Introduction
Earlier this week I wrote a post that detailed implementing the Lithnet REST API for FIM/MIM Service. I also detailed using PowerShell to interact with the API Endpoint.
Now let's imagine you want a number of Azure Serverless features to leverage your Rest API enabled Microsoft Identity Manager environment, or even to offer it “as-a-Service”. You’ll want visibility into how it is performing, you’ll probably want features such as caching and rate limiting, and you’ll want more security controls around it. Enter Azure API Management, which provides all those functions and more.
In this post I detail getting started with Azure API Management by using it to front-end the Lithnet FIM/MIM Rest API.
Overview
In this post I will detail:
- Enabling Azure API Management
- Configuring the Lithnet FIM/MIM Rest API integration with Azure API Management
- Accessing MIM via Azure API Management and the Lithnet FIM/MIM Rest API using PowerShell
- Reporting
Prerequisites
For this particular scenario I’m interfacing Azure API Management with a Rest API that uses Digest Authentication. Even though it is a Windows WCF Webservice, you could do something similar with a similar API Endpoint. If the backend API endpoint is using SSL it will need to have a valid certificate. Even though Azure API Management allows you to add your own certificates I had issues with Self Signed Certificates. I have it working fine with Let's Encrypt issued certificates. Obviously you’ll need an Azure Subscription as well as an App/Service with an API.
Enabling Azure API Management
From the Azure Portal select Create a resource and search for API management and select it.
Select Create
Give your API Management Service a name, select a subscription, resource group etc and select Create.
Once you select Create it will take about 30 minutes to be deployed.
Configuring the Lithnet FIM/MIM Rest API integration with Azure API Management
Once your new API Management service has been deployed, from the Azure Portal select the API Management services blade and select the API Management service that you just created. Select APIs.
Select Add API and then select Add a new API
Give the API a name, description, enter the URI for your API EndPoint, and select HTTPS. I’m going to call this MIMSearcher so have entered that under API URL Suffix. For initial testing under Products select starter. Finally select Create.
We now have our base API setup. From the Backend tile select the Edit icon.
As the backend is authenticated using Basic Authentication, select Basic in Gateway credentials and enter the details of an account with access that will be used by the API Gateway. Select Save.
Now from our API Configuration select Add operation.
First we will create a test operation for the Help page on the Lithnet FIM/MIM Rest API. Provide a Display name, and for the URL add /v2/help. Give it a description and select Create.
Note: I could have had v2 as part of the base URI for the API in the previous steps. I didn’t as I will be using APIs from both v1 and v2 and didn’t want to create multiple operations.
Select the new Operation (Help)
Select the Test menu. Select Send.
If everything is set up correctly you will get a 200 Success OK response as below.
Accessing MIM via Azure API Management and the Lithnet FIM/MIM Rest API using PowerShell
Head over to your API Portal. The URL is https://yourAPI.portal.azure-api.net/ where yourAPI is the name you gave your API Management Service shown in the third screenshot at the top of this post. If you are doing this from the browser you used to create the API Management Service you should be signed in already. From the Administrator menu on the right select Profile.
Click on Show under one of the keys and record its value.
Using PowerShell ISE or VSCode update the following Code Snippet and test.
```powershell
$APIURL = 'https://yourAPI.azure-api.net/yourAPI/v2/help'
$secret = 'yourSecret'
$Headers = @{'Ocp-Apim-Subscription-Key' = $secret}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$response = Invoke-RestMethod -Uri $APIURL -Headers $Headers -ContentType "application/json" -UseBasicParsing -Method Get
$response
```
The snippet will create a Web Request to the new API and display the results.
Querying the Lithnet Rest API via Azure API Management
Now that we have a working solution end-to-end, let’s do something useful with it. Looking at the Lithnet Rest API, the Resources URI is the key one exposing Resources from the MIM Service.
Let’s create a new Operation for Resources similar to what we did for the Help. After selecting Create configure the Backend for Basic Authentication like we did for Help.
Testing out the newly exposed endpoint is very similar to before. Just a new APIURL with the addition of /?Person to return all Person Resources from the MIM Portal. It lets us know it’s returned 7256 Person Objects, and the Results are still paged (100 by default).
Let’s now Search for just a single user. Search for a Person object whose Display Name is ‘darrenjrobinson’.
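```powershell
# System.Web is not loaded by default in a Windows PowerShell console session
Add-Type -AssemblyName System.Web

# XPath filter for the Person object, URL-encoded for use in the query string
$query = "Person[DisplayName='darrenjrobinson']"
$queryEncoded = [System.Web.HttpUtility]::UrlEncode($query)
$APIURL = "https://yourAPI.azure-api.net/yourAPI/v2/resources/?filter=/$($queryEncoded)"

# Subscription key recorded from the API Portal profile page
$secret = 'yourSecret'
$Headers = @{'Ocp-Apim-Subscription-Key' = $secret}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$user = Invoke-RestMethod -Uri $APIURL -Headers $Headers -ContentType "application/json" -UseBasicParsing -Method Get
$user
```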
Executing, we get a single user returned.
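If the display name comes from user input rather than a literal, it ends up inside the XPath filter, and the subscription key should not live in the script. The following is an added example, not code from the original post or from Lithnet; the function name Get-MimPersonByDisplayName and the MIM_APIM_KEY environment variable are hypothetical.

```powershell
# Added example. Get-MimPersonByDisplayName and MIM_APIM_KEY are hypothetical names.
function Get-MimPersonByDisplayName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$BaseUrl = 'https://yourAPI.azure-api.net/yourAPI'
    )

    # The value is embedded in a single-quoted XPath string literal, so a quote
    # or bracket in it would change the query. Allow only expected characters.
    if ($DisplayName -notmatch '^[\p{L}\p{N} ._@-]{1,128}$') {
        throw 'DisplayName contains characters that are not allowed in the filter.'
    }

    # Read the subscription key from the environment instead of the script body.
    $secret = $env:MIM_APIM_KEY
    if ([string]::IsNullOrWhiteSpace($secret)) {
        throw 'Set the MIM_APIM_KEY environment variable to your subscription key.'
    }

    # Same URL shape as the snippet above: leading slash, then the encoded filter.
    $query   = "Person[DisplayName='$DisplayName']"
    $uri     = "$BaseUrl/v2/resources/?filter=/$([uri]::EscapeDataString($query))"
    $headers = @{ 'Ocp-Apim-Subscription-Key' = $secret }

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    try {
        Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    }
    catch {
        $err = $_
        $status = 0
        if ($err.Exception.Response) { $status = [int]$err.Exception.Response.StatusCode }
        # Separate a rejected key from a rate-limit response before rethrowing.
        if ($status -eq 401) { throw 'Gateway rejected the subscription key (401).' }
        if ($status -eq 429) { throw 'Gateway rate limit reached (429); retry later.' }
        throw $err
    }
}

# Constructed sample call using the display name from the post.
Get-MimPersonByDisplayName -DisplayName 'darrenjrobinson'
```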
Reporting
Using the Publisher Portal we can get some Stats on what is happening with our API Management implementation.
Go to https://yourAPI.portal.azure-api.net/admin and select Analytics.
We then have visibility of what has been using the API Management Service. At a Glance gives an overview and you can drill down into:
- Top Users
- Top Products
- Top subscriptions
- Top APIs
- Top Operations
At a glance looks like this;
And Top Operations looks like this;
Summary
That is a quick start guide to implementing Azure API Management in front of a Rest API and using PowerShell to integrate with it. Next steps would be to enable caching, and getting into more of the advanced features. Enjoy.