'Configuring Oracle APEX to use SAML authentication

I'm trying to configure Oracle APEX to use SAML with ForgeRock as the IDP. I'm running APEX 21.2.0 on Enterprise DB 21.3.0.0 and ORDS 21.4.1 (all images from the Oracle Container Registry). Worked through the docs here.

I think I'm just about there, I have the SAML config done in APEX, I've created a remote SP in ForgeRock and the app redirects as expected. Once I authenticate with ForgeRock IDM, I get redirected back to the apex_authentication.saml_callback endpoint then I get an error page. The APEX logs have the following error:

- ora_sqlerrm: ORA-19032: Expected XML tag , got no content
ORA-06512: at "SYS.XMLTYPE", line 310
ORA-06512: at line 1
ORA-06512: at "APEX_210200.WWV_FLOW_XML_SECURITY", line 1096
ORA-06512: at "APEX_210200.WWV_FLOW_XML_SECURITY", line 1307
ORA-06512: at "APEX_210200.WWV_FLOW_AUTHENTICATION_SAML", line 462
ORA-06512: at "APEX_210200.WWV_FLOW_AUTHENTICATION_NATIVE", line 1268
ORA-06512: at "APEX_210200.WWV_FLOW_PLUGIN", line 3500
ORA-06512: at "APEX_210200.WWV_FLOW_PLUGIN", line 4097
ORA-06512: at "APEX_210200.WWV_FLOW_AUTHENTICATION", line 1688

I can't seem to find anything useful about this error in a SAML authentication context. I'm guessing there's an issue processing the assertion. I double checked the certs and the assertion looks good in SAML Tracer so I'm stuck. Any ideas what I'm missing? Are there additional logs somewhere that might be more useful?



Solution 1:[1]

You'll need to apply the latest patchset for Apex 21.2 to get beyond this issue. It was fixed in Apex 21.2.2 but it's now up to 21.2.6. Even if you get beyond this issue it may not be all plain sailing depending on the IdP you are using. Some useful hints and help can be found on this thread

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Stephen Brennan