Enabling SAML for API BaaS

Edge for Private Cloud v4.18.01

After you enable SAML for Edge, you can enable SAML for API BaaS. SAML support for API BaaS requires that you have already installed and configured the Edge SSO module on the Edge Management Server node.

The general process for enabling SAML for API BaaS is:

  1. Configure SAML on Edge as described in Installation and configuration of SAML for Edge.
  2. Install API BaaS and ensure that your installation is working properly. This includes creating BaaS organizations. See API BaaS Installation.
  3. For all existing BaaS users, including the BaaS system administrator and BaaS organization administrators, create a corresponding user in the IDP. The email address of the user in the IDP must be the same address that was used to create the BaaS user.
  4. Configure SAML on API BaaS.

Configure SAML on API BaaS

To configure SAML on API BaaS, you have to enable it on both the BaaS Portal and Stack, in that order.

You first create a config file to configure SAML:

# IP address of BaaS Portal
IP1=11.111.11.111

# IP address of apigee-sso node
IP2=22.222.22.222

# Information about apigee-sso.
# Externally accessible IP or DNS of apigee-sso.
SSO_PUBLIC_URL_HOSTNAME=$IP2
SSO_PUBLIC_URL_PORT=9099
# Default is http. Set to https if you enabled TLS on apigee-sso.
SSO_PUBLIC_URL_SCHEME=http

# SSO admin credentials as set when you installed apigee-sso.
SSO_ADMIN_NAME=ssoadmin
SSO_ADMIN_SECRET=Secret123

# The name of the OAuth client used to connect to apigee-sso.
# The default client name is "baas". 
BAAS_SSO_CLIENT_NAME=baas

# If set, the existing BAAS client is deleted and a new one is created.
# The default value is "n".
# Set to "y" when you reconfigure SAML and change the value of 
# any of the BAAS_* properties.
BAAS_SSO_CLIENT_OVERWRITE=y

# API BaaS Portal properties:
BAAS_SSO_ENABLED=y

# Comma separated list of URLs for the BAAS portal, 
# in the format:  http_or_https://IP_or_hostname_of_UI:9000. 
# You can have multiple URLs when you have multiple installations
# of the BAAS portal or you have multiple data centers.
BAAS_PUBLIC_URIS=http_or_https://IP_or_hostname_of_BAAS:9000
BAAS_SSO_REGISTERED_PUBLIC_URIS=$BAAS_PUBLIC_URIS

# API BaaS Stack properties
BAAS_SSO_ENABLED=y

To configure API BaaS to enable SAML support:

  1. Run the following command to configure SAML on the BaaS Portal:
    > /opt/apigee/apigee-service/bin/apigee-service baas-portal configure-sso -f samlConfigFile

    where samlConfigFile is the SAML config file.
  2. Run the following command to restart the portal:
    > /opt/apigee/apigee-service/bin/apigee-service baas-portal restart
  3. Run the following command to configure SAML on all the BaaS Stack nodes:
    > /opt/apigee/apigee-service/bin/apigee-service baas-usergrid configure-sso -f samlConfigFile

To later change these values, update the config files and run these steps again.
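
A pre-flight check to run on the config file before the configure-sso steps above, as an added example that is not part of the Apigee documentation or tooling. The function names cfg_get and lint_saml_config and the checks themselves (owner-only file mode, https scheme, sample secret left in place, well-formed portal URIs) are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight lint for the SAML config file given to
# "configure-sso -f". It parses KEY=VALUE lines and never sources the file.

# Print the last value assigned to key $2 in file $1.
cfg_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Print one finding per line; return 0 if clean, 1 on findings, 2 if unreadable.
lint_saml_config() {
  f=$1; n=0
  [ -r "$f" ] || { echo "ERROR unreadable: $f"; return 2; }
  note() { echo "$1"; n=$((n + 1)); }

  # The file carries SSO_ADMIN_SECRET in clear text: owner-only access.
  [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
    note "PERMS group/other can access the file holding SSO_ADMIN_SECRET"

  # Keys that the page's sample config file sets and that must not be empty.
  for k in SSO_PUBLIC_URL_HOSTNAME SSO_PUBLIC_URL_PORT SSO_ADMIN_NAME \
           SSO_ADMIN_SECRET BAAS_SSO_ENABLED BAAS_PUBLIC_URIS; do
    [ -n "$(cfg_get "$f" "$k")" ] || note "MISSING $k"
  done

  # The page's sample secret must not survive into a real deployment.
  [ "$(cfg_get "$f" SSO_ADMIN_SECRET)" != "Secret123" ] ||
    note "SECRET SSO_ADMIN_SECRET is the documentation sample value"

  # Unset means the default, http: no TLS between clients and apigee-sso.
  scheme=$(cfg_get "$f" SSO_PUBLIC_URL_SCHEME)
  [ "${scheme:-http}" = "https" ] || note "SCHEME SSO_PUBLIC_URL_SCHEME is not https"

  # Each portal URI must be scheme://host:port; catches the unedited placeholder.
  for u in $(cfg_get "$f" BAAS_PUBLIC_URIS | tr ',' ' '); do
    echo "$u" | grep -Eq '^https?://[^/:]+:[0-9]+$' || note "URI malformed: $u"
  done
  [ "$n" -eq 0 ]
}

# Stand-alone use: pass the config file path as the first argument.
if [ $# -gt 0 ]; then lint_saml_config "$1"; fi
```

Values written as variable references, such as $IP2, are checked as literal text and are not expanded.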

Disable SAML on API BaaS

To disable SAML on API BaaS:

  1. Edit the config file that you used to configure SAML to set:
    BAAS_SSO_ENABLED=n
  2. Configure the BaaS Portal:
    > /opt/apigee/apigee-service/bin/apigee-service baas-portal configure-sso -f configFile

    Note: Users who never set a BaaS password must select the Reset password link on the login page to set a new password.
  3. Run the following command to restart the portal:
    > /opt/apigee/apigee-service/bin/apigee-service baas-portal restart
  4. Configure the BaaS Stack:
    > /opt/apigee/apigee-service/bin/apigee-service baas-usergrid configure-sso -f configFile