Creating an organization-specific custom user registry

You can configure an organization-specific custom user registry to provide user authentication for the Developer Portal.

Before you begin

Custom user registries can be used for authenticating users to the Developer Portal, but cannot be used to secure APIs.

To configure a custom user registry as a resource in API Manager, the external user directory must be created and available to use with your API Connect ecosystem.

Also, a custom user registry definition for your external user registry must already have been created on the Cloud Manager, as you will need the information from this definition to set up the custom user registry. See Configuring a shared custom user registry for information.

One of the following roles is required to configure a custom user registry:

  • Administrator
  • Owner
  • Topology Administrator
  • Custom role with the Settings: Manage permissions

About this task

You can create a custom user registry that is specific to a provider organization, or one that can be shared and available to all of the provider organizations in your API Connect environment. An organization-specific user registry can be used for authenticating Developer Portal users in a specific provider organization. While a shared user registry can be used for authenticating Cloud Manager, API Manager, and Developer Portal users.

This topic describes how to configure an organization-specific custom user registry. If you want to create a shared registry, see Configuring a shared custom user registry for more information.
Note:

You can use the following instructions to create a writable or a read-only custom user registry.

API Connect provides two methods for creating a custom user registry in the API Manager, as described in the following sections:

Creating a custom user registry by using the API Manager UI

You configure a custom user registry by creating a new custom user registry resource, which references the custom user registry type that is defined in the Cloud Manager. To make the custom user registry available to the Developer Portal for user authentication, you must enable the registry in the associated Catalog. When the custom user registry is used for authentication, API Connect makes a REST call to the endpoint of your external registry, as defined in the custom user registry type.

Creating a custom user registry resource

Use the following instructions to create a new custom user registry resource in the API Manager UI.
  1. Click Create in the User Registries section of Resources.
  2. Click the Custom user registry tile.
  3. Enter the following information:
    Property Description
    Custom type The name of the custom user registry type. For example, my-custom-user-registry-type. Use the drop-down arrow to select different custom user registry types. The custom user registry type is defined in the Cloud Manager.
    Title A descriptive name to display in the UI.
    Name The name of the custom user registry. This name is auto-generated, and is used in CLI commands.
    Summary A brief description of the custom user registry.
    Endpoint Optional endpoint information.
    Case sensitive To ensure proper handling of user name capitalization, you must ensure that your case-sensitivity setting here matches the setting on your backend server:
    • Only select Case sensitive if your backend server supports case-sensitivity.
    • Do not select Case sensitive if your backend server does not support case-sensitivity.
    Note:
    • The Developer Portal does not support case sensitive usernames.
    • After at least one user has been onboarded into the registry, you cannot change this setting.
    User registry managed Determines whether API Connect manages your user registry. Valid values are:
    • true - select the checkbox
    • false - clear the checkbox
    User managed Determines whether your user registry is writable or not. Select the checkbox to set to true for writable. Clear the checkbox for the non-writable option.
  4. Click Create. The new user registry is displayed in the User registries list.

Adding your custom user registry to the Developer Portal login

To make the custom user registry available for authenticating Developer Portal users, you must enable it in the Catalog that is associated with that Developer Portal. In the API Manager UI, click Manage followed by the relevant Catalog, and then click Catalog settings > Onboarding. In the Catalog User Registries section, click Edit, select the custom user registry, and click Save. For more information, see Creating and configuring Catalogs.

Creating a custom user registry by using the developer toolkit CLI

You configure an organization-specific custom user registry by creating a new custom user registry resource that references the integration document that exists on the Cloud Manager. You use developer toolkit CLI commands to create the custom user registry, and to make the registry available to the Developer Portal, you must enable the registry in the associated Catalog. When the custom user registry is used for authentication, API Connect makes a REST call to the endpoint of your external registry, as defined in the integration document.

Logging in to the management server CLI

Before you can define the custom user registry configuration, you must log in to your management server from the developer toolkit CLI as a member of a provider organization. Use the following command:
apic login --server mgmt_endpoint_url --username user_id --password password --realm provider/identity_provider
You can determine which identity provider to use in the --realm parameter by entering the following command to see a list of all available identity providers (you do not need to be logged in to use this command):
apic identity-providers:list --scope provider --server mgmt_endpoint_url --fields title,realm
For example:
apic identity-providers:list --scope provider --server myserver.com --fields title,realm 
total_results: 2
results:
  - title: Cloud Manager User Registry
    realm: provider/default-idp-2
  - title: Corporate LDAP user registry
    realm: provider/corporate-ldap
The title value should enable you to determine which identity provider to use; you can then copy the corresponding --realm parameter directly from the displayed realm value. For any identity providers that were created by your administrator after API Connect was installed, the names will have been determined at creation time. The default API Manager Local User Registry for login as a member of a provider organization is default-idp-2.

For full details of the login command, see Logging in to a management server.

For more information about how to use the CLI, see Installing the toolkit, and Overview of the command-line tool.

Defining your custom user registry

You define the configuration of your custom user registry in a custom_config_file.yaml file, as shown in the following example.
name: 'custom_registry_name'
title: 'display_title'
registry_type: 'custom_user_registry'
integration_url: custom_integration_url
user_managed: true_or_false
user_registry_managed: true_or_false 
identity_providers:
 - name: provider_name
   title: 'provider_title'
configuration:
  custom_config1: 'value1'
  customize: true
The registry properties that are common to each authentication method are described in the following table:
Property Description
name The name of the custom user registry. This name is used in the CLI commands.
title A descriptive name to display in a graphical user interface.
registry_type The registry type that is configured in the name property in the integration document, for example custom_user_registry.
integration_url The custom integration URL in your API Connect configuration. You can determine the custom integration URL by using the following CLI command:
apic integrations:list --server mgmt_endpoint_url --subcollection user-registry
user_managed Determines whether your user registry is writable or not. Must be set to true for writable. Set to false if you don't want the registry to be writable.
user_registry_managed Determines whether API Connect manages your user registry. Valid values are:
  • true
  • false
identity_providers An array containing the details of your custom server, where:
  • name - is the name of the custom server and is the name that is used in CLI commands
  • title - is the display name of the custom server
configuration The user-defined configuration based on the configuration_schema that is defined in the integration document.

Save your custom_config_file.yaml so it can be accessed by the user-registries:create command in the following section.

Creating your custom user registry

To create your organization-specific custom user registry, run the following CLI command:
apic user-registries:create --server mgmt_endpoint_url --org organization_name custom_config_file.yaml
where:
  • mgmt_endpoint_url is the platform API endpoint URL.
  • --org organization_name means that the registry will be created in your provider organization.
  • custom_config_file is the name of the YAML file that defines the configuration of your custom user registry.
On completion of the registry creation, the command displays the following summary details:
registry_name registry_url
The registry_name is derived from the name property in the custom user registry YAML file. The registry_url is the URL with which the custom registry resource can be accessed.

Your organization-specific user registry is now created; see the following section for instructions on how to make the registry available to users.

Configuring your custom user registry in a Catalog

To make your custom user registry available for authenticating Developer Portal users, you must enable it in the Catalog that is associated with that Developer Portal. Complete the following steps:
  1. Determine the URL of your custom user registry by using the following command (or you can copy and paste from the summary of the registry creation):
    apic user-registries:list --server mgmt_endpoint_url --org organization_name
  2. Enter the following command (the terminating hyphen character means that the command takes input from the command line):
    apic configured-catalog-user-registries:create --server mgmt_endpoint_url --org organization_name --catalog catalog_name -
    where catalog_name is the value of the name property of the required Catalog. The command returns
    Reading CONFIGURED_CATALOG_USER_REGISTRY_FILE arg from stdin
  3. Enter the following data, followed by a new line:
    user_registry_url: custom_registry_url
    where custom_registry_url is the URL of your custom user registry, obtained in step 1.
  4. Press CTRL D to terminate the input.