Feature Request FR-4186
Product Area Security
Status ROADMAP

13 Voters

Auto-Provisioning APEX Developer Accounts via SCIM

duncanmein Public
· Jan 8 2025

Idea Summary
Implement SCIM (System for Cross-domain Identity Management) support in Oracle APEX to enable automatic provisioning and deprovisioning of developer accounts. This would allow seamless integration with identity providers (e.g., Azure Active Directory, Oracle IDCS, or any SCIM-compliant system).

When a user is added to a designated group in the identity provider, SCIM triggers the creation of an APEX Workspace developer account. Conversely, when a user is removed from the group, their APEX account is automatically deactivated or deleted. This eliminates manual account management, enhances security by aligning with centralised identity controls, ensures scalability for dynamic team structures, and aids with any accreditation / Secure By Design.

Use Case
When a new developer joins my organisation, their APEX Workspace developer account needs to be automatically provisioned. Currently, this requires manual creation, which can delay access and increase administrative effort. To streamline the process, APEX should support SCIM (System for Cross-domain Identity Management) for automatic provisioning of developer accounts, integrating with various identity providers (Azure AD, IDCS, Okta, etc.).

Preferred Solution (Optional)
Desired Workflow:

  • A new user is added to a designated group in the identity provider.
  • SCIM automatically provisions the APEX Workspace developer account for that user, grants appropriate access, and emails the newly created user with a link to access the workspace.
  • If the user is removed from the group, their APEX developer account should be automatically deleted.

Key Requirements:

  • Oracle APEX must support the SCIM 2.0 protocol for user and group synchronisation.
  • The solution should work generically across SCIM-compliant identity providers (e.g., Azure AD, IDCS, Okta).
  • Provide an administrative interface in APEX to configure SCIM settings.
  • Support flexible mapping of identity provider attributes to APEX user attributes (e.g., group, role, email, username).
  • Include logging for SCIM provisioning events to ensure transparency and troubleshooting capabilities.

This is currently on the roadmap for a future release of Oracle APEX.
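
The group-driven workflow requested above, sketched at the SCIM 2.0 protocol level as an added example (not Oracle APEX code and not from the original post). The account store, the attribute mapping and the audit list are hypothetical stand-ins for whatever APEX would expose, and all sample data is constructed.

```python
import re

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# RFC 7644 filter form used for single removals: members[value eq "<id>"]
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$', re.IGNORECASE)


def member_changes(patch, current_members):
    """Return (action, user_id) pairs for a PatchOp sent to /Groups/{id}."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    changes = []
    for op in patch.get("Operations", []):
        kind = op.get("op", "").lower()  # some IdPs capitalise: "Add", "Remove"
        path = op.get("path", "")
        filtered = MEMBER_FILTER.match(path)
        if kind == "remove" and filtered:
            changes.append(("remove", filtered.group(1)))
        elif kind == "remove" and path.lower() == "members" and not op.get("value"):
            # No filter and no value list: every member is removed (RFC 7644 3.5.2.2)
            changes += [("remove", uid) for uid in sorted(current_members)]
        elif kind in ("add", "remove") and path.lower() == "members":
            # Value-list form; some IdPs also use it for removals
            changes += [(kind, m["value"]) for m in op["value"]]
    return changes


def apply_patch(patch, idp_users, accounts, audit):
    """Apply membership changes to a hypothetical developer-account store."""
    members = {uid for uid, acct in accounts.items() if acct["active"]}
    for action, uid in member_changes(patch, members):
        if action == "add":
            src = idp_users[uid]  # hypothetical mapping of IdP attributes
            accounts[uid] = {"username": src["userName"].upper(),
                             "email": src["emails"][0]["value"], "active": True}
        elif accounts.get(uid, {}).get("active"):
            accounts[uid]["active"] = False  # deactivate; deletion is the alternative
        else:
            continue  # unknown or already inactive user: nothing to apply
        audit.append((action, uid))  # one audit record per applied change
    return accounts


# Constructed sample data: one IdP user record and two group PATCH bodies.
IDP_USERS = {"u1": {"userName": "alice@example.com",
                    "emails": [{"value": "alice@example.com"}]}}
ADD = {"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "Add", "path": "members", "value": [{"value": "u1"}]}]}
REMOVE = {"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "remove", "path": 'members[value eq "u1"]'}]}
```

The removal branches are the ones to test hardest: a removal form the handler does not recognise leaves a developer account active after the user has left the group.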

Comments

  • rizwanarshad OP 8 months ago

    This is the missing piece of our jigsaw puzzle.

    We have SCIM provisioning enabled for other applications that we use (Postman, LastPass) and being able to do this with APEX would be a great feature.

  • filip.huysmans OP 4 months ago

    Is it also possible to provide an extension on the OpenID Connect and OAuth2 authorization schemes to include this, so we can control what happens with the different actions of SCIM and then link this to our custom tables?

  • nickwnj OP 3 weeks ago

    I built a SCIM server for APEX which can be customized. 

    https://github.com/nickwnj/APEX-SCIM-v2

  • marcelo osorio kosky OP 3 weeks ago

    Very good idea… but I have a question, since APEX has several methods of login… Is this pointing only to native accounts? Do we have options to integrate with other methods, like custom?

    Regards,

    Marcelo