Map Existing IdP Users to Multiple Organizations

You can map Developer type users that you have added to API Portal using the external authentication scheme to multiple organizations only if the authorization type is set to "Portal".
What is an authorization type?
Depending on how the user account exists, API Portal users can be categorized in two groups:
  • Portal: You can edit and manage the user details and access levels for these users in API Portal. You can map Developer type users to multiple organizations.
  • Identity Provider: The user details cannot be edited and managed in Portal. The Portal administrator cannot map Developer type users to multiple organizations.
There are two possible ways to map the existing IdP users to multiple organizations, described in the two sections below. Portal API (PAPI) can also be used to map multiple organizations to a Developer type user.
User: Portal administrator
Exception: This feature is not available for the default authentication scheme and for "SAML SSO (old)".
Change the Existing Authentication Scheme from "Identity Provider" to "Portal"
An existing authentication scheme is configured with the "Identity Provider" authorization type. However, with this authorization type, the Portal administrator cannot map Developer type users to multiple organizations. In such a case, you must change the authorization type to "Portal".
Follow these steps:
  1. Edit the authentication scheme:
    1. From API Portal, select Administration, Authentication.
    2. Select Edit from the Actions menu of the authentication scheme.
    3. Go to the Attribute Mapping section, and select Portal from Select Authorization Type.
    4. Save the authentication scheme.
      Existing IdP users can log in to API Portal using their existing roles. New users who log in to API Portal only have Guest user privileges. To complete multi-organization mapping, you need a Portal administrator.
      • If you already have an existing Portal administrator from IdP, go to step 3.
      • If you want to use the Portal administrator added and managed from API Portal, go to step 3.
      • If you want to create a Portal administrator in your IdP for the multi-organization mapping, go to step 2.
  2. Create an authentication scheme for a new Publisher user:
    1. Select Administration, Authentication.
    2. Select Add Authentication Scheme. Ensure the following field values are entered:
      1. Select the same authentication type, for example, "LDAP".
      2. Give a meaningful name for Basic Details, for example, "LDAP for New Publishers".
      3. Keep the Select Authorization Type as "Identity Provider".
      4. Select a role from the available list. Map it to the following CA APIM Portal user role that is similar to the user roles defined in your authentication scheme:
        • Portal Administrator
      5. Save the authentication scheme.
    3. The new Publisher user must log in to API Portal using this authentication scheme.
  3. Map Developer users to multiple organizations:
    1. Log in to API Portal as the Portal administrator.
    2. Select Administration, Users.
    3. Go to the Developers tab.
    4. In the Actions menu for the user, select Edit.
      The user details are displayed.
      For a Portal administrator from IdP, the user details are displayed as read-only. You can edit only the organization details of Developer type users.
    5. Select Next.
    6. From the Select Organization and Role page, select the organization and the corresponding role.
    7. Select Save to save the mapping.
      The user is mapped to one or more organizations.
Create a Similar Authentication Scheme with the "Portal" Authorization Type
You have an existing authentication scheme with the "Identity Provider" authorization type, and you want to change the authorization type to "Portal". Instead of editing this authentication scheme, you can create a duplicate authentication scheme with the authorization type set to "Portal". Then, you can edit the Developer users, mapping them to multiple organizations.
After you create the authentication scheme, ensure that all Developer type users edit their organization mapping. This method is best used when you have a limited number of Developer type users who require a change to their organization mapping.
Follow these steps:
  1. Create an authentication scheme:
    1. From API Portal, select Administration, Authentication.
    2. Select Add Authentication Scheme.
    3. Complete the following field values, and then save the authentication scheme:
      1. Select the same authentication type, for example, "LDAP".
      2. Give a meaningful name for Basic Details, for example, "Portal-Managed LDAP".
      3. Change the Select Authorization Type to "Portal".
  2. Ensure that the Developer type users log in to API Portal to change their organization mapping. New users who log in to API Portal have only Guest user privileges.
  3. Mapping a Developer type user to multiple organizations requires a Portal administrator. Use one of the following methods:
    • Use an IdP Publisher with the Portal administrator role:
      1. Create another LDAP authentication scheme with the authorization type set to "Identity Provider".
      2. Add the Portal Administrator role.
      3. Log in to API Portal as the Portal administrator.
      4. Map the Developer type user profile to multiple organizations.
    • Use a Portal administrator that has been added and managed in API Portal, and map the Developer user profile to multiple organizations.