Most corporations keep their system login credentials (for employees and applications) in an LDAP repository. They do so for several good reasons, such as the systematic organization of records in a hierarchical structure, data security, and platform neutrality.
For such scenarios, APIC supports an LDAP user registry type. Creating an LDAP user registry requires many details and depends on your LDAP server configuration. You will most likely need to work with your LDAP administrator to set up an LDAP user registry. You can still review the sample configuration in the following screenshot to see some of the information that is required to set up an LDAP user registry:
Figure 7.5 – LDAP user registry configuration
As you can see in Figure 7.5, setting up such a user registry requires significantly more information, including the bind method, Prefix, Suffix, Base DN, and so forth. You should consult your LDAP administrator before embarking on this configuration.
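As an added illustration (not code from the book or from APIC itself) of how the Prefix, Suffix and Base DN fields fit together, the snippet below composes a bind DN from Prefix + username + Suffix and a search filter under the Base DN, escaping the user-supplied login name in both cases so that a name containing DN or filter metacharacters cannot alter the DN or filter that reaches the directory. That Prefix and Suffix are concatenated around the username, and the choice of search attribute, are assumptions for this example; confirm the semantics of your own registry's bind method.

```python
"""Added example: composing LDAP bind DNs and search filters safely.

Not APIC code. Assumes (illustratively) that the registry's Prefix and
Suffix are concatenated around the login name to form a bind DN, and that
a search-style lookup runs a filter under the configured Base DN.
"""

# Characters that must be backslash-escaped inside a DN attribute value
# (RFC 4514; '=' is escaped as well, which is permitted and conservative).
DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' is special
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading/trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def compose_bind_dn(prefix: str, username: str, suffix: str) -> str:
    """Prefix + escaped username + Suffix, e.g. 'uid=' + name + ',ou=people,...'."""
    return f"{prefix}{escape_dn_value(username)}{suffix}"


def compose_search(base_dn: str, attribute: str, username: str) -> tuple[str, str]:
    """Return (Base DN, filter) for a search-then-bind lookup."""
    return base_dn, f"({attribute}={escape_filter_value(username)})"


if __name__ == "__main__":
    # Constructed values; not taken from any real directory.
    print(compose_bind_dn("uid=", "jdoe", ",ou=people,dc=example,dc=com"))
    print(compose_bind_dn("uid=", "jdoe,ou=admins", ",ou=people,dc=example,dc=com"))
    print(compose_search("dc=example,dc=com", "mail", "jdoe*"))
```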
There is one more user registry type that is supported by APIC, and that is the OIDC user registry. Since this chapter is about API security (instead of user security), OIDC is only briefly covered here.
Introducing OpenID Connect (user registry)
APIC also supports creating a user registry connected to an OIDC Identity Provider (IdP). It can only be used for onboarding and authenticating Cloud Manager, API Manager, and developer portal users. You cannot use it for securing your APIs, though.
The OIDC user registry will generally be connected to a primary OIDC provider such as Google, Slack, or GitHub (among many others). APIC makes it convenient for you to integrate with the main IdPs, such as Google, by automatically populating many key configuration parameters. You will need to register your client/application with your IdP to obtain a unique Client ID and Client secret, which you then provide on the Create OIDC user registry form. Refer to Figure 7.6:
Figure 7.6 – Creating an OIDC user registry
Having covered all the user registry types supported by APIC, your next goal is to learn the OAuth provider configuration. With this OAuth provider configuration, you will complete the main setup required to secure the APIs.