We are using WSO2 API Manager as a gateway to route requests to backend. We have a requirement to verify user credentials and authorization by making a call to Oracle Identity Manager and Oracle Access Manager before making the call to the backend.
I have read the external LDAP user store configuration. But my client's enterprise is using Oracle identity management for user and access management.
How can this be done in WSO2 API manager.
With the current version of API-M which is 1.8.0, we can not add an external Identity Manager as the OAuth server for API Authorization. This sort of an integration will be possible with the next release of WSO2 API Manager which is 1.9.0.
However, you can integrate an external Identity Provider for user authentication by leveraging the capabilities of WSO2 Identity Server. You could integrate WSO2 API Manager with WSO2 Identity Server and user that for SSO and integrate with an external IDP. Please read this blog on how to achieve that.
Related
How to call the secured API management linked APIs configured in azure portal when developing locally using SWA CLI? All I observed in the SWA configuration is meant for functions as APIs not the APIM.
https://learn.microsoft.com/en-us/azure/static-web-apps/apis-api-management
When adding API Management APIs to an azure static web app, an automatic proxy product is created on APIM securing access to the API for this app via /api prefix on the static web app domain. I did not see any mentions of how this works for local development to pass the user claims from SWA emulator to the API via that proxy?
I was trying to do this recently and I don't think it's possible. My solution was to add a proxy to my dev server (in my case vite) to proxy all requests to the /api route to the Api Management URL, setting the necessary subscription key header.
We want to make our APIs available to external systems.
Our APIs are protected by "Access tokens" using OAUTH2 and Azure AD B2C as an Identity Provider.
Unfortunately, B2C does not support the "Client Credential Flow", so external systems cannot get tokens from B2C by passing their client id and their secret.
We are thinking of fronting the APIs with Azure API Management, and providing the external systems with Subscription Keys. Then once we verify the subscription key in API Management, we want to acquire an Access Token to call our back-end.
Is this possible? It seems like not because of the Client Credentials flow missing. However, I've seen videos from APIM experts claiming that it is possible. I'm I missing something? Does APIM have special treatment?
I'm trying to authenticate Azure App Configuration Service with access keys in APIM policies.
Can someone help how we can authenticate Azure App Configuration Service using Access keys in APIM policies.
You will need to implement the HMAC authentication as explained in the document below. There are code samples in a variety of languages in that doc too.
https://learn.microsoft.com/en-us/azure/azure-app-configuration/rest-api-authentication-hmac
I could find that Azure AD can be configured to to Azure API manager.
My question is, is there a way to configure an on-premise LDAP to it?
A side question: can I configure SSO for the developer portal?
I have an ASP.NET Core REST API Service hosted on an Azure Web App. I own its source code and I can change it if required.
I am planning to publish REST API Service with Azure API Management.
I am adding Azure AD authentication to the Azure API Management front. So, the API management front is secured. All the steps are is described here.
All good so far. Here is the question (or challange?) :
Considering that my backend REST API Service is hosted on Azure and publicly accessible, how do I protect it against the request calls other than the API Management Calls?
How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?
A link to a code sample or online documentation would be a great help.
Update
While there are some overlaps with the follwoing question:
How to prevent direct access to API hosted in Azure app service
... part of this question is still outstanding:
How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?
You can enable static IP restriction on your WebApp to only allow incoming traffic from the VIP of your APIM Service facing ( keep in mind in some specific scenarios , the VIP may change and will be required to update the whitelist again).
Clients ==> AAD==> VIP APIM Service <==> (VIP APIM allowed) Web App
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions