Edge for Private Cloud v4.18.01
After you have enabled SAML on Edge, you can disable Basic Auth. However, before you disable Basic Auth:
- Make sure you have added all Edge users, including system administrators, to your SAML IDP.
- Make sure you have thoroughly tested SAML authentication on the Edge UI and Edge management API.
- If you are also using API BaaS, configure and test SAML on API BaaS. See Enabling SAML for API BaaS.
- If you are using the Developer Services portal, configure and test SAML on the portal to ensure that the portal can connect to Edge. See Configuring the Developer Services portal to use SAML to communicate with Edge.
Viewing the current security profile
You can view the Edge security profile to determine the current configuration to determine if Basic Auth and SAML is currently enabled. Use the following Edge management API call on the Edge Management Server to view the current security profile used by Edge:
> curl -H "accept:application/xml" http://localhost:8080/v1/securityprofile -u sysAdminEmail:pWord
If you have not yet configured SAML, the response is as shown below meaning Basic Auth is enabled:
<SecurityProfile enabled="true" name="securityprofile">
<UserAccessControl enabled="true">
</UserAccessControl>
</SecurityProfile>
If you have already enabled SAML, you see the <ssoserver> tag in the output:
<SecurityProfile enabled="true" name="securityprofile">
<UserAccessControl enabled="true">
<SSOServer>
<BasicAuthEnabled>true</BasicAuthEnabled>
<PublicKeyEndPoint>/token_key</PublicKeyEndPoint>
<ServerUrl>http://35.197.37.220:9099</ServerUrl>
</SSOServer>
</UserAccessControl>
</SecurityProfile>
Notice that the version with SAML enabled also shows <BasicAuthEnabled>true</BasicAuthEnabled> meaning Basic Auth is still enabled.
Disable Basic Auth
Use the following Edge management API call on the Edge Management Server to disable Basic Auth. Note that you pass as the payload the XML object returned in the previous section. The only difference is that you set <BasicAuthEnabled>false</BasicAuthEnabled>:
> curl -H "Content-Type: application/xml"
http://localhost:8080/v1/securityprofile -u sysAdminEmail:pWord -d
'<SecurityProfile enabled="true" name="securityprofile">
<UserAccessControl enabled="true">
<SSOServer>
<BasicAuthEnabled>false</BasicAuthEnabled>
<PublicKeyEndPoint>/token_key</PublicKeyEndPoint>
<ServerUrl>http://35.197.37.220:9099</ServerUrl>
</SSOServer>
</UserAccessControl>
</SecurityProfile>'
After you disable Basic Auth, any Edge management API call that passes Basic Auth credentials returns the following error:
<Error>
<Code>security.SecurityProfileBasicAuthDisabled</Code>
<Message>Basic Authentication scheme not allowed</Message>
<Contexts/>
</Error>
Re-enable Basic Auth
If for any reason you have to re-enable Basic Auth, you must perform the following steps:
Caution: As part of re-enabling Basic Auth, you have to temporarily disable all authentication on Edge, including SAML.
- Log in to any Edge ZooKeeper node.
- Run the following bash script to turn off all security:
Caution: This step disables all authentication on Edge, including SAML.
#! /bin/bash
/opt/apigee/apigee-zookeeper/bin/zkCli.sh -server localhost:2181 <<EOFset /system/securityprofile <SecurityProfile></SecurityProfile>quitEOF
You will see output in the form:
Connecting to localhost:2181
Welcome to ZooKeeper!
JLine support is enabled
WATCHER::
WatchedEvent state:SyncConnected type:None path:null[zk: localhost:2181(CONNECTED) 0] set /system/securityprofile <SecurityProfile></SecurityProfile>cZxid = 0x89...
[zk: localhost:2181(CONNECTED) 1] quit
Quitting… - Re-enable Basic Auth and SAML authentication:
> curl -H "Content-Type: application/xml"
You can now use Basic Auth again.
http://localhost:8080/v1/securityprofile -u sysAdminEmail:pWord -d
'<SecurityProfile enabled="true" name="securityprofile">
<UserAccessControl enabled="true">
<SSOServer>
<BasicAuthEnabled>true</BasicAuthEnabled>
<PublicKeyEndPoint>/token_key</PublicKeyEndPoint>
<ServerUrl>http://35.197.37.220:9099</ServerUrl>
</SSOServer>
</UserAccessControl>
</SecurityProfile>'