Configure Microsoft Active Directory
Administrators can configure Layer7 API Developer Portal to use Microsoft Active Directory for user authentication. The Portal uses the Lightweight Directory Access Protocol (LDAP) to query Active Directory and authenticate users.
Before you begin, you need a Microsoft Active Directory server that is populated with users and roles.
How to Configure Microsoft Active Directory
To configure Microsoft Active Directory, follow these steps:
- Log in as an administrator.
- From the menu bar, select the gear icon, then Authentication.
- On the Authentication Schemes page, click the Add Authentication Scheme button.
- Provide the following information on the Add Authentication Scheme page:
- Providers: Select an LDAP provider from the available providers, and click Next.
- Basic Details: Specify the provider name, description, and a provider icon, and click Next. Note: By default, the CA icon is set as the provider icon. Provide a different PNG file to change the icon; the file size must not exceed 500 KB.
- Provider Configuration: Provide the following LDAP server details.

  Provider Configuration:

  | Attribute | Description | Example value |
  |---|---|---|
  | LDAP URL | The fully qualified domain name or IP address of your LDAP server, with its port. Use an ldaps:// URL so that the bind password and the users' credentials are protected by TLS rather than sent in cleartext. | ldaps://10.131.63.81:636 |
  | Base Distinguished Name | The base DN that is used as the starting point for the user search. | dc=ca,dc=com |
  | Bind Distinguished Name | The complete DN of a user with search permissions in LDAP. A read-only account that can search the user subtree is sufficient; do not use a privileged administrator account. | cn=admin,ou=admins,dc=ca,dc=com |
  | Bind Password | The password that is associated with the Bind Distinguished Name. | |

  Lookup Query:

  | Attribute | Description | Example value |
  |---|---|---|
  | Start * | The text string that begins the LDAP search expression. | (&(cn= |
  | End * | The text string that ends the LDAP search expression. The example matches any object class; narrowing it, for example to (objectClass=user), limits the lookup to user objects. | )(objectClass=*)) |
  | Effective Query | The Start string, ID-From-Login, and End string combined into the LDAP search filter. ID-From-Login is the username that the user enters at login. | (&(cn= ID-From-Login )(objectClass=*)) |

  Attribute Mapping:

  | Attribute | Description | Example value |
  |---|---|---|
  | Email | The email address attribute that is defined for users in your LDAP. | |
  | First Name | The first name attribute that is defined for users in your LDAP. | givenName |
  | Last Name | The last name attribute that is defined for users in your LDAP. | sn |
  | Login | The user ID attribute that is used for login. | cn |

  Select Authorization Type:

  | Attribute | Description | Example value |
  |---|---|---|
  | Portal | Select this authorization type to manage the organization and role mapping from the Portal. A Portal administrator can then map a Developer user (who has logged in to API Portal at least once) to multiple organizations by editing the user profile. | N/A |
  | Identity Provider | Select this authorization type to take the organization and role attributes as provided by this external authentication scheme. This option does not allow a Portal administrator to map a Developer user to multiple organizations. To change the authorization type from Identity Provider to Portal after creating the authentication scheme, see the "Change Existing Authentication Scheme from 'Identity Provider' to 'Portal'" section of the Map Existing IdP Users to Multiple Organizations topic. | N/A |

  When Identity Provider is selected as the Authorization type:

  | Attribute | Description | Example value |
  |---|---|---|
  | Organization | The attribute that holds the organization a user is associated with. | o |
  | Role | The attribute that holds the user role as defined in your LDAP. | title |
  | Map the API Portal user roles to the appropriate roles in your IdP | The API Portal user roles that correspond to the user roles defined in your LDAP: Portal Administrator, API Owner, and Org Administrator. To assign a role to every user in a group, configure the group attribute instead. If the role attribute is memberOf, provide the full DN of the group in the role mapping; a bare group name does not match. | |

  For example, the following group DN maps the Portal Administrator role to a group named "Engineering managers" in the domain ca.com: CN=Engineering managers, CN=users, DC=ca, DC=com
- Click Create to save the configuration. Microsoft Active Directory is now configured, and Active Directory users can authenticate to Layer7 API Developer Portal. The Layer7 API Developer Portal login page now lists the configured providers. To set an authentication scheme as the default scheme, select Set as Default in the Actions section of the Authentication Schemes page. Once the Microsoft Active Directory authentication scheme is your default scheme, Layer7 API Developer Portal renders the login page for this scheme to prompt for user credentials. Note: To add and manage external users from Layer7 API Developer Portal, use the Users option in the navigation bar. For information about how to manage users from the Portal, see the Get Started - User Types, Roles and Permissions section.
- If you have configured the authorization type as Portal, any new user who logs in to the Portal has only Guest user privileges. To map a Developer to multiple organizations, you need a Portal administrator. Use one of the following methods:
  - Use an IdP Publisher with the Portal Administrator role:
    - Create another LDAP authentication scheme with the authorization type "Identity Provider".
    - In that scheme, map the Portal Administrator role.
    - Log in to API Portal as the Portal administrator.
    - Edit the Developer user profile to map the user to multiple organizations.
  - Use a Portal administrator who is added and managed in API Portal, and edit the Developer user profile to map the user to multiple organizations.
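The following is an added example, not code from Layer7 API Developer Portal or its documentation. It models two things the configuration above describes: how the Start and End strings plus ID-From-Login form the effective LDAP query, and how the Identity Provider authorization type resolves a Portal role from the configured role attribute (title, or memberOf with a full group DN). The sample directory entry, the role mappings, and the mail attribute for the Email field (which the page leaves blank) are constructed for the example; how the Portal itself escapes the login value or breaks ties between several matching roles is not stated on this page, so both are assumptions here.

```python
"""Added example: effective LDAP query and IdP role resolution for an
Active Directory authentication scheme. Not product code; all directory
data below is constructed."""

# Most privileged role first; used to break ties when a user matches more
# than one mapping (assumption of this example, not documented behaviour).
PORTAL_ROLES = ("Portal Administrator", "API Owner", "Org Administrator")

# Attribute mapping from the configuration table. "mail" for Email is an
# assumption; the page leaves that example value blank.
ATTRIBUTE_MAPPING = {
    "Email": "mail",
    "First Name": "givenName",
    "Last Name": "sn",
    "Login": "cn",
    "Organization": "o",
    "Role": "title",
}

# Constructed sample entry, as a search for cn=jdoe under dc=ca,dc=com might return.
SAMPLE_ENTRY = {
    "cn": "jdoe",
    "givenName": "Jane",
    "sn": "Doe",
    "mail": "jdoe@ca.com",
    "o": "Engineering",
    "title": "Engineering manager",
    "memberOf": [
        "CN=Engineering managers,CN=Users,DC=ca,DC=com",
        "CN=VPN Users,CN=Users,DC=ca,DC=com",
    ],
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Filter metacharacters become \\xx hex escapes, so a login such as
    '*)(cn=*' cannot widen the search beyond the one intended user."""
    special = {"*", "(", ")", "\\", "\x00"}
    return "".join(f"\\{ord(ch):02x}" if ch in special else ch for ch in value)


def effective_query(start: str, end: str, login: str) -> str:
    """Start string + escaped ID-From-Login + End string."""
    return f"{start}{escape_filter_value(login)}{end}"


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison: attribute types and values lower-cased,
    whitespace around the commas removed. Active Directory compares DNs
    case-insensitively. Assumes no escaped commas inside RDN values."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={' '.join(value.split()).lower()}")
    return ",".join(rdns)


def _plain(value: str) -> str:
    """Canonical form for non-DN attribute values such as title."""
    return " ".join(value.split()).lower()


def missing_mapped_attributes(entry: dict, mapping: dict) -> list:
    """Labels whose mapped LDAP attribute is absent or empty on the entry.
    A non-empty result means the Portal cannot fill those profile fields."""
    return [label for label, attr in mapping.items() if not entry.get(attr)]


def resolve_role(entry: dict, role_attribute: str, role_mapping: dict):
    """Resolve a Portal role from the role attribute of an LDAP entry.

    role_mapping maps each Portal role to the value expected in the IdP.
    When the role attribute is memberOf, the mapping values must be full
    group DNs; a bare group name never matches. Returns None if no mapping
    matches."""
    raw = entry.get(role_attribute, [])
    values = [raw] if isinstance(raw, str) else list(raw)
    canon = normalize_dn if role_attribute.lower() == "memberof" else _plain
    have = {canon(v) for v in values}
    for role in PORTAL_ROLES:
        expected = role_mapping.get(role)
        if expected is not None and canon(expected) in have:
            return role
    return None


if __name__ == "__main__":
    print(effective_query("(&(cn=", ")(objectClass=*))", "jdoe"))
    print(effective_query("(&(cn=", ")(objectClass=*))", "*)(cn=*"))
    print(missing_mapped_attributes(SAMPLE_ENTRY, ATTRIBUTE_MAPPING))
    print(resolve_role(SAMPLE_ENTRY, "title",
                       {"Portal Administrator": "Engineering manager"}))
    print(resolve_role(SAMPLE_ENTRY, "memberOf",
                       {"Portal Administrator":
                        "CN=Engineering managers, CN=users, DC=ca, DC=com"}))
    print(resolve_role(SAMPLE_ENTRY, "memberOf",
                       {"Portal Administrator": "Engineering managers"}))
```

Run the script before configuring a scheme to sanity-check your own Start/End strings and role mapping against an entry exported from your directory: the memberOf case shows why the page insists on the full DN, and the second effective_query call shows the filter that an escaped metacharacter login produces, which you can compare against what a test login with the same value actually matches.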
Edit and Delete Microsoft Active Directory Configuration
If your Microsoft Active Directory configuration changes, update it in Layer7 API Developer Portal as well.
To edit the Microsoft Active Directory details, follow these steps:
- Log in to Layer7 API Developer Portal as an administrator.
- From the menu bar, select the gear icon, then Authentication.
- On the Authentication Schemes page, click the down arrow in the Actions section of the configured LDAP scheme, and select Edit.
- On the Edit Authentication Scheme page, select the part of the LDAP configuration to edit. For example, to edit the provider details, select the Provider Configuration option. Make the required changes and click Save.
- To delete a Microsoft Active Directory scheme that is configured with Layer7 API Developer Portal: On the Authentication Schemes page, click the down arrow in the Actions section of the configured LDAP scheme, and select Delete.