Apigee Edge Integration with Active Directory for External Auth provider

Hi,

We are working on integrating Active Directory as an external authentication provider for our on-prem Apigee deployment (private cloud v 4.16.05). I have followed the "Apigee Edge Private Cloud External Auth" document provided by Apigee. Here are some of the things that have worked and some that have not quite worked:

1) One of the important things that we have seen is that when installing Apigee private cloud, we need to make a user that already exists in AD the sysadmin for the Apigee installation. If Apigee is built using a local user as sysadmin (one that resides in Apigee LDAP only), then we can't change it and make Apigee use a sysadmin that resides in AD.

2) Tried both direct and indirect binding recommended in the Ext Auth doc and it works fine.

3) Tried dynamic role mapping using custom code (one that implements ExternalRoleMapperService service) and dynamic role mapping did not work. Only the static role mapping works alright, as in the user should already have been pre-allocated a role in Apigee using Mgmt API or Edge UI. The dynamic role mapping based on the AD group membership of users did not work.

4) Trying to use a username, e.g. cn, samaccountname etc., as the login rather than email also does not work. So, e.g., john.doe@myorg.com as login works fine but not jdoe.

So summarizing, AD as an external auth provider works fine for both direct and indirect binding and with email address as the login name.

Has anyone been able to make points 3 & 4, i.e. dynamic role mapping and samaccountname as username, work?


Hi @Alok.Chugh2

On your point (4), yes you should be able to get that working. The main things are:

  • use indirect bind
  • ensure there is a field in your external AD that contains the user's email address from Apigee's LDAP
  • set the value for the property "externalized.authentication.user.store.user.email.attribute" to the name of the field in your external AD that contains the user's email address
  • set the value for the property "externalized.authentication.user.store.user.attribute" to the name of the field in your external AD that contains the non-email username

For example, in Apigee you set up john.doe@myorg.com

In your external AD, you add a user with userPrincipalName of jdoe, you also add a property called, say, apigeeUserEmail and you set that to john.doe@myorg.com.

In your Apigee config, you set:

externalized.authentication.user.store.user.email.attribute=apigeeUserEmail
externalized.authentication.user.store.user.attribute=userPrincipalName

What happens is that when a user enters jdoe as the username, the authentication first does the indirect bind using jdoe on userPrincipalName. Assuming that succeeds, it then queries your external AD for the contents of apigeeUserEmail, where it gets john.doe@myorg.com, and then uses that to find the user's role in Apigee LDAP.

Hopefully this makes sense and will help get you sorted for that part of your question.

I'm not familiar with the dynamic role mapping side, hopefully someone else can help solve that one.

Hi @mschreuder

Thanks for your response. I did try out these settings with both direct and indirect binding but was not successful.


Hi Alok.Chugh2

Answers to your questions:

3. Apigee doesn't support dynamic role mapping. Apigee allows custom role creation; creating equivalent custom roles and matching/mapping them to customer-specific ones is implemented through an ExternalRoleMapperService implementation.

4. Apigee supports username/id login, which requires a little tweak in the properties.

Below are the two attributes it requires: user.attribute defines the username property, and user.email.attribute is the email attribute name (the email attribute is required for seamless authorization).

a. externalized.authentication.user.store.user.attribute=sAMAccountName

b. externalized.authentication.user.store.user.email.attribute=userPrincipalName

Thanks

Gopi

Hi @gopi

Thanks for your response.

I did not quite understand your point #3. First I created a custom developer role using the Edge UI. Then I tried to assign it to a user during the authorization/role mapping stage via custom code that implements ExternalRoleMapperService. This is what I called dynamic role allocation. However, it did not work. I could only use the roles for the user which were allocated by the Edge UI and not by the custom code. Could you please elaborate on your point further.

For point #4, and referring to "Apigee Edge Private Cloud Ext Auth.pdf", section "Additional config required in event of different sysadmin credentials" and sub-section "Editing the Edge management UI credential": as per the instructions we had to change the ADMIN_EMAIL to the username or sAMAccountName. But once I do that and run /opt/apigee/apigee-setup/bin/setup.sh, it throws an error. Probably it does not like non-email-address names for ADMIN_EMAIL.

I tried skipping this step before and tried:

a. externalized.authentication.user.store.user.attribute=sAMAccountName

b. externalized.authentication.user.store.user.email.attribute=userPrincipalName

but it did not work.

Thanks

Alok


Hi Alok,

IMO point 3 is supposed to work the way you mentioned. Hope you map your custom role per the Apigee specification, which is new NameSpacedRole("customRole", new OrganizationNamespace(orgName)).

Point 4: does the Edge UI work for your sysadmin email address (not username)? If so, you just need to change the user.attribute as mentioned above and run the setup to generate the UI config file to make the UI work.

Thanks

Gopi

Hi @gopi

For point #3 I tried both

    results.add(new NameSpacedRole("MyCustomRole", new OrganizationNamespace("my-org")));

and

    results.add(new NameSpacedRole("MyCustomRole", SystemNamespace.get()));

However, post login I see only the pre-allocated role for the user and not the dynamic role which custom code allocated. Has this feature been tested for private cloud v 4.16.05? Please suggest as we are blocked on this module for our Prod deployment plan.

Also, a different observation: we have to handle authorization of the sysadmin user in the custom code as well, otherwise the sysadmin can't log in to the Edge UI. I had to add the following code in order to handle authorization for sysadmin.

    if (userName.equalsIgnoreCase("sysadmin@myorg.com")) { // If username is sysadmin
        if (requestedNameSpace instanceof SystemNamespace) {
            results.add(new NameSpacedRole("orgadmin", SystemNamespace.get()));
            results.add(new NameSpacedRole("sysadmin", SystemNamespace.get()));
        } else if (requestedNameSpace instanceof OrganizationNamespace) {
            String orgName = ((OrganizationNamespace) requestedNameSpace).getOrganization();
            results.add(new NameSpacedRole("orgadmin", new OrganizationNamespace(orgName)));
            results.add(new NameSpacedRole("sysadmin", SystemNamespace.get()));
        }
    }
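As an added example (not Alok's, Gopi's or Apigee's code), this is the shape of a group-driven getUserRoles that the thread calls dynamic role mapping: roles are derived from the authenticated user's AD group DNs rather than a hardcoded username check, the requested namespace scopes which roles can be returned, and an unmapped user gets an empty collection rather than a fallback role. The Apigee types are the ones named in the thread; their import package names, the group naming convention and the lookupGroupDns helper are assumptions.

```java
import java.util.*;

// Package names for the Apigee types named in the thread are an assumption.
import com.apigee.authorization.namespace.NameSpace;
import com.apigee.authorization.namespace.NameSpacedRole;
import com.apigee.authorization.namespace.OrganizationNamespace;
import com.apigee.authorization.namespace.SystemNamespace;

public class GroupDrivenRoleMapper {
    // Constructed naming convention: one AD group per org and role, e.g.
    // CN=apigee-my-org-orgadmin,OU=Groups,... Only these role names can ever be granted.
    private static final String GROUP_SUFFIX = ",OU=Groups,DC=myorg,DC=com";
    private static final String[] ORG_ROLES = {"orgadmin", "MyCustomRole"};
    private static final String SYSADMIN_GROUP =
        ("cn=apigee-sysadmins" + GROUP_SUFFIX).toLowerCase(Locale.ROOT);

    public synchronized Collection<NameSpacedRole> getUserRoles(
            String userName, String password, NameSpace requestedNameSpace) {
        // password is unused here: the bind against AD has already authenticated the user.
        Set<String> groups = new HashSet<String>();
        for (String dn : lookupGroupDns(userName)) {
            groups.add(dn.trim().toLowerCase(Locale.ROOT)); // exact, case-insensitive DN match
        }
        Set<NameSpacedRole> results = new HashSet<NameSpacedRole>();
        if (requestedNameSpace instanceof SystemNamespace) {
            // System-level roles come only from the dedicated sysadmin group.
            if (groups.contains(SYSADMIN_GROUP)) {
                results.add(new NameSpacedRole("sysadmin", SystemNamespace.get()));
            }
        } else if (requestedNameSpace instanceof OrganizationNamespace) {
            // The requested org scopes the lookup: a group for org A never grants a role in org B.
            String orgName = ((OrganizationNamespace) requestedNameSpace).getOrganization();
            for (String role : ORG_ROLES) {
                String expected = ("cn=apigee-" + orgName + "-" + role + GROUP_SUFFIX)
                    .toLowerCase(Locale.ROOT);
                if (groups.contains(expected)) {
                    results.add(new NameSpacedRole(role, new OrganizationNamespace(orgName)));
                }
            }
        }
        return results; // empty means no access; there is no fallback role
    }

    // Assumed helper standing in for a memberOf lookup against AD; the data is constructed.
    private List<String> lookupGroupDns(String userName) {
        if ("jdoe".equalsIgnoreCase(userName)) {
            return Arrays.asList("CN=apigee-my-org-MyCustomRole,OU=Groups,DC=myorg,DC=com");
        }
        return Collections.emptyList();
    }
}
```

With this layout, jdoe receives MyCustomRole only when the OrganizationNamespace for my-org is requested and nothing in the SystemNamespace, which is the per-namespace behaviour the thread's sysadmin snippet hardcodes for one user.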

Hi @Gopi,

I am facing a similar issue. I am always getting userName as the sysadmin id, not the actual logged-in user. Because of this, roles are only getting set for the sysadmin id and not for the actual user.

public synchronized Collection<NameSpacedRole> getUserRoles(String userName, String password, NameSpace requestedNameSpace) {