Username aliases for Org users in Edge

Hi All,

We have an OPDK installation of Apigee Edge. We need to integrate the user management of Edge, be it Org users or Developers, with a third-party system.

For Developers we have a username field which we can use as an alias and create users with a UUID.

But the Org user management APIs don't provide such an option.

The documentation page here says that we can use the part of the email address before @ as the username.

But when I try to log in to Edge with just the username part, say "mohammed.zuber", of the email ID "mohammed.zuber@xxx.com" that was used to register this account, Edge gives an error saying invalid username/password combination.

Do we have any configuration or any other way in which we can use a UUID as an alias to log in to Edge?

1 ACCEPTED SOLUTION

Thanks @gbhandari, your answer was helpful.

Just to be clearer on the solution, we have used Apigee's external authentication feature.

Apigee allows the user authentication to be moved to external Active Directory/LDAP.

There are two options available for this.

1. Indirect Binding

With indirect binding authentication, the user enters a credential, such as an email address, username, or some other attribute, and Edge searches the authentication system for this credential/value. If the search is successful, the system extracts the LDAP DN from the search results and uses it with the provided password to authenticate the user. The key point to know is that indirect binding authentication requires the caller (e.g., Apigee Edge) to provide external LDAP admin credentials so that Edge can "log in" to the external LDAP and perform the search. You must provide these credentials in an Edge configuration file.

2. Direct Binding

With direct binding authentication, Edge sends credentials entered by a user directly to the external authentication system. In this case, no search is performed on the external system. Either the provided credentials succeed or they fail (e.g., if the user is not present in the external LDAP or if the password is incorrect, the login will fail). Direct binding authentication does not require you to configure admin credentials for the external auth system in Apigee Edge (as with indirect binding authentication).

For more details on configuring and using external authentication refer to the link below:

https://docs.apigee.com/sites/docs/files/ApigeeEdgePrivateCloud-ExtAuthConfig.pdf

Hope this will be helpful to others!

Thanks.

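The two binding modes described in the accepted answer, and the point made in the reply below that the external system hands back the email ID Edge then uses for the role lookup, as a worked example. This is an added illustration, not code from the post, from the Apigee documentation or from the product: it simulates the external LDAP/AD in memory, and every DN, user, password, UUID, service account name and role table in it is constructed. It also adds two checks a search-then-bind implementation needs that the answer does not spell out: the typed alias is escaped before it goes into the search filter, and a search that does not return exactly one entry is refused.

```python
"""Simulated Apigee-Edge-style external authentication: indirect (search-then-bind)
versus direct (bind-by-DN). Added example; the directory, users, passwords, service
account and role table below are all constructed, not real data or product code."""
import re

BASE_DN = "ou=people,dc=example,dc=com"
ZUBER_UID = "7f3c1a2e-9b5d-4c6e-8a1f-2d3e4f5a6b7c"   # constructed UUID alias
JANE_UID = "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d"    # constructed UUID alias

# Constructed stand-in for the external LDAP/AD: DN -> attributes.
DIRECTORY = {
    "uid=%s,%s" % (ZUBER_UID, BASE_DN): {
        "uid": ZUBER_UID, "mail": "mohammed.zuber@xxx.com", "userPassword": "zuber-pass-1"},
    "uid=%s,%s" % (JANE_UID, BASE_DN): {
        "uid": JANE_UID, "mail": "jane.doe@xxx.com", "userPassword": "jane-pass-2"},
}
# Service account Edge would bind as for indirect binding (assumed name and password).
SERVICE_DN = "cn=edge-search,ou=services,dc=example,dc=com"
SERVICE_PASSWORD = "svc-pass-3"
# Constructed Edge-side role table, keyed by the email Edge registered the user under.
EDGE_ROLES = {"mohammed.zuber@xxx.com": ["orgadmin"], "jane.doe@xxx.com": ["user"]}


def ldap_bind(dn, password):
    """Simulated simple bind: succeeds only if the DN exists and the password matches."""
    if dn == SERVICE_DN:
        return password == SERVICE_PASSWORD
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def escape_filter_value(value):
    """RFC 4515 escaping for a user-supplied value embedded in a search filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """RFC 4514 escaping for a user-supplied value placed in a DN component."""
    return "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)


def ldap_search(filter_str):
    """Simulated search over DIRECTORY. Understands '(attr=pattern)' with '*'
    wildcards and RFC 4515 '\\XX' escapes; anything else is a malformed filter."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filter_str)
    if not m:
        raise ValueError("malformed filter: " + filter_str)
    attr, pattern = m.group(1), m.group(2)

    def unescape(s):
        return re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), s)

    # Split on unescaped '*' first, so an escaped \2a becomes a literal '*' to match.
    regex = ".*".join(re.escape(unescape(part)) for part in pattern.split("*"))
    return [dn for dn, e in DIRECTORY.items() if attr in e and re.fullmatch(regex, e[attr])]


def authenticate_indirect(alias, password, alias_attr="uid"):
    """Search-then-bind. Edge binds with its own service credentials, looks the
    typed alias up, then binds as the DN it found. Returns the entry's mail or None."""
    if not ldap_bind(SERVICE_DN, SERVICE_PASSWORD):
        raise RuntimeError("service bind failed: check the admin credentials in the Edge config")
    hits = ldap_search("(%s=%s)" % (alias_attr, escape_filter_value(alias)))
    if len(hits) != 1:           # unknown alias, or an ambiguous result: refuse
        return None
    return DIRECTORY[hits[0]]["mail"] if ldap_bind(hits[0], password) else None


def authenticate_direct(alias, password):
    """Bind-by-DN: the DN is built from a template, no search and no service account.
    Works only when what the user types is exactly the RDN value."""
    dn = "uid=%s,%s" % (escape_dn_value(alias), BASE_DN)
    return DIRECTORY[dn]["mail"] if ldap_bind(dn, password) else None


def edge_login(alias, password, mode="indirect"):
    """Authenticate externally, then resolve roles by the returned mail, not by the
    alias the user typed. None means login refused (bad credentials or no Edge user)."""
    auth = authenticate_indirect if mode == "indirect" else authenticate_direct
    mail = auth(alias, password)
    return EDGE_ROLES.get(mail) if mail else None


if __name__ == "__main__":
    print(edge_login(ZUBER_UID, "zuber-pass-1"))                           # ['orgadmin']
    print(edge_login("mohammed.zuber@xxx.com", "zuber-pass-1", "direct"))  # None: no such DN
    print(len(ldap_search("(uid=*)")))      # 2: what an unescaped '*' alias would match
    print(authenticate_indirect("*", "zuber-pass-1"))                      # None: escaped
```

The contrast to take from it: with indirect binding the alias can be any searchable attribute (a UUID in `uid`, or the registered email in `mail`), at the cost of keeping a service credential in the Edge config and of having to escape the typed value before it is interpolated into the filter; with direct binding there is no service credential and no filter, but only values that fit the DN template can log in, so an email address typed against a `uid=` template simply fails.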

3 REPLIES

@Mohammed Zuber

The APIGEE Edge LDAP server can be integrated with a third-party system for user authentication. So basically the process is:

1) When you add the user to Edge, you are required to give an email ID, first name, last name and default password.

2) After adding the user to Edge, give the proper role to the user for any org.

3) After this, the user can log in using some ID, say a UUID. This is possible only if the email ID is mapped to the UUID.

So what will actually happen is that, say, when the user enters the unique ID and password, the LDAP will send these details to the third-party system and, if the authentication is successful, the third party will send back the email ID. This email ID will be used by the LDAP server to check the role assigned to the user in the org.

Also, the default password that one uses to add the user (step 1) and the actual password that the user types can be different.
