Azure AD SAML implementation : workflow

Hi All,

Has anyone implemented SAML with AzureAD in Apigee?

I went through the Azure documentation and found a few points, like there are 2 endpoints, the first for sign-in, the second for sign-out.

SAML is purely xml based.

I am new to Apigee. Any references/guidelines are appreciated.


For login, The UI can just connect directly to the login experience presented by Azure AD. I believe you want the Apigee proxy to act as the ACS. See this document. https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-saml-single-sign-on

After login, The UI passes in a SAML token. I am supposing it is a token signed by Azure AD, and you have the ability to independently verify the signature on that token. This means You have the certificate, or you have the ability to trust the certificate that is passed in, within the assertion.

ValidateSAMLAssertion will let you do this.

There is no need for the Apigee proxy to connect with Azure AD to validate the token that has been issued by Azure AD. Validation can be done with the certificate alone. Apigee trusts the certificate; the assertion is signed by the certificate; if the signature is valid, then Apigee can trust the assertion.

An alternative is that in the first step, login, if Apigee is the ACS.... Apigee can validate the SAML Assertion right then, and can issue an opaque OAuth token (using password grant) and send that back to the calling system. Then the calling system can present the opaque token when requesting service. Apigee can validate that with OAuthV2/VerifyAccessToken.

----

Your first step should be setting up the Azure AD signon with Apigee as the ACS. See if you can get that to work. Then you will have the SAML assertion and you can go from there.

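As an added illustration of the "trust the certificate, validate the signature, then optionally swap for an opaque token" flow described in the answer above (example policy configuration written for this thread, not code from the original post or from Apigee's documentation), the following fragments use the Apigee ValidateSAMLAssertion, RaiseFault and OAuthV2 policy elements. The truststore name, the policy names, the XPath, and the TENANT-ID placeholder in the issuer are assumptions to replace with your own values.

```xml
<!-- Step 1: verify the assertion's XML signature against the Azure AD signing
     certificate held in an Apigee truststore (assumed name: AzureAD-SAML-TrustStore,
     loaded with the certificate downloaded from the enterprise application in Azure).
     No call to Azure AD is made; an untrusted or broken signature raises a fault. -->
<ValidateSAMLAssertion async="false" continueOnError="false" enabled="true"
                       name="Validate-AzureAD-Assertion" ignoreContentType="false">
  <!-- The policy evaluates XPath over the message, so the assertion must be XML in
       the body. If the UI sends it base64-encoded in a header, decode it into the
       payload first (for example with an AssignMessage policy). -->
  <Source name="request">
    <XPath>/samlp:Response/saml:Assertion</XPath>
    <Namespace prefix="samlp">urn:oasis:names:tc:SAML:2.0:protocol</Namespace>
    <Namespace prefix="saml">urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
  </Source>
  <TrustStore>AzureAD-SAML-TrustStore</TrustStore>
  <RemoveAssertion>false</RemoveAssertion>
</ValidateSAMLAssertion>

<!-- Step 2: a valid signature only proves which key signed the assertion. Also pin
     the issuer to your own tenant so an assertion issued for another tenant that
     trusts the same certificate chain is rejected. Attach this policy with the
     step condition (TENANT-ID is a placeholder):
       <Condition>saml.issuer != "https://sts.windows.net/TENANT-ID/"</Condition> -->
<RaiseFault name="Reject-Wrong-Issuer">
  <FaultResponse>
    <Set>
      <StatusCode>401</StatusCode>
      <ReasonPhrase>Unauthorized</ReasonPhrase>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- Step 3 (the alternative in the answer): once steps 1 and 2 pass, mint an opaque
     OAuth token with the password grant and return it to the caller. Apigee does not
     check a username/password here; the SAML validation above is the authentication.
     Later requests are then checked with OAuthV2 Operation VerifyAccessToken. -->
<OAuthV2 name="Issue-Opaque-Token">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn> <!-- milliseconds: 1 hour -->
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

The client still has to present its app key and secret to the token endpoint as with any Apigee password grant; the SAML assertion replaces the user credential check, not the client authentication.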


implemented SAML with AzureAD in Apigee?

You'll have to be more specific.

Do you want to authenticate operators and administrators? API users? Users of the developer portal? Something else? Maybe describe in a little more detail.

Hi Dino,

My requirement is to implement authentication for organization (application) users. We have an Angular UI and a microservices backend.

Login :

Application UI (login page that accepts user credentials) -> Apigee -> Azure AD (user authentication based on SAML token)

On Successful login flow be like :

UI -> Apigee (authorization based on SAML token passed as header) -> able to access microservice endpoints.

Like in JWT we have /authorize & /token endpoints; I am not getting an exact idea of how SAML can be implemented for this specific requirement.

@sampadajoshi8 how did you implement it finally?


@dchiesa1 I am in a similar situation, where we have the following:

  • Web client (already authenticated with Azure AD) making an API call to a proxy on Apigee
  • I need to make sure that the request coming to the proxy is from an authenticated user of our organization's Azure AD

You mentioned, that

"The UI passes in a SAML token. I am supposing it is a token signed by Azure AD, and you have the ability to independently verify the signature on that token. This means You have the certificate, or you have the ability to trust the certificate that is passed in, within the assertion."

Could you elaborate on that or at least provide some samples or steps on how I can implement it?