User authentication from Microsoft AD in Apigee

Hi All,

I have a use case where I need to authenticate a user in Microsoft Active Directory before the actual API call. Apigee is on prem.

Can you please help.

Thanks and Regards,

Manish


If you are trying to build authentication into the API proxy itself, then sure! There are a couple of ways to do it.

  • "Customer managed" Apigee Edge installations allow the use of the LDAP policy. This can connect to any LDAP server in the enterprise, and can do queries/searches, and authentication of users. One scenario: an API call accepts an inbound OAuth2 token request with password grant, in which the username and password are sent in the form payload; the API Proxy in Apigee Edge uses the LDAP policy to authenticate the user, extract the set of groups the user belongs to, then creates a token containing the appropriate custom attributes.
  • A second option is to enable ADFS; in this case AD accepts a WS-Trust Request-for-Security-Token. This is a web interface that requires an XML payload, see some details here. Apigee Edge can use ServiceCallout to send out that request and retrieve a JWT in response.

This is an example of the LDAP policy that could be used in the first case:

<Ldap name="LDAP-Authenticate-and-Query-1">
  <LdapResource>freeipaorg</LdapResource>
  <Authentication>
    <SearchQuery>uid={request.formparam.username}</SearchQuery>
    <Password ref="request.formparam.password"/>
    <Scope>subtree</Scope>
    <BaseDN>cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org</BaseDN>
  </Authentication>
  <Search>
    <BaseDN>cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org</BaseDN>
    <Scope>subtree</Scope>
    <SearchQuery>uid={request.formparam.username}</SearchQuery>
    <!-- these are all attributes on the user from LDAP -->
    <Attributes>
      <Attribute>uid</Attribute>
      <Attribute>homeDirectory</Attribute>
      <Attribute>loginShell</Attribute>
      <Attribute>initials</Attribute>
      <Attribute>mail</Attribute>
      <Attribute>ipaUniqueID</Attribute>
    </Attributes>
  </Search>
</Ldap>
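
A stand-alone model of the password-grant flow described in the first bullet, added here as example code (it is not from the reply above and not Apigee's own code): it parses the form payload, builds the same (uid=...) filter that the policy's <SearchQuery> expands to, with the value escaped per RFC 4515 so it is matched literally, checks the password against a constructed in-memory directory that stands in for the LDAP bind, and returns the group attributes a token would carry. The directory contents, the attribute names and the escaping step are assumptions, not part of the original post.

```python
import hmac
from urllib.parse import parse_qs

# RFC 4515 escapes for characters that are special inside a filter assertion value
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_search_filter(username: str) -> str:
    """Filter equivalent to <SearchQuery>uid={request.formparam.username}</SearchQuery>."""
    return f'(uid={escape_filter_value(username)})'

def parse_password_grant(form_body: str) -> tuple:
    """Pull username and password out of an OAuth2 password-grant form payload."""
    params = {k: v[0] for k, v in parse_qs(form_body, keep_blank_values=True).items()}
    if params.get('grant_type') != 'password':
        raise ValueError('expected grant_type=password')
    if not params.get('username') or not params.get('password'):
        raise ValueError('username and password are required')
    return params['username'], params['password']

# Constructed stand-in for the directory (assumption, not a real LDAP server),
# keyed by the exact filter the search would send: filter -> (password, groups)
FAKE_DIRECTORY = {
    '(uid=alice)': ('s3cret', ['api-users', 'api-admins']),
    '(uid=bob)': ('hunter2', ['api-users']),
}

def authenticate_and_query(form_body: str, directory=FAKE_DIRECTORY):
    """Return the custom attributes for the token, or None when authentication fails."""
    username, password = parse_password_grant(form_body)
    entry = directory.get(build_search_filter(username))
    if entry is None:
        return None  # no entry matched the (escaped) filter
    stored_password, groups = entry
    # stands in for the LDAP bind with the supplied credentials
    if not hmac.compare_digest(stored_password.encode(), password.encode()):
        return None
    # attributes the OAuth policy would copy into the generated token
    return {'uid': username, 'groups': ','.join(sorted(groups))}

if __name__ == '__main__':
    print(authenticate_and_query('grant_type=password&username=alice&password=s3cret'))
```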

@Dino I think they mean more of an SSO flavor. @manish srivastava does Dino's reply answer what you are looking for?

Ahhhhhh, well, I may have misunderstood.