AD-based role mapping in on-premises private cloud


After implementing the external auth role mapping, is there a way to automatically give people access to Apigee Edge if they belong to a certain AD group? Adding people one by one is cumbersome.

Accepted solution

There are generally two approaches to this: Implement a custom role mapper, or write a custom job to synchronize group membership between the two systems. The former is covered in the external authentication documentation with an overview and code sample. For the latter, a simple custom script could read users from AD and make management API calls to ensure that all users (and only users) in your source AD groups are present on the Apigee side in whichever role is appropriate. You would need only read access to AD to determine group membership. The API calls to create or delete users and alter role membership are covered in the management API documentation at http://docs.apigee.com/management/apis.
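One way to structure the synchronization job described in this answer, as an added example rather than code from the original post or from Apigee: the reconciliation step is kept separate from the AD read and the management API calls, so the resulting plan can be reviewed or dry-run before anything is changed. The group names, role names and addresses are constructed sample data, and the protected set is an assumption added so the job cannot remove a break-glass administrator from a role.

```python
from dataclasses import dataclass, field


@dataclass
class SyncPlan:
    """Changes the job would apply; review or dry-run this before calling the API."""
    create_users: set = field(default_factory=set)  # accounts absent from Apigee entirely
    add: dict = field(default_factory=dict)         # role -> addresses to add to the role
    remove: dict = field(default_factory=dict)      # role -> addresses to remove from the role


def _norm(addr):
    # AD and Apigee may differ in letter case; compare addresses case-insensitively.
    return addr.strip().lower()


def plan_sync(group_to_role, ad_groups, apigee_roles, apigee_users, protected=frozenset()):
    """Compute what is needed so each mapped Apigee role holds exactly the members of
    its source AD group(s). Inputs are plain dicts/sets, so the LDAP read (read-only
    service account) and the management API calls stay outside this function."""
    desired = {}  # role -> addresses that should hold it (several groups may feed one role)
    for group, role in group_to_role.items():
        desired.setdefault(role, set()).update(_norm(m) for m in ad_groups.get(group, ()))
    existing = {_norm(u) for u in apigee_users}
    keep = {_norm(p) for p in protected}  # never removed, e.g. the break-glass sysadmin
    plan = SyncPlan()
    for role, wanted in desired.items():
        have = {_norm(u) for u in apigee_roles.get(role, ())}
        plan.create_users |= wanted - existing
        if wanted - have:
            plan.add[role] = wanted - have
        if (have - wanted) - keep:
            plan.remove[role] = (have - wanted) - keep
    return plan


# Constructed sample data standing in for an LDAP query and a GET on each userrole.
GROUP_TO_ROLE = {"apigee-devs": "developer", "apigee-ops": "operator", "apigee-ops-ext": "operator"}
AD_GROUPS = {"apigee-devs": {"alice@example.com", "Bob@Example.com"},
             "apigee-ops": {"carol@example.com"}, "apigee-ops-ext": {"dave@example.com"}}
APIGEE_ROLES = {"developer": {"alice@example.com", "erin@example.com"},
                "operator": {"carol@example.com", "admin@example.com"}}
APIGEE_USERS = {"alice@example.com", "erin@example.com", "carol@example.com", "admin@example.com"}
PROTECTED = {"admin@example.com"}

if __name__ == "__main__":
    p = plan_sync(GROUP_TO_ROLE, AD_GROUPS, APIGEE_ROLES, APIGEE_USERS, PROTECTED)
    print("create:", sorted(p.create_users), "add:", p.add, "remove:", p.remove)
```

Running the plan against the sample data shows the two effects the answer asks for: users in the source groups but missing on the Apigee side are created and added, and a user who holds a mapped role without being in any source group is removed from it, while the protected account is left alone.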


Replies


So just to clarify here, if I implement the custom role mapper in Apigee and someone belongs to one of the AD groups that I map to a role, they will automatically be able to log in? There is no other customization I have to make to the mapper?

For instance, user A belongs to group 1. Group 1 is mapped in the external role mapper class. They have never logged in to Apigee before nor been added as a user, but once they navigate to the management server and log in for the first time, their membership to group 1 allows them to get in successfully?

That's correct. The mapper's purpose is to map existing AD groups onto existing Apigee groups so that Apigee can determine group membership from the AD side rather than from internal user IDs.