Blog

API Identity Management with LDAP Server

By | Date posted: February 24, 2014

Most corporations deploy LDAP severs such as OpenLDAP to store identities used for SSO and API identity management.   Application users authenticate against these LDAP servers to gain access to APIs.  To avoid an intrusive, non-scalable agent-based model — where every application installs and manages an agent for authentication and authorization — enterprises generally opt to simplify to a centralized model by deploying API gateways.  In this tutorial, you will learn how to use an LDAP server along with Forum Sentry API Gateway to enable access control of your APIs.

This tutorial builds on Using HTTP Basic Auth for API Identity Management in which we show how to lock an API via on-board user identities.  By connecting Forum Sentry to an LDAP server — Online LDAP Test Server — we enable off-board user identity management while alleviating the burden from individual applications to code their own  access control.

Forum-Sentry-LDAP-ListNavigate to ACCESS–>LDAP.  As shown in the screenshot above, Forum Sentry API Gateway can easily be integrated with an LDAP server by providing connectivity information and specifying the Root DN.  The User/group context can be selected to bind to a specific group of users.  For example, in the Online LDAP Test Server, you can bind to Root DN:  ou=scientists, dn=example, dn=com by selecting the Group containing users context shown in the screenshot above.

Forum Sentry-LDAP-ACLTo enable off-board user access to managed APIs, navigate to ACCESS –> User ACLs.  Select TestACLWide and select the new LDAP policy to add all users in the LDAP server to this ACL.  Wherever the ACL policy TestACLWide is being used to lockdown API resources, the users stored in the LDAP server now have access to these API resources.  Note that a hybrid model of on-board and off-board users is readily configured by simply adding the LDAP policy to the ACL group.  Additional identity stores including RSA SecureID, Kerberos, SiteMinder, PingFederate can similarly be added to an ACL.  This model of using an API gateway removes the need for direct code-level integration with single identity stores and enables significant management, performance and maintenance advantages compared to agent-based identity solutions.

Related content:

Leave a Comment