Access Apigee using Workforce Identity Federation

This page describes how to use a third-party identity provider to access Apigee with Workforce Identity Federation. Workforce Identity Federation lets you use an external identity provider (IdP) to authenticate and authorize a workforce — a group of users, such as employees, partners, and contractors — using Identity and Access Management (IAM) to access Apigee services.

You can use Workforce Identity Federation with any IdP that supports OpenID Connect (OIDC) or SAML 2.0, such as Azure Active Directory (Azure AD), Active Directory Federation Services (AD FS), Okta, and others.

Benefits of using Workforce Identity Federation

We understand that many Apigee customers already use some form of single sign-on (SSO), allowing their employees to sign in using existing corporate credentials. Many of our customers also maintain an identity management system. Synchronizing user identities from your existing IdP to Google Cloud identities can be challenging and time-consuming.

Using Workforce Identity Federation can decrease Apigee onboarding time and streamline your identity and security processes by removing the need to synchronize user identities from your existing IdP to Google Cloud identities. Workforce Identity Federation can be used across Google Cloud and provides a single point of control for managing access to Apigee.

Supported Apigee organization types

You can use Workforce Identity Federation to access and manage resources in any Apigee Subscription or Pay-as-you-go organization, including Apigee hybrid-enabled organizations. Workforce Identity Federation users can also create and manage Apigee evaluation organizations.

Limitations and considerations

Before using Workforce Identity Federation with Apigee, consider the limitations described below. Apigee support for Workforce Identity Federation is also described in the Identity federation: products and limitations documentation.

Accessing Apigee in the Google Cloud console

You can use Workforce Identity Federation to access Apigee services using Apigee in Cloud console, or via the Apigee APIs.

Note that Apigee Workforce Identity Federation users cannot access Apigee services through the Classic Apigee UI: they cannot log in to the Classic Apigee UI directly, and they cannot reach it from Apigee in Cloud console.

Accessing features only available in the Classic Apigee UI

Some Apigee features are only available in the Classic Apigee UI and can't be accessed using Workforce Identity Federation. See Accessing Apigee in the Google Cloud console for more details. These features include:

Although these features are not available in the Apigee in Cloud console using Workforce Identity Federation, you can use the Apigee APIs to access these features.

Preview features

Some Apigee features in Preview may not be available to Workforce Identity Federation users. All Generally Available (GA) features accessible in the Apigee in Cloud console will be available to Workforce Identity Federation users.

Unsupported features

The following Apigee features are not supported for Workforce Identity Federation users:

  • Workforce Identity Federation users cannot use Cloud Code and the Visual Studio Code (VS Code) IDE for local development of Apigee APIs and API proxies.
  • The Apigee Connect API (apigeeconnect.googleapis.com) is not supported for Workforce Identity Federation users with Apigee hybrid organizations.

Use Apigee in Cloud console as a Workforce Identity Federation user

Workforce Identity Federation users can sign in to Apigee using one of three methods:

Ask your Apigee administrator to determine which method you should use.

Detailed information about each sign-in method is available in the Set up user access to the console (federated) documentation.

Use the Apigee APIs as a Workforce Identity Federation user

Before you can access the Apigee APIs as a Workforce Identity Federation user, you must obtain a short-lived token from the Security Token Service (STS). Once you have a token, you can access the Apigee APIs with no additional steps.

For more information, see Obtain short-lived tokens for Workforce Identity Federation.
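The token exchange described above, as an added example that is not part of this page or of Apigee's own tooling: the request shape is the Google STS token-exchange call as the editor understands it (verify field names against the linked short-lived-tokens documentation); the pool, provider, project and organization identifiers are placeholders, and the HTTP transport is injectable so the flow can be exercised against a fake STS reply.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict

STS_URL = "https://sts.googleapis.com/v1/token"  # Google Security Token Service
APIGEE_API = "https://apigee.googleapis.com/v1"


def build_sts_request(pool_id: str, provider_id: str, idp_id_token: str,
                      billing_project: str) -> Dict[str, str]:
    """Form fields for the STS token-exchange call (RFC 8693 shape).

    The audience names the workforce pool provider the external IdP is
    registered with; the subject token is the OIDC ID token that IdP issued
    to the user; userProject is the project billed for API quota, which
    workforce federation requires. Field names are an assumption to verify
    against the linked documentation; all IDs passed in are placeholders.
    """
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": ("//iam.googleapis.com/locations/global/workforcePools/"
                     f"{pool_id}/providers/{provider_id}"),
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
        "subject_token": idp_id_token,
        "options": json.dumps({"userProject": billing_project}),
    }


def post_form(url: str, fields: Dict[str, str]) -> dict:
    """Real transport: POST url-encoded fields and parse the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def exchange_for_access_token(fields: Dict[str, str],
                              post: Callable[[str, Dict[str, str]], dict] = post_form) -> str:
    """Call STS and return the short-lived access token, failing closed otherwise."""
    reply = post(STS_URL, fields)
    if "access_token" not in reply:
        # STS answers a rejected exchange with error / error_description fields
        raise PermissionError(reply.get("error_description", str(reply)))
    return reply["access_token"]


def apigee_org_request(access_token: str, org: str) -> urllib.request.Request:
    """Apigee API call carrying the STS token; no further steps are needed."""
    return urllib.request.Request(f"{APIGEE_API}/organizations/{org}",
                                  headers={"Authorization": f"Bearer {access_token}"})
```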

Use the Google Cloud CLI as a Workforce Identity Federation user

Before you can use the Google Cloud CLI (gcloud CLI) as a Workforce Identity Federation user, you must obtain a short-lived token from the Security Token Service (STS). Once you have a token, you can use the gcloud CLI libraries with no additional steps.

For more information, see Obtain short-lived tokens for Workforce Identity Federation.