After you have enabled SAML or LDAP on Edge, you can disable Basic authentication. However, before you disable Basic authentication:
- Make sure you have added all Edge users, including system administrators, to your IDP.
- Make sure you have thoroughly tested your IDP authentication on the Edge UI and Edge management API.
- If you are using the Apigee Developer Services portal (or simply, the portal), configure and test your external IDP on the portal to ensure that the portal can connect to Edge. See Configuring the portal for external IDPs.
View the current security profile
You can view the Edge security profile to determine the current configuration to determine if Basic authentication and an external IDP are currently enabled. Use the following Edge management API call on the Edge Management Server to view the current security profile used by Edge:
curl -H "accept:application/xml" http://localhost:8080/v1/securityprofile -u sysAdminEmail:pWord
If you have not yet configured an external IDP, the response is as shown below, meaning Basic authentication is enabled:
<SecurityProfile enabled="true" name="securityprofile"> <UserAccessControl enabled="true"> </UserAccessControl> </SecurityProfile>
If you have already enabled an external IDP, the <ssoserver>
element should
appear in the response:
<SecurityProfile enabled="true" name="securityprofile"> <UserAccessControl enabled="true"> <SSOServer> <BasicAuthEnabled>true</BasicAuthEnabled> <PublicKeyEndPoint>/token_key</PublicKeyEndPoint> <ServerUrl>http://35.197.37.220:9099</ServerUrl> </SSOServer> </UserAccessControl> </SecurityProfile>
Notice that the version with an external IDP enabled also shows <BasicAuthEnabled>true</BasicAuthEnabled>, which means that Basic authentication is still enabled.
Disable Basic authentication
Use the following Edge management API call on the Edge Management Server to disable Basic authentication.
To disable Basic authentication, you pass the XML object returned in the previous section as the payload. The only
difference is that you set <BasicAuthEnabled>
to false
, as the
following example shows:
curl -H "Content-Type: application/xml" http://localhost:8080/v1/securityprofile -u sysAdminEmail:pWord -d '<SecurityProfile enabled="true" name="securityprofile"> <UserAccessControl enabled="true"> <SSOServer> <BasicAuthEnabled>false</BasicAuthEnabled> <PublicKeyEndPoint>/token_key</PublicKeyEndPoint> <ServerUrl>http://35.197.37.220:9099</ServerUrl> </SSOServer> </UserAccessControl> </SecurityProfile>'
After you disable Basic authentication, any Edge management API call that passes Basic authentication credentials returns the following error:
<Error> <Code>security.SecurityProfileBasicAuthDisabled</Code> <Message>Basic Authentication scheme not allowed</Message> <Contexts/> </Error>
Re-enable Basic authentication
If for any reason you have to re-enable Basic authentication, you must perform the following steps:
- Log in to any Edge ZooKeeper node.
- Run the following bash script to turn off all security:
#! /bin/bash /opt/apigee/apigee-zookeeper/bin/zkCli.sh -server localhost:2181 <<EOF set /system/securityprofile <SecurityProfile></SecurityProfile> quit EOF
You will see output in the form:
Connecting to localhost:2181 Welcome to ZooKeeper! JLine support is enabled WATCHER:: WatchedEvent state:SyncConnected type:None path:null [zk: localhost:2181(CONNECTED) 0] set /system/securityprofile <SecurityProfile></SecurityProfile> cZxid = 0x89 ... [zk: localhost:2181(CONNECTED) 1] quit Quitting...
- Re-enable Basic authentication and the external IDP authentication:
curl -H "Content-Type: application/xml" http://localhost:8080/v1/securityprofile -u sysAdminEmail:pWord -d '<SecurityProfile enabled="true" name="securityprofile"> <UserAccessControl enabled="true"> <SSOServer> <BasicAuthEnabled>true</BasicAuthEnabled> <PublicKeyEndPoint>/token_key</PublicKeyEndPoint> <ServerUrl>http://35.197.37.220:9099</ServerUrl> </SSOServer> </UserAccessControl> </SecurityProfile>'
You can now use Basic authentication again. Note that Basic authentication does not work when the New Edge experience is enabled.