{"id":659,"date":"2023-08-05T10:05:00","date_gmt":"2023-08-05T08:05:00","guid":{"rendered":"https:\/\/ilmarkerm.eu\/blog\/?p=659"},"modified":"2023-08-05T10:08:45","modified_gmt":"2023-08-05T08:08:45","slug":"azure-sso-from-oracle-apex-with-group-membership","status":"publish","type":"post","link":"https:\/\/ilmarkerm.eu\/blog\/2023\/08\/azure-sso-from-oracle-apex-with-group-membership\/","title":{"rendered":"Azure SSO from Oracle APEX with group membership"},"content":{"rendered":"\n<p>Tim has written an <a href=\"https:\/\/oracle-base.com\/articles\/misc\/azure-ad-authentication-for-oracle-apex-applications\">excellent blog post<\/a> on how to connect your APEX application with Azure SSO. I used this article as a base for my work, with a few modifications.<\/p>\n\n\n\n<p>You can also set <strong>Authentication provider<\/strong> to <strong>OpenID Connect Provider<\/strong>; then you only have to supply one Azure SSO configuration URL and everything else will be configured automatically. Documentation is <a rel=\"noreferrer noopener\" href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-protocols-oidc#fetch-the-openid-configuration-document\" target=\"_blank\">here<\/a>. You can configure it like this:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Authentication provider: OpenID Connect Provider<\/li>\n\n\n\n<li>Discovery URL:&nbsp;https:\/\/login.microsoftonline.com\/your_Azure_AD_tenant_UUID_here\/v2.0\/.well-known\/openid-configuration<\/li>\n<\/ul>\n\n\n\n<p>For Oracle Wallet setup, you can use my solution to <a href=\"\/blog\/2023\/08\/convert-linux-system-ca-trust-store-to-oracle-wallet-file\/\">automatically convert Linux system trusted certificates to Oracle Wallet format<\/a>.<\/p>\n\n\n\n<p>Another requirement for me was to make some Azure user group membership available to the APEX application. One option to query this from APEX is to make a post-authentication call to the Microsoft Graph endpoint <a rel=\"noreferrer noopener\" href=\"https:\/\/learn.microsoft.com\/en-us\/graph\/api\/user-list-memberof?view=graph-rest-1.0&amp;tabs=http\" target=\"_blank\">\/me\/memberOf<\/a>. For this to work, an Azure administrator needs to grant your application the <strong>User.Read<\/strong> permission at minimum. With only that permission, \/me\/memberOf returns just the object IDs of the groups the logged-in user is a member of, with no group names or other information (if you need group names, your application also needs the <strong>Group.Read.All<\/strong> permission, but in my case that required approvals and more red tape than I really wanted to go through).<\/p>\n\n\n\n<p>The solution below is to create an APEX post-authentication procedure that stores the Azure-enabled roles in the APEX user session collection APP_USER_ENABLED_ROLES. Afterwards you can use the collection in the APEX application as you see fit, including in APEX authorization schemes.<\/p>\n\n\n\n<script src=\"https:\/\/gist.github.com\/ilmarkerm\/77c632513ad7c25ed01dd008d8352fe6.js\"><\/script>\n","protected":false},"excerpt":{"rendered":"<p>Tim has written an excellent blog post on how to connect your APEX application with Azure SSO. I used this article as a base for my work, with a few modifications. You can also set Authentication provider to OpenID Connect Provider; then you only have to supply one Azure SSO configuration URL and everything else will [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[21,4,63],"class_list":["post-659","post","type-post","status-publish","format-standard","hentry","category-blog-entry","tag-apex","tag-oracle","tag-security"],"_links":{"self":[{"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/posts\/659","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/comments?post=659"}],"version-history":[{"count":3,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/posts\/659\/revisions"}],"predecessor-version":[{"id":662,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/posts\/659\/revisions\/662"}],"wp:attachment":[{"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/media?parent=659"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/categories?post=659"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/tags?post=659"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}