Securing Apigee Edge with an External Identity Provider
We’re excited to announce the general availability of SAML-based single sign-on (SSO) for Apigee Edge for customers whose Edge organizations are hosted and managed by Apigee. Apigee now supports authentication to the Apigee Edge management UI via an external SAML-based identity provider (IdP). This makes it easy for customers to authenticate Apigee Edge users with the IdP of their choice (ADFS, Okta, Ping, or OneLogin, for example), as long as it supports SAML 2.0.
Here we’ll describe how we have implemented this feature, how the feature addresses multi-tenancy, and, more importantly, how you can get started.
Why SAML-based SSO?
For many security teams, this feature provides an easy way to centralize control over how users authenticate to the Edge platform. It also reduces the overhead of provisioning new users (such as org admins or developers) and reduces the risk that terminated employees keep access to the Edge environment after they leave, since disabling the account in the IdP is enough to cut off Edge UI access.
In some cases, our customers have enterprise security policies, such as multiple authentication factors or password policies, that Apigee Edge doesn’t support natively. Because the IdP, not Edge, performs the authentication, this feature lets customers seamlessly enforce their own standards and policies during login.
Let’s look at a simple interaction flow that leverages this feature:
- Apigee users are provided with a new dedicated sub-domain—for example, acme.login.apigee.com
- Unauthenticated requests to this sub-domain are redirected to the customer’s identity provider (Okta or Ping, for example)
- The user is authenticated by the customer’s identity provider, which generates a SAML 2.0 assertion and redirects the user’s browser back to Apigee Edge with it
- Apigee Edge, through the Edge SSO component, validates the assertion, recognizes the authenticated user, and logs the user in to the UI
Note that the user must first exist in the customer IdP. Once registered there, an Edge administrator must map the user to a role in the Edge UI. Authentication is delegated to the IdP, but authorization stays in Edge: an IdP user with no role mapping can authenticate but has no access to the organization.
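To make the four steps above concrete, here is a stand-alone Python sketch of the SP-initiated SAML 2.0 web-browser SSO exchange from the service provider’s side: the redirect to the IdP (step 2) and the checks the SP must make on the returned assertion before logging the user in (steps 3 and 4). It is an added illustration, not Apigee’s Edge SSO code. The acme.login.apigee.com sub-domain comes from the example above; the ACS path, the IdP endpoint and entityID, the clock-skew allowance and the sample IdP response are assumptions made for the example. XML-Signature verification is represented by the `signature_ok` flag because it requires an XML-DSig library rather than the standard library.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# The acme sub-domain is the post's own example; the other endpoints are assumed for illustration.
SP_ENTITY_ID = "https://acme.login.apigee.com"
ACS_URL = SP_ENTITY_ID + "/saml/SSO"               # assumed assertion consumer service URL
IDP_SSO_URL = "https://idp.example.com/sso/saml"   # assumed customer IdP SSO endpoint
IDP_ENTITY_ID = "https://idp.example.com"          # assumed IdP entityID
CLOCK_SKEW = timedelta(minutes=2)                  # assumed tolerance for IdP/SP clock drift
MINUTE = timedelta(minutes=1)
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS = "%Y-%m-%dT%H:%M:%SZ"


def saml_time(dt):
    return dt.strftime(TS)


def parse_time(s):
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)


def build_redirect(request_id, now=NOW):
    """Step 2: the SP redirects the unauthenticated browser to the IdP. HTTP-Redirect
    binding: the AuthnRequest is raw-DEFLATEd, base64-encoded and URL-encoded."""
    authn = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
             f'ID="{request_id}" Version="2.0" IssueInstant="{saml_time(now)}" '
             f'AssertionConsumerServiceURL="{ACS_URL}">'
             f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: raw DEFLATE, no zlib header
    raw = deflater.compress(authn.encode()) + deflater.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})


def decode_redirect(url):
    """What the IdP does on receipt; the inverse of build_redirect."""
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()


def validate_response(response_b64, expected_request_id, now, signature_ok):
    """Steps 3-4: what the SP must check before logging the user in. signature_ok is the
    verdict of XML-DSig verification against the IdP's signing certificate, which needs an
    XML-DSig library (signxml, python3-saml) and is not reimplemented here.
    Returns the NameID on success, raises ValueError otherwise."""
    if not signature_ok:
        raise ValueError("signature missing or invalid")
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported failure")
    if root.get("InResponseTo") != expected_request_id:   # blocks unsolicited/replayed responses
        raise ValueError("InResponseTo does not match an outstanding request")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion missing or issued by an unexpected IdP")
    cond = assertion.find("saml:Conditions", NS)
    if now < parse_time(cond.get("NotBefore")) - CLOCK_SKEW:
        raise ValueError("assertion not yet valid")
    if now >= parse_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("assertion expired")
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion was issued for a different service provider")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("subject confirmation does not name this ACS and request")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def sample_response(request_id, issued_at=NOW, audience=SP_ENTITY_ID, name_id="jane@acme.example"):
    """Constructed stand-in for the Response a customer IdP would POST to the ACS; not real IdP output."""
    nb, na = saml_time(issued_at), saml_time(issued_at + 5 * MINUTE)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_r1" Version="2.0" IssueInstant="{nb}" InResponseTo="{request_id}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
           f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{request_id}" NotOnOrAfter="{na}"/>'
           f'</saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
           f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(build_redirect("_req1"))
    print("logged in as", validate_response(sample_response("_req1"), "_req1", NOW + MINUTE, True))
```

The order of the checks matters in practice: nothing in the response is trusted until its signature has been verified against the IdP certificate exchanged at setup time, and only then are the status, `InResponseTo`, issuer, validity window, audience and subject confirmation examined. Each of those checks closes a different door: the audience check stops an assertion minted for another SP from being replayed against acme.login.apigee.com, and the `InResponseTo` check stops a captured response from being replayed after the original request has been consumed. Role mapping happens after all of this, on the `NameID` the function returns.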