I have a simple LDAP configured like this:
With just this I could create an LDAP Identity Provider in the CA API Gateway - Policy Manager 9.3, allow assignment to administrative rules, set the group "APIM_ADMINISTRATOR" as administrator so that every member inside it has admin rules, and log in with user p00.
However, I can't figure out how to do this in the CA API Developer Portal 188.8.131.52.
When using the LDAP Authentication Scheme, it only provides mappings for user attributes. If I want to authenticate a user as Portal Administrator, I have to map the user "role" attribute as "title" and the role mapping for a Portal Administrator as "admin", so that a user with "title=admin" can log in as admin. But it just maps a role to a user.
I have been told I could do this using the SAML SSO Authentication Scheme, but every attempt I made to return a response to the Portal with an authenticated user resulted in the Portal redirecting to the failed login page.
So my question is: how can I map a role to a group and authenticate using a member of this group in the CA API Developer Portal 184.108.40.206? Why can I do it as simply as that with the Policy Manager, but not with the Portal? Assigning every possible member to a role isn't an option.
There are a couple of things that you need to take into consideration:
1) You will need to have an organisation created for the user that logs in, otherwise it will not allow you to log in.
2) If you use SAML, you need to put the user details in the attribute elements.
Here are the settings that I was able to use in my portal (4.2.x).
In some of them, I use the Gateway as an IdP to SAML 'proxy'.
Here is an example of the settings for LDAP:
As you can see, I am reusing LDAP fields so that all will go through, and in the Organisation I have 'o'.
In ORGANISATIONS I have:
And in the LDAP I have the following user:
As you can see, I use 'o' for the organisation, but I HAD to create it manually in the portal under the 'Organisation' page.
I hope this helps.
For SAML, here is a sample SAML response that works:
It might help. As I stated before, I can't assign the role information to each user individually. This information must be inside a group. But I think I can work around it, like inserting this information into the response. But now I'm getting another error from the portal_authenticator service log: "Incoming SAML message is invalid"
I found the problem! There's one missing step, or a somewhat incomplete step, in your discussion "SAML Bridging to allow for the Portal 4.2.x", Step 2.d.2: you also have to associate the PKI to the assertion "Build SAML Protocol Response".
And I also could work around it, explicitly inserting the role information from the group into the response.
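As an added illustration of the workaround described above (not code from the thread or from CA), the snippet below derives the Portal role from LDAP group membership and places it, together with the organisation, into a SAML AttributeStatement. The group-to-role mapping, the `memberOf` DNs and the user entries are constructed sample data; the attribute names "title" and "o" follow the mappings discussed in the thread.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed mapping: which LDAP group grants which Portal role (assumption, not a product default).
GROUP_TO_ROLE = {"APIM_ADMINISTRATOR": "admin"}

# Constructed sample LDAP entries; 'o' is the organisation, memberOf lists group DNs.
SAMPLE_USERS = {
    "p00": {"o": "ExampleOrg", "memberOf": ["cn=APIM_ADMINISTRATOR,ou=groups,dc=example,dc=com"]},
    "p01": {"o": "ExampleOrg", "memberOf": ["cn=DEVELOPERS,ou=groups,dc=example,dc=com"]},
}


def group_cn(dn):
    """Return the cn of a group DN, e.g. 'APIM_ADMINISTRATOR' from 'cn=APIM_ADMINISTRATOR,ou=...'."""
    first_rdn = dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    return value if attr.strip().lower() == "cn" else None


def role_for(entry):
    """Map group membership to a role; None when no group grants one (user is not an admin)."""
    for dn in entry.get("memberOf", []):
        role = GROUP_TO_ROLE.get(group_cn(dn))
        if role:
            return role
    return None


def build_attribute_statement(entry):
    """Build <saml:AttributeStatement> carrying 'o' and, when granted, the role as 'title'."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    attrs = {"o": entry["o"]}
    role = role_for(entry)
    if role:  # only emit title=<role> when a group actually grants it
        attrs["title"] = role
    for name, value in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return stmt


def attributes_of(stmt):
    """Parse an AttributeStatement back into a dict, as the Portal side would read it."""
    return {a.get("Name"): a.find(f"{{{SAML_NS}}}AttributeValue").text
            for a in stmt.findall(f"{{{SAML_NS}}}Attribute")}
```

Run `ET.tostring(build_attribute_statement(SAMPLE_USERS["p00"]))` to see the XML fragment that would be embedded in the assertion.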
You are totally right! Sorry for the oversight, I thought it was obvious, but indeed it needs to be expanded. I will correct it.