Hi all, can you please confirm that Apigee Edge 4.17.05 supports the following list of features?
1) Policy integration with Active Directory. We need to retrieve user attributes.
2) Policy generate access token bearer oauth2 for a specific user and scope (user token).
3) Policy to enrich http header parameters (in case of user token usage) forwarding the api request to the final back end. The attributes to be enriched are the ones retrieved from Active Directory (previous point 1).
4) Interface Agreement of the API to use for publishing API Proxy with soap endpoint.
5) possibility to add custom attributes on organization (in order to retrieve them when an API is invoked by using token application)
Thank you
Cosimo
Yes, all of those things are supported.
Please @Dino, for each point can you add a link to official documentation that explains how to meet it?
Thank you
Cosimo
Done. You're welcome!
Hi @Dino thank you a lot.
Just one question on point 2. We don't need to verify that the user exists in LDAP and we don't need to link user attributes to the access token. We need to store on the database the user name and the scope. We verify the SAML signature, the SAML issuer and the expiration date of the SAML. After this check we need to generate an access token and associate it to the subject of the SAML assertion (it is a user name). When I use this token in order to invoke an API we need to retrieve the username and retrieve from LDAP the attributes of this user.
Furthermore, is it possible to use mysql as database instead of cassandra?
Thank you
Cosimo
What you describe should work. But there may be a better way. I suppose that you will not want to call LDAP each time the token is presented. It may be easier to call to LDAP when the token is generated; you can then attach attributes to the token; these attributes can be values that you retrieved from LDAP.
It is not possible to use MySQL to store the tokens. Apigee Edge OPDK uses Cassandra, for now. There is no possibility to swap this out. We may make a change in the product, in the future, to allow a different store, but we have no plans to do so at this time.
Hi @Dino, we need to implement grant type SAML.
In the answer to point 2) you say "OAuthV2 policy with Operation:GenerateAccessToken creates tokens, including user tokens." If you mean to use grant type = password, it does not work for our scenario because we have to generate the access token just starting from a SAML assertion or JWT. Only the username of the user is available, not the password.
We need SAML and JWT grant types to exchange a signed SAML assertion or signed JWT for a user access token. How can those grant types be implemented in Apigee?
Thanks
Cosimo
If you use the OAuthV2 policy with Operation:GenerateAccessToken, with grant_type=password, you should know that Apigee Edge itself does not validate the username and password. As a proxy designer, you are responsible for configuring the logic to verify the user creds before invoking the OAuthV2 policy with Operation:GenerateAccessToken and grant_type=password. I cannot recall now whether the policy with password grant_type requires an actual password. But if the policy does require a password, it will be checking for presence only; it will not be verifying the password. Therefore in the event the policy requires the presence of a password, you can set any dummy value to satisfy the policy's internal validations.
Also, I think @Srinandan Sridhar has built a proxy that exhibits RFC7522 SAML grant type. It may even be posted here on community.apigee.com. Nandan?
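Putting the two answers above together (verify the assertion first, then mint a user token and attach the directory attributes to it so LDAP is not called on every request), here is an added example of what the OAuthV2 policy step could look like. This is not code from the thread or from Apigee's documentation; the flow variables `saml.subject`, `ldap.mail` and `ldap.groups` are assumed to have been set by earlier SAML-validation and LDAP-lookup steps in the same proxy flow.

```xml
<!-- Added example: runs only AFTER the proxy flow has verified the SAML
     signature, issuer and expiry. The policy does not check credentials
     itself, so placing it before that verification would issue tokens to
     anyone who can post a username. -->
<OAuthV2 name="GenerateUserTokenFromSaml">
  <Operation>GenerateAccessToken</Operation>
  <!-- Lifetime in milliseconds; one hour keeps the cached LDAP
       attributes below reasonably fresh. -->
  <ExpiresIn>3600000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <!-- The grant_type value is read from the request; a preceding
       AssignMessage step (not shown) sets it to "password". -->
  <GrantType>request.formparam.grant_type</GrantType>
  <!-- Assumed variable: the SAML subject extracted by the earlier
       validation step becomes the token's user name. -->
  <UserName>saml.subject</UserName>
  <!-- No real password is available in the SAML exchange; the policy
       only checks that the variable is present, so a fixed dummy value
       set by the proxy satisfies it. -->
  <PassWord>private.dummy_password</PassWord>
  <Scope>request.formparam.scope</Scope>
  <!-- Assumed variables from an LDAP lookup step: stored with the token
       so later API calls can read them without another directory call.
       display="false" keeps them out of the token response body. -->
  <Attributes>
    <Attribute name="mail" ref="ldap.mail" display="false"/>
    <Attribute name="groups" ref="ldap.groups" display="false"/>
  </Attributes>
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

On the API-call side, an OAuthV2 policy with Operation:VerifyAccessToken then exposes these stored attributes as flow variables, which the header-enrichment step from point 3 can copy onto the back-end request.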
Here is the link for RFC7522: https://github.com/srinandan/rfc7522-saml-profile
Hi @Dino are all these features available also in apigee 4.15.01?