Configure your LDAP IDP

This section describes the mechanisms with which you can use LDAP as an IDP with Apigee Edge for Private Cloud.

Simple binding (direct binding)

With simple binding, the user supplies an RDN attribute. The RDN attribute can be a username, email address, common name, or other type of user ID, depending on what the primary identifier is. With that RDN attribute, Apigee SSO statically constructs a distinguished name (DN). There are no partial matches with simple binding.

The following shows the steps in a simple binding operation:

  1. The user inputs an RDN attribute and password. For example, they might input the username “alice”.
  2. Apigee SSO constructs the DN; for example:
    dn=uid=alice,ou=users,dc=test,dc=com
  3. Apigee SSO uses the statically constructed DN and supplied password to attempt a bind to the LDAP server.
  4. If successful, Apigee SSO returns an OAuth token that the client can attach to their requests to the Edge services.

Simple binding provides the most secure installation because Apigee SSO holds no LDAP credentials or other directory data in its configuration. The administrator can configure one or more DN patterns in Apigee SSO to be tried in turn for a single username input.

Search and bind (indirect binding)

With search and bind, the user supplies an RDN and password. Apigee SSO then finds the user's DN. Search and bind allows for partial matches.

The search base is the top-most node of the directory subtree in which Apigee SSO searches for the user.

The following shows the steps in a search and bind operation:

  1. The user inputs an RDN, such as a username or email address, plus their password.
  2. Apigee SSO performs a search using an LDAP filter and a set of known search credentials.
  3. If there is exactly one match, Apigee SSO retrieves the user's DN. If there are zero matches or more than one match, Apigee SSO rejects the user.
  4. Apigee SSO then attempts to bind the user's DN and supplied password against the LDAP server.
  5. The LDAP server performs the authentication.
  6. If successful, Apigee SSO returns an OAuth token that the client can attach to their requests to the Edge services.

Apigee recommends that you use a set of read-only admin credentials that you make available to Apigee SSO to perform a search on the LDAP tree where the user resides.
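The following is an added illustration of both flows described above (simple binding with a list of DN patterns, and search and bind with a read-only search account and an exactly-one-match rule); it is not Apigee's code and does not use Apigee SSO configuration. It runs against a constructed in-memory directory that stands in for the LDAP server, so the entries, the DN patterns, and the service account name `cn=sso-reader,ou=services,dc=test,dc=com` are all assumptions made for the demo. The two escaping helpers follow RFC 4514 (DN values) and RFC 4515 (filter values) so that user input can never change the shape of the DN or the search filter.

```python
import hmac
import re
from typing import Dict, List, Optional

# Constructed sample directory standing in for the LDAP server: DN -> attributes.
# Passwords are kept in clear text only because this is a demo.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=sso-reader,ou=services,dc=test,dc=com": {"cn": "sso-reader", "userPassword": "reader-pw"},
    "uid=alice,ou=users,dc=test,dc=com": {"uid": "alice", "mail": "alice@test.com", "userPassword": "s3cret"},
    "uid=bob,ou=users,dc=test,dc=com": {"uid": "bob", "mail": "bob@test.com", "userPassword": "bobpw"},
    "uid=bob,ou=contractors,dc=test,dc=com": {"uid": "bob", "mail": "bob@contractor.example", "userPassword": "other"},
    "uid=dave,ou=contractors,dc=test,dc=com": {"uid": "dave", "mail": "dave@test.com", "userPassword": "davepw"},
}

SEARCH_BASE = "dc=test,dc=com"  # top-most node of the subtree that is searched
# DN patterns tried in order for simple binding; {0} is replaced by the escaped RDN value (assumed values)
DN_PATTERNS = [
    "uid={0},ou=users,dc=test,dc=com",
    "uid={0},ou=contractors,dc=test,dc=com",
]
# Read-only service account used only for the search step of search-and-bind (assumed name)
SERVICE_DN = "cn=sso-reader,ou=services,dc=test,dc=com"
SERVICE_PASSWORD = "reader-pw"


def ldap_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    return hmac.compare_digest(entry["userPassword"].encode(), password.encode())


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value that is substituted into a DN pattern."""
    escaped = "".join("\\" + ch if ch in '\\,+"<>;=' else ch for ch in value)
    if escaped.startswith("#") or escaped.startswith(" "):
        escaped = "\\" + escaped
    return escaped


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed into a search filter: no wildcard or paren survives."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


_TOKEN = re.compile(r"\\([0-9a-fA-F]{2})|(\*)|([^\\*]+)")


def _filter_regex(pattern: str) -> "re.Pattern[str]":
    """Turn an LDAP assertion value into a regex: an unescaped '*' is a wildcard, '\\xx' is a literal character."""
    pieces = []
    for hexpair, star, literal in _TOKEN.findall(pattern):
        if hexpair:
            pieces.append(re.escape(chr(int(hexpair, 16))))
        elif star:
            pieces.append(".*")
        else:
            pieces.append(re.escape(literal))
    return re.compile("^" + "".join(pieces) + "$")


def ldap_search(base: str, ldap_filter: str) -> List[str]:
    """Stand-in for a subtree search with one equality/substring filter such as (uid=alice)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if m is None:
        raise ValueError("only (attr=value) filters are supported in this demo")
    attr, regex = m.group(1), _filter_regex(m.group(2))
    return [
        dn for dn, entry in DIRECTORY.items()
        if (dn == base or dn.endswith("," + base)) and attr in entry and regex.match(entry[attr])
    ]


def simple_bind_login(rdn_value: str, password: str) -> Optional[str]:
    """Simple binding: statically build the DN from each configured pattern and try to bind with it."""
    if not password:
        return None  # an empty password would be an anonymous (unauthenticated) bind, not a login
    for pattern in DN_PATTERNS:
        dn = pattern.format(escape_dn_value(rdn_value))
        if ldap_bind(dn, password):
            return dn
    return None


def search_and_bind_login(rdn_value: str, password: str, attr: str = "uid") -> Optional[str]:
    """Search and bind: look the user up with the read-only account, require exactly one hit, then bind as the user."""
    if not password:
        return None
    if not ldap_bind(SERVICE_DN, SERVICE_PASSWORD):
        raise RuntimeError("search credentials were rejected by the directory")
    matches = ldap_search(SEARCH_BASE, "(%s=%s)" % (attr, escape_filter_value(rdn_value)))
    if len(matches) != 1:
        return None  # zero hits: unknown user; several hits: ambiguous, so reject rather than guess
    user_dn = matches[0]
    return user_dn if ldap_bind(user_dn, password) else None


if __name__ == "__main__":
    print(simple_bind_login("alice", "s3cret"))          # uid=alice,ou=users,dc=test,dc=com
    print(search_and_bind_login("bob", "bobpw"))         # None: 'bob' exists in two OUs
    print(search_and_bind_login("*", "s3cret"))          # None: the wildcard is escaped, not interpreted
```

Two details are worth noticing. The empty-password check exists because an LDAP simple bind with an empty password is an unauthenticated bind that many servers accept, which would turn "any username plus no password" into a successful login if the SSO layer did not refuse it first. And `(uid=*)` sent unescaped matches every user, while the escaped form `(uid=\2a)` matches nothing, which is the difference between a lookup and a filter injection.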