Can I secure an API by basic LDAP authentication


Can I secure an API by basic LDAP authentication (from an extranet Active Directory)? Is there a way to configure inbound and outbound security for the API proxy? We are trying to switch from an internal application where the users are being validated against LDAP for accessing any existing services, and an outbound security is in place as well. Trying to understand if we switch to Apigee, will we be able to have similar configurations and allow consumers to not make any additional changes in their backend services to allow the new authentication mechanism which Apigee provides.


Yes, you can use Apigee Edge to secure an API with basic authentication, wired up to an LDAP store.

Apigee Edge acts as a layer 7 proxy (aka gateway) in your architecture.

Clients can send requests to Apigee Edge.

Apigee Edge can then optionally "do something" with the request to verify or authorize it, and if that step is successful, Apigee Edge can then invoke a new request on a designated backend (aka "upstream") system.

I think you are asking, as part of the "do something", can Apigee Edge verify basic auth credentials against an LDAP datastore.

Yes. That is one of the many things Apigee Edge could do to verify or authorize an inbound request. There are a couple things you should know.

  1. There is an LDAPAuthentication policy within Apigee Edge that directly connects to an LDAP database, like Active Directory, OpenLDAP, etc. This can be used to either verify user credentials, or to obtain information (claims?) about specific users. Some people use it to do both. "Verify these credentials, and if they're good, give me the attributes for the verified user."
    This policy is supported only in OPDK (On Premises, aka "customer managed") deployments of Apigee Edge. You cannot use it with Apigee Edge SaaS.
  2. If you are using Apigee Edge SaaS, then you will need something else. One way I've done this is to use the nodejs target and the ldapjs npm module to connect to an external LDAP server.
    This works, but it's rare to have an LDAP server presenting its LDAP port on the open internet. So it may not be of practical use.
  3. If when you say "LDAP" you mean "an identity store that is network-accessible, but not necessarily using the LDAP protocol", then yes, you can do that too. Imagine an IdP that exposes a REST service that confirms credentials of a user. Auth0 and Okta have such things. If you can connect to it over the internet, then Apigee Edge can invoke it and thereby verify user credentials and collect claims about users from the Identity Provider.

Does this help?
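The "verify these credentials" step of option 2 above, as an added example that is not part of the original thread: it parses the Basic header, escapes the username before building a bind DN (RFC 4514) so a crafted username cannot change which entry is bound, and hands the simple bind to an injected function. BASE_DN, the uid naming attribute and the bind(dn, password) wrapper (around ldapjs client.bind) are assumptions.

```javascript
// Added example, not code from the original thread. This is the
// "verify these credentials" step an Apigee Node.js target (reply option 2)
// would run. The LDAP simple bind is injected as bind(dn, password) so the
// logic runs without a directory; with ldapjs you would pass a function that
// wraps client.bind(dn, password, callback) and resolves true on success.

// Parse an HTTP Basic Authorization header into {user, pass}; null on
// anything malformed, so we never bind with a half-parsed value.
function parseBasicAuth(header) {
  if (typeof header !== 'string') return null;
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');          // the password may contain ':'
  if (i <= 0) return null;                  // no separator or empty user
  const user = decoded.slice(0, i);
  const pass = decoded.slice(i + 1);
  if (pass.length === 0 || /[\u0000-\u001f]/.test(decoded)) return null;
  return { user, pass };
}

// Escape a value before placing it in a DN (RFC 4514), so a username like
// "bob,ou=admins" cannot change which entry we bind as.
function escapeDnValue(v) {
  return v
    .replace(/[\\,+"<>;=]/g, (c) => '\\' + c)  // special chars anywhere
    .replace(/^#/, '\\#')                       // leading '#'
    .replace(/^ | $/g, '\\ ');                  // leading/trailing space
}

// Build the bind DN. BASE_DN and the uid naming attribute are assumptions;
// against Active Directory you might bind as "user@DOMAIN" instead.
const BASE_DN = 'ou=people,dc=example,dc=com';
function bindDnFor(user) {
  return `uid=${escapeDnValue(user)},${BASE_DN}`;
}

// Resolves true only if the header parses and the directory accepts the bind.
// Parse failures, bad credentials and connection errors all deny.
async function verifyBasicAgainstLdap(header, bind) {
  const creds = parseBasicAuth(header);
  if (!creds) return false;
  try {
    return (await bind(bindDnFor(creds.user), creds.pass)) === true;
  } catch (e) {
    return false;
  }
}
```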