SAML Support for Apigee

Hi Team,

IBM has a security product which can be used for SAML 2.0 SSO integrations. IBM wants to develop quick SAML 2.0 SSO connectors of this security product for various service providers. Apigee is one such service provider for which IBM wants to develop such a connector between the IBM product, which acts as the Identity Provider, and various partners (Service Providers) using SAML 2.0.

The purpose of these connectors is to make SAML 2.0 SSO integration easy and quick.

We (Persistent) are IBM contractors and are working on this connector development project with IBM.

Kindly do let us know whether

1. Free trial of Apigee SAML 2.0 SSO feature.

2. If it doesn't support, we'd like to know the pricing details to purchase a paid account with SAML 2.0 capability.

Could you please let us know the required process for setting up SAML with Apigee?

Did you try a trial account and the policies were not available?

I just checked one of my trial orgs and the policies appeared ready for use. I think it should work for you.

Handy link to SAML docs: http://docs.apigee.com/api-services/content/saml

Hi Carlos, thanks for the heads-up.

I have a trial account and have activated API management.

I can see only OAuth and want the configuration setting to configure SAML 2.0. We have an IBM identity provider and want to set Apigee as the Service Provider.

Please confirm: when you are editing a proxy and want to add a policy to a flow, you are only seeing the OAuth policies and not the SAML policies, as shown below? There is no automatic configuration for SAML. You will need to configure the proxy.

2881-samlpolicies.png

What

  • Inbound authentication and authorization: Validate SAML Assertion policy. The SAML policy type enables API proxies to validate SAML assertions that are attached to inbound SOAP requests. The SAML policy validates incoming messages that contain a digitally-signed SAML assertion, rejects them if they are invalid, and sets variables that allow additional policies, or the backend services itself, to further validate the information in the assertion.
  • Outbound token generation: Generate SAML Assertion policy. The SAML policy type enables API proxies to attach SAML assertions to outbound XML requests. Those assertions are then available to enable backend services to apply further security processing for authentication and authorization.

I have added the Validate assertion as mentioned in the pic.

apigeeee2.png

Then how to proceed with that?

apigeeee3.png

Have you examined the documentation on the SAML policy? http://docs.apigee.com/api-services/content/saml

If so, what specifically is the problem?

I checked the documentation.

As per it, when you have Validate Assertion it acts as SP, and we have an IBM Identity Provider which will send the assertions and Apigee will validate (act as SP) in our use case.

So we don't need the Generate SAML assertion part, right? If we are to configure only as SP.

Hi Dino,

I am trying to add the ValidateSAMLAssertion policy to the default helloworld application in Apigee. Following is the sample XML code I have written to validate the assertion:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ValidateSAMLAssertion ignoreContentType="true" name="Validate-SAML-Assertion-1">
        <Source name="request">
            <Namespaces>
                <Namespace prefix="samlp">urn:oasis:names:tc:SAML:2.0:protocol</Namespace>
                <Namespace prefix="saml">urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
            </Namespaces>
            <XPath>/samlp:Response/saml:Assertion</XPath>
        </Source>
        <TrustStore>myKeystore</TrustStore>
        <RemoveAssertion>false</RemoveAssertion>
        <DisplayName>ValidateSAMLAssertion</DisplayName>
    </ValidateSAMLAssertion>

What should be the issuer and assertion consumer service endpoint for this application that we need to share with identity provider to send SAML Assertion?