Here is how to do it:
A. Register the APEX application with Microsoft
1. Go to Microsoft Application Registration Portal. Note that you need a Microsoft account, such as an Outlook.com email account, to login and use this portal:
https://apps.dev.microsoft.com/
2. Add an app (enter a descriptive name, your users will see this name during the consent prompt in step 20 below). An Application ID gets generated. Click "Generate New Password" to generate a password.
3. Click "Add platform" and choose "Web". Enter the APEX callback URL as the "Redirect URL", for the APEX 5.2 Early Adopter this is:
https://apexea.oracle.com/pls/apex/apex_authentication.callback
4. Add the URL of the APEX app as the "Home Page URL":
https://apexea.oracle.com/pls/apex/f?p=your_app_alias:10
5. Click "Save"
B. Setup APEX Credentials
6. In APEX, go to Shared Components and click on "Credentials"
7. Create a new Credential and give it a name (for example "Azure OpenID Credentials"). Select "OAuth2 Client Credentials Flow" as the credential type.
8. Add the Application ID from step 2 above as the "Client ID", and the password from step 2 above as the "Client Secret".
9. Save the credentials.
C. Setup APEX Authentication Scheme
10. Go to Shared Components and click on "Authentication Schemes"
11. Create a new authentication scheme and give it a name (for example "Azure AD OpenID"). Select "Social Sign-In" as the scheme type.
12. As credential store, select the credentials created in step 9 ("Azure OpenID Credentials").
13. As authentication provider, select "OpenID Connect Provider".
14. As discovery URL, use the following:
https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
15. As scope, type "email" (without the quotes)
16. As username attribute, type "email" (without the quotes)
17. Save the authentication scheme.
D. Test the Login
18. Go to the home page of your application:
https://apexea.oracle.com/pls/apex/f?p=your_app_alias:10
19. You should be redirected to a Microsoft login page. Log in with a Microsoft account (such as yourname@outlook.com).
20. You should be prompted to allow the APEX application to log you in and retrieve your email address to identify you. Accept this.
21. You should see the home page of your APEX application, and the value of APP_USER should now be equal to the email address you logged in with at Microsoft.
Switching between authentication schemes in the same APEX session
APEX version 5.2 also includes a new attributte for authentication schemes called "Switch in Session" that can be either Enabled or Disabled. If enabled, the current session's authentication scheme can be changed by passing APEX_AUTHENTICATION=scheme name in a URL's request parameter.
You can use this to present users with multiple login options. For example, you can have the standard APEX Authentication (or your own table-based authentication) set as the current authentication scheme, and then add another button to the login page which switches the authentication scheme to the Microsoft scheme (or Facebook, or Google, etc).
The screenshot above shows an example of a standard APEX login page where I have added an extra button (called "LOGIN_MICROSOFT"), set the icon CSS class to "fa-windows" to get the Windows logo on the button, and set the action attribute of the button to redirect to page 10 (the home page of the application) and also setting the request of the link to "APEX_AUTHENTICATION=name_of_microsoft_auth_scheme". Clicking this button should redirect to a Microsoft page for login, and then redirect the user back to the requested page.
11 comments:
cool stuff, thanks for sharing !
Please when this verion (5.2) will be available to dowload?
I have tried the Social Sign-In with office365 account and received the following error for sign in.
Error processing request.
Contact your application administrator.
I tried to setup up Social Sign-In with Office365 account and encountered an error at login.
Error processing request.
Contact your application administrator.
There is not enough message to debug further.
Has this been tested on apex.oracle.com that has since been updated? I tried implementing and got
Error processing request.
Contact your application administrator
Debug is just giving me a bad argument in the http get.
Thanks,
Scott
Can confirm it works for outlook account.
Not for office 365 accounts on apex.oracle.com.
Hi,
This worked perfectly after I created the Oracle Wallet for my internal application in Oracle APEX. However, when I signed out, it redirected to a Microsoft page that
ask which account to sign out. How can I directly sign out and redirect to a public page in Oracle APEX?
Thanks.
It does not works for me.
"An unexpected internal application error has occurred."
If you don't mind please provide the video tutorial on youtube.
Hi Andy, could you provide the tutorial?
Hi,
Is it possible to accomplish the same authentication with on-premise AD FS server and how?
When registering application we cannot register link with "?" in the URL.
regards,
andrej
Sadly this does not work
We're unable to complete your request
unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
Post a Comment