Hi,
We are working on integrating Active Directory as an external authentication provider for our on-prem Apigee deployment (Private Cloud v4.16.05). I have followed the "Apigee Edge Private Cloud External Auth" document provided by Apigee. Here are some of the things that have worked and some that have not quite worked:
1) One of the important things we have seen is that when installing Apigee Private Cloud, we need to use a user that already exists in AD as the sysadmin for the Apigee installation. If Apigee is built using a local user as sysadmin (one that resides in the Apigee LDAP only), then we can't later change Apigee to use a sysadmin that resides in AD.
2) Tried both direct and indirect binding recommended in the Ext Auth doc and it works fine.
3) Tried dynamic role mapping using custom code (one that implements the ExternalRoleMapperService service), and dynamic role mapping did not work. Only static role mapping works, i.e. the user must already have been pre-allocated a role in Apigee using the Management API or the Edge UI. Dynamic role mapping based on the AD group membership of users did not work.
4) Trying to use a username (e.g. cn, sAMAccountName, etc.) as the login rather than the email address also does not work. So, for example, john.doe@myorg.com as the login works fine, but jdoe does not.
So summarizing, AD as an external auth provider works fine for both direct and indirect binding and with email address as the login name.
Has anyone been able to make points 3 & 4, i.e. dynamic role mapping and sAMAccountName as the username, work?