Add Global users In Apigee Public cloud enterprise

Hello,

I am referring to the following docs to create a global user in Apigee using API calls - https://apidocs.apigee.com/management/apis/post/users. It seems to me that for Apigee public cloud only sys admins have access to create a global user. I would like to know: if only system admins have access to add global users using Management API calls, then how can an org admin add a user to Apigee using the Edge UI? Just to let you know, I did try adding a user to the Apigee org and associated the user with a default role in Apigee, which gave me a successful 201 Created response, but when I try to view the permissions of this user from the Edge UI it shows me a "user does not exist" error.


Anyone can sign up for Apigee Edge SaaS.

Once that email is in the system any orgadmin can add that user (by email) to their org with a specific role.

"I did try adding user to the Apigee org and associated the user to a default role in apigee which gave me a successful 201 created response"

What did you do, specifically? Did you use the API, or the UI to do this?

I ran a management API call to add the user to Apigee, which shows 201 Created, but I see a "user does not exist" error from the Edge UI, as shown in the snapshot below.

Just to give you a brief: what I am trying to achieve is to automate the process of adding users to Apigee using a script, so that the Apigee platform owner team doesn't have to manually go ahead and add users to Apigee using the Edge UI.

If you use Apigee signin, you can automate adding an existing user to an org.

USER=person@example.com
ROLE=readonlyadmin
ORG=MYORG
# -n reads credentials from ~/.netrc
curl -n -i -X POST \
        -H "Content-type:application/x-www-form-urlencoded" \
        "$mgmtserver/v1/o/$ORG/userroles/$ROLE/users?id=$USER"

This is a documented API. If the user (email) already exists as a real user in Apigee Edge, then the new org will just appear in that user's list of orgs.

Does this work if the user is not yet registered as an Apigee Edge user? No. The result in this case is:

{
  "code" : "usersandroles.UserDoesNotExist",
  "message" : "User person@example.com does not exist",
  "contexts" : [ ]
}

If you want to add a new user programmatically, for Edge public cloud, you can do it, but not via the published api. The way I did it was to automate the API that is used by the UI. Like this:

# Replays the UI's own request; "$cstr" is the session cookie string.
curl -b "$cstr" \
  https://enterprise.apigee.com/ws/proxy/users \
  -X POST -H content-type:application/json \
  -d '{
    "userRoles": ["'"${ROLE}"'"],
    "emailId": "'"${EMAIL}"'",
    "firstName": "'"${FNAME}"'",
    "lastName": "'"${LNAME}"'"
  }'

enterprise.apigee.com/ws/proxy/users is an endpoint that is used by the UI. It is not documented. It may change without notice.

"$cstr" is the browser cookie, obtained from Chrome. Invoking this request, you are making the same request the web app would make when adding a user. The cookie includes a whole bunch of information about your UI session: your own user id, and the org you're currently signed into. How do you get that cookie?

Via a tool called cookie monster. (google it) You need to have recently signed into the apigee.com service with Chrome.

The result is: the new user will get an email from Apigee asking them to confirm their account.

This is not a supported mechanism. So if you try it, maybe it will work, and maybe it won't. It worked for me. (Although I haven't used it in a while) I found it by using the Chrome developer tools and sniffing the traffic.

---

Another way to do it would be to use something like selenium to actually automate the browser to add users. I haven't tried that, but I'm sure it's just a simple matter of programming.

It's a shame that it takes so much effort to do this.

---

Having said all of this, don't forget ... to use SAML. Independently of "creating the user" in Apigee, be sure to set up your own IDP and configure THAT for signin.
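Added example, not part of the answer above and not Apigee's own code: the documented role-assignment call wrapped so that a batch run reports which emails were assigned and which are not yet registered Edge users (the `usersandroles.UserDoesNotExist` case). The function names, the `--run` switch and the `MGMT` variable are hypothetical. Credentials are assumed to come from `~/.netrc`, as in the answer's `curl -n`.

```sh
#!/bin/sh
# Added example. Host taken from the thread; override with MGMT if needed.
MGMT="${MGMT:-https://api.enterprise.apigee.com}"

# Extract the "code" field from an Edge error body (no jq needed).
error_code() {
  printf '%s' "$1" | tr -d '\n' |
    sed -n 's/.*"code"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Map HTTP status + body to: assigned | not-registered | denied | error.
# The thread does not state the HTTP status of the UserDoesNotExist reply,
# so the body's error code is checked for every non-2xx status.
classify() {
  status="$1"; body="$2"
  case "$status" in
    2??) echo assigned; return ;;
  esac
  if [ "$(error_code "$body")" = "usersandroles.UserDoesNotExist" ]; then
    echo not-registered
  elif [ "$status" = 401 ] || [ "$status" = 403 ]; then
    echo denied
  else
    echo error
  fi
}

# POST one email into a role and print "<email> <outcome>".
assign_role() {
  org="$1"; role="$2"; email="$3"
  resp=$(curl -n -s -w '\n%{http_code}' -X POST \
    -H "Content-type:application/x-www-form-urlencoded" \
    "$MGMT/v1/o/$org/userroles/$role/users?id=$email")
  status=$(printf '%s\n' "$resp" | tail -n 1)   # last line is the status
  body=$(printf '%s\n' "$resp" | sed '$d')      # everything before it
  printf '%s %s\n' "$email" "$(classify "$status" "$body")"
}

# Usage: sh assign.sh --run ORG ROLE email [email ...]
if [ "${1:-}" = "--run" ]; then
  RUN_ORG="$2"; RUN_ROLE="$3"; shift 3
  for addr in "$@"; do assign_role "$RUN_ORG" "$RUN_ROLE" "$addr"; done
fi
```

Emails reported as `not-registered` have to sign up for Edge before the call can succeed for them.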

Thanks for quick turn around on this.

Dino, we have Okta in front of Apigee and we are currently using an AD group. Is there any tool/app that can be used in integration with Okta to support user provisioning for Apigee? Also, if you can point to any docs in Apigee that cover providing user access to Apigee using SAML, that would be great. Any links to tools that support such a scenario would be appreciated.

If you enable SAML you will be able to add users to your IdP (e.g. Okta) via whatever means it provides. Once you do that, you assign roles to those users so they can access Edge.

See: https://docs.apigee.com/api-platform/system-administration/saml-overview

What API call can we use to add roles to SAML users?
The following call does not find SAML users:

POST
https://api.enterprise.apigee.com/v1/organizations/{org}/userroles/{role}/users

Just an update - 2021 June 7

It no longer works to use curl, sending a cookie to enterprise.apigee.com/ws/proxy/users.

There are several reasons, but the most important one is that the web app now includes CSRF security measures that prevent this from happening.

Therefore, the only way to add new users is via the Web UI.

For a long time, there have been frameworks that can automate web browsers. They were invented to aid in automated testing of Web sites. One of the well-known browser automation frameworks is called "Selenium". While I believe the designers of Selenium created it to support testing efforts, anyone can use it for any automation task. Selenium provides language bindings for Python and Java and other languages too. Wouldn't it be great to use Selenium to automate the addition of new Apigee Edge users in a specific role to a specific org?

Yes, it would.

Here is the tool repo: https://github.com/DinoChiesa/Apigee-Add-User

and here is a 3-minute screencast showing what it does: https://youtu.be/LdVNz6a6MjU

Can you please let us know if you have any roadmap to allow public Edge users to automate using https://enterprise.apigee.com/ws/proxy/users?

Most automations are run in container runners and running Selenium is not feasible.

Not currently.