Map Existing IdP Users to Multiple Organizations

A Developer user who is added to API Portal using an external authentication scheme cannot be mapped to multiple organizations unless the authorization type of that scheme is set to Portal.
 
What is an authorization type?
 
Depending on how the user account is managed, the users in Portal fall into two groups:
  •  Portal: The user details and access levels can be edited and managed in Portal. Developer type users can be mapped to multiple organizations.
  •  Identity Provider: The user details cannot be edited and managed in Portal. Developer type users cannot be mapped to multiple organizations.
There are two possible ways to map existing IdP users to multiple organizations: change the authorization type of the existing authentication scheme to "Portal", or create a similar authentication scheme with the authorization type set to "Portal". Both are described in the following sections.
The Portal API (PAPI) can also be used to map a Developer type user to multiple organizations.
 
User: Portal administrator
 
Exception: This feature is not available for the default authentication scheme and for "SAML SSO (old)".
Change Existing Authentication Scheme from "Identity Provider" to "Portal"
An existing authentication scheme is configured with the authorization type as "Identity Provider". However, this authorization type does not allow the Portal administrator to map a Developer user to multiple organizations. In such a case, you have to change the authorization type to "Portal".
 
Follow these steps:
 
  1. Edit the authentication scheme:
    1. From API Portal, select Administration, Authentication.
    2. Select Edit from the Actions menu of the authentication scheme.
    3. Go to the Attribute Mapping section, and select Portal from Select Authorization Type.
    4. Save the authentication scheme.
      Existing IdP users can log in to API Portal with their existing roles. Any new user who logs in to API Portal has only Guest user privileges, because roles are no longer assigned from the IdP mapping. To complete the multi-organization mapping, you need a Portal administrator.
      • If you already have an existing Portal administrator from the IdP, go to step 3.
      • If you want to use a Portal administrator added and managed from API Portal, go to step 3.
      • If you want to create a Portal administrator in your IdP for the multi-organization mapping, go to step 2.
  2. Create an authentication scheme for a new Publisher user:
    1. Select Administration, Authentication.
    2. Select Add Authentication Scheme. Ensure the following field values are entered:
      1. Select the same authentication type, for example, "LDAP".
      2. Give a meaningful name in Basic Details, for example, "LDAP for New Publishers".
      3. Keep Select Authorization Type as "Identity Provider".
      4. Select a role from the available list and map it to the following CA APIM Portal user role that corresponds to the role defined in your authentication scheme:
        • Portal Administrator
      5. Save the authentication scheme.
    3. The new Publisher user must log in to API Portal using this authentication scheme.
  3. Map Developer users to multiple organizations:
    1. Log in to API Portal as the Portal administrator.
    2. Select Administration, Users.
    3. Go to the Developers tab.
    4. In the Actions menu for the user, select Edit.
      The user details are displayed. For a Portal administrator from the IdP, the user details are displayed as read-only; only the organization details of the Developer type user can be edited.
    5. Select Next.
    6. From the Select Organization and Role page, select the organization and the corresponding role.
    7. Select Save to save the mapping. The user is mapped to one or more organizations.
Create a Similar Authentication Scheme with "Portal"
You have an existing authentication scheme with the authorization type set to "Identity Provider", and you want to change the authorization type to "Portal". Instead of editing this authentication scheme, you can create a duplicate of it with the authorization type set to "Portal", and then edit the Developer users to map them to multiple organizations.
After you create the authentication scheme, ensure that all Developers log in to API Portal through it so that their organization mapping can be edited. This method is best used when a limited number of Developers need their organization mapping changed.
 
Follow these steps:
 
  1. Create an authentication scheme:
    1. From API Portal, select Administration, Authentication.
    2. Select Add Authentication Scheme. Ensure the following field values are entered:
      1. Select the same authentication type, for example, "LDAP".
      2. Give a meaningful name in Basic Details, for example, "Portal-Managed LDAP".
      3. Change Select Authorization Type to "Portal".
    3. Save the authentication scheme.
  2. Ensure that all Developers log in to API Portal through the new scheme so that their organization mapping can be changed. Any new user who logs in to Portal has only Guest user privileges.
  3. To map a Developer to multiple organizations, you need a Portal administrator. Use one of the following methods:
    • Use an IdP Publisher with the Portal administrator role:
      1. Create another LDAP authentication scheme with the authorization type set to "Identity Provider".
      2. Map a role from the IdP to Portal Administrator.
      3. Log in to API Portal as the Portal administrator.
      4. Edit the Developer user profile to map the user to multiple organizations.
    • Use the Portal administrator added and managed in API Portal. Edit the Developer user profile to map the user to multiple organizations.