Securing Apigee Edge with an External Identity Provider

We’re excited to announce the general availability of SAML-based single sign-on (SSO) for Apigee Edge for customers managed and hosted by Apigee. Apigee now supports authentication to the Apigee Edge management UI via an external SAML-based identity provider (IdP). This makes it easy for customers to leverage an IdP (ADFS, Okta, Ping, or OneLogin, for example) of their choice, as long as it supports SAML 2.0 to authenticate Apigee Edge users.

Here we’ll describe how we have implemented this feature, how the feature addresses multi-tenancy, and, more importantly, how you can get started.

Why SAML-based SSO?

In some cases, our customers have enterprise security policies that involve multiple authentication factors or password policies that Apigee Edge doesn’t support. This feature enables customers to seamlessly enforce their own standards and policies during authentication.

Several of our customers have multiple organizations. To implement this feature, we have introduced the concept of a “zone,” which uniquely identifies all the orgs assigned to a particular customer.

Let’s look at a simple interaction flow that leverages this feature:

• Apigee users are provided with a new dedicated sub-domain—for example, acme.login.apigee.com
• Unauthenticated requests to this link get redirected to the customer identity provider (Okta or Ping, for example)
• The user is authenticated via the customer’s identity provider, which generates a SAML 2.0 assertion and redirects the user to Apigee Edge
• Apigee Edge, through the Edge SSO, recognizes the authenticated user and logs the user in to the UI

Note that the user must first exist in the customer IdP. Once registered there, an Edge administrator must map the user to a role in the Edge UI.

Get started!

We encourage customers to try this new capability and simplify their Apigee Edge management UI login experience. Please check out the documentation and ask questions and provide feedback on the Apigee Community.