Hi,
I need help with ideas on how to analyse an issue we're facing with APEX SSO using MS Azure AD, on ODA 19c with APEX 23.2.
We've used this in multiple environments previously (both 11g and 19c), but when deploying to a new environment we're apparently missing a configuration step we can't track down.
The error we're facing is a message from the MS layer, presented after spinning for a little over 20 seconds.
“We couldn’t sign you in. Please try again.”

Using Tim's setup guide as a checklist of items
https://oracle-base.com/articles/misc/azure-ad-authentication-for-oracle-apex-applications
Wallet
Copied from another environment where SSO is functional, using -auto_login
APEX Wallet path
Pointing to the location of the wallet on the DB server, using the format prescribed.
No wallet password present.
select APEX_INSTANCE_ADMIN.GET_PARAMETER('WALLET_PATH') pth from dual;
file:/u01/app/oracle/admin/wallet/certificate/apex
ACL
Present for both URLs, matching what we have in a functional environment.
select a.host
,count(distinct p.principal) cnt_ace
,listagg(distinct p.principal, ',') within group (order by principal) schemas
from dba_host_acls a
left outer join dba_host_aces p
on a.host = p.host
where a.host like '%micro%'
group by a.host;
HOST CNT_ACE SCHEMAS
------------------------------ ---------- ---------------------------
graph.microsoft.com 2 APEX_220100,APEX_230200
login.microsoftonline.com 2 APEX_220100,APEX_230200
The following returns successfully in SQL Workshop, interestingly with or without the wallet path.
select apex_web_service.make_rest_request(
p_url => 'https://graph.microsoft.com/v1.0/me'
,p_http_method => 'GET'
,p_wallet_path => 'file:/u01/app/oracle/admin/wallet/certificate/apex'
) from dual;
Trying the same for login.microsoftonline.com actually returns an ACL complaint.
ORA-29273: HTTP request failed
ORA-06512: at "APEX_230200.WWV_FLOW_WEB_SERVICES", line 1325
ORA-06512: at "SYS.UTL_HTTP", line 1288
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at "SYS.UTL_HTTP", line 651
ORA-06512: at "SYS.UTL_HTTP", line 1278
ORA-06512: at "APEX_230200.WWV_FLOW_WEB_SERVICES", line 1313
ORA-06512: at "APEX_230200.WWV_FLOW_WEB_SERVICES", line 1514
ORA-06512: at "APEX_230200.WWV_FLOW_WEBSERVICES_API", line 661
I suspect this is due to the redirect identified by those more knowledgeable than me in the ways of networking via
curl -vk https://login.microsoftonline.com/
It can be resolved by adding *.office.com to the ACL list as observed here, but this is not required in environments where SSO is working, despite the same behaviour observed in SQL Workshop.
Web Credentials
Copied from functional environments, pertinent settings:
Authentication Type: OAuth2 Client Credentials Flow
Client ID/Secret: (present)
When we had wrong credentials, different errors were presenting.
Authentication Scheme:
Copied from functional environments, pertinent settings:
Credential Store: (pointing to above)
Authentication Provider: Generic OAuth2 Provider
Authorization Endpoint: https://login.microsoftoneline.com/…
Token Endpoint: https://login.microsoftoneline.com/…
User Info Endpoint URL: https://graph.microsoft.com/v1.0/me
Authentication Method: Basic Authentication and Client ID in Body
Scope: User.Read
Troubleshooting
Nothing present in apex_debug_messages, and I'm struggling to think of other tests that could be performed to determine where the problem lies.
Our weakest point of understanding is how to verify the wallet.
I'm fairly confident the ACLs and APEX configuration are ok, and certainly match the pattern in working environments.
Scott
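The two things the post says are hardest to verify are the wallet and whether the ACL really covers every host the authentication scheme talks to. The PL/SQL block below is an added example (it is not from the post, and not APEX or Oracle code): it drives UTL_HTTP directly, with APEX out of the loop, against each host the scheme references, using the wallet path shown above. It assumes the APEX schema is APEX_230200 as in the ACL output, that it runs as a DBA (for dba_host_aces), and the endpoint list is constructed from the post with the tenant-specific path left out, since only the host matters for ACL and TLS.

```sql
-- Added example, not from the original post: check ACL coverage and the TLS handshake
-- (i.e. the wallet) for each host an APEX OAuth2 authentication scheme references.
-- Assumptions: DBA connection, APEX schema APEX_230200, wallet path as in the post,
-- endpoint hosts constructed from the post (tenant path deliberately omitted).
set serveroutput on
declare
  type t_urls is table of varchar2(400);
  l_urls    t_urls := t_urls(
    'https://login.microsoftonline.com/',   -- host of the authorization and token endpoints
    'https://graph.microsoft.com/v1.0/me'   -- user info endpoint
  );
  l_wallet  constant varchar2(200) := 'file:/u01/app/oracle/admin/wallet/certificate/apex';
  l_schema  constant varchar2(30)  := 'APEX_230200';
  l_host    varchar2(200);
  l_aces    pls_integer;
  l_req     utl_http.req;
  l_resp    utl_http.resp;
begin
  -- same wallet and 'file:' path format APEX uses; null password because it is auto_login
  utl_http.set_wallet(l_wallet, null);
  utl_http.set_transfer_timeout(30);
  -- do not raise on 4xx/5xx: for this test any HTTP status at all proves ACL + wallet + TLS
  utl_http.set_response_error_check(false);

  for i in 1 .. l_urls.count loop
    l_host := regexp_substr(l_urls(i), '^https?://([^/:]+)', 1, 1, 'i', 1);

    -- 1. Is there a GRANT ace for this exact host, or a wildcard covering it, for the APEX schema?
    --    Comparing the host string from the scheme against the ACL here catches a mismatch
    --    that is easy to miss when reading the two by eye.
    select count(*)
      into l_aces
      from dba_host_aces
     where principal = l_schema
       and grant_type = 'GRANT'
       and upper(privilege) in ('CONNECT', 'HTTP')
       and (host = '*'
            or lower(host) = lower(l_host)
            or (host like '*.%' and lower(l_host) like '%' || lower(substr(host, 2))));
    dbms_output.put_line(l_host || ': ' || l_aces || ' matching ace(s) for ' || l_schema);

    -- 2. Can this database complete a TLS handshake with the host using the wallet?
    begin
      l_req  := utl_http.begin_request(l_urls(i), 'GET', 'HTTP/1.1');
      l_resp := utl_http.get_response(l_req);
      -- a 200 or a 302 redirect both mean the wallet trusted the server's certificate chain
      dbms_output.put_line(l_host || ': TLS ok, HTTP ' || l_resp.status_code
                           || ' ' || l_resp.reason_phrase);
      utl_http.end_response(l_resp);
    exception
      when utl_http.request_failed or utl_http.transfer_timeout then
        -- the detailed code is the one to act on:
        --   -24247 denied by ACL for the *connected* user
        --   -29024 certificate validation failure (issuing CA not in the wallet)
        --   -28759 / -28750 wallet could not be opened (path, permissions, not auto_login)
        --   -12545 / -29257 host could not be resolved
        dbms_output.put_line(l_host || ': FAILED ORA' || utl_http.get_detailed_sqlcode
                             || ' ' || utl_http.get_detailed_sqlerrm);
    end;
  end loop;
end;
/
```

Two caveats on reading the output. The catalog count in step 1 is about the APEX schema, but the HTTP request in step 2 is evaluated against the ACL of whichever user runs the block, so run it as a schema that has an equivalent ace if you want step 2 to reproduce the ACL behaviour APEX sees; the wallet and certificate outcomes (ORA-29024, ORA-28759) do not depend on the user. An ORA-29024 on login.microsoftonline.com but not on graph.microsoft.com is the signature of a wallet that trusts one CA chain but not the other, which a wallet copied from a working environment can still exhibit if the certificate chains differ between the two.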