Map IdP Users to Multiple Organizations

Use Case: You have created an authentication scheme, for example, LDAP. There are users (Publishers or Developers) who log in to API Portal using this authentication scheme. Now, you want to map some of the Developers to multiple organizations.
However, when a user logs in to API Portal using an external IdP, the organization and role is assigned according to the mapping provided by the administrator. This mapping is done during the configuration of the authentication scheme. This assignment cannot be altered as the values are derived from an external IdP.
Solution:
  • For an external IdP user, you cannot edit any details other than organization and role.
  • By default, all external authentication schemes have "Identity Provider" as the authorization type.
User: API Portal Administrator
Exception: This feature is not available for the default authentication scheme and for "SAML SSO (old)".
Edit an Existing Authentication Scheme
You can manage the organization details of a Developer from API Portal by editing the authentication scheme and changing the authorization type to "Portal". Then, edit these users to map them to multiple organizations.
After you change the authorization type to "Portal", all new Publishers of this authentication scheme are unable to log in to API Portal. To address this issue, create an authentication scheme for all the new Publishers. This issue is not applicable for users who have previously logged in to API Portal.
Follow these steps:
  1. Edit the authentication scheme:
    1. From API Portal, select Administration, Authentication.
    2. Select Edit from the Actions menu of the authentication scheme.
    3. Go to the Attribute Mapping section, and select Portal from Select Authorization Type.
    4. Save the authentication scheme.
  2. Map users to multiple organizations:
    1. Select Users.
    2. Go to the Developers tab.
    3. In the Actions menu for the user, select Edit.
       The user details are displayed. This is a read-only page.
    4. Select Next.
    5. From the Select Organization and Role page, select the organization and the corresponding role.
    6. Select Save to save the mapping.
       The user is mapped to one or more organizations.
  3. Create an authentication scheme for the new Publisher:
    1. Select Administration, Authentication.
    2. Select Add Authentication Scheme. Ensure the following field values are entered:
      1. Select the same authentication type, for example, "LDAP".
      2. Give a meaningful name for Basic Details, for example, "LDAP for New Publishers".
      3. Keep the Select Authorization Type as "Identity Providers".
      4. Select a role from the available list. Map it to the following CA APIM Portal user roles that are similar to the user roles defined in your authentication scheme:
        • API Portal Administrator
        • API Owner
    3. Save the authentication scheme.
       The new Publisher must use this authentication scheme to log in to API Portal.
Create a Copy of the Authentication Scheme
You can manage users of the authentication scheme from API Portal by creating a copy of the authentication scheme with the authorization type set to "Portal". Then, edit the users to map them to multiple organizations.
After you create the authentication scheme, ensure all the Developers log in to API Portal in order to edit their organization mapping. A Publisher cannot use this authentication scheme to log in to API Portal. This method is best used when you have a limited number of Developers who need to have their organization mapping changed.
Follow these steps:
  1. Create an authentication scheme:
    1. From API Portal, select Administration, Authentication.
    2. Select Add Authentication Scheme. Ensure the following field values are entered:
      1. Select the same authentication type, for example, "LDAP".
      2. Give a meaningful name for Basic Details, for example, "Portal-Managed LDAP".
      3. Change the Select Authorization Type to "Portal".
    3. Save the authentication scheme.
  2. Ensure all the Developers log in to API Portal in order to change their organization mapping.
  3. Map users to multiple organizations:
    1. Select Users.
    2. Go to the Developers tab.
    3. In the Actions menu for the user, select Edit.
       The user details are displayed. This is a read-only page.
    4. Select Next.
    5. From the Select Organization and Role page, select the organization and the corresponding role.
    6. Select Save to save the mapping.
       The user is mapped to one or more organizations.