This section provides guidance for migrating from the Classic UI to the Edge UI with an IDP such as LDAP or SAML.
Who can perform the migration
To migrate to the Edge UI, you must be logged in as the user who originally installed Edge or as a root user. After you run the installer for the Edge UI, any user can configure it.
Before you begin
Before migrating from the Classic UI to the Edge UI, read the following general guidelines:
- Back up your existing Classic UI nodes
Before you update, Apigee recommends that you back up your existing Classic UI server.
- Ports/firewalls
By default, the Classic UI uses port 9000. The Edge UI uses port 3001.
- New VM
The Edge UI can’t be installed on the same VM as Classic UI.
To install the Edge UI, you must add a new machine to your configuration. If you want to use the same machine as Classic UI, then you must uninstall Classic UI completely.
- Identity Provider (LDAP or SAML)
The Edge UI authenticates users with either a SAML or LDAP IDP:
- LDAP: For LDAP, you can either use an external LDAP IDP or you can use the internal OpenLDAP implementation that is installed with Edge.
- SAML: The SAML IDP must be an external IDP.
For more information, see Install and configure IDPs.
- Same IDP
This section assumes that you will use the same IDP after migration. For example, if you currently use an external LDAP IDP with the Classic UI, then you will continue to use an external LDAP IDP with the Edge UI.
Migrate with an internal LDAP IDP
Use the following guidelines when migrating from the Classic UI to the Edge UI in a configuration that uses the internal LDAP implementation (OpenLDAP) as an IDP:
- Indirect binding configuration
Install the Edge UI using these instructions, with the following change to your silent configuration file:
Configure LDAP to use search and bind (indirect), as the following example shows:
    SSO_LDAP_PROFILE=indirect
    SSO_LDAP_BASE_URL=ldap://localhost:10389
    SSO_LDAP_ADMIN_USER_DN=uid=admin,ou=users,ou=global,dc=apigee,dc=com
    SSO_LDAP_ADMIN_PWD=Secret123
    SSO_LDAP_SEARCH_BASE=dc=apigee,dc=com
    SSO_LDAP_SEARCH_FILTER=mail={0}
    SSO_LDAP_MAIL_ATTRIBUTE=mail
- Basic authentication for the management API
Basic authentication for APIs continues to work by default for all LDAP users when Apigee SSO is enabled. You can optionally disable Basic authentication, as described in Disable Basic authentication on Edge.
- OAuth2 authentication for the management API
Token based authentication is enabled when you enable SSO.
- New user/password flow
You must create new users with APIs because password flows will no longer work in the Edge UI.
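A lint for the indirect-binding settings above, as an added example that is not part of the Apigee documentation or installer: it parses a silent configuration file and flags missing SSO_LDAP_* keys, a remote ldap:// bind URL, the sample password left in place, and a search filter without {0}. The key names come from the example on this page; the function names and the host ldap.example.internal are assumptions made for the illustration.

```python
import re
# Keys taken from the page's indirect-binding example.
REQUIRED_INDIRECT = (
    "SSO_LDAP_BASE_URL", "SSO_LDAP_ADMIN_USER_DN", "SSO_LDAP_ADMIN_PWD",
    "SSO_LDAP_SEARCH_BASE", "SSO_LDAP_SEARCH_FILTER", "SSO_LDAP_MAIL_ATTRIBUTE",
)
DOC_SAMPLE_PASSWORDS = {"Secret123"}  # value printed in the page's example

def parse_silent_config(text):
    """Parse KEY=VALUE lines; values may contain '=' (DNs, search filters)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                settings[key.strip()] = value.strip()
    return settings

def lint_ldap_settings(settings):
    """Return findings for the SSO_LDAP_* part of a silent config."""
    if settings.get("SSO_LDAP_PROFILE") != "indirect":
        return ["SSO_LDAP_PROFILE is not 'indirect' (search and bind)"]
    findings = [f"{k} is missing or empty" for k in REQUIRED_INDIRECT
                if not settings.get(k)]
    url = settings.get("SSO_LDAP_BASE_URL", "")
    host = re.sub(r"^ldaps?://", "", url).split(":")[0]
    if url.startswith("ldap://") and host not in ("localhost", "127.0.0.1"):
        findings.append("bind passwords go to a remote host over ldap://")
    if settings.get("SSO_LDAP_ADMIN_PWD") in DOC_SAMPLE_PASSWORDS:
        findings.append("SSO_LDAP_ADMIN_PWD is the documentation sample value")
    search_filter = settings.get("SSO_LDAP_SEARCH_FILTER", "")
    if search_filter and "{0}" not in search_filter:
        findings.append("SSO_LDAP_SEARCH_FILTER lacks the {0} login placeholder")
    return findings

# Constructed sample: the page's example with a hypothetical remote LDAP host
# and a search filter that has lost its {0} placeholder.
SAMPLE = """\
SSO_LDAP_PROFILE=indirect
SSO_LDAP_BASE_URL=ldap://ldap.example.internal:10389
SSO_LDAP_ADMIN_USER_DN=uid=admin,ou=users,ou=global,dc=apigee,dc=com
SSO_LDAP_ADMIN_PWD=Secret123
SSO_LDAP_SEARCH_BASE=dc=apigee,dc=com
SSO_LDAP_SEARCH_FILTER=mail=*
SSO_LDAP_MAIL_ATTRIBUTE=mail
"""

if __name__ == "__main__":
    print(*lint_ldap_settings(parse_silent_config(SAMPLE)), sep="\n")
```

Run it against the silent configuration file before invoking the installer; an empty result means none of the four checks fired.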
Migrate with an external LDAP IDP
Use the following guidelines when migrating from the Classic UI to the Edge UI in a configuration that uses an external LDAP implementation as an IDP:
- LDAP configuration
Install the Edge UI using these instructions. You can configure either direct or indirect binding in your silent configuration file.
- Management Server configuration
After you enable Apigee SSO, you should remove all external LDAP properties that are defined in the /opt/apigee/customer/application/management-server.properties file and restart the Management Server.
- Basic authentication for the management API
Basic authentication works for machine users but not LDAP users. Machine users will be critical if your CI/CD process still uses Basic authentication to access the system.
- OAuth2 authentication for the management API
LDAP users can access the management API with tokens only.
Migrate with an external SAML IDP
When migrating to the Edge UI, there are no changes to the installation instructions for a SAML IDP.