The SAML specification defines three entities:
- Principal (Edge UI user)
- Service provider (Apigee SSO)
- Identity provider (returns SAML assertion)
When SAML is enabled, the principal (an Edge UI user) requests access to the service provider (Apigee SSO). Apigee SSO (in its role as a SAML service provider) then requests and obtains an identity assertion from the SAML IDP and uses that assertion to create the OAuth2 token required to access the Edge UI. The user is then redirected to the Edge UI.
This process is shown below:
In this diagram:
- The user attempts to access the Edge UI by making a request to the login URL for the Edge UI. For example:
- Unauthenticated requests are redirected to the SAML IDP. For example, "https://idp.customer.com".
- If the user is not logged in to the identity provider, then they are prompted to log in.
- The user logs in.
- The user is authenticated by the SAML IDP, which generates a SAML 2.0 assertion and returns it to Apigee SSO.
- Apigee SSO validates the assertion, extracts the user identity from the assertion, generates the OAuth 2 authentication token for the Edge UI, and redirects the user to the main Edge UI
Where orgName is the name of an Edge organization.
Edge supports many IDPs, including Okta and the Microsoft Active Directory Federation Services (ADFS). For information on configuring ADFS for use with Edge, see Configuring Edge as a Relying Party in ADFS IDP. For Okta, see the following section.
When you configure your SAML IDP, note that Edge requires an email address to identify the user. Therefore, the identity provider must return an email address as part of the identity assertion.
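An added example, not part of the Apigee documentation: a diagnostic check that a captured assertion carries an email address and that its Recipient and Audience match the values the service provider expects. The sample assertion, its URLs and entity ID, and the function name `check_assertion` are constructed placeholders, and accepting the email from either the NameID or an attribute value is an assumption.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample assertion; every URL, ID and address is a placeholder.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dev@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sso.example.test/placeholder/SSO"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>placeholder-sp-entity-id</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def check_assertion(xml_text, expected_acs_url, expected_audience):
    """Return a list of configuration problems; an empty list means none found.

    Diagnostic only: it does not verify the XML signature or validity period.
    """
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attrs = [v.text.strip() for v in root.iterfind(".//saml:AttributeValue", NS) if v.text]
    if not any(EMAIL_RE.match(v) for v in [name_id, *attrs]):
        problems.append("no email address in NameID or attribute statements")
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    # Exact, case-sensitive comparison: ".../sso" does not match ".../SSO".
    if expected_acs_url not in recipients:
        problems.append(f"Recipient {recipients} does not match {expected_acs_url}")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not match {expected_audience}")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE, "https://sso.example.test/placeholder/SSO", "placeholder-sp-entity-id"))
```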
In addition, you might require some or all of the following:
- Metadata URL: The SAML IDP might require the metadata URL of Apigee SSO. The metadata URL is in the form:
- Assertion Consumer Service URL: Can be used as the redirect URL back to Edge after the user enters their IDP credentials, in the form:
- Single logout URL: You can configure Apigee SSO to support single logout. See Configure single sign-out from the Edge UI for more. The Apigee SSO single logout URL has the form:
- The SP entity ID (or Audience URI): For Apigee SSO:
To configure Okta:
- Log in to Okta.
- Select Applications and then select your SAML application.
- Select the Assignments tab to add any users to the application. These users will be able to log in to the Edge UI and make Edge API calls. However, you must first add each user to an Edge organization and specify the user's role. See Register new Edge users for more.
- Select the Sign on tab to obtain the Identity Provider metadata URL. Store that URL because you need it to configure Edge.
- Select the General tab to configure the Okta application, as shown in the
  Setting: Description
  - Single sign on URL: Specifies the redirect URL back to Edge for use after the user enters their Okta credentials. This URL is in the form:
    If you plan to enable TLS on
    Where apigee_sso_IP_DNS is the IP address or DNS name of the node hosting
    Note that this URL is case sensitive and SSO must appear in caps.
    If you have a load balancer in front of apigee-sso, then specify the IP address or DNS name of apigee-sso as referenced through the load balancer.
  - Use this for Recipient URL and Destination URL: Set this checkbox.
  - Audience URI (SP Entity ID): Set to
  - Default RelayState: Can leave blank.
  - Name ID format: Specify
  - Application username: Specify
  - Attribute Statements (Optional): Specify
The SAML settings dialog box should appear as below once you are done: