SAML Overview

SAML supports a single sign-on (SSO) environment. By using SAML with Edge, you can support SSO for the Edge UI and API in addition to any other services that you provide and that also support SAML.

Advantages of SAML authentication

SAML authentication offers several advantages. By using SAML you can:

  • Take full control of user management: When users leave your organization and are deprovisioned centrally, they are automatically denied access to Edge.
  • Control how users authenticate to access Edge: You can choose different authentication types for different Edge organizations.
  • Control authentication policies: Your SAML provider may support authentication policies that are more in line with your enterprise standards.
  • Monitor logins, logouts, unsuccessful login attempts, and high-risk activities on your Edge deployment.

Note that SAML is only used for authentication by the Edge UI and Edge management API. Authorization is still controlled by Edge user roles. See Assigning roles for more.

SAML is supported as the authentication mechanism for the Cloud version of Edge and for Edge for the Private Cloud version 4.17.09 and later.

Considerations

Before you decide to use SAML, you should consider the following requirements:

  • Existing users: You must add all existing organization users to the SAML identity provider.
  • Portal: If you are using a Developer Services portal, the portal uses OAuth to access Edge.
  • Basic Auth will be disabled: You will need to remove Basic Auth from all of your scripts.
  • OAuth and SAML must be kept separate: If you use both OAuth2 and SAML, you must use separate terminal sessions for your OAuth2 flow and SAML flow.
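
Removing Basic Auth from scripts starts with finding where it is still used. The following is an added example, not code from Apigee or the Edge documentation: a Python scanner that flags three common forms of Basic Auth in script text and reports only the account name, never the password. The sample script, the host mgmt.example.test, and the credentials are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# (label, regex); group 1 captures the credential material on the line.
PATTERNS = [
    ("curl -u/--user", re.compile(r"\bcurl\b.*?\s(?:-u|--user)[\s=]+(\S+)")),
    ("Authorization: Basic header",
     re.compile(r"Authorization:\s*Basic\s+([^\s\"']+)", re.I)),
    ("credentials in URL", re.compile(r"https?://([^/\s:@]+:[^/\s@]+)@")),
]

def account_of(label, raw):
    """Return only the user name part of a captured credential."""
    raw = raw.strip("\"'")
    if label.startswith("Authorization"):
        try:
            raw = base64.b64decode(raw, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            # Not base64: most likely a shell variable such as $CREDS.
            return "<not decodable, probably a variable>"
    return unquote(raw.split(":", 1)[0])

def find_basic_auth(script_text):
    """Return (line_number, label, account) for each Basic Auth use found."""
    findings = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        for label, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((number, label, account_of(label, match.group(1))))
    return findings

# Constructed sample script; host, organization and credentials are made up.
_B64 = base64.b64encode(b"admin@example.com:s3cret").decode()
SAMPLE = f"""#!/bin/sh
curl -u admin@example.com:s3cret https://mgmt.example.test/v1/organizations/myorg
curl -H "Authorization: Basic {_B64}" https://mgmt.example.test/v1/organizations/myorg/apis
curl -H "Authorization: Basic $CREDS" https://mgmt.example.test/v1/organizations/myorg/apis
curl -H "Authorization: Bearer $TOKEN" https://mgmt.example.test/v1/organizations/myorg/apis
curl https://ops%40example.com:pw@mgmt.example.test/v1/organizations/myorg/environments
"""

if __name__ == "__main__":
    for number, label, account in find_basic_auth(SAMPLE):
        print(f"line {number}: {label} (account: {account})")
```

The Bearer-token line is not flagged, so scripts already migrated to token-based access pass cleanly.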

SAML and identity zones

You enable SAML at the organization level through Edge identity zones. That means every organization that supports SAML authentication must be added to an Edge identity zone.

An Edge identity zone is an authentication realm that defines a SAML identity provider used for authentication. Only when a user authenticates with the identity provider can they access the Edge organizations and resources scoped to the zone.

For more information, see Using an identity zone with SAML.

Using SAML with the Edge UI

The SAML specification defines three entities:

  • Principal (Edge UI user)
  • Service provider (Edge SSO)
  • Identity provider (returns SAML assertion)

When SAML is enabled, the principal (an Edge UI user) requests access to the service provider (Edge SSO). Edge SSO (in its role as a SAML service provider) then requests and obtains an identity assertion from the SAML identity provider and uses that assertion to create the OAuth2 token required to access the Edge UI. The user is then redirected to the Edge UI.

This process is shown below:

In this diagram:

  1. The user attempts to access the Edge UI by making a request to the login domain for the Edge SSO, which includes the zone name. For example, https://zoneName.login.apigee.com.
  2. Unauthenticated requests to https://zoneName.login.apigee.com are redirected to the customer's SAML identity provider. For example, https://idp.customer.com.
  3. If the customer is not logged in to the identity provider, the customer is prompted to log in.
  4. The user is authenticated by the SAML identity provider. The SAML identity provider generates and returns a SAML 2.0 assertion to the Edge SSO.
  5. Edge SSO validates the assertion, extracts the user identity from the assertion, generates the OAuth 2 authentication token for the Edge UI, and redirects the user to the main Edge UI page at:
    https://zoneName.enterprise.apigee.com/platform/orgName

    Where orgName is the name of an Edge organization.

Get started!

See how to enable SAML