Configure external identity providers

Overview

API Manager provides sample external identity providers for Lightweight Directory Access Protocol (LDAP) based on Apache Directory and Microsoft Active Directory. This chapter explains how to configure these sample providers using the Policy Studio and API Manager tools.

Sample configuration

The following sample external identity provider configuration is available in the Policy Studio tree:

Configure an Apache Directory LDAP external identity provider

This section explains how to configure an Apache Directory LDAP external identity provider.

Prerequisites

The sample LDAP configuration assumes that an Apache Directory LDAP server is running locally (on localhost:10389), and configured with a sample partition (Seven Seas). This sample partition is available from:

http://directory.apache.org/apacheds/basic-ug/1.4.3-adding-partition.html

When the partition has been configured, you must import the sample LDAP Data Interchange Format (LDIF) data to populate the directory with users. The sample LDIF data is available from:

http://directory.apache.org/apacheds/basic-ug/1.5-sample-configuration.html#the-sample-data-sailors-of-the-seven-seas

Note   All user passwords are set to pass.

For more details, see the Apache Directory Studio User Guide.

Configuration steps

To set up LDAP as an external identity provider, perform the following steps:

  1. In the Policy Studio tree, select Server Settings > API Manager > Identity Provider > Use external identity provider.
  2. Ensure that the sample LDAP account policies are configured. These policies are selected by default. For example:
     Figure: Sample LDAP policies
  3. Click Apply Changes at the bottom right.
  4. Optionally, if the community organization is not named Community, or if you wish to on-board users to a specific organization, edit the Set.extidentity.organization filter in the Read LDAP Account Information policy. For example:
     Figure: Retrieve LDAP Account Information policy
  5. Enter the appropriate value in the Organization selector field (for example, Community).
  6. Click Deploy in the toolbar to deploy the updated configuration.
  7. Connect to API Manager in your browser:
     https://localhost:8075/
  8. On-board a user from the Apache Directory LDAP server by logging in with the appropriate user credentials (for example, the wbligh user).
  9. Select Settings > Account to view the on-boarded account details. For example:
     Figure: Onboarded LDAP user

Note   The Login name for an external user (provisioned by an external identity provider) is read-only and cannot be changed.

Configure an Active Directory external identity provider

This section explains how to configure a Microsoft Active Directory external identity provider.

To set up Active Directory as an external identity provider, perform the following steps:

  1. In the Policy Studio tree, select Server Settings > API Manager > Identity Provider > Use external identity provider.
  2. Ensure that the sample Active Directory account policies are configured. For example:
     Figure: Sample Active Directory policies
  3. Click Apply Changes at the bottom right.
  4. In the Policy Studio tree, select External Connections > LDAP Connections > API Management Sample Active Directory Connection.
  5. Right-click, select Edit, and enter the following settings:
     • URL: Enter the URL for your LDAP server (for example, ldap://127.0.0.1:389).
     • User Name: Enter the distinguished name of the user to connect to the Active Directory (for example, CN=Joe Bloggs,OU=DUBL,OU=IE,OU=Employees,DC=company,DC=com).
       Note   This user must have Read MemberOf (search) privileges.
     • Password: Enter the user password.
     Figure: Sample Active Directory connection
  6. Click Test Connection to verify that the configuration details are correct.
  7. Select External Connections > Authentication Repositories > LDAP Repositories > API Management Sample Active Directory Repository.
  8. Right-click, select Edit Repository, and enter the Base Criteria (for example, OU=Employees,DC=company,DC=com). This is the starting point in the Active Directory hierarchy at which the search for users will begin.
  9. Optionally, if the community organization is not named Community, or if you wish to on-board users to a specific organization, edit the Set.extidentity.organization filter in the Read Active Directory Account Information policy.
  10. Enter the appropriate value in the Organization selector field (for example, Community).
  11. Click Deploy in the toolbar to deploy the updated configuration.
  12. Connect to API Manager in your browser:
      https://localhost:8075/
  13. On-board a user from the Active Directory server by logging in with the appropriate user credentials (for example, a jbloggs user).
  14. Select Settings > Account to view the on-boarded account details. For example:
      Figure: Onboarded Active Directory user

Note   The Login name for an external user (provisioned by an external identity provider) is read-only and cannot be changed.

Account information policy

You can configure the Account information policy in Policy Studio in Server Settings > API Manager > Identity Provider. This policy returns the user information to API Manager using the following attributes:

Attribute                     Description
extidentity.organization.id   The organization ID (required).
extidentity.role              The user's role (required). This is one of the following:
                                • user: Client application developer
                                • oadmin: Organization administrator
                                • admin: API administrator
extidentity.enabled           User is enabled only if the selector evaluates to 1 or true.
extidentity.name              The user's name (required).
extidentity.description       A description of the user.
extidentity.email             The user's email address.
extidentity.phone             The user's phone number.

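The following is an added example, not Axway code, showing how a directory entry can be mapped to the extidentity.* attributes above and checked before on-boarding (required attributes, allowed roles, and the "1 or true" enabled rule). The attribute names and roles come from this page; the group-to-role mapping, the source attribute names (cn, mail, telephoneNumber, memberOf, userAccountControl) and the sample entries are constructed assumptions.

```python
# Added example, not Axway code. Attribute names and roles come from the page; the
# group-to-role mapping, source attribute names and sample entries are assumptions.
REQUIRED = ("extidentity.organization.id", "extidentity.role", "extidentity.name")
VALID_ROLES = {"user", "oadmin", "admin"}   # roles listed on the page
ACCOUNTDISABLE = 0x2                        # Active Directory userAccountControl flag
# Hypothetical group DN -> role mapping; members of no listed group become "user".
GROUP_ROLES = {
    "cn=api-admins,ou=groups,dc=company,dc=com": "admin",
    "cn=org-admins,ou=groups,dc=company,dc=com": "oadmin",
}

def first(entry, name, default=""):
    """First value of a multi-valued LDAP attribute, or default when absent."""
    values = entry.get(name) or []
    return values[0] if values else default

def role_for(entry):
    """Derive extidentity.role from memberOf; admin outranks oadmin outranks user."""
    roles = {GROUP_ROLES[dn.lower()] for dn in entry.get("memberOf", [])
             if dn.lower() in GROUP_ROLES}
    return next((r for r in ("admin", "oadmin") if r in roles), "user")

def build_extidentity(entry, organization="Community"):
    """Attribute set the Account information policy hands to API Manager."""
    uac = int(first(entry, "userAccountControl", "0"))
    return {
        "extidentity.organization.id": organization,
        "extidentity.role": role_for(entry),
        "extidentity.enabled": "false" if uac & ACCOUNTDISABLE else "true",
        "extidentity.name": first(entry, "cn"),
        "extidentity.description": first(entry, "description"),
        "extidentity.email": first(entry, "mail"),
        "extidentity.phone": first(entry, "telephoneNumber"),
    }

def is_enabled(attrs):
    """Page rule: the user is enabled only if the selector evaluates to 1 or true."""
    return str(attrs.get("extidentity.enabled", "")).strip().lower() in ("1", "true")

def validate(attrs):
    """Problems that block on-boarding; an empty list means the user is accepted."""
    problems = [f"missing {k}" for k in REQUIRED if not attrs.get(k)]
    if attrs.get("extidentity.role") not in VALID_ROLES:
        problems.append("invalid role")
    return problems
# Constructed sample entries: an enabled API administrator and a disabled account
# (userAccountControl 514 = NORMAL_ACCOUNT 512 + ACCOUNTDISABLE 2).
ADMIN_ENTRY = {"cn": ["Joe Bloggs"], "mail": ["jbloggs@company.com"],
               "memberOf": ["CN=api-admins,OU=groups,DC=company,DC=com"]}
DISABLED_ENTRY = {"cn": ["Jane Doe"], "userAccountControl": ["514"]}
```

A disabled account still yields a complete attribute set, so the enabled check must be applied separately from the required-attribute check.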
Further information

For more details, see Configure API management settings in Policy Studio.

For details on how to create custom policies, see the API Gateway Policy Developer Guide.