API Management

Configuring an Auth0 SAML Identity Provider (IdP) for Apigee Integrated Developer Portal

June 2, 2023

Tanmay Bangale

Cloud Application Development Engineer

In this article, we will be looking at how to configure a SAML Identity Provider (Auth0 in this case) for signing in to Apigee’s Integrated Developer Portal.

The conventional way to sign in to an Apigee Integrated Developer Portal is through the built-in Identity Provider option. It requires users to pass their credentials (username and password; user registration should be done if not an existing user) to the integrated portal for authentication. When you create a new portal, the built-in identity provider is configured and enabled. To understand the sign-in experience from the user perspective, see Signing in to the portal using user credentials (built-in provider).

You can now configure the Apigee Integrated Developer Portal with any third-party identity provider that supports Security Assertion Markup Language (SAML), a standard protocol for enforcing Single Sign-On (SSO). SSO authentication using SAML lets you log in to your Apigee Integrated Developer Portal(s) without having to create new accounts, by using your existing accounts registered with the Identity Provider. The SAML integration feature is currently in Preview.

Configuring SAML as an Identity Provider for an Integrated Developer Portal offers the following benefits:

Set up your developer program once and re-use it across multiple integrated portals. Choose your developer program when creating your Integrated Developer Portal. Easily update or change the developer program as requirements evolve.
Take full control of user management. Connect your company SAML server to the Integrated Developer Portal. When users leave your organization and are deprovisioned centrally, they will no longer be able to authenticate with your SSO service to use the Integrated Developer Portal.

To configure the SAML provider, you need to configure service provider (Apigee) as well as identity provider (such as Auth0) as below.

Configure the Service Provider (Apigee)

Select Publish > Portals in the side navigation bar to display the list of portals.
Click Accounts on the portal landing page. Alternatively, you can select Accounts in the portal drop-down in the top navigation bar.
Click the Authentication tab.
In the Identity providers section, click the SAML provider type.
Select the Enabled checkbox to enable the identity provider.
Click Save.

https://storage.googleapis.com/gweb-cloudblog-publish/images/1_9fczzHN.max-600x600.png

You will now be able to see SP metadata URL. Access it using the browser and open the downloaded xml file using any XML reader.

https://storage.googleapis.com/gweb-cloudblog-publish/images/2_j2CSjr9.max-1000x1000.png

Then, fetch the AssertionConsumerService URL from this file as below.

<md:AssertionConsumerService Binding=”urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST” Location=”https://diyyaedfgchrbui-a5vnmtygh8qzekbd.portal-login.apigee.com/saml/SSO/alias/diyyaumzqchrbui-a5vnmu1sp8qzekbd.apigee-saml-login" index=”0" isDefault=”true”/>

This location value will be used while configuring the Identity Provider.

You also need to fill in the Sign-in URL, IdP entity ID in SAML settings, and upload a certificate in the Apigee SAML identity provider page. You can fetch these from Auth0 Identity Provider as below.

Configuring Identity provider Auth0

1. Create an application under the Applications tab that can serve this SAML integration.

https://storage.googleapis.com/gweb-cloudblog-publish/images/3_8kj4IIf.max-700x700.png

2. Click on the newly created application, scroll to the Advanced Settings drop down menu and choose the Certificates tab.

3. Download the .pem file of the certificate and use it to upload to the Apigee SAML Identity Provider configuration.

4. Under the Add Ons tab on the Auth0 Applications page, enable SAML2 WEB APP.

5. On clicking SAML2 WEB, you will get a pop-up that displays Issuer that will be IdP entity ID and an Identity Provider Login URL that will be Sign-in URL. Update these values on the Apigee SAML Identity Provider configuration.

6. Under the Settings tab of the SAML2 WEB APP pop-up, use the AssertionConsumerService URL value that you fetched earlier and use it as Application Callback URL.

Note: Apigee requires the nameidentifier to be an email id. Hence you need to create a rule in Auth0 to map the attribute to email id instead of nameid, as shown below. This step is specific to Auth0 and might not be needed if you use other identity providers.

https://storage.googleapis.com/gweb-cloudblog-publish/images/4_M5DLJw2.max-1100x1100.png

Now you are ready to test SAML integration. Launch your Apigee Integrated Developer Portal and click on sign in. You should see a Login with SAML option as below.

https://storage.googleapis.com/gweb-cloudblog-publish/images/5_ZCEXds3.max-1600x1600.png

In case of any errors, trace the network using browser developer console and debug using Auth0 monitoring logs.

You can now disable the built-in identity provider (if required) as shown below.

Disabling the built-in identity provider

To disable the built-in identity provider:

https://storage.googleapis.com/gweb-cloudblog-publish/images/6_ss0p29v.max-2000x2000.jpg

in the Provider Configuration section.

3. De-select the Enabled checkbox to disable the identity provider.

https://storage.googleapis.com/gweb-cloudblog-publish/images/7_BEnzu3r.max-1100x1100.png

Note: At least one identity provider must be enabled to allow users to sign in.

4. Click Save.

And there you have it — a fully configured Auth0 SAML Identity Provider to sign into Apigee’s Integrated Developer Portal. For more information about getting started with Apigee and Integrated Developer Portal, visit here.

Posted in