Primary Note for Oracle Application Express (APEX) Authentication
(Doc ID 1094413.1)
Last updated on FEBRUARY 09, 2023
Applies to: Oracle Application Express (APEX) - Version 1.5 and later
Oracle Database Cloud Exadata Service - Version N/A and later
Gen 1 Exadata Cloud at Customer (Oracle Exadata Database Cloud Machine) - Version N/A and later
Oracle Database Exadata Express Cloud Service - Version N/A and later
Oracle Database Cloud Service - Version N/A and later
Information in this document applies to any platform.
This note answers or addresses the most common questions or issues encountered about Oracle Application Express (APEX) and authentication. In addition to the Support Notes below, supplemental information can be found here:
Documentation, White Papers and Demos
Documentation and downloads for earlier releases of Application Express (formerly known as HTML DB) can be found here.
The information contained in this article targets product administrators, installers and developers alike.
Please do not confuse APEX Authentication with APEX Authorization. These are independent of each other and should not be treated as one. Authentication is 'can I access the APEX development / runtime instance', whereas Authorization is 'is this APEX user authorized to perform this action in an APEX application'.
Different methods of Authentication at runtime.
When accessing an APEX application at runtime, the default method of authentication is to use the APEX 'out the box' authentication. This type of authentication validates against APEX user credentials stored in an internal repository.
In most cases, APEX 'out the box' authentication will suit most people. However, this is not to say that other types of authentication methods cannot be used. This section gives references to 'How To' documents for the popular non 'out the box' authentication methods.
Single Sign On (SSO)
<Note 562807.1> Configuring an APEX Application to Use SSO With SDK in Separate Schema.
<Note 1233515.1> Troubleshooting and Verifying APEX SSO Configuration Setup Steps.
<Note 562840.1> Troubleshooting Apex SSO Related Error ERR-7620.
Configure an Application as an External Application in Oracle AS Single Sign-On
Configure an Application as a Partner Application in Oracle AS Single Sign-On
Currently, these are the supported / certified Identity Management combinations for using SSO with APEX:
- OracleAS 10g Release 2 (10.1.2.3) Identity Management (IDM).
- Oracle IDM 10g Release 3 (10.1.4.3).
- Oracle Middleware 11g Release 1 (11.1.1.x) IDM (OID / DIP) + OracleAS 10g Release 2 (10.1.2.3) IDM (SSO /OIDAS).
- Oracle Middleware 11g Release 1 (11.1.1.x) IDM (OID / DIP) + Oracle IDM Release 3 (10.1.4.3) (SSO /OIDAS).
Oracle Access Manager
Oracle Access Manager 11g is supported with APEX 4.1 and above. See the Integrating Oracle Application Express with Oracle Access Manager whitepaper for details.
<Note 1480284.1> Integrating APEX 4.1.1 with Oracle Access Manager 11g Using the APEX Listener with Weblogic Server
LDAP authentication can be configured using the LDAP Directory authentication scheme provided with APEX.
- Starting with APEX 4.0, it is possible to use LDAP over SSL using the APEX_LDAP APIs. See <Note 2212921.1> - How to Configure APEX Applications for LDAP Authentication and Troubleshoot.
- Prior to APEX 5.0 it was a requirement that Workspaces use the APEX authentication scheme. Starting with that release, it is possible to use other types of authentication, including LDAP authentication, for Workspaces in the APEX Development environment. See <Note 2035320.1> - How to Configure LDAP Authentication for Workspaces in APEX 5.0 for information on LDAP configuration.
Database username / password
This method authenticates users of an APEX application with database username/password (e.g. scott/tiger) credentials.
<Note 456482.1> How to Create an Authentication Scheme to Use a Database Userid / Password for APEX Applications
However, this means that ANY database user can access the APEX application, regardless of whether they are allowed to access it or not. Should you want this method to be more restrictive, this can be achieved by the following:
<Note 428124.1> How To Use Database Authentication And Login Only With One specific Database User?
Public. No authentication required.
There may be a requirement that NO authentication is needed for the APEX application, making it a public application. This can be achieved by the following:
<Note 565396.1> How to Access Apex Application Without Defining Any User and Without Prompting for Login Credentials
Make an Application Public
Starting with APEX 18.1, Social Sign-in is available:
<Note 2430891.1> How To Authenticate APEX Application Using Google?
<Note 2693906.1> Trouble shooting APEX Social Sign-In Problems in APEX
The following Ask Tom video also demonstrates multiple connection methods:
Problems Accessing the APEX development Environment.
The above section has given ways to configure an APEX application to use different methods of authentication. However, there can be times when you run into problems trying to access the APEX development environment. The following section goes over the most common authentication problems faced when accessing the development environment.
Cannot Access APEX Instance after a new Install.
One of the most common problems is that after a new install, trying to access the APEX instance be it runtime or development, fails with the browser showing the message "
In the default profile in an Oracle Database 11g, the parameter PASSWORD_LIFE_TIME is set to 180. If you are using Oracle Database 11g with Oracle Application Express, this causes the password for APEX_PUBLIC_USER to expire in 180 days. As a result, your Oracle Application Express instance will become unusable until you change the password. As the password has expired, a new password needs to be set and this can be done by following <Note 283234.1> Receiving Failed to Login to APEX / HTMLDB Page - You Don't Have Permission to Access /pls/apex.
To prevent this behavior happening again, create another profile in which the PASSWORD_LIFE_TIME parameter is set to unlimited and alter the APEX_PUBLIC_USER account and assign it the new profile.
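The check and the profile change described above, as an added SQL example that is not part of the original note. The profile name APEX_PUBLIC_NOEXPIRE and the password placeholder are assumptions; run the statements as a user with DBA privileges.

```sql
-- 1. Check whether APEX_PUBLIC_USER is expired (or about to expire)
--    and which profile it currently uses.
SELECT username, account_status, expiry_date, profile
FROM   dba_users
WHERE  username = 'APEX_PUBLIC_USER';

-- 2. Show the PASSWORD_LIFE_TIME limit that the account inherits
--    from that profile (180 in the 11g DEFAULT profile).
SELECT p.profile, p.resource_name, p.limit
FROM   dba_profiles p
JOIN   dba_users u ON u.profile = p.profile
WHERE  u.username      = 'APEX_PUBLIC_USER'
AND    p.resource_name = 'PASSWORD_LIFE_TIME';

-- 3. Create a dedicated profile (name is an assumption) so that only
--    this account is exempt from expiry. Limits that are not listed
--    here keep the values of the DEFAULT profile.
CREATE PROFILE apex_public_noexpire LIMIT
  PASSWORD_LIFE_TIME UNLIMITED;

-- 4. Assign the new profile to APEX_PUBLIC_USER.
ALTER USER apex_public_user PROFILE apex_public_noexpire;

-- 5. An account that has already expired stays expired after the
--    profile change until a new password is set (see Note 283234.1).
--    "<new_password>" is a placeholder; the web listener configuration
--    that stores this password must be updated to match.
ALTER USER apex_public_user IDENTIFIED BY "<new_password>" ACCOUNT UNLOCK;

-- 6. Verify: ACCOUNT_STATUS should be OPEN and EXPIRY_DATE empty.
SELECT username, account_status, expiry_date, profile
FROM   dba_users
WHERE  username = 'APEX_PUBLIC_USER';
```

Keeping the exemption in its own profile leaves PASSWORD_LIFE_TIME in force for every other account that uses the default profile.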
Cannot Login as APEX Internal ADMIN user.
There are occasions when the Internal APEX Administrator (admin) user password has been forgotten and therefore the ability to log into the APEX admin pages is lost. The following note guides you in how to reset the APEX admin user.
<Note 361581.1> How to Change the ADMIN User Password for the Workspace INTERNAL