Edge UI: External authentication using client certificates (private cloud/on prem)

We have a private cloud/on prem setup and would like to authenticate Edge UI users using client certificates instead of id/password or SAML.

  • Is this possible through configuration similar to external authentication using id/password against an LDAP? If so, how?

Or

  • Is this possible by implementing a class, e.g. by implementing a class configurable as conf_security_externalized.authentication.implementation.class (similar to the external role mapper integration concept)? If so, what is the contract/interface of that class?

I don't know about implementing a "class". I am pretty sure there is no documented extension point for the Apigee Edge product that would allow you to implement a class that provides authentication for users who sign in to the admin UI. It's possible that such a mechanism exists. I've been using the product for 7 years and I've never heard of it, so if it exists, it would be a pretty big secret. (I work with mostly mainstream commercial customers.)

SAML is the mechanism for integrating an external IdP into Apigee Edge (as well as virtually every other system out there that supports federated identity).

I can imagine an IdP sign-in page that authenticates the user (+client?) based on a certificate, rather than based on the traditional username/password credential. SAML doesn't stipulate that an IdP must accept a username/password pair as a credential.

But implementing that sign-in would be up to you. I don't know of a system that does this. Basically it would need to be a system that accepts certs as credentials, and then asserts identity to the SAML SP (Apigee Edge) via the standard SAML 2.0 protocol.


This is an interesting question, but it seems pretty unique.

What are you really trying to do? Can you provide more details?

Just as soon as I typed that, I remembered the FIDO Alliance and the goals there: passwordless user authentication. There's a tech note that describes how a FIDO IdP might accept a cert presented on a security key as user credentials, and then act as a SAML IdP to some SAML SP (like Apigee Edge). So maybe you can use Google Sign-in (which allows YubiKey authn) as your SAML IdP. Maybe that will be interesting to you.

Thanks for your answer. Using the SSL client cert of the already authenticated user from the request ("javax.servlet.request.X509Certificate") is a very simple solution and works well for us for most applications (especially for those we develop in-house, but also for many other applications we just integrate).

We don't have SAML infrastructure in place, so getting something with SAML going in a safe way would probably mean quite some work. But I will have a look in more detail.

The same is probably true for FIDO.

Again, for us the most simple solution would probably be if Apigee would let us officially implement the class to set as conf_security_externalized.authentication.implementation.class. I also could not find any documentation for this, but it would be nice if this changed 😉

BTW, our solution is on prem (private cloud) and we cannot (yet) use Google services like Google Sign-in.

Thanks anyway!
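The mechanism the reply above describes, as an added illustration that is not the poster's code and not anything Apigee ships: a servlet filter that reads the client certificate the container already verified during the TLS handshake from the `javax.servlet.request.X509Certificate` attribute and derives a login name from its subject CN. The filter class, the `authenticatedUser` request attribute and the CN-to-user mapping are assumptions; the attribute is only populated when the container itself terminated mutual TLS, so it is absent behind a proxy that strips client auth.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: derives the UI user from the client certificate that the
// servlet container validated against its trust store during the TLS handshake.
public class ClientCertIdentityFilter implements Filter {
    // Attribute name defined by the Servlet specification.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Assumed attribute that the rest of the application reads the login name from.
    static final String USER_ATTR = "authenticatedUser";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Set by the container only after a successful client-auth handshake;
        // it is never taken from a request header, which a client could forge.
        X509Certificate[] tlsChain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (tlsChain == null || tlsChain.length == 0) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        X509Certificate leaf = tlsChain[0];       // index 0 is the end-entity certificate
        try {
            leaf.checkValidity();                 // reject expired or not-yet-valid certificates
            String user = commonName(leaf);
            if (user == null) { response.sendError(403, "no CN in subject"); return; }
            request.setAttribute(USER_ATTR, user);
        } catch (CertificateException | InvalidNameException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "unusable client certificate");
            return;
        }
        chain.doFilter(req, res);
    }

    // Extracts the CN from the subject DN, e.g. "CN=alice,OU=dev,O=example" -> "alice".
    static String commonName(X509Certificate cert) throws InvalidNameException {
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
        }
        return null;
    }
}
```

Revocation is not covered here: the container's trust-store check does not consult CRLs or OCSP unless configured to, so a revoked-but-unexpired certificate would still pass this filter.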