Accessing Consumer Catalog using multiple user registries

Log in or sign up to the Consumer Catalog using multiple user registries.

Before you begin

  • If you configure a new user registry for authenticating users to the Consumer Catalog, you must also complete the onboarding section in the catalog to make the registry available to Consumer Catalog users.
  • Every account in the Consumer Catalog, including accounts in different user registries for the same site, must have a unique email address. This requirement includes the site Admin account.
    For example, if you configure three different user registries for a particular Consumer Catalog, the email address alice@acme.com can be used to log in to the site from only one of the user registries. The default email address for the Admin account is the email address of the catalog owner.
    Note: It is not possible to create a new user account and the associated consumer organization with the same email address as the Admin account or that of the catalog owner. Any attempt to create an account with the same email address returns the following error message when you try to log in: A user already exists with this email address.
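
The following added example (not part of the product or its documentation) checks account lists exported from several user registries for addresses that would violate the unique-email rule described above, before those registries are enabled for one catalog. The registry names, the sample addresses other than alice@acme.com, and the case-insensitive comparison are assumptions made for illustration.

```python
from collections import defaultdict

ADMIN_LABEL = "admin/catalog-owner"  # hypothetical label for reserved addresses


def normalize(email):
    # Assumption: compare case-insensitively, ignoring surrounding whitespace.
    return email.strip().lower()


def find_email_collisions(registries, reserved):
    """Return {email: [sources]} for every address with more than one source.

    registries: {registry_name: [email, ...]} exported from each user registry
    reserved:   addresses of the site Admin account and the catalog owner
    """
    sources = defaultdict(list)
    # The Admin address defaults to the catalog owner's, so deduplicate first.
    for email in {normalize(e) for e in reserved}:
        sources[email].append(ADMIN_LABEL)
    for name, emails in registries.items():
        for email in emails:
            sources[normalize(email)].append(name)
    return {e: sorted(s) for e, s in sources.items() if len(s) > 1}


# Constructed sample data; registry names are made up for illustration.
SAMPLE_REGISTRIES = {
    "ldap-consumers": ["alice@acme.com", "bob@acme.com"],
    "oidc-partners": ["Alice@Acme.com ", "carol@example.org"],
    "lur-public": ["dave@example.org", "owner@acme.com"],
}
SAMPLE_RESERVED = {"owner@acme.com"}

if __name__ == "__main__":
    found = find_email_collisions(SAMPLE_REGISTRIES, SAMPLE_RESERVED)
    for email, where in sorted(found.items()):
        print(f"{email}: present in {', '.join(where)}")
```

Each reported address can log in from only one of the listed sources, so resolve the overlap before enabling the registries together.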

About this task

You can select the preferred registry when accessing the Consumer Catalog if multiple user registries are configured in the API Manager and enabled for the respective catalog. When user registries are configured to accept registrations, you can create your own accounts from the sign-up page without requiring an invitation from API Manager.

To enable user registries for the catalog that hosts the Consumer Catalog, you must configure the catalog onboarding settings.

Procedure

To configure the catalog onboarding settings and manage the access of the API consumers to the Consumer Catalog using multiple user registries, complete the following steps:

  1. Click Onboarding in the catalog settings navigation pane.
  2. To select the registries that are used to authenticate users of the Consumer Catalog associated with this catalog, click Edit in the Catalog user registries section, select the required registries, then click Save.
    For more information about how to configure a user registry, see Authenticating by using your enterprise user registry.
    Important: Do not share user registries between the API Manager and the Consumer Catalog, or between Consumer Catalog sites when self-service onboarding is enabled or account deletions in any of the sites are expected. You should create separate user registries for them, even if the separate registries point to the same backend authentication provider (for example, an LDAP server). This separation enables the Consumer Catalog to maintain unique email addresses across the catalog, without API Manager needing the same requirement. It also avoids problems where users deleting their accounts from the Consumer Catalog affects their API Manager access.
  3. To set a default registry, locate the required registry, click the Options menu icon, and click Set default.

    When an API consumer signs up to the Consumer Catalog, the specified registry is used by default, with the option to select another registry.

  4. To allow API consumers to complete their own sign-up process to the Consumer Catalog, set Self service onboarding to On.
    If this option is disabled, an API consumer cannot sign up without an invitation from a consumer organization owner.
  5. To require approval for all new self service onboarding to the Consumer Catalog, set Self service onboarding approval to On.
    If this option is enabled, then any attempt by an API consumer to sign up to the Consumer Catalog results in an approval request being sent. This request is displayed in the Tasks tab in the catalog for the associated Consumer Catalog. The owner can approve or decline the request from here.

    The Self service onboarding approval is honored whenever a consumer organization is created. So, even if an API consumer has already been approved to access a Consumer Catalog with a specific consumer organization, if they then try to create another consumer organization in the same Consumer Catalog, their request will still go through the approval process.

    Note: To enable self-service onboarding approval, you must also complete the following tasks:
    • Configure the user registry to require the user's email address.
    • Configure the OIDC apps to send the user's email address for approval.
  6. To edit the timeout period for the self service onboarding task, click Edit in the Self service onboarding task timeout section, specify the timeout period required, and click Save. The timeout period for this task covers both the email activation link and, if Self service onboarding approval is enabled, the approval process. The default timeout period for the self service onboarding task is 72 hours.
    Expired self service onboarding tasks are cleared only once per day in the Consumer Catalog. Therefore, any API consumers with expired onboarding tasks must wait until these tasks are cleared before attempting to sign up again.
  7. To configure the ability for API consumers to invite collaborators and assign them to roles, click Edit in the Consumer invitation and roles section, select the options required, and click Save.
  8. To configure the timeout for activation links that are sent in email invitations to application developers, click Edit in the Invitation Timeout section, specify the timeout length, then click Save. The default timeout period for the invitation link is 48 hours.
  9. To override the timeouts set by consumer organization invitations, set Override consumer organization's invitation timeout with catalog invitation timeout to On.

    The catalog's own timeout setting is used instead.