, Oracle APEX applications benefit from centralized identity management and seamless user access, improving both security and user convenience.

Oracle APEX supports authentication through Oracle Application Server Single Sign-On (SSO), allowing users to log in once and access multiple applications without re-entering credentials. This method delegates authentication to the Oracle AS SSO Server, ensuring centralized authentication across enterprise applications.

 

Prerequisites for Using Oracle AS SSO Authentication

To use this authentication scheme, the following conditions must be met:

  • Partner Application Registration – Your site must be registered as a partner application with the Oracle AS SSO server.
  • Oracle 9iAS SSO Software Developer Kit (SDK) – This authentication scheme only appears if the SDK is installed in your database.
  • SSO Server Setup – The Oracle AS SSO server must be properly configured to handle authentication requests.

 

How Oracle AS SSO Authentication Works

  1. User Requests Access – When a user accesses an APEX application for the first time in a new browser session, APEX redirects them to the Oracle AS SSO login page.
  2. SSO Authentication – The user logs in using SSO credentials, and the Oracle AS SSO server verifies their identity.
  3. Redirect to APEX – Once authenticated, the SSO server redirects the user back to the APEX application.
  4. Session Management – The APEX engine retrieves the user identity and grants access to the application.
  5. Continued Access – The user remains authenticated until they log out or terminate their session.

 

Limitations and Modern Alternatives

  • Legacy Technology – Oracle AS SSO is an older authentication method and requires specific Oracle infrastructure. 
  • Requires Additional Setup – Applications must be manually registered as partner applications, which can be complex.
  • No Integrated Login Page – Authentication is fully handled by the SSO server, limiting customization options.

Recommended Modern Alternatives

  • SAML 2.0 Authentication – Secure and widely adopted Single Sign-On protocol for enterprise authentication.
  • OAuth2 & OpenID Connect (OIDC) – Supports authentication via identity providers like Oracle Identity Cloud Service (IDCS), Microsoft Entra ID (formerly Azure AD), and Google.
  • Social Sign-In – Allows users to authenticate with Google, Facebook, or other social providers.

Oracle recommends transitioning to a modern Single Sign-On method, such as SAML or OAuth2, for enhanced security, flexibility, and support for cloud-based identity providers.

Learn how to set up Single Sign-On authentication.

To set up Oracle Application Server Single Sign-On:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    1. Name - Enter the name used to reference the authentication scheme by other application developers.
    2. Scheme Type - Select Oracle Application Server Single Sign-On.
  8. Under Settings:
    1. Partner Application Name - If you authenticate with Oracle Application Server Single Sign-On and your application is a registered partner application with SSO, then enter exactly the same name you used when registering the partner application with SSO. If you are relying on APEX to be the registered partner application, leave this field blank.
    2. Logout URL of SSO Server - Enter the logout path of the Single Sign-On Server (for example https://login.example.com/sso/logout). On logout of your application, APEX will use this value, concatenate '?p_done_url=' and the application's login URL, and use the resulting URL to log out of Single Sign-On before redirecting back to your application.

Finally, click Create Authentication Scheme.

Conclusion
Implementing Oracle Application Server Single Sign-On (SSO) Authentication in Oracle APEX enhances both security and usability by centralizing authentication processes. It simplifies user management, reduces password fatigue, and enables consistent enforcement of access policies. When properly configured, SSO integration ensures that users can efficiently and securely navigate multiple Oracle applications without repeated logins, delivering a smoother and more professional user experience.

 

Set Up DAD Credentials Verification in Oracle APEX

 

Introduction
Setting up DAD (Database Access Descriptor) credentials verification in Oracle APEX allows applications to delegate user authentication to the Oracle HTTP Server or Oracle REST Data Services. This method relies on the web server to authenticate users before passing requests to APEX, enabling seamless integration with enterprise security systems and simplifying user management. Configuring DAD credentials verification ensures that APEX trusts the authenticated identity provided by the external layer, streamlining access without requiring additional login prompts within the application.

Setting up DAD (Database Access Descriptor) credentials verification in Oracle APEX involves configuring the Oracle HTTP Server (OHS) or Oracle REST Data Services (ORDS) to handle user authentication before requests reach the APEX engine. This approach shifts the responsibility for verifying user credentials to the web server layer, allowing APEX to trust that incoming requests are from authenticated users. It is commonly used in enterprise environments that require centralized authentication and single sign-on capabilities.

To begin, ensure that your Oracle HTTP Server or ORDS is properly configured with a DAD. The DAD defines how the web server connects to the database, manages connection pooling, and handles security parameters. Configuration files such as mod_plsql.conf (for OHS) or ords.conf (for ORDS) contain the settings for the DAD, including the database service, connection details, and authentication methods.

In your DAD configuration, enable and configure the authentication method you intend to use, such as Basic Authentication, LDAP, or Kerberos. For example, in OHS, you might define an authentication realm and associate it with the DAD to require users to provide valid credentials before forwarding the request to the database.

Once the DAD is configured to verify credentials, switch to Oracle APEX. Navigate to Shared Components > Authentication Schemes and create a new scheme. Choose No Authentication (Using DAD) as the scheme type. This tells APEX not to perform its own authentication but to trust the identity verified by the DAD layer.

Set the new scheme as current for your application. Now, when users access your APEX application, the web server will prompt for credentials (if not already authenticated) and verify them according to the configured method. Once verified, the user’s session is established in APEX without requiring a second login.

Because APEX relies on the web server for authentication, you can use the server’s features to manage user roles, access control, and password policies. You can also configure Single Sign-On (SSO) solutions at this layer, providing a seamless login experience across multiple applications.

It is important to note that since APEX itself does not authenticate users in this setup, you should ensure that the web server and network environment are secured appropriately. Use HTTPS to encrypt credential transmission, and restrict access to trusted users.

For advanced scenarios, you can define a Post-Authentication Procedure in APEX to initialize session state based on the authenticated user or to log user activity. Example:

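BEGIN
  -- USER_ROLE is an application item; get_user_role is an application-defined function, not an APEX API.
  apex_util.set_session_state('USER_ROLE', get_user_role(:APP_USER));
END;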

Setting up DAD credentials verification enables you to leverage existing enterprise authentication infrastructure while keeping Oracle APEX applications lightweight and focused on business logic. This separation of concerns improves security, simplifies user management, and supports scalable, integrated application deployments.
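Because both the SSO scheme and the DAD scheme make APEX trust an identity asserted by the web tier, the post-authentication step and the user mapping mentioned in both sections are worth writing so that they fail closed. The following is an added example, not code from the original post or from Oracle: the package name app_auth and the table APP_USER_ROLES (username, role_name, active_yn) are hypothetical, and USER_ROLE is assumed to exist as an application item.

```plsql
-- Added example: app_auth and APP_USER_ROLES (username, role_name, active_yn)
-- are hypothetical names; v() and apex_util.set_session_state are APEX APIs.
create or replace package app_auth as
  procedure post_auth;                     -- Post-Authentication Procedure Name: app_auth.post_auth
  function is_mapped_user return boolean;  -- authorization scheme: return app_auth.is_mapped_user;
end app_auth;
/
create or replace package body app_auth as
  -- Identity asserted by the web tier, normalised for lookup.
  function asserted_user return varchar2 is
  begin
    return upper(trim(v('APP_USER')));
  end asserted_user;

  -- True only for a real end-user name that has an active mapping row.
  function is_mapped_user return boolean is
    l_user  varchar2(255) := asserted_user;
    l_count pls_integer;
  begin
    -- Values that mean nobody was authenticated upstream: empty,
    -- APEX's public-session user 'nobody', or the gateway's own
    -- database account (what APP_USER becomes when Username is left empty).
    if l_user is null or l_user in ('NOBODY', 'APEX_PUBLIC_USER') then
      return false;
    end if;
    select count(*) into l_count
      from app_user_roles
     where username = l_user and active_yn = 'Y';
    return l_count > 0;
  end is_mapped_user;

  procedure post_auth is
    l_user varchar2(255) := asserted_user;
    l_role app_user_roles.role_name%type;
  begin
    if is_mapped_user then
      select max(role_name) into l_role
        from app_user_roles
       where username = l_user and active_yn = 'Y';
    end if;
    -- Unmapped users get an empty role, so role-based checks deny by default.
    apex_util.set_session_state('USER_ROLE', l_role);
  end post_auth;
end app_auth;
/
```

Attach the authorization scheme at application level so that every page requires a mapped user, rather than relying on the web tier's login prompt alone.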

DAD (Database Access Descriptor) Credentials Verification allows Oracle APEX applications to authenticate users using Oracle Database native authentication. This method is useful for small-scale applications, prototypes, or environments where database accounts are already managed separately.

How DAD Authentication Works

  • Uses Oracle Database user accounts for authentication.
  • The username is retrieved from the DAD configuration or prompted using basic authentication.
  • APEX stores the authenticated user in the APP_USER substitution variable.
  • Users only log in once per browser session unless forced to re-authenticate.

Prerequisites

Before setting up DAD authentication, ensure that:

  • Each user has a valid Oracle Database account.
  • A PL/SQL DAD (Database Access Descriptor) is configured for basic authentication.
  • The Oracle HTTP Server (OHS) or Embedded PL/SQL Gateway is correctly set up to support authentication.

 

Step-by-Step Guide to Setting Up DAD Authentication in Oracle APEX

Step 1: Navigate to Authentication Schemes

  1. Open App Builder.
  2. Select the application where you want to configure authentication.
  3. On the Application Home page, click Shared Components.
  4. Under Security, select Authentication Schemes.

 

Step 2: Create a New Authentication Scheme

  1. Click Create to add a new authentication scheme.
  2. Select Based on a pre-configured scheme from the gallery, then click Next.

 

Step 3: Configure Authentication Settings

  1. Enter the Authentication Scheme Name:
    • Choose a meaningful name for the scheme (e.g., DAD Credentials Verification).
  2. Select the Authentication Scheme Type:
    • Choose No Authentication (Using DAD).
  3. Configure Username Handling:
    • Username Field: Enter the username to be used in the APEX session.
    • If left empty, APEX will use the database session user (usually APEX_PUBLIC_USER).

 

Step 4: Finalize and Apply the Authentication Scheme

  1. Click Create Authentication Scheme to save the settings.
  2. Set the newly created scheme as Current to activate it.

 

Validating the Configuration

After setting up DAD authentication:

  • Access the application and verify that authentication is working correctly.
  • Check the APP_USER value by creating a simple SQL report with: 

SELECT :APP_USER FROM DUAL;

  • Ensure that session tracking and access control work as expected.

 

Considerations and Best Practices

When to Use DAD Authentication

  • Prototyping & Internal Testing – Quick and easy authentication setup.
  • Small Applications – When user accounts are limited and manageable.
  • Pre-Existing Oracle Accounts – If database users are already maintained separately.

Limitations of DAD Authentication

  • Not Scalable – Manually managing user accounts in the database is difficult for large applications.
  • Limited Security – Credentials are sent in plain text unless SSL is enabled.
  • Single Sign-On (SSO) Compatibility Issues – May not integrate well with enterprise SSO solutions.
  • Browser Session Dependency – Users must re-authenticate if the browser session expires.

 

Alternative Authentication Methods

For more secure and scalable authentication, consider:

  • LDAP Authentication – Uses directory services for centralized user management.
  • OAuth2 / SAML Authentication – Secure token-based authentication for modern applications. 
  • Custom Authentication – Allows full control over user authentication logic.

 

DAD Credentials Verification in Oracle APEX provides a simple and lightweight authentication method, primarily useful for testing and small applications. However, it is not recommended for production environments requiring scalability and enhanced security.

For long-term solutions, consider LDAP, OAuth2, or custom authentication mechanisms.

To set up Oracle APEX Accounts:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    1. Name - Enter the name used to reference the authentication scheme by other application developers.
    2. Scheme Type - Select Oracle APEX Accounts.

Click Create Authentication Scheme.

Conclusion
Configuring DAD credentials verification in Oracle APEX provides a robust way to centralize authentication outside of the application while maintaining secure and controlled access. This approach leverages existing infrastructure for user validation, reduces the complexity of managing user credentials in APEX, and improves the user experience by enabling single sign-on scenarios. Proper setup of DAD credentials verification ensures that your APEX applications remain secure and integrated within your organization’s authentication ecosystem.

 

 
