Can Apigee connect to an IDP server to get the tokens and the same IDP used for 2 different databases?

asurajpai
Participant V

We would like to know if Apigee would be able to connect to an IDP server to get the tokens, and whether the same IDP could be used to connect to two different databases?

The main requirement would be to create one user login, so that all underlying system authorization becomes seamless.


asurajpai
Participant V

Hi @sarthak, can you please help me out here with this case?

@asurajpai I can try to help. But can you clarify the question above?

Are you trying to connect to an external IDP to authorize the API calls? What sort of IDP is this? What protocol should Apigee talk to the backend with? LDAP/AD/OAuth etc.?

sarthak
Participant V

@asurajpai Did you have a comment and delete it? I got an email but don't see it here. Did you figure out how to do it?

asurajpai
Participant V

I had sent an Ask an Expert request.

Ohh ok.. Feel free to post the details of your question here. I want to know: "Are you trying to connect to an external IDP to authorize the API calls? What sort of IDP is this? What protocol should Apigee talk to the backend with? LDAP/AD/OAuth etc.?"

asurajpai
Participant V

Right now the customer uses IS-RETAIL ERP on HANA (one instance) and a separate HANA instance for customer data/real-time stock.

They developed a number of mobile HTML5 apps that access services from these two systems as "one app":

  • Services from IS-RETAIL ERP are exposed as OData via NW Gateway
  • Services from native HANA are exposed as OData via HANA XS
  • Currently users are set up in Active Directory, which is then synced with Ping Identity as the IDP

SAP GRC Access Control is linked to these and provisions valid/risk-assessed users into IS-RETAIL ERP.

Currently any access to native HANA is done based on a common "service" account for XS calls (they have been examining moving to SAML integration as they have recently moved to the latest HANA Support Pack).

Right now they use Apigee and NW Gateway, but NW Gateway is wrongly set up to access not only the ERP OData services but also HANA XS, and this doesn't follow our recommended "pattern", whereby we recommended Web Dispatcher.

Web Dispatcher has been recommended as a proxy setup…

However, the customer would like to make use of their strategic Apigee platform and guarantee a better user experience (and hence the discussion about SAML assertion to both systems in a coordinated manner, which currently we cannot provide).

Ideally the customer wants a user, once provisioned, to see POs in Europe on ERP and then also in HANA (making use of analytic privileges rather than service account access).

The question is, @sarthak: could Apigee remove the need for a Web Dispatcher (it is an additional overhead system they currently don't use and it doesn't solve the user experience/authorization issue below), and could it provide the aligned SAML assertion etc.?

@asurajpai

Apigee does provide the ability to generate SAML assertions for outbound requests. Please refer to:

http://docs.apigee.com/api-services/reference/saml-assertion-policy

If the Web Dispatcher functionality needs to be replicated from within Edge, then the custom functionality would need to be developed using JavaScript/Java and then invoked using an appropriate callout policy.

Similarly, a Service Callout policy can be used to call the IDP service. Could you please elaborate on what the Web Dispatcher functionality is? That would enable us to advise whether any out-of-the-box functionality can help or whether something needs to be developed and invoked through a callout.
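As an added illustration of the policy referenced in the reply above (this is example configuration written for this thread, not Apigee's own documentation sample and not anything the customer has deployed), the following GenerateSAMLAssertion policy signs an assertion for one backend and places it in the WS-Security header of an outbound SOAP request. The keystore name, key alias, issuer URI, policy name and the `idp.user.id` flow variable are all hypothetical; the flow variable is assumed to have been populated earlier in the proxy flow, for example after the caller's token has been validated.

```xml
<!-- Added example, not from the thread: an Apigee Edge GenerateSAMLAssertion
     policy that signs an outbound SAML assertion for the ERP backend.
     Keystore name, alias, issuer and the subject flow variable are hypothetical. -->
<GenerateSAMLAssertion name="SAML-Assert-ERP" ignoreContentType="false">
  <!-- Leave empty to use the policy default canonicalization -->
  <CanonicalizationAlgorithm />

  <!-- Issuer that the backend's SAML trust configuration expects (hypothetical) -->
  <Issuer>https://api.example.com/apigee-saml-issuer</Issuer>

  <!-- Private key used to sign the assertion. The keystore and alias must be
       uploaded to the environment beforehand; names here are hypothetical. -->
  <KeyStore>
    <Name>erp-saml-keystore</Name>
    <Alias>erp-signing-key</Alias>
  </KeyStore>

  <OutputVariable>
    <!-- The generated assertion is also stored in this flow variable -->
    <FlowVariable>assertion.content</FlowVariable>
    <!-- Insert the signed assertion into the outbound SOAP security header -->
    <Message name="request">
      <Namespaces>
        <Namespace prefix="soap">http://schemas.xmlsoap.org/soap/envelope/</Namespace>
        <Namespace prefix="wsse">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd</Namespace>
      </Namespaces>
      <XPath>/soap:Envelope/soap:Header/wsse:Security</XPath>
    </Message>
  </OutputVariable>

  <!-- Leave empty to use the policy default signature algorithm -->
  <SignatureAlgorithm />

  <!-- Subject is read from a flow variable set earlier in the flow (hypothetical
       name); the literal is only used if the variable is unset -->
  <Subject ref="idp.user.id">unresolved-subject</Subject>
</GenerateSAMLAssertion>
```

Two points a practitioner would check before relying on this for the scenario in the thread: the `Message`/`XPath` target assumes a SOAP envelope, whereas the OData services described above are plain HTTP, so for those calls the assertion would be taken from the `assertion.content` flow variable and passed in whatever form the backend's SAML integration expects; and a second copy of the policy with its own issuer, keystore and subject mapping would be attached for the HANA XS target, so that each backend receives an assertion signed for its own trust configuration rather than a shared service-account credential.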