Layer7 API Management


Unable to map a group of users to a role in Portal 4.2

  • 1.  Unable to map a group of users to a role in Portal 4.2

    Posted 08-17-2018 10:51 AM

    I have a simple LDAP configured like this:

     

    User

    dn: uid=p00,ou=people,dc=ca
    cn: user
    objectClass: inetOrgPerson
    uid: p00
    title: admin

    Group

    dn: cn=APIM_ADMINISTRATOR,ou=groups,dc=ca
    cn: APIM_ADMINISTRATOR
    objectClass: groupOfNames
    member: uid=p00,ou=people,dc=ca

     

    With just this I could create an LDAP Identity Provider in the CA API Gateway - Policy Manager 9.3, allow assignment to administrative rules, set the group "APIM_ADMINISTRATOR" as administrator so that every member inside it has admin rules, and log in with user p00.

     

    However, I can't figure out how to do this in the CA API Developer Portal 4.2.2.7.

    When using the LDAP Authentication Scheme, it only provides mappings for user attributes. If I want to authenticate a user as Portal Administrator, I have to map the user "role" attribute as "title" and the role mapping for a Portal Administrator as "admin", so that a user with "title=admin" can log in as admin. But it just maps a role to a user.

    I have been told I could do this using SAML SSO Authentication Scheme, but every attempt I made to return a response to the Portal with an authenticated user resulted with the Portal redirecting to the failed login page.

     

    So my question is: How can I map a role to a group and authenticate using a member of this group in the CA API Developer Portal 4.2.2.7? Why can I do it as simple as that with the Policy Manager, but not with the Portal? Assigning every possible member to a role isn't an option.



  • 2.  Re: Unable to map a group of users to a role in Portal 4.2

    Posted 08-20-2018 06:02 AM

    Hello Gustavo,

    There are a couple of things that you need to take into consideration:

    1) that you will need to have an organisation created for the user that logs in, otherwise it will not allow you to log in.

    2) if you use SAML, you need to put the user details in the attributes elements.

     

    here are the settings that I was able to use in my portal (4.2.x)

     

    Where in some, I use the Gateway as an idp to SAML 'proxy', 

     

    here is an example of the setting for LDAP


    As you can see, I am reusing LDAP fields so that all will go through and in the Organisation I have 'o' , 

     

    in ORGANISATIONS I have

     

    and in the LDAP I have the following user:


    As you can see I use 'o' for the organisation but I HAD to create it manually in the portal under the 'Organisation' page,

     

    I hope this helps

     

     

    For SAML, here is a sample SAML response that works


    I hope this helps



  • 3.  Re: Unable to map a group of users to a role in Portal 4.2

    Posted 08-20-2018 02:13 PM

    It might help. As I stated before, I can't assign the role information to each user individually. This information must be inside a group. But I think I can work around it, like inserting this information into the response.
    But now I'm getting another error from the portal_authenticator service log: "Incoming SAML message is invalid"



  • 4.  Re: Unable to map a group of users to a role in Portal 4.2
    Best Answer

    Posted 08-20-2018 03:02 PM

    I found the problem! There's one missing step or somewhat incomplete step in your discussion SAML Bridging to allow for the Portal 4.2.x 
    Step 2.d.2: You also have to associate the PKI to the assertion "Build SAML Protocol Response".

     

    And I also could work around, explicitly inserting the role information from the group into the response.

    Thanks.
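    As an added illustration of the workaround described in this answer (this is not code from the thread or from the CA Portal), the snippet below reads the user and group entries posted in the question, derives the role from groupOfNames membership rather than from the user's title attribute, and emits it as a SAML AttributeStatement. The attribute name "role" and the group-to-role table are assumptions; the thread does not show the Portal's actual attribute names.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the user and group entries from the question above.
LDIF = """\
dn: uid=p00,ou=people,dc=ca
cn: user
objectClass: inetOrgPerson
uid: p00
title: admin

dn: cn=APIM_ADMINISTRATOR,ou=groups,dc=ca
cn: APIM_ADMINISTRATOR
objectClass: groupOfNames
member: uid=p00,ou=people,dc=ca
"""
# Assumed group-to-role table; the Portal's real attribute names are not shown in the thread.
GROUP_ROLES = {"cn=APIM_ADMINISTRATOR,ou=groups,dc=ca": "admin"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML2)

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}; no base64 or folded lines."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def roles_for(user_dn, entries):
    """Roles derive from groupOfNames membership only, never from a per-user attribute."""
    roles = set()
    for dn, attrs in entries.items():
        is_group = "groupofnames" in (c.lower() for c in attrs.get("objectclass", []))
        if is_group and user_dn in attrs.get("member", []) and dn in GROUP_ROLES:
            roles.add(GROUP_ROLES[dn])
    return sorted(roles)

def attribute_statement(user_dn, entries):
    """Serialise uid plus the derived role(s) as a <saml:AttributeStatement> (assumed names)."""
    stmt = ET.Element(f"{{{SAML2}}}AttributeStatement")
    for name, values in (("uid", entries[user_dn]["uid"]), ("role", roles_for(user_dn, entries))):
        attr = ET.SubElement(stmt, f"{{{SAML2}}}Attribute", Name=name)
        for value in values:
            ET.SubElement(attr, f"{{{SAML2}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")
```

    A user who is not a member of a mapped group gets an empty role attribute, so the Portal side still decides what an unmapped user may do.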



  • 5.  Re: Unable to map a group of users to a role in Portal 4.2

    Posted 08-27-2018 05:58 AM

    You are totally right! Sorry for the oversight, I thought it was obvious, but indeed, it needs to be expanded. I will correct it.