Integration of Apigee (as IDP) with OKTA (Service Provider) using OAuth/OIDC Protocol

We have user credentials in an Oracle DB and are using Apigee OAuth (grant type = password) for user authentication until today (existing flow).

Our enterprise would like to use OKTA as Service Provider, and we need to integrate Apigee with OKTA.

As I understand from the OKTA documentation, we can configure Apigee as an external custom IDP provider in OKTA using the OIDC protocol.

Also, we have an Angular (SPA) app that needs to log in via OKTA, which will invoke Apigee for user validation.

As I understand from the Apigee docs, we need to use the OAuth grant type "AuthCode+PKCE" in this context.

Can someone help to validate the design/solution and point me to any GitHub sample code?

High-level flow is Browser (Angular App) -> OKTA (SSO Federation provider) -> Apigee (as IDP)


It's a reasonable approach.

This repo shows Apigee acting as an OIDC provider with PKCE. It does not perform user authentication against an external database, but that is something you can provide.

@Ankur Shukla (@Google) has recently done some work like this for a different use case. He may have some assets to share.

Looks like your goal is to use Apigee as an IDP and OKTA as your SP for a SAML handshake - correct? I have a repo here that does something similar, where Apigee is the SAML IDP and Salesforce.com is the SAML SP. You will have to replace SFDC with OKTA to get this to work for you.

No SAML at all. We would like Apigee acting as IDP, and it invokes a custom REST endpoint that validates user credentials in the Oracle DB.

OKTA would be the federation service provider, and it will configure Apigee as an external IDP provider using the OIDC protocol (which means Apigee will expose the standard OIDC endpoints authorize/token/jwks/userinfo).

OKTA delegates any user authentication request to Apigee, and Apigee will validate the user against the Oracle DB (which maintains userIds/passwords).