Apigee as a SAML Identity Provider


Introduction

Security Assertion Markup Language (SAML) is an XML based open data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

Apigee Edge enables you to authenticate and authorize apps that are capable of presenting SAML tokens. A SAML token is a digitally signed fragment of XML that presents a set of "assertions". Apigee can function as a service provider (SP) or an Identity Provider (IDP) and provides policies for SAML Assertion generation and validation.

In this article we will build a sample application in which Apigee functions as the Identity Provider (IDP) and Salesforce as the Service Provider (SP). The high-level flow is shown below.

saml-idp.jpg

Installation

The installation and configuration steps required to run this example are listed below.

Certificates

The first thing you need to do is generate the certificate and private key that will be used for digital signatures. You can use openssl to create them as shown below.

$ mkdir certs

$ cd certs

$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 730

This will create the files key.pem and cert.pem.

Then create a descriptor.properties file. First create the META-INF directory:

$ mkdir META-INF

then add the following two lines to the file META-INF/descriptor.properties (the certFile and keyFile keys are the Apigee keystore JAR descriptor format; they point at the two files created above):

certFile=cert.pem
keyFile=key.pem

Then generate a jar containing your key pair and certificate:

jar -cf idpKeystore.jar cert.pem key.pem

Add descriptor.properties to your jar:

$ jar -uf idpKeystore.jar META-INF/descriptor.properties

Now create a keystore in your environment (replace {org_name}, {env_name} and the credentials with your own):

$ curl -H "Content-Type: text/xml" \
  https://api.enterprise.apigee.com/v1/o/{org_name}/environments/{env_name}/keystores \
  -d '<KeyStore name="idpKeystore"/>' -u myname:mypass

Now upload the jar file to the keystore ({key_alias} is the alias the key will be stored under and {key_pass} is the passphrase of the private key, if it has one):

$ curl -X POST -H "Content-Type: multipart/form-data" \
  -F file="@idpKeystore.jar" \
  "https://api.enterprise.apigee.com/v1/o/{org_name}/environments/{env_name}/keystores/idpKeystore/keys?alias={key_alias}&password={key_pass}" \
  -u myname:mypass
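As an added example (not part of the article or the apigee-saml-idp project), the following Python script packages the same three files into the keystore JAR with the standard library's zipfile module, and first inspects the private-key PEM header so that a passphrase-protected key is not uploaded without the password parameter the keystore API expects; the key-parse error quoted in the comments below is the kind of failure this catches before the API call rather than after it. The sample PEM strings are constructed placeholders used only to exercise the header check, not usable keys or certificates; the descriptor key names certFile and keyFile are the ones the Apigee keystore JAR format uses.

```python
"""Package cert.pem + key.pem into an Apigee-style keystore JAR and pre-check the key.

Added example (standard library only), not the article's or the project's code.
"""
import os
import tempfile
import zipfile

# Constructed placeholders: real PEM headers with fake bodies, enough to
# exercise the header check; they are not usable keys or certificates.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               "MIIDazCCAlOgAwIBAgICONSTRUCTED\n"
               "-----END CERTIFICATE-----\n")
SAMPLE_PLAIN_KEY = ("-----BEGIN PRIVATE KEY-----\n"
                    "MIIEvQIBADANBgkqCONSTRUCTED\n"
                    "-----END PRIVATE KEY-----\n")
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                        "MIIFHDBOBgkqCONSTRUCTED\n"
                        "-----END ENCRYPTED PRIVATE KEY-----\n")

PLAIN_HEADERS = ("-----BEGIN PRIVATE KEY-----",      # PKCS#8, unencrypted
                 "-----BEGIN RSA PRIVATE KEY-----",  # PKCS#1 (may carry Proc-Type encryption)
                 "-----BEGIN EC PRIVATE KEY-----")


def pem_key_state(key_pem_text):
    """Classify a private-key PEM as 'plain', 'encrypted' or 'not-a-key'."""
    lines = [l.strip() for l in key_pem_text.splitlines() if l.strip()]
    first = lines[0] if lines else ""
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"  # PKCS#8 with a passphrase (what openssl req produces without -nodes)
    if first in PLAIN_HEADERS:
        # Legacy PEM encryption is signalled by a Proc-Type header right after BEGIN
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in key_pem_text else "plain"
    return "not-a-key"


def check_key_for_upload(key_pem_text, key_pass):
    """Return None when the key can be uploaded as-is, else a description of the problem.

    The keystore upload call takes a password parameter for a protected key, so an
    encrypted key sent without one is a mismatch worth catching before the 400 response.
    """
    state = pem_key_state(key_pem_text)
    if state == "not-a-key":
        return "key file does not start with a PEM private-key header"
    if state == "encrypted" and not key_pass:
        return "key is passphrase-protected but no password was supplied"
    return None


def descriptor_properties(cert_name, key_name):
    """Contents of META-INF/descriptor.properties (Apigee keystore JAR format)."""
    return "certFile=%s\nkeyFile=%s\n" % (cert_name, key_name)


def build_keystore_jar(cert_path, key_path, jar_path, key_pass=None):
    """Write the JAR (a zip with a META-INF entry) and return its sorted member list."""
    with open(key_path) as f:
        problem = check_key_for_upload(f.read(), key_pass)
    if problem:
        raise ValueError("%s: %s" % (key_path, problem))
    cert_name, key_name = os.path.basename(cert_path), os.path.basename(key_path)
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.write(cert_path, cert_name)
        jar.write(key_path, key_name)
        jar.writestr("META-INF/descriptor.properties",
                     descriptor_properties(cert_name, key_name))
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(jar.namelist())


def demo():
    """Build a JAR from the constructed sample files in a temp dir; returns the members."""
    d = tempfile.mkdtemp()
    cert_path, key_path = os.path.join(d, "cert.pem"), os.path.join(d, "key.pem")
    with open(cert_path, "w") as f:
        f.write(SAMPLE_CERT)
    with open(key_path, "w") as f:
        f.write(SAMPLE_PLAIN_KEY)
    return build_keystore_jar(cert_path, key_path, os.path.join(d, "idpKeystore.jar"))


if __name__ == "__main__":
    print(demo())
```

Run it against the real cert.pem and key.pem from the openssl step; if the key was created with a passphrase, pass that passphrase as key_pass and use the same value for {key_pass} in the upload URL.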

Next, do the necessary configuration in Salesforce.

Salesforce (Service Provider) Setup

1. Sign up for a free developer account at https://developer.salesforce.com/

2. Log in and select Security Controls -> Single Sign-On Settings

step2.png

3. Check the SAML Enabled check box shown on the screen, add the SAML single sign-on settings as shown below, and hit Save.

step3.png

4. Register your subdomain in Salesforce.

step4.png

5. Enable login with your SAML configuration.

step5.png

6. Log out and access Salesforce using your registered domain. You will see the SAML login option on the page.

step6.png

Apigee (IDP) Setup

7. Download the proxy source code from https://github.com/shahbagdadi/apigee-saml-idp

8. Edit setConfig.js with the configuration for your environment.

9. cd to the apigee-saml-idp folder and deploy the proxy using:

python tools/deploy.py -n apigee-saml-idp -u userid:password -o org -e env -d . -p /

10. Open your Salesforce domain and click the "ApigeeSAML" button to authenticate and log in using Apigee as the IDP.
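To make the IDP-to-SP step concrete, here is an added Python example (standard library only; not the proxy code from the repository above) that builds a minimal unsigned SAML 2.0 assertion the way an IDP would and then applies the checks an SP such as Salesforce performs on it: issuer, audience restriction and validity window. The issuer and audience values are the ones given in the comments below (the Apigee endpoint and https://saml.salesforce.com); the subject e-mail address and timestamps are constructed. XML signature creation and verification, which the Apigee SAML policies do with the keystore above, is deliberately left out, so a real SP must additionally verify the signature against the IDP certificate before trusting any of these fields.

```python
"""Minimal SAML 2.0 assertion builder and SP-side condition checker (stdlib only).

Added example, not the Apigee proxy's code. The IDP issues an assertion for a
subject; the SP checks issuer, audience and validity window. XML-DSig is not
implemented here: a real SP rejects any assertion whose signature does not
verify against the IDP certificate (cert.pem from the keystore step).
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed sample values; issuer and audience follow the comments on this page
EXAMPLE_ISSUER = "http://org-env.apigee.net"        # IDP endpoint on Apigee
EXAMPLE_AUDIENCE = "https://saml.salesforce.com"    # Salesforce entity ID
EXAMPLE_ISSUED_AT = datetime(2016, 6, 21, 7, 30, 22, tzinfo=timezone.utc)


def _q(tag):
    return "{%s}%s" % (SAML_NS, tag)


def _ts(dt):
    # SAML carries UTC xsd:dateTime values with a trailing Z
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(issuer, subject_name_id, audience, issued_at, lifetime_seconds=300):
    """Return an unsigned <saml:Assertion> as a string (IDP side)."""
    assertion = ET.Element(_q("Assertion"), {
        "Version": "2.0",
        "ID": "_" + uuid.uuid4().hex,      # must start with a letter or underscore
        "IssueInstant": _ts(issued_at),
    })
    ET.SubElement(assertion, _q("Issuer")).text = issuer
    subject = ET.SubElement(assertion, _q("Subject"))
    name_id = ET.SubElement(subject, _q("NameID"), {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"})
    name_id.text = subject_name_id
    conditions = ET.SubElement(assertion, _q("Conditions"), {
        "NotBefore": _ts(issued_at),
        "NotOnOrAfter": _ts(issued_at + timedelta(seconds=lifetime_seconds)),
    })
    restriction = ET.SubElement(conditions, _q("AudienceRestriction"))
    ET.SubElement(restriction, _q("Audience")).text = audience
    return ET.tostring(assertion, encoding="unicode")


def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """SP-side checks. Returns (True, name_id) or (False, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != _q("Assertion") or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 Assertion"
    issuer = root.findtext(_q("Issuer"))
    if issuer != expected_issuer:
        return False, "unexpected issuer %r" % issuer
    conditions = root.find(_q("Conditions"))
    if conditions is None or not conditions.get("NotBefore") or not conditions.get("NotOnOrAfter"):
        return False, "missing Conditions or validity window"
    not_before = _parse_ts(conditions.get("NotBefore"))
    not_on_or_after = _parse_ts(conditions.get("NotOnOrAfter"))
    if now < not_before or now >= not_on_or_after:
        return False, "assertion outside validity window"
    audiences = [a.text for a in conditions.iter(_q("Audience"))]
    if expected_audience not in audiences:
        return False, "audience restriction does not include this SP"
    name_id = root.findtext("./%s/%s" % (_q("Subject"), _q("NameID")))
    if not name_id:
        return False, "missing Subject/NameID"
    return True, name_id


def demo():
    """Issue one assertion and validate it fresh, expired, and at the wrong SP."""
    xml = build_assertion(EXAMPLE_ISSUER, "user@example.com", EXAMPLE_AUDIENCE, EXAMPLE_ISSUED_AT)
    t = EXAMPLE_ISSUED_AT
    fresh = validate_assertion(xml, EXAMPLE_ISSUER, EXAMPLE_AUDIENCE, t + timedelta(seconds=10))
    expired = validate_assertion(xml, EXAMPLE_ISSUER, EXAMPLE_AUDIENCE, t + timedelta(seconds=600))
    wrong_sp = validate_assertion(xml, EXAMPLE_ISSUER, "https://other-sp.example", t + timedelta(seconds=10))
    return fresh, expired, wrong_sp


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The audience check is what ties the assertion to the Entity ID configured in Salesforce, and the issuer check is what ties it to the Apigee endpoint entered as Issuer; an assertion that passes both but fails the validity window is rejected, which is why the IDP and SP clocks need to agree.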

Comments
Not applicable

Awesome! I'm trying these steps now.

cladius_fernand
Participant V

Thanks for the tutorial. What values are required to be entered in Salesforce on the SSO Settings page for Issuer and Entity ID?

Not applicable

Entity ID: https://saml.salesforce.com

Issuer will be your endpoint on Apigee, i.e. http://org-env.apigee.net

sgilson
Participant V

@shah The images are all missing. Is there any way to add them back?

Stephen

Not applicable

I am going to refer to @Birute Awasthi. Can something be done to get back the missing images?

Thanks.

--Pradeep

davidmehi
Staff

Screenshots, proxy code and other information are available at:

https://github.com/shahbagdadi/apigee-saml-idp

Not applicable

I tried this command { $ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 730 } in the openssl tool. It created two files, cert.pem and key.pem, in the openssl bin folder. Finally I uploaded the jar file on the Apigee website { upload a jar file to a keystore link }. I got this response:

HTTP/1.1 400 Bad Request
Connection: keep-alive
Content-Length: 229
Content-Type: application/json
Date: Tue, 21 Jun 2016 07:30:22 GMT
Server: Apigee Router

{
  "code": "messaging.config.beans.KeyParseFailure",
  "message": "Failed to parse the Key file : keystore",
  "contexts": [],
  "cause": {
    "message": "Invalid rsa key, reason - bad decrypt",
    "contexts": []
  }
}

Can anyone point out what the problem is?

Thanks in advance

Version history
Last update: 03-27-2015 05:29 PM