Using SAML policies in an API proxy

You're viewing Apigee Edge documentation.
Go to the Apigee X documentation.

Security Assertion Markup Language (SAML)

The Security Assertion Markup Language (SAML) specification defines formats and protocols that enable applications to exchange XML-formatted information for authentication and authorization.

Edge API Services enables you to authenticate and authorize apps that are capable of presenting SAML tokens. A SAML token is a digitally signed fragment of XML that presents a set of "assertions". These assertions can be used to enforce authentication and authorization.

To use SAML terminology, API Services can function as a service provider (SP) or an Identity Provider (IDP). When API Services validates SAML tokens on inbound requests from apps, it acts in the role of SP. (API Services can also act in the IDP role, when generating SAML tokens to be used when communicating with backend services. See Last-mile security).

The SAML policy type enables API proxies to validate SAML assertions that are attached to inbound SOAP requests. The SAML policy validates incoming messages that contain a digitally-signed SAML assertion, rejects them if they are invalid, and sets variables that allow additional policies, or the backend services itself, to further validate the information in the assertion.

To validate SAML tokens, you need to make digital certificates available to the SAML policy by creating at least one TrustStore. TrustStores are scoped to environments in your organizations. Thus, you can configure different trust chains in test and prod, ensuring that test SAML tokens cannot be used in prod, and vice-versa.

For details on SAML validation, see SAML Assertion policies.