AAD for API Management

Hi.
I'm trying to configure AAD and API Management, so I'm not sure this is the right place to send the issue.
When I try to set the Authentication type to 'Authorization code' I'm receiving this message:
No permission to access user information is configured for 'GUID-APP' application, or it is expired or revoked
The 'GUID-APP' is the client-id of a new app I have registered especially for 'API management' (it is not the app where the real API is implemented). The name of the app is: apimanagement. For this app I have configured:
Application permissions: 2
Delegated permissions: 4
Which kind of permission should I configure to remove the issue?
Thanks.

Hi,
The issue should possibly be a replication delay in Azure AD, when the Permission Object that the application creates to access the Azure Management API (RDFE) does not replicate quickly enough to the authentication endpoint. The app currently does include a 5 sec delay before requesting an authorization code, but this delay may not be consistent. The workaround would be to sign out of the app and then sign back in. (Quoted from the thread below.)
Source: 
Azure AD OpenId Multitenant invalid_grant error
https://social.msdn.microsoft.com/Forums/vstudio/en-US/dd289578-5d04-4ce0-a533-0505f8a8bedd/azure-ad-openid-multitenant-invalidgrant-error?forum=WindowsAzureAD
Hope it helps!
Thanks.
Dharmesh Solanki

Similar Messages

  • Write Custom policies in Javascript for API management in Azure

    I am new to API Management in Azure.
    Is it possible to write custom policy in Javascript like it is possible to write in API Management tool in APIGEE?

    Hi,
    It seems that it is not supported in Azure API Management; please vote for this similar suggestion at:
    http://feedback.azure.com/forums/34192--general-feedback/suggestions/6564897-api-management-policy
    Best Regards,
    Jambor

  • How to make API manager developer console client use AAD as a oauth2 token issuer

    The answer is: configure the oauth2 authorization service record to ONLY use the client_credentials grant type.
    See https://yorkporc.wordpress.com/2015/02/23/getting-api-manager-to-use-aad-sts-finally/ for a success case.
    Do NOT (as one might do, thinking as a security engineer) use the authorization_code grant.
    So, after a week of effort, I figured my way through awful documentation to do something really easy (once one knows how).
    The documentation at http://azure.microsoft.com/en-us/documentation/articles/api-management-howto-oauth2/#step1 sends one the wrong way, since its picture happens to select authorization_code (which doesn't work, at least with AAD as the AS).
    It's pretty clear that the developer console site is not architected to be using AAD's own rather excellent delegated user identity security model. One could be leveraging the web site's own session (itself derived from the id_token issued by AAD) to entitle the web app server-side process to act for the user, which would normally supply the (user's) auth_code and the site's own client credential set to get privileged access to certain API endpoints of the API Management instance. Obviously, that would require the console to be nominating which resources (API endpoint, within a product) are to be placed in the audience field of the token, which in turn requires more advanced AAD configuration (of those API endpoints, as AAD apps in their own right).
    Sigh. MSDN editorial culture strikes yet again.

    Hi Peter,
    Thanks for your feedback!
    I will try to reproduce this issue on my side and report it. Thanks for your time and appreciate your patience.
    Any results, I will post back ASAP.
    Regards,
    Will

  • Azure API Management Usage Pattern for Enterprise - Grouping APIs

    Consider the following scenario:
    I have 100 people in one org with 4 divisions
    I create one Azure API Management instance
    All 100 people are developing APIs and adding them to this single API management instance
    Can I achieve the following? If yes, how?
    I want to group the APIs by those 4 divisions. Allow access to APIs only if they were added by people in their division. When I say allow access, basically I mean search the APIs and call the APIs.

    You can achieve this by using "Groups". First, you need to have a group per division. You can either manually create the groups and add users to them or, if you use Azure Active Directory and enable developers to log in with AAD to the portal, then their existing group membership will also be available to use.
    Once you have the groups set up you need to have a product for each group. You can set the visibility settings of the product so that only members of a given group can see it. Then you can set which APIs the product contains and thus complete the mapping of groups to APIs.

  • May 2015 VTS Middleware Track - Resources for the API Management session

    Some very cool resources:
    Blog article on "In-depth look into Oracle API Catalog (OAC) 12c": https://technology.amis.nl/2014/11/14/in-depth-look-oracle-api-catalog-oac-12c/
    Data sheet of Oracle API Catalog: http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/oracle-api-catalog-ds-2347229.pdf?ssSourceSiteId=ocomen
    Oracle online documentation about Oracle API Catalog: https://docs.oracle.com/middleware/1213/oac/index.html
    Data sheet of Oracle API Manager: http://www.oracle.com/us/technologies/soa/oracle-api-manager-ds-2421644.pdf
    Oracle online documentation about Oracle API Manager: https://docs.oracle.com/middleware/1213/apimgr/index.html
    Oracle product page about API Management: http://www.oracle.com/us/products/middleware/soa/api-management/overview/index.html

    You could check the note on MOS Doc ID 1114976.1 it may have what you need.

  • Using oauth2 flows of Azure Active Directory (AAD), in API

    Documentation on the API feature of Azure strongly hints that oauth2 is supported. But that's like saying SAML is supported (without specifying the profile of SAML2 or SAML1.1). The hint is far too vague to be actionable. What matters to me is that the oauth2 features of Active AD's IDP/STS are supported (and that the JWT tokens and keying properties of AAD can be consumed by API handlers).
    Does anyone have any interworking stories to tell, with AAD? Any samples, blog posts etc?
    It seems REALLY useful to have 1) mobile sites consume AAD and 2) API sites similarly consume tokens - whose audiences cover both the mobile and API endpoints. But is it reality?

    Hi Peter,
    Firstly, as far as I know, Azure AD supports SAML 2.0, and we can use and configure SAML 2.0 in Azure AD (https://msdn.microsoft.com/en-us/library/azure/dn641269.aspx). Azure AD also supports the JWT and SAML 2.0 token formats. According to the official document (http://azure.microsoft.com/en-us/documentation/articles/api-management-howto-oauth2/), we can set up OAuth 2.0 with Azure AD in the API Management service. You can try to configure Azure AD as an Authorization Server in the API Management service.
    The links below are some resources:
    https://msdn.microsoft.com/en-us/library/azure/dn151124.aspx
    https://msdn.microsoft.com/en-us/library/azure/dn641269.aspx
    http://blogs.msdn.com/b/brunoterkaly/archive/2014/07/17/fundamentals-of-active-directory-in-the-cloud-azure-and-on-premises.aspx
    Regards,
    Will

  • Exposing Azure Search Service through API Management

    Hi everyone,
    I've just set up API Management and customised the portal for the APIs I'd like to manage. One of the APIs is actually an Azure Search instance. The only problem I can see is that the JSON response from Azure Search contains a couple of URLs that tie back to the Search. I've tried to add a policy to mask the URLs in the response, but it doesn't quite get it right and the resulting URLs don't work.
    So, is it possible to properly expose the Search service through the API Management service with properly masked URLs?
    thanks,
    Andrew

    Hi Miao,
    thanks for your quick response.
    Although I don't need to know a specific date, I'd be interested to know if there is a target for when this functionality may be added, e.g. 2 months, 6 months?
    I'm evaluating the technology at the moment for a deliverable required in a couple of months and will need to decide whether to wait or develop a wrapper around the search service that removes the data we don't want exposed.
    thanks,
    Andrew

  • Azure API Management - external endpoints

    Hi,
    I'm trying to implement the following scenario by using the preview Azure API management.
    I have a Web API, hosted in an OnPrem IIS. I want to expose this API via the Azure API Management.
    How can I manage exposing an OnPrem endpoint? Must I first be sure that my existing OnPrem API is published on the Internet? Or can I use a Service Bus Relay endpoint?
    Thanks.

    Hi David,
    Thanks for posting!
    Based on my understanding, if your website is hosted on-premises (intranet), you need to expose the endpoints for Azure API Management, and you need to use HTTP or HTTPS endpoints for this feature. You could use the Azure Service Bus service to expose your endpoints, as in this blog (http://blogs.msdn.com/b/paolos/archive/2013/10/24/how-to-integrate-a-windows-azure-web-site-with-a-lob-app-via-a-service-bus-relay-service.aspx) and this thread (http://stackoverflow.com/questions/9626386/relay-webhttprelaybinding-to-webapi-service). Also, you could publish the site on the internet and use the API URL (http://blogs.iis.net/tomkmvp/archive/2010/02/03/how-do-you-access-iis-behind-a-nat-router.aspx). If I am misunderstanding, please feel free to let me know.
    Regards,
    Will

  • Azure API Manager ALM

    Would like some good documentation on best practices for ALM with Azure API Manager. 
    For example...
    How do people have their DEV/TEST/PROD environment setup and how do you deploy changes?
    We are thinking about using the dev tier for our development and test environment and then the standard version for production. Are we on the right path?

    Hi Dan, you are definitely on the right path.
    Besides, below features might be useful to help you manage your environments:
    1. Management Rest API: this is useful if you want to manage your environment programmatically.
    http://msdn.microsoft.com/en-us/library/azure/dn776326.aspx
    2. Backup/Restore: http://azure.microsoft.com/en-us/documentation/articles/api-management-howto-disaster-recovery-backup-restore/
    Please let us know if you have any questions.
    Regards,
    Miao

  • Azure API Management developer portal runtime error

    Hi,
    I'm trying to use the Microsoft Azure API Management functionality just announced in the TechEd 2014 americas.
    I was able to create my namespace for Azure API Management in the Azure Mgmt Portal.
    But now, when I click on the Management Console or Developer Portal, I got a runtime error (ASP.Net Runtime Error).
    I tried from a PC where I'm not authenticated in Azure and it works until I reach the login page, and then I got this Runtime Error again and again.
    My subscription is a MSDN subscription.
    Any ideas or workarounds here?

    Hi,
    The problem still exists but it appears only when I'm authenticated.
    For example, I open the Windows Azure Management Portal with my admin account, go to API Management and click on the Management Console. I'm redirected to the https://middleway.portal.azure-api.net/admin URL and here I get an ASP.NET Runtime Error...
    Strange, no?

  • Apply For Job - Manager Rule

    Hello,
    In iRecruitment, to send a notification to the managers when an applicant applies for a job, I'm using the seeded AME rule which is "Apply For Job - Manager Rule". When I test it by going in as an applicant and applying for a job, it's not sending any notifications. After seeing the metalink note [ID 605603.1], I enabled the business event "oracle.apps.per.api.assignment.update_apl_asg" and tested, but still the AME rule is not fired.
    Am I missing something here?
    Thanks a lot in advance.
    KK

    Hi
    There are bugs with certain iRec Notifications. Oracle asked us to implement the following steps to resolve the issue for the bug to which you refer:
    Add the below attributes to  Transaction type 'iRecruitment Notification Approvals' using 'Use Existing Attributes'  -
    USER_ID_EXISTS
    APPROVAL TYPE
    CURRENT_EMPLOYEE_FLAG
    Create  New Condition: IRC_EVENT_NAME in (APLFORJOB) - as Vignesh outlined
    Remove any existing conditions from Rule: "Apply For Job - Manager Rule" where the attributes are any of these: USER_ID_EXISTS; APPROVAL TYPE; CURRENT_EMPLOYEE_FLAG
    Add new condition:  IRC_EVENT_NAME in (APLFORJOB)  to the 'Apply For Job - Manager Rule'
    Ensure a Hiring Manager name exists in the vacancy which the Candidate is applying and retest the issue. 
    Also ensure either Workflow Background Process is run or System Profile: HR:Defer Update After Approval is set to No at Site/Responsibility Level.
    Hope this helps.
    Charlie

  • Using SPML for Identity Management in EJB WebService

    Dear All,
    I have a requirement of using SPML (Service Provisioning Markup Language) for identity management. Identity management is used to manage users, like deleting a user, modifying a user, adding a user etc. for an application. For that, the requests for all these functions need to be made using SPML. The idea is that first the data used to make any request will come from SAP R3 using an EJB, which will retrieve that data by calling a BAPI via JCO, and then it needs to be passed to the entitlement system using SPML. Thus I have to publish a web service which will get data by calling the BAPI and give it to the entitlement system using SPML. How can I achieve it? I have little knowledge about SPML; your guidance will help.
    Thanks & Regards,
    Samir

    There is a document on the SAP Service Market Place that covers the SPML in the UME APIs. This quote is from the UME documentation (http://help.sap.com/saphelp_nw04s/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm):
    SPML Support
    The UME APIs support access using the Service Provisioning Markup Language (SPML). For more information, see service.sap.com/security > Security in Detail > Secure User Access > Identity Management > SAP Identity Management APIs.
    -Michael
    Edited by: Michael Shea on Jan 17, 2008 9:01 AM

  • Difference between API manager and API catalogue?

    Hi All
    Apologies for this naive question. But I'm a bit confused by the overlapping functionality offered by Oracle API catalogue and manager. Can someone please explain how both of these products are positioned in the API management landscape?
    Thanks in advance.

    Access Manager is for access control (web authentication, authorization), Identity Manager is for identity (userid,profile,role, password etc) provision/management across multi resources (such as unix, active directory, peoplesoft, SAP) etc.

  • How to setup Traffic Manager with Azure API Management

    Hello-
    I have been trying to configure traffic manager as a Failover mechanism for Azure API Management (not sure if this is the correct terminology). 
    The gist is this: I have configured Azure API Management to point to a set of Web APIs hosted in a Cloud Service. I would like to use Traffic Manager as a failover mechanism to route requests to a different data center, should the primary service become unresponsive or go into a degraded state.
    When going through the portal, there is no selection available to configure API Management/Web API: the selections are Cloud Service and Web apps.
    I've also looked into the PowerShell Add-AzureTrafficManagerProfile using the -Type ["Any"] option with the same result - it adds the endpoint but it is in a "Degraded" state.
    I need to understand the correct way to accomplish this - I'm pretty sure I'm doing something wrong.
    gigabit

    Hi Shaun,
    For most Traffic Manager applications, endpoint health is probed in the same way on each endpoint.  That's why Traffic Manager profiles have endpoint monitoring settings configured at the profile level, not the endpoint level.
    It appears your case is an exception--you need to configure a different monitoring path for each of your endpoints.  To do this, you should use 'nested' Traffic Manager profiles.  Create a child profile for each endpoint (with endpoint monitoring settings particular to that endpoint) and then join them in a parent profile.  Endpoint health will propagate up from child to parent and should give the behaviour you're looking for.
    There's no downside: We bill only for the actual monitored endpoints and actual queries received (so no extra costs), and the parent-child link will be unwound within the Traffic Manager name servers (so no extra latency).
    Regards,
    Jonathan Tuliani
    Program Manager
    Azure Networking - DNS and Traffic Manager

  • SSL and API Management

    Hello,
    Any help with this technical issue would be greatly appreciated.
    When our clients call our API Management front end, we'd like them to connect to https://api.mydomain.com/service
    Traffic Manager will be used to load balance between API Management interfaces at 2 separate Azure DCs.
    Our API Management services are set up with the addresses apimNameSite1.azure-api.net and apimNameSite2.azure-api.net
    Our 2 back-end servers live in Azure IaaS vNets (in separate DCs) and their Azure endpoint URLs are webServerSite1.cloudapp.net and webServerSite2.cloudapp.net
    We have a wildcard SSL certificate for *.mydomain.com
    From what I've read (I may have missed something), API management doesn't terminate SSL. (have since found this is incorrect, API Management DOES terminate SSL)  Can anyone give me a solution for configuring HTTPS for the API management interface in this scenario?
    One way I've thought of addressing it is to:
    - Create a CNAME record for the alias api.mydomain.com pointing to the traffic manager address
    - Traffic manager is configured using powershell to load balance between the apimNameSite1.azure-api.net and apimNameSite2.azure-api.net endpoints
    - Create a CNAME record for the alias webServerSite1.mydomain.com pointing to webServerSite1.cloudapp.net
    - An API in API management on Site1 is configured with an HTTPS URL scheme and has https://webServerSite1.mydomain.com/service set as the web service URL.
    - The IIS web site on the back end server has an HTTPS binding configured using the *.mydomain.com certificate
    I'm not sure if this will work, and I have to get a number of people to configure stuff on their end to POC it so would prefer to have it right at the start.  Does anyone have suggestions or links to good sources on the subject?

    I found the Custom Domain settings under Configuration for the API Management service.  Will close this thread if all works out ok.  I hope having traffic manager in front of it doesn't cause any issues.
