APEX SaaS with Auth0 Organizations

APEX SaaS with Auth0 Organizations


8 min read


Our goal for our APEX application is to create a single platform accessible to multiple businesses without any awareness of each other. Instead of creating individual cloned applications for specific customers, we aim to avoid these maintenance complexities.

Additionally, we require different branded log in screens, enabling each business to access their respective data. User roles will be consistently maintained across the system.

To meet these requirements, we plan to set up Users and Roles within the Identity Provider. Utilizing an API, all User management and Role assignments can be easily handled within APEX, eliminating the need for administrators to log in to the Identity Provider separately.

Advantages of Using an Identity Provider:

  • Centralized authentication and authorization management.

  • Seamless user experience with Single Sign-On (SSO) capability.

  • Enhanced security via multi-factor authentication options.

  • Streamlined user account provisioning and access control.

Auth0 provides a feature where organizations can be managed within the tenant. The diagram below shows an example flow. However, in our solution, we are going to bypass this first sign-in window and have APEX handle that side.

B2B Organizations Business Case diagram

The following steps describe how to set this up.


  1. Run the following in SQL Workshop


    From the results, just copy everything up to the callback phrase, e.g


    Paste this into Notepad as the Callback URL

  2. Obtain your APEX Home URL.. and paste it to Notepad as Home URL e.g.



  3. Now we need to Encode the Home URL for use later, so go here https://www.urlencoder.org/ and paste in the Home URL and replace the section of the full URL below



  4. click ENCODE and copy the encoded URL to Notepad as Encoded Login URL

  5. Append the below phrase to the Encoded Home URL in Notepad


    so that the end of the string looks like


Auth0 Configuration

  1. Sign up for Auth0 - see the plan details for more information. A trial account can access the Organization features, however, you'll need to upgrade your Auth0 account to use it in production.

  2. Once in the Dashboard, click on the top left and copy your AUTH0 Domain to Notepad as AUTH0 Domain. Mine is dev-ipga6 (obfuscated of course).

  3. Take this Domain (e.g dev-ipga6) & Country (e.g. uk) and create a discovery URL and save it in Notepad as the Discovery URL i.e.


    like this for example

  4. Once started, just follow the Create Application Wizard

  5. Choose Name = APEX Organizations and Regular Web Applications and click Create

  6. When the Quickstart tab shows, immediately change to the Organizations tab

  7. Click the Disable Grants Now button and Confirm

  8. Wait 30 Seconds before continuing

  9. Ensure that Business Users & No Prompt are selected. You can choose others, however, this blog is designed for this selection only.

  10. Click Save Changes

  11. Wait 30 Seconds before continuing

  12. Click Organizations in the side menu

  13. Click Create Organization

  14. Enter a lowercase Organization Name & Description

  15. Click Add Organization

  16. At the top, the Organization ID is displayed. Copy this to Notepad as Organization ID

  17. Click Save Changes

  18. Whilst still in Organizations, click Members and Add Member(s) from your users to this Organization. Tip: Use email addresses

  19. Click on Connections and click Enable Connections

  20. Select Username-Password-Authentication

  21. Click Enable Connection

  22. Keep Disable Auto-Membership selected

  23. Repeat the above steps for a second organization. For example here is another one I created

  24. Go back to Applications > Applications > APEX Organizations > Connections

  25. Click Enable Connections For Organizations

  26. Change to the Settings tab

  27. Copy the Client ID and Client Secret to Notepad

  28. Copy the Home URL from Notepad (Not the encoded one) to the Application Login URI e.g

  29. Copy the Callback URL from Notepad to the Allowed Callback URLs e.g.

  30. Allowed Logout URLs paste in the home URL without any parameters i.e it ends with /home e.g

  31. Click Save Changes

  32. Click on Applications > APIs and copy the API Audience (next to Auth0 Management API) to the clipboard and then paste into Notepad as the API Audience.

    Note: The API Audience appears in my PL/SQL code below, however, the code assumes how it's named. If you see any audience issues, please adjust the PL/SQL code accordingly

  33. Click on Auth0 Management API

  34. Click on Machine To Machine Applications and Authorize the APEX Organizations application

  35. On the Permissions (Under APEX Organizations application, just might have to click the Up Chevron), select the following three permissions and click Update



    These permissions allow us to use the Management API to find the Roles our user is assigned to

  36. Click on User Management > Roles > Create Role

  37. Create three test roles (for demonstration, you can remove them later)

  38. Click on User Management > Users

  39. Click the three dots/ellipses next to your Username and change your password (IDK why. I had to do this before the first login)

  40. Click on your Username > Roles

  41. Assign all roles you just created to your username

APEX Configuration

  1. In APEX click App Builder > Workspace Utilities > Web Credentials > Create

    Use the following table:
    Name: ORGS
    Client ID or Username: Paste Client ID from Notepad
    Client Secret or Password: Paste Client Secret from Notepad
    Verify Client Secret or Password: Paste Client Secret from Notepad

  2. Click Create

  3. Click Shared Components > Authorization Schemes > Create > Next

  4. Use the following details:

  5. Click Create to create a new Authorization Scheme and click Next

  6. Repeat the above steps to create Authorization Schemes for MANAGERS and SUPERUSERS (as appropriate)

  7. Click Shared Components > Security Attributes > Source for Role or Group Schemes and set it to Custom Code

  8. Click APEX Application > Shared Components > Application Items > Create

  9. In Name type G_SUB and click Create Application Item

  10. Click APEX Application > Shared Components > Application Items > Create

  11. In Name type G_ORG_ID and click Create Application Item

  12. Click APEX Application > Shared Components > Authentication Schemes > Create

  13. Click Next on Based on a pre-configured scheme from the gallery

  14. Use the following table
    Name: ORGS
    Scheme Type: Social Sign-In
    Credential Store: ORGS
    Discovery URL: Paste Discovery URL from Notepad
    Scope: email,profile
    Authentication URI Parameters: organization=&APP_AJAX_X01.
    Username: email
    Additional User Attributes: sub,user_id,name
    Map Additional User Attributes To: G_SUB

  15. Click Create Authentication Scheme

  16. Click on ORGS Authentication Scheme

  17. Set Switch in Session to Enabled

  18. In the Post-Logout URL, set Go To to URL

  19. Set URL to this:

    https://YOUR_AUTH0_DOMAIN.COUNTRY.auth0.com/v2/logout?returnTo=[ENCODED HOME URL]&client_id=[YOUR CLIENT ID]



    This should ensure that you can log out of APEX & AUTH0 and then return to the APEX Application's AUTH0 login page under the same Organization.

  20. In the Source > PL/SQL Code > paste the code below replacing the three constant default values with your credentials

    PROCEDURE p_post_processing
        l_token_clob     CLOB;
        l_clob          CLOB;
        j apex_json.t_values;
        l_domain CONSTANT VARCHAR2(32767) DEFAULT 'https://dev-ipga6.uk.auth0.com'; 
        l_client CONSTANT VARCHAR2(32767) DEFAULT 'nj7ERT';
        l_secret CONSTANT VARCHAR2(32767) DEFAULT 'd1VjYS';
        l_token  CLOB DEFAULT empty_clob;
        l_sub    VARCHAR2(32767) DEFAULT apex_util.url_encode(:G_SUB);
        l_group_names apex_t_varchar2;
        :G_ORG_ID := apex_json.get_varchar2('org_id');
            p_name_01        => 'Content-Type',
            p_value_01       => 'application/json' );
        l_token_clob := apex_web_service.make_rest_request(
            p_url => l_domain || '/oauth/token',
            p_http_method => 'POST',
            p_body => apex_string.format(
                        l_domain ));
        apex_json.parse(j, l_token_clob); 
        l_token := apex_json.get_clob(p_path=>'access_token',p_values=>j);
            p_name_01        => 'Accept',
            p_value_01       => 'application/json',
            p_name_02        => 'Authorization',
            p_value_02       => 'Bearer ' || l_token );
        l_clob := apex_web_service.make_rest_request(
            p_url => l_domain || apex_string.format('/api/v2/users/%0/roles',l_sub),
            p_http_method => 'GET' );
        apex_json.parse(p_values => j, p_source => l_clob);
       FOR i IN 1 .. apex_json.get_count(p_path=> '.', p_values=> j) 
            -- add all group names to l_group_names
             apex_string.push (
                      p_table => l_group_names,
                      p_value => apex_json.get_varchar2(p_path=>'[%d].name',p0=> i,p_values=>j) );   
       END LOOP;
        -- save group names in session
        apex_authorization.enable_dynamic_groups (
            p_group_names => l_group_names );
    END p_post_processing;
  21. On Page 1, add an Interactive Report region using the following SQL statement

    select *
     where apex_session_id = :APP_SESSION

    This will show you the AUTH0 Roles that have been translated into Dynamic Groups

  22. Optional: Add a test, you can add the MANAGERS, SUPERVISORS or SUPERUSERS APEX Authorization Schemes to APEX Components, to test that the Authorization is working correctly.


  1. Prepare your application URL like this



  2. Paste your URL into a browser tab & you'll see a Login Screen. Enter your AUTH0 User Credentials and click continue

  3. Once in your APEX application, you should see the Auth0 Roles, mapped to APEX Authorizations & correctly observed by APEX. You should also see three entries in your Interactive Report

  4. Sign out of APEX and you will see the Auth0 Login screen again, all set to log back into your APEX application.

  5. Next, try signing in with a different organization

  6. Auth0 will also provide you with the org_id when you login

    In the code above, we grab the org_id and store it in G_ORG_ID.
    This is significant should you wish to implement a VPD (as explained in my other SaaS blog).
    G_ORG_ID is also used within the signout URL, so on logout, it diverts the user back to their organization sign-in page.

  7. Next steps? You can distribute the URLs to your users or use a reverse proxy like Caddy to prettify your URLs. See more on this in my Caddy Blog.

  8. ENJOY!

What's the cover image in this blog? It's Saltburn Pier. Visit Yorkshire!

Thanks to Jon Dixon for pointing out the X01 method πŸ‘