Configure Microsoft Active Directory

Administrators can configure API Developer Portal to support Microsoft Active Directory for user authentication. The Lightweight Directory Access Protocol (LDAP) is used to query Microsoft Active Directory to authenticate users.
Prerequisite
A Microsoft Active Directory server that is populated with users and roles.
How to Configure Microsoft Active Directory
To configure Microsoft Active Directory, follow these steps:
  1. Log in as an administrator.
  2. Click Settings, Authentication.
  3. On the Authentication Schemes page, click the Add Authentication Scheme button.
  4. Provide the following information on the Add Authentication Scheme page:
    1. Providers: Select an LDAP provider from the available providers, and click Next.
    2. Basic Details: Specify the provider name, description, and a provider icon, and click Next.
       Note: By default, the CA icon is set as the provider icon. Provide a different PNG file to change the icon; the file size must not exceed 500 KB.
    3. Provider Configuration: Provide the following LDAP server details:
       | Attribute | Description | Example value |
       |---|---|---|
       | Provider Configuration | | |
       | LDAP URL | The fully qualified domain name or IP address, with the port, of your LDAP server. | ldaps://10.131.63.81:636 |
       | Base Distinguished Name | The Base Distinguished Name that is used as the starting point for user searches. | dc=ca,dc=com |
       | Bind Distinguished Name | The complete Distinguished Name of a user with search permissions in LDAP. | cn=admin,ou=admins,dc=ca,dc=com |
       | Bind Password | The password associated with the Bind Distinguished Name. | |
       | Lookup Query | | |
       | Start * | The text string that begins the LDAP search expression. | (&(cn= |
       | End * | The text string that ends the LDAP search expression. | )(objectClass=*)) |
       | Effective Query | The combination of the Start string, ID-From-Login, and the End string that forms the LDAP search query. ID-From-Login is the username. | (&(cn= ID-From-Login )(objectClass=*)) |
       | Attribute Mapping | | |
       | Email | The email address attribute defined for users in your LDAP. | mail |
       | First Name | The first name attribute defined for users in your LDAP. | givenName |
       | Last Name | The last name attribute defined for users in your LDAP. | sn |
       | Login | The user ID attribute that is used for login. | cn |
       | Select Authorization Type | | |
       | Portal | Select this authorization type to manage organization and role mapping from Portal. A Portal administrator can then map a Developer user (who has logged in to API Portal at least once) to multiple organizations by editing the user profile. | N/A |
       | Identity Provider | Select this authorization type to take the organization and role attributes from this external authentication scheme. This option does not allow a Portal administrator to map a Developer user to multiple organizations. To change the authorization type from Identity Provider to Portal after creating the authentication scheme, see the "Change Existing Authentication Scheme from "Identity Provider" to "Portal"" section of the Map Existing IdP Users to Multiple Organizations topic. | N/A |
       | When Identity Provider is selected as the Authorization type | | |
       | Organization | The organization attribute that a user is associated with. | o |
       | Role | The user role attribute defined in your LDAP. | title |
       | Map the API Portal user roles to the appropriate roles in your IdP | The API Portal user roles (Portal Administrator, API Owner, Developer, Org Administrator) that correspond to the user roles defined in your LDAP. Configure the group attribute to assign the role to all users in a group. If the role attribute value is memberOf, provide the full DN in the role mapping. For example, the following DN maps the Portal Administrator role to a group named "Engineering managers" in the domain ca.com: CN=Engineering managers, CN=users, DC=ca, DC=com | |
  5. Click Create to save the configuration.
     Microsoft Active Directory is now configured, and Microsoft Active Directory users can be authenticated in API Developer Portal. The API Developer Portal login page now lists the configured providers.
     To set an authentication scheme as the default scheme, select the Set as Default option in the Actions section of the Authentication Schemes page. Once the Microsoft Active Directory authentication scheme is your default scheme, API Developer Portal renders this login page to prompt for user credentials.
     Note: To add and manage external users from API Developer Portal, use the Users option in the navigation bar. For information about how to manage users from Portal, see the Get Started - User Types, Roles and Permissions section.
  6. If you have configured the authorization type as Portal, any new user who logs in to Portal has only Guest user privileges. To map a Developer to multiple organizations, you need a Portal administrator. Use one of the following methods:
    • Use an IdP Publisher with Portal administrator role. 
      1. Create another LDAP authentication scheme with authorization type as "Identity Provider".
      2. Add the role as Portal Administrator.
      3. Log in to API Portal as the Portal administrator.
      4. Edit the Developer user profile to map to multiple organizations.
    • Use the Portal administrator added and managed in API Portal. Edit the Developer user profile to map to multiple organizations.
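The Lookup Query, Attribute Mapping and role mapping rows above describe how a login name becomes an LDAP search filter and how the returned entry becomes a portal user. The Python below is an added illustration of that flow, not code from API Developer Portal: it assembles the Effective Query from the Start and End strings with the login value escaped per RFC 4515 (so characters such as parentheses in a login are matched literally instead of being read as filter syntax), checks that the LDAP URL uses ldaps, and applies the attribute mapping and a memberOf role mapping to a constructed sample entry. The function names, the sample entry, and every group DN other than the "Engineering managers" one from the table are assumptions.

```python
from urllib.parse import urlsplit

# Values taken from the configuration table on this page. This is an added
# illustration (hypothetical helpers), not API Developer Portal's own code.
LOOKUP_START = "(&(cn="
LOOKUP_END = ")(objectClass=*))"

# Portal field -> LDAP attribute, as entered under Attribute Mapping.
ATTRIBUTE_MAPPING = {
    "email": "mail",
    "first_name": "givenName",
    "last_name": "sn",
    "login": "cn",
    "organization": "o",
}

# Portal role -> group DN, as entered in the role mapping fields when the Role
# attribute is memberOf (full DNs required). All but the first DN are constructed.
ROLE_MAPPING = {
    "Portal Administrator": "CN=Engineering managers, CN=users, DC=ca, DC=com",
    "API Owner": "CN=API owners, CN=users, DC=ca, DC=com",
    "Developer": "CN=Developers, CN=users, DC=ca, DC=com",
    "Org Administrator": "CN=Org admins, CN=users, DC=ca, DC=com",
}

# RFC 4515 escapes for the characters that carry meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so the directory matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def effective_query(id_from_login: str) -> str:
    """Start + ID-From-Login + End, i.e. the Effective Query row of the table."""
    return LOOKUP_START + escape_filter_value(id_from_login) + LOOKUP_END


def check_ldap_url(url: str) -> dict:
    """Parse the LDAP URL field and report host, port and whether TLS (ldaps) is used."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return {"host": parts.hostname, "port": port, "tls": parts.scheme == "ldaps"}


def normalize_dn(dn: str) -> str:
    """Comparison form for DNs: lower-case, no whitespace around RDN separators.
    Enough for the DNs used here; escaped commas inside an RDN are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def map_entry_to_user(entry: dict) -> dict:
    """Build the portal user record from an LDAP entry via the attribute and role mapping."""
    user = {field: entry.get(attr, [None])[0] for field, attr in ATTRIBUTE_MAPPING.items()}
    groups = {normalize_dn(g) for g in entry.get("memberOf", [])}
    user["roles"] = [role for role, dn in ROLE_MAPPING.items() if normalize_dn(dn) in groups]
    return user


# Constructed sample entry, shaped like a result of the lookup query above.
SAMPLE_ENTRY = {
    "cn": ["jdoe"],
    "mail": ["jdoe@ca.com"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "o": ["ca.com"],
    "memberOf": [
        "CN=Engineering managers,CN=Users,DC=ca,DC=com",
        "CN=Developers,CN=Users,DC=ca,DC=com",
    ],
}

if __name__ == "__main__":
    print(check_ldap_url("ldaps://10.131.63.81:636"))
    print(effective_query("jdoe"))
    print(map_entry_to_user(SAMPLE_ENTRY))
```

Two points to carry over when reviewing a real configuration: the Bind DN should be an account with search rights only, since its password is stored by the portal, and the ldaps scheme with port 636 in the LDAP URL is what keeps that bind password and user credentials off the wire in clear text. DN comparison is case-insensitive and whitespace-tolerant, which is why the role-mapping DN with spaces after the commas still matches the memberOf values the directory returns.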
Edit and Delete Microsoft Active Directory Configuration
If your Microsoft Active Directory configuration changes, update it in API Developer Portal.
To edit the Microsoft Active Directory details, follow these steps:
  1. Log in to CA APIM Portal as an Administrator.
  2. Click Settings, Authentication.
  3. On the Authentication Schemes page, click the down arrow in the Actions section of a configured LDAP, and select Edit.
  4. In the Edit Authentication Scheme page, select the LDAP configuration section to edit. For example, to edit the provider details, select the Provider Configuration option. Make the required changes and click Save.
  5. To delete a Microsoft Active Directory configuration from API Developer Portal: On the Authentication Schemes page, click the down arrow in the Actions section of a configured LDAP, and select Delete.