Map Existing IdP Users to Multiple Organizations

You can map IdP users (Developer type users) that you have added to Layer7 API Developer Portal and that use the external authentication scheme to multiple organizations only for Portal authorization types.
What is an authorization type?
Depending on how the user account exists, Layer7 API Developer Portal users are categorized in the following groups:
  • Portal: Portal Admins can edit and manage the user details and access levels for Developer type users in Layer7 API Developer Portal. You can map Developer type users to multiple organizations.
  • Identity Provider: Portal Admins cannot edit and manage the user details for Developer type users in Layer7 API Developer Portal. The Portal Admin cannot map Developer type users to multiple organizations.
Map existing Developer type users to multiple organizations using one of the following methods:
Portal Admins can also map Developer type users to multiple organizations using Portal API (PAPI) for any authentication scheme except the default and the SAML SSO (old) authentication schemes.
For more information about how to use PAPI, see Portal API (PAPI).
Allow Portal Admins to Manage the User Details for Developer Type Users
If the existing authentication scheme does not allow Portal Admins to manage the user details for Developer type users (the authorization type is Identity Provider), you can edit it to allow Portal Admins to manage the user details for these users (change the authorization type to Portal).
Use the following process:
  1. Change the authorization type for the existing authentication scheme to Portal.
  2. Existing Developer type users can log in to Layer7 API Developer Portal using their existing roles. New users who log in to Layer7 API Developer Portal only have Guest user privileges. Map the user to the organizations. Do one of the following:
  3. Log in to Layer7 API Developer Portal as the Developer type user (Publisher) using this authentication scheme.
Change the Authorization Type for the Existing Authentication Scheme
Follow these steps:
  1. Log in to Layer7 API Developer Portal.
  2. From the menu bar, select the gear icon, Authentication.
    The Authentication Schemes page appears.
  3. Select Edit from the Actions menu for the existing authentication scheme.
    The Edit Authentication Scheme page appears.
  4. Go to the Attribute Mapping section, select Portal from Select Authorization Type, and then save the authentication scheme.
Create a Portal Admin in your Developer Type Users for Multi-Organization Mapping
Follow these steps:
  1. On the Authentication Schemes page, select Add Authentication Scheme.
    The Add Authentication Scheme page appears.
  2. On the Providers tab, select the same authentication type, for example LDAP, and then select Next.
  3. On the Basic Details tab, give a meaningful name, for example, LDAP for New Publishers, and a description, and then select Next.
  4. On the Provider Configuration tab, complete the following:
    1. Keep the Select Authorization Type as Identity Providers.
    2. Select a role from the available list. Map it to the Portal Admin user role.
  5. Save the authentication scheme.
Map an Existing Portal Admin in your Developer Type Users or Use the Portal Admin Added in Layer7 API Developer Portal to Multiple Organizations
Follow these steps:
  1. From the menu bar, select the gear icon, Users.
    The Users page appears.
  2. Go to the Org Users tab.
  3. In the Actions menu for the user that you want to map to multiple organizations, select Edit.
    The user details are displayed on the Edit User page.
    For Portal Admins from Developer type users, the user details are displayed as read-only.
  4. Select Next.
    The Select Organization and Role page appears.
  5. Select the organizations and the corresponding roles, and then select Save to save the mapping.
The user is mapped to the organizations.
Duplicate the Existing Authentication Scheme
You can duplicate an existing authentication scheme (that is configured to the Identity Provider authorization type), and then change the authorization type to Portal.
This method is best used when you have a limited number of Developer type users who require a change to their organization mapping.
Follow these steps:
  1. Create an authentication scheme:
    1. From the menu bar, select the gear icon, Authentication.
    2. Select Add Authentication Scheme.
      The Add Authentication Scheme page appears.
    3. On the Providers tab, select the same authentication type, for example LDAP, and then select Next.
    4. On the Basic Details tab, give a meaningful name, for example, Portal-Managed LDAP, and a description, and then select Next.
    5. On the Provider Configuration tab, change the Select Authorization Type to Portal.
    6. Save the authentication scheme.
  2. Ensure that the Developer type users change their organization mapping. New users have only Guest user privileges.
  3. A Portal Admin is required to map a Developer type user to multiple organizations. Use one of the following methods:
    • Use a Developer type user (Publisher) with the Portal Admin role:
      1. Add another LDAP authentication scheme that does not allow Portal Admins to manage the user details for Developer type users (define it with the authorization type Identity Provider).
      2. Add the Portal Admin role.
      3. Log in to Layer7 API Developer Portal as the Portal Admin.
      4. Map the Developer type user profile to multiple organizations.
    • Use a Portal Admin that has been added and managed in Layer7 API Developer Portal. Map the Developer user profile to multiple organizations.