
Social Sign-In has been around since APEX version 18.1, and, with small differences, the main concepts of Single Sign-On in APEX using Facebook, Google, Microsoft, OKTA or any other third-party authentication provider have stayed the same. There are numerous blog posts I have read and videos I have watched over that time. If your setup is a standard one, most of the time you will be able to integrate OKTA authentication for your users in no more than 5 minutes. My goal is to show the basic steps to do it and point out the pitfalls you might run into.
On OKTA side
- Go to https://www.okta.com/free-trial/ and create your free account.
- Log into your account.
- Navigate to Applications, Applications.
- Click on Create a new app integration.
- In the form which opens, select the following options: OIDC - OpenID Connect and Web application.
- In the next part, add some more information:
  - App integration name – choose an appropriate name for your OKTA Integration Application.
  - Logo (Optional) – select a logo, which will be shown on the OKTA side.
  - Sign-in redirect URIs – https://apex.oracle.com/pls/apex/apex_authentication.callback. The first part, https://apex.oracle.com/pls/apex, is your APEX base URL. You don't need to enter the full application URL here (for example https://apex.oracle.com/pls/apex/demo_workspace/r/demo_app/). The second part, apex_authentication.callback, is the endpoint OKTA redirects the user's browser back to with the authorization code once the user is authenticated; APEX then exchanges that code for tokens server-side. OKTA only honours redirect URIs that are registered here, and it compares them exactly, so the value has to match the scheme, host, port and path your users actually use to reach APEX (a reverse proxy or load balancer in front of ORDS changes this).
  - Sign-out redirect URIs (Optional) – enter an address where you want your users to be redirected (for example https://google.com/ or https://apex.oracle.com/pls/apex/demo_workspace/r/demo_app/logout), once they are logged out of your APEX application. Note that the same Logout URL should be entered in APEX (Post-Logout URL in your Authentication Scheme settings), otherwise the logout redirect will not work.
  - All the other settings are left as they are.
- Once the previous step is done, you will have your new Application Integration created. The most important things here are the Client ID and Client secret, which will later be used in APEX to link your APEX application to the OKTA one. Treat the Client secret like a password: the only place it belongs is the APEX Web Credential created below, not an application item, page source or version control.

On APEX side
- Go to Shared Components, Security, Web Credentials.
- Click on the Create button.
- Enter the following details:
  - Name (Value Required): OKTA SSO
  - Static Identifier: OKTA_SSO
  - Authentication Type: OAuth2 Client Credentials Flow
  - OAuth Scope: profile,email
  - Client ID or Username: Client ID from Client Credentials in OKTA
  - Client Secret or Password: Client Secret from Client Credentials in OKTA
  - Verify Client Secret or Password: Client Secret from Client Credentials in OKTA
  - Valid for URLs: optional, but worth setting to your OKTA org base URL (for example https://dev-999999.okta.com), so that APEX refuses to send this credential to any other host
  - Prompt On Install: leave as is
  - Comments: optional

- Now go to Shared Components, Security, Authentication Schemes.
- Click on the Create button.
- In the wizard form, enter the following details:
  - Create Scheme: Based on a pre-configured scheme from the gallery
  - Name: OKTA SSO Authentication
  - Scheme Type: Social Sign-In
  - Credential Store: OKTA SSO, as created in the previous steps
  - Authentication Provider: OpenID Connect Provider
  - Discovery URL: https://${yourOktaOrg}/.well-known/openid-configuration, where ${yourOktaOrg} is replaced with your OKTA org domain, like https://dev-999999.okta.com/.well-known/openid-configuration (see https://developer.okta.com/docs/concepts/auth-servers/#org-authorization-server-discovery-endpoints for more details). Use the plain org domain, not the -admin host you see in the address bar of the admin console (dev-999999-admin.okta.com); Okta documents the -admin host as being for the admin console only. APEX reads the authorization, token, userinfo and JWKS endpoints from this document, so you never enter them by hand.
  - Scope: profile,email
  - Authentication URI Parameters: leave empty
  - Username: #email#
  - Convert Username To Upper Case: leave as is, but keep it consistent with how usernames are stored in your own user and role tables, otherwise lookups on :APP_USER silently match nothing
  - Additional User Attributes: given_name,family_name
  - Map Additional User Attributes To: G_OKTA_FIRST_NAME,G_OKTA_LAST_NAME
  - Verify Attributes: Yes, so that the login fails if OKTA does not return the username or one of the additional attributes, instead of creating a session with a blank value

Additionally you might want to configure pre- or post-authentication procedures, executed together with your OKTA login.
In my demo application I have selected to use the email, first name and last name of my user from OKTA. First name and last name are the given_name and family_name user attributes (standard OpenID Connect claims) in OKTA, which is why the scheme above has:
- Additional User Attributes: given_name,family_name
- Map Additional User Attributes To: G_OKTA_FIRST_NAME,G_OKTA_LAST_NAME
I have created three Application Items to store the values – G_OKTA_FIRST_NAME, G_OKTA_LAST_NAME and G_USER_FULL_NAME. The values I get from OKTA are First Name and Last Name, and my post-authentication procedure is calculating a Full Name out of them. Set Session State Protection on all three items to Restricted - May not be set from browser: their values come from OKTA, and a user must not be able to overwrite them through the URL or a form submit.
In Source, enter the following PL/SQL code:
procedure post_authentication is
begin
  -- G_OKTA_FIRST_NAME and G_OKTA_LAST_NAME were set from the given_name and
  -- family_name claims by the authentication scheme before this runs.
  :G_USER_FULL_NAME := initcap(:G_OKTA_FIRST_NAME||' '||:G_OKTA_LAST_NAME);
end post_authentication;
Then in Login Processing, Post-Authentication Procedure Name, enter post_authentication, which is the name of the procedure we just created. Note that initcap rewrites the capitalisation inside a name (McDonald becomes Mcdonald), so drop it if you want the names exactly as OKTA holds them.
What could go wrong?
Short answer: lots of things. But not necessarily.
If things don't go as planned, you might look at the following settings in your setup. They all come down to the same thing: it is the database, not the browser, that has to open an HTTPS connection to OKTA for the token and userinfo calls, and there are several layers that can stop it.
Proxy – In case your organisation is using one in its internal network (where your APEX and Oracle database are), make sure you have it in your Instance settings too:
- Log in to Oracle Application Express Administration Services.
- Click Manage Instance.
- Under Instance Settings, click Security.
- Locate the Security section.
- In Instance Proxy, enter the address of the proxy to be used for the entire instance.
Wallet – OKTA is only reachable over HTTPS, so the database has to be able to validate OKTA's TLS certificate, which usually means the CA that signs it has to be in the database wallet. An error you might see in your logs when it is not is:
ORA-29273: HTTP request failed
ORA-29024: Certificate validation failure
ORA-06512: at "SYS.UTL_HTTP", line 380
To test for such a wallet issue, run the following script in your APEX SQL Commands window (replace dev-999999 with your org):
select apex_web_service.make_rest_request(
p_url => 'https://dev-999999.okta.com/.well-known/openid-configuration',
p_http_method => 'GET' ) from dual;
If you don't get an error, but a JSON response as a result, then you are fine.
In case you have the error, download the root certificate (and any intermediate) of the CA that signs OKTA's certificate, add it to your Oracle database wallet and add the path to your wallet in APEX Administration Services. Import the CA certificate rather than OKTA's own leaf certificate: the leaf rotates regularly and the login would break again when it does. This validation is what lets the database notice an impostor at the token endpoint, so it is not a step to work around.
Full articles on the wallet and its integration in APEX can be found in the following places:
- https://apex.oracle.com/pls/apex/germancommunities/apexcommunity/tipp/6121/index-en.html
- https://fuzziebrain.com/content/id/1711/
- https://fuzziebrain.com/content/id/1725/
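The select statement above only tells you pass or fail. The following PL/SQL block is an added diagnostic, not part of the original post: it fetches the same discovery document, checks the HTTP status, confirms that the issuer in the document is really your org (so that a proxy or a mistyped Discovery URL cannot quietly hand APEX another authorization server's endpoints), and maps the wallet (ORA-29024) and ACL (ORA-24247) failures described in this section to the fix each one needs. The org domain dev-999999.okta.com is a placeholder; run it from APEX SQL Commands with DBMS_OUTPUT enabled.

```plsql
-- Added diagnostic, not from the original post. Assumption: the OKTA org is
-- dev-999999.okta.com (placeholder); change l_org_url to your own org domain.
declare
  l_org_url   constant varchar2(200) := 'https://dev-999999.okta.com';
  l_discovery constant varchar2(300) := l_org_url || '/.well-known/openid-configuration';
  l_response  clob;
  l_issuer    varchar2(300);
  l_stack     varchar2(4000);
begin
  l_response := apex_web_service.make_rest_request(
                  p_url         => l_discovery,
                  p_http_method => 'GET');

  -- A non-200 answer (for example a proxy login page) is not raised as an
  -- exception, so the status code has to be checked explicitly.
  if apex_web_service.g_status_code <> 200 then
    dbms_output.put_line('HTTP ' || apex_web_service.g_status_code || ' from ' ||
                         l_discovery || ' - check the Instance Proxy setting');
    return;
  end if;

  -- Parse the document and make sure the issuer is our org. Anything else
  -- means APEX would send users to the wrong authorization server.
  apex_json.parse(p_source => l_response);
  l_issuer := apex_json.get_varchar2(p_path => 'issuer');
  if l_issuer = l_org_url then
    dbms_output.put_line('OK: issuer ' || l_issuer);
    dbms_output.put_line('authorization_endpoint: ' || apex_json.get_varchar2(p_path => 'authorization_endpoint'));
    dbms_output.put_line('token_endpoint:         ' || apex_json.get_varchar2(p_path => 'token_endpoint'));
    dbms_output.put_line('userinfo_endpoint:      ' || apex_json.get_varchar2(p_path => 'userinfo_endpoint'));
    dbms_output.put_line('jwks_uri:               ' || apex_json.get_varchar2(p_path => 'jwks_uri'));
  else
    dbms_output.put_line('Unexpected issuer "' || l_issuer || '" - wrong Discovery URL or the -admin host?');
  end if;
exception
  when others then
    -- apex_web_service wraps the UTL_HTTP error; the nested ORA code in the
    -- error stack says which layer refused the connection.
    l_stack := dbms_utility.format_error_stack;
    if instr(l_stack, 'ORA-29024') > 0 then
      dbms_output.put_line('Certificate validation failed: import the CA that signs ' ||
                           'OKTA''s certificate into the database wallet and set the ' ||
                           'wallet path in APEX Administration Services.');
    elsif instr(l_stack, 'ORA-24247') > 0 then
      dbms_output.put_line('ACL denied: grant the APEX engine schema access to ' ||
                           'the OKTA host on port 443 with DBMS_NETWORK_ACL_ADMIN.');
    elsif instr(l_stack, 'ORA-12535') > 0 then
      dbms_output.put_line('TCP connect timed out: firewall or missing proxy.');
    else
      dbms_output.put_line('Other failure: ' || l_stack);
    end if;
end;
/
```

The issuer comparison is the part worth keeping around after the setup works: if someone later changes the Discovery URL, or a corporate proxy starts intercepting TLS, this is the quickest way to see that the database is no longer talking to the OKTA org you registered.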
ACL – Especially when you are in a private network with hardened security, a possible reason for connectivity problems might be the Access Control Lists (or ACLs). The database blocks outbound network calls from a schema unless an ACL allows them, and the error is then ORA-24247: network access denied by access control list (ACL). The principal that needs the grant is the APEX engine schema (APEX_XXXXXX, the owner of WWV_FLOW_WEB_SERVICES in the error stack), not your application's parsing schema, and the grant should be limited to your OKTA org host on port 443 rather than opened to every host. Check the DBMS_NETWORK_ACL_ADMIN.CREATE_ACL and DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE procedures for more details as well as the following article:
- https://pretius.com/configuration-of-oracle-database-and-apex-application-use-of-google-service-account-the-google-workspace-friendly-application-series/ – although it is an article related to Google integration, the principle of ACL configuration is the same.
Firewall – Similar situation to the other connectivity issues, but on the network level. The only way to check it is to work with your network team and see whether outbound HTTPS (port 443) from the database server to your OKTA org is allowed; the users' browsers also need to reach OKTA, but that is rarely the surprising part.
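An added example, not from the original post, of the least-privilege ACL grant a DBA would run for the ACL case above: it allows only the APEX engine schema, only the OKTA org host, only port 443, and (if a wallet had to be added for ORA-29024) only that wallet. The schema name APEX_200200, the host dev-999999.okta.com and the wallet path /u01/app/oracle/wallet are placeholders; use the schema that appears as the owner of WWV_FLOW_WEB_SERVICES in your own error stack. This is the 12c and later DBMS_NETWORK_ACL_ADMIN syntax; for 11g use CREATE_ACL/ASSIGN_ACL as in the linked articles.

```plsql
-- Added example, not from the original post. Run as SYS or another DBA.
-- Placeholders: APEX schema APEX_200200, org host dev-999999.okta.com,
-- wallet directory /u01/app/oracle/wallet.
declare
  l_apex_schema constant varchar2(30)  := 'APEX_200200';
  l_okta_host   constant varchar2(100) := 'dev-999999.okta.com';
  l_wallet_path constant varchar2(200) := 'file:/u01/app/oracle/wallet';
begin
  -- Least privilege: one host, one port, only the privileges UTL_HTTP needs.
  -- Do not use host => '*' just to make the error go away; that lets any
  -- PL/SQL in the schema reach anything the database server can reach.
  dbms_network_acl_admin.append_host_ace(
    host       => l_okta_host,
    lower_port => 443,
    upper_port => 443,
    ace        => xs$ace_type(privilege_list => xs$name_list('connect', 'http'),
                              principal_name => l_apex_schema,
                              principal_type => xs_acl.ptype_db));

  -- Only needed when a wallet was added for the certificate validation error:
  -- the schema must be allowed to use the certificates in that wallet.
  dbms_network_acl_admin.append_wallet_ace(
    wallet_path => l_wallet_path,
    ace         => xs$ace_type(privilege_list => xs$name_list('use_client_certificates', 'use_passwords'),
                               principal_name => l_apex_schema,
                               principal_type => xs_acl.ptype_db));
  commit;
end;
/

-- Verify what was granted (and nothing broader) before handing it back to the
-- APEX team; every row should name the OKTA host, port 443 and the APEX schema.
select host, lower_port, upper_port, principal, privilege, grant_type
  from dba_host_aces
 where host = 'dev-999999.okta.com';
```

After the grant, re-run the discovery test from SQL Commands; if it now fails with ORA-29024 instead of ORA-24247 you have moved on to the wallet step, which is progress, not a regression.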
Share your story
You had trouble integrating OKTA? And found the solution?
Share it with me and I will update this blog post so it is in help to the other members of our great APEX community.
Additional resources
- https://www.jmjcloud.com/blog/its-time-for-a-new-name-for-apex-social-sign-in
- http://www.grassroots-oracle.com/2019/01/social-sign-in-authentication-scheme.html
- https://www.insum.ca/saml2-single-sign-on-with-oracle-application-express/
- http://c2anton.blogspot.com/2019/09/what-info-is-available-from-my-apex.html
- http://c2anton.blogspot.com/2019/06/oracle-apex-social-sign-on-with.html
- https://www.slideshare.net/msewtz/oracle-apex-social-login
Hi, I am getting an error after adding the certificate to the SSL cert… I logged into Okta via the social and got "error processing request"… I checked the error log and saw that
– ora_sqlerrm: ORA-29273: HTTP request failed
ORA-06512: at “APEX_200200.WWV_FLOW_WEB_SERVICES”, line 1157
ORA-06512: at “APEX_200200.WWV_FLOW_WEB_SERVICES”, line 757
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at “SYS.UTL_HTTP”, line 380
ORA-06512: at “SYS.UTL_HTTP”, line 1148
ORA-06512: at “APEX_200200.WWV_FLOW_WEB_SERVICES”, line 735
ORA-06512: at “APEX_200200.WWV_FLOW_WEB_SERVICES”, line 998
ORA-06512: at “APEX_200200.WWV_FLOW_WEB_SERVICES”, line 1346
ORA-06512: at “APEX_200200.WWV_FLOW_WEBSERVICES_API”, line 608
ORA-06512: at “APEX_200200.WWV_FLOW_AUTHENTICATION_SOCIAL”, line 85
ORA-06512: at “APEX_200200.WWV_FLOW_AUTHENTICATION_SOCIAL”, line 459
ORA-06512: at “APEX_200200.WWV_FLOW_AUTHENTICATION_SOCIAL”, line 651
ORA-06512: at “APEX_200200.WWV_FLOW_AUTHENTICATION_NATIVE”, line 422
ORA-06512: at “APEX_200200.WWV_FLOW_AUTHENTICATION_NATIVE”, line 1259
ORA-06512: at “APEX_200200.WWV_FLOW_PLUGIN”, line 3213
ORA-06512: at “APEX_200200.WWV_FLOW_PLUGIN”, line 3810
Can you help me fix this?
Hi Jay,
Did you try the part with the ACL setup (https://pretius.com/configuration-of-oracle-database-and-apex-application-use-of-google-service-account-the-google-workspace-friendly-application-series/) ?
You could also try to modify your ACL with any of the two methods described in the following articles (depending on your database version):
https://tedstruik-oracle.nl/ords/f?p=25384:1058::::::
… or
https://oracle-base.com/articles/12c/fine-grained-access-to-network-services-enhancements-12cr1
You probably already know, but for those settings you will need some admin privileges, so you might need to reach out to your DBA if you are in a corporate environment.
In APEX 19.2, Oracle has restricted the number of calls made to web services to a default of 1000 on a 24-hour rolling count. If this is exceeded then APEX can't reach out to the Okta web service.
Wasn't aware of that. Thanks for pointing it out. It's worth checking the documentation regarding such limits. Have you found a solution in your case?
Hi,
I set up OKTA Integration.
It’s working fine.
Steps: When I log in, it logs in to APEX, but if we sign out from APEX it goes back to the Okta login screen, which is fine; but when we log in again it redirects to the "Your session has ended" screen.
Hi Plamen,
The app is showing the "Your session has expired" message with "LOGIN AGAIN" and "CANCEL" buttons after it exceeds the value given in the "Maximum Session Idle Time in Seconds" attribute.
Can we change the redirect location of the "LOGIN AGAIN" button? Currently it is redirecting to
1) OKTA login page if OKTA is logged out
2) Home page of application if OKTA is already logged in some other tab. In this case, I want to logout from my app and redirect to some XYZ URL.
How can we achieve this ?
Thanks in advance