SAML, management APIs, and multiple organizations

We will soon have Edge for the Cloud, and we are planning to create 2 organizations, A and B.

We will eventually want to enable SAML on both organizations, but we'd like a few users to be able to experiment with org A while we admins figure out SAML with org B.

Reading the docs, we work with support to create an identity zone, put Org B into that zone, make sure any users for Org B exist in our identity provider, and then enable SAML (nutshell version!). Once we do that, any scripts or management API access must also use SAML; no longer can basic auth be used.

My questions: if we follow this approach, will folks still be able to log into the Edge UI with basic auth and access Org A? What about the management APIs? The management API using SAML docs note:

Prerequisite: You must enable SAML for at least one organization before you can use it to access the management API.

but does not explicitly note if the management APIs can still be accessed with basic auth for organizations that are NOT SAML-enabled.


Hello - yes, only if the org is SAML enabled will you need to access the management API with SAML. If it is not SAML-enabled, then you can still access the management API with basic auth. It doesn't matter if the same company owns both orgs.

So effectively, as soon as one org is SAML enabled, then the management API is SAML-enabled also?

What about the org that is not in the SAML-enabled identity zone? Can users still log into that with basic auth?

Yes, as soon as it's SAML enabled, then the mgmt api is as well. The users will login with their SSO credentials.

Yes, if the org is not SAML-enabled, then they continue to log in with their Apigee credentials.
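The split described in the replies above, as an added example that is not part of the original thread: one script that talks to the Edge for the Cloud management API for both orgs, sending basic auth for an org that is not in a SAML-enabled identity zone and an OAuth2 bearer token for one that is. It assumes the Edge for the Cloud management endpoint https://api.enterprise.apigee.com/v1, org names A and B, and that the bearer token for the SAML org has already been obtained out of band (with Apigee's get_token tool, using a passcode from https://<zoneName>.login.apigee.com/passcode) and is passed in; the credentials are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from Apigee). Assumes the
# Edge for the Cloud management API and that a SAML bearer token is supplied
# by the caller; org names, users and passwords are placeholders.
set -eu

MGMT_URL="https://api.enterprise.apigee.com/v1"

# Orgs that live in a SAML-enabled identity zone. Everything not listed here
# still authenticates with basic auth. Constructed for this example.
SAML_ORGS="B"

is_saml_org() {
  org=$1
  for o in $SAML_ORGS; do
    [ "$o" = "$org" ] && return 0
  done
  return 1
}

# Print the Authorization header value to use for a given org.
#   auth_header_for ORG USER PASSWORD [BEARER_TOKEN]
# Non-SAML org: "Basic base64(USER:PASSWORD)".
# SAML org:     "Bearer TOKEN" (token from get_token / the passcode flow);
#               basic auth is refused for these orgs, so fail early instead
#               of letting the API return 401.
auth_header_for() {
  org=$1
  user=${2:-}
  pass=${3:-}
  token=${4:-}
  if is_saml_org "$org"; then
    if [ -z "$token" ]; then
      echo "org $org is SAML-enabled: a bearer token is required, basic auth will be rejected" >&2
      return 1
    fi
    printf 'Authorization: Bearer %s' "$token"
  else
    # tr strips the newline some base64 implementations append
    printf 'Authorization: Basic %s' "$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')"
  fi
}

# Fetch an org definition with whichever scheme that org requires.
#   mgmt_get_org ORG USER PASSWORD [BEARER_TOKEN]
mgmt_get_org() {
  org=$1
  shift
  hdr=$(auth_header_for "$org" "$@")
  curl -sS -H "$hdr" "$MGMT_URL/organizations/$org"
}

# Usage (placeholders; not run automatically):
#   mgmt_get_org A alice@example.com 's3cret'          # org A: basic auth
#   mgmt_get_org B alice@example.com '' "$SAML_TOKEN"  # org B: bearer token
```

The point of keeping the org-to-scheme mapping in one place is that the same user, holding the same Apigee credentials, can keep scripting against org A while org B is being moved into the identity zone; only calls that name org B need the token, and a script that accidentally sends basic auth to org B fails locally with a clear message rather than with a 401 from the API.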