Page 1 of 12
FOR (APEX) APPLICATIONS
WITH AZURE AD
USING SAML V2
Author: Niels de Bruijn
Most APEX environments run inside the corporate network. In some cases, you would also like to give
registered external users (such as customers or partners) access over the internet to specific APEX apps
running on the internal APEX instance. To avoid building your own user/password
management system, including a registration process, most companies already utilize Azure AD, which
is the cloud version of Active Directory. The question here is: how can we securely authenticate
external users that are registered in Azure AD? There are various ways to achieve this (e.g.
SAMLv2 or OAuth2 being two of these). We will utilize the SAMLv2 standard, as we only want to trust
Azure AD as Identity Provider using a secure channel (SSL) and "automatically" get the user ID,
together with selected user attributes, back as part of the HTTP header. This doesn't mean that using
OAuth2 for Single Sign-On isn't an option. Each way has its own advantages and disadvantages.
This document will show you how to set up Single Sign-On using SAMLv2 against Azure AD.
Image 1: Enabling secure access for external users, registered in Azure AD.
Before starting the implementation, make sure that you have already set up an APEX environment as
well as an Azure AD subscription. Access to the APEX environment should be given through ORDS
on Tomcat. We will need Apache running on a server in the DMZ to enable access to the APEX
- Use a firewall to restrict communication from the Internet to the Apache web server to
port 443 (HTTPS) only.
- Use a firewall to restrict communication from Apache web server to Tomcat through port
- By default, Tomcat already runs on port 8009 us
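The DMZ layout described above (Apache reachable from the Internet on 443 only, Apache forwarding to Tomcat on the AJP port 8009) can be expressed as a single Apache virtual host. The following configuration is an added example and is not taken from the original document; the host names `apex.example.com` and `tomcat.internal.example.com`, the certificate paths and the `/ords` context path are assumptions you will need to replace with your own values.

```apache
# Added example (not part of the original document).
# Apache in the DMZ: serve HTTPS only and forward the ORDS context to the
# internal Tomcat over AJP (default connector port 8009).
# Requires mod_ssl, mod_proxy and mod_proxy_ajp to be loaded.
# Host names, certificate paths and the /ords context are assumptions.

# Plain HTTP: redirect everything to HTTPS so nothing travels in clear text.
<VirtualHost *:80>
    ServerName apex.example.com
    Redirect permanent / https://apex.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName apex.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/apex.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/apex.example.com.key
    # Disable legacy protocol versions on the Internet-facing side.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Never act as an open forward proxy; only the explicit mappings below apply.
    ProxyRequests Off
    ProxyPreserveHost On

    # Forward only the ORDS context to Tomcat. The firewall between the DMZ
    # and the internal network should allow exactly this connection (8009).
    ProxyPass        /ords ajp://tomcat.internal.example.com:8009/ords
    ProxyPassReverse /ords ajp://tomcat.internal.example.com:8009/ords

    # Deny everything else on this host; only /ords is reachable from outside.
    <Location />
        Require all denied
    </Location>
    <Location /ords>
        Require all granted
    </Location>
</VirtualHost>
```

Two practical notes: recent Tomcat releases ship with the AJP connector disabled and refuse AJP connections that do not carry a shared secret unless `secretRequired="false"` is set on the connector, so either configure a secret on both sides (Apache 2.4.42 and later accept a `secret=` parameter on the AJP `ProxyPass` line) or bind the connector to an address only the DMZ Apache can reach. Second, the `Require all denied` on `/` combined with `Require all granted` on `/ords` is what keeps Tomcat's other contexts (manager, examples, ROOT) invisible from the Internet; verify it with a request to a non-ORDS path after reloading Apache.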