User Management

Overview

Developer Portal provides you with options to onboard users and manage their accounts. You can:

User onboarding

Developer Portal offers you the following options to onboard users into your portal:

The user onboarding options available in Developer Portal are Native registration, Sign up using SAML SSO and Social media account, and Import of LDAP users.

Configure approval strategy

You can configure the strategy for approving user sign up requests.

It is not mandatory to specify an onboarding strategy. If you do not configure an onboarding strategy, users who sign up are directly onboarded.

For information on configuring user onboarding strategies, see Onboarding Strategy.

Manage user privileges

You can assign one of the following privileges to users and user groups:

When you assign a privilege to a user group, it will be applicable to all users in the group. For information on assigning or modifying user privileges, see How do I assign privileges to a user?

Advanced user account security

You can make the user accounts more secure by enabling:

  • Multi factor authentication. For information on multi-factor authentication, see How do I configure multi-factor authentication settings?
  • Account lockout settings. For information on account lockout configuration, see How do I configure user account lockout settings?
  • Password policy. For information on password policy configuration, see How do I configure password policy?
    Native Registration

    Native registration process allows:

  • New users to sign up from the landing page of the application.
  • Administrators to add new users.

    Developer Portal provides the following options for native registration:

  • Sign up page. New users can provide basic details such as their email address and password, and sign up for Developer Portal using the Sign up page accessed from the landing page. The sign-up request is forwarded for approval based on the onboarding strategy. You can configure an onboarding process for the incoming sign up requests by specifying the required strategies from the Onboarding screen. For information on onboarding strategies, see Onboarding Strategy.

    You can disable this mode of registering new users if you want to onboard users using other modes like SSO and LDAP. For information about disabling this feature, see Disabling user registration from the Sign up page.
  • Manage users section. You can also add users and user groups from the Manage users page of the Administration section.

    For information on inviting users, see Inviting users to sign up.

    For information on adding users, see How do I add a user?

    For information on adding user groups, see How do I add a user group?

  • Manage programs section or API programs details page. You can invite participants to sign up for an API program (Hackathon or Beta program). This option is also available for API providers and partners who own or organize API programs. For information about inviting users for an API program, see Inviting users to sign up.

    How do I add a user?

    This use case starts when you want to add a user and ends when you have added one.

    In this example, you add a user, user1, add the user to the API consumer group, and assign the Consumer privilege.

    Before you begin

    Ensure you have the API Administrator privilege.

    To add a user

    1. Click the menu options icon from the title bar and click Manage users.

    2. Click Create user.

    3. Provide user1 in the Username field.

      This is the user name that the user must provide during sign in.

    4. Provide user_first_name in the First name field.

    5. Provide user_last_name in the Last name field.

    6. Provide user@email.com in the Email field.

    7. Provide the Password that must be used to sign in.

    8. Select the API Consumer group.

    9. Select the API Consumer privilege.

    10. Click Save.

      The new user appears in the Manage users screen.

    Alternative steps:

    1. In Step 8, you can add more than one group.

      You can also modify the list of groups later.

    2. In Step 9, you can select one of the following privileges based on the role of the user in your organization:

      • Administrator
      • Provider
      • Consumer
      • Partner

    In addition to the privilege that you assign to users, the users will have the privileges of the selected groups assigned to them. If you select more than one group, then the highest privilege among the groups added will be applied to the user. For example, if you select API provider and API consumer groups for a user, then the user will have the API provider privilege.

    Next steps:

    How do I add a user group?

    This use case starts when you want to add a user group and ends when you have added one.

    In this example, you add a user group, usergroup1, assign the Consumer privilege, and add the user user1 to the group.

    Before you begin

    Ensure you have the API Administrator privilege.

    To add a user group

    1. Click the menu options icon from the title bar and click Manage users.

    2. Click Groups.

    3. Click Create group.

    4. Provide usergroup1 in the Name field.

    5. Select the Consumer privilege.

    6. Select user1 from the Users list.

    7. Click Save.

      The group is added.

    Alternative steps:

    Next steps:

    Inviting users to sign up

    As an administrator, you can onboard users by inviting them by e-mail. Users who receive the invitation can click the link in the mail to sign up to Developer Portal.

    To invite users

    1. Click the menu options icon from the title bar and click Manage users.

    2. Click Invite user.

    3. Provide the e-mail addresses of the required users.

      When you invite multiple users using one invite, type an e-mail address and then type a comma or press Enter. Repeat this step until you have provided all e-mail addresses.

    4. Select the communities and privileges that must be applied.

      The selected communities and privileges are applied to the newly invited users when they are onboarded.

    5. Click Invite.

      An invite mail is sent to the e-mail addresses you provided.

    Next steps

  • Users who received the invite mail can click the link provided in the mail and follow the given instructions to sign up to the portal. During sign up, users can provide the password that they will use to sign in to the portal.
  • Users are added to the group that you have selected in the Default group name field in the Administration > Users page. If you have selected any group other than API Consumer, then the invited participant is also added to the API Consumer group in addition to the selected group.
  • Users invited by administrators using this feature do not undergo the onboarding approval process, if any. In addition, if you have enabled Email verification as a part of your onboarding process, it is ignored for users who sign up using the mail invite. For information about onboarding strategy and email verification, see Onboarding Strategy.

    How do I assign privileges to a user?

    Users can perform tasks based on their privileges. You, as an administrator, can assign privileges to users when you create them. For users who are onboarded using any other method, you can edit users or user groups and assign required privileges.

    When you create users from the Add user page, you can assign the required privileges. However, you must edit the details of users who sign up through native registration or SAML SSO to assign required privileges to them.

    This use case starts when you assign or modify user privileges and ends when you have successfully made the changes.

    Before you begin:

    Ensure you have the API Administrator privilege.

    To assign privileges

    1. Click the menu options icon from the title bar and click Administration.

      The list of users appears.

    2. Click the edit icon next to the required user.

    3. Assign or modify the privileges to the user.

      You cannot modify the user privileges assigned through the groups.

    4. Click Save.

      Your changes are saved.

    Next steps:

    Users can perform any transactions that require the assigned privilege.

    Disabling user registration from the Sign up page

    You can disable sign-up of new users from the Sign up page if you want users to register only through other modes such as SSO and LDAP registration.

    To disable user registration from the Sign up page

    1. Click the menu options icon from the title bar and click Administration.

    2. Click General.

    3. Turn the Enable User Registration slider off.

      This is turned on by default.

    4. Click Save.

      User sign-up from the Sign up page is disabled.

    Onboarding Strategy

    The onboarding strategy is used to specify the process to approve or reject:

  • User sign up requests
  • Application or subscription requests

    You can specify any one or all of the following steps as a part of onboarding strategy:

  • Internal approval. Approvers receive a notification when there is a request for a user, application, or subscription registration. They can view the pending approval requests, review them, and approve or reject them. You can configure the required registration approval workflow. For information on configuring user registration approval workflow, see How do I configure an approval workflow to process an internal approval onboarding strategy?
  • External approval. You can configure an external system to verify and approve or reject the requests. You can notify the required external approving system by creating a webhook. For information on configuring user sign up notifications to your external approving system, see How do I configure webhooks to notify events to an external system?
  • Email verification. This is applicable only for user registration. An email is sent to the email address provided during sign up. Users can click the link sent over the email to get verified. Usually, this step is combined with one of the above two.

    How do I configure onboarding strategy to process user sign up requests?

    Onboarding strategy determines the process that user sign up requests must undergo and it is optional. If you do not configure an onboarding strategy, then users’ sign up requests are automatically approved.

    This use case starts when you want to configure onboarding process for user registration requests and ends when you have completed the configuration.

    Before you begin:

    Ensure that you:

  • Configure an approval workflow. For information on configuring user registration approval workflow, see How do I configure an approval workflow to process an internal approval onboarding strategy?
  • Have the API Administrator privilege.

    To configure user onboarding strategy

    1. Click the menu options icon from the title bar and click Administration.

    2. Select Onboarding.

    3. From the User onboarding section, enable any or all of the required strategies:

    4. Use the arrow keys next to these strategies to change their order.

      The strategies are applied in the order in which they appear.

    5. Click Save.

      The onboarding strategy is saved.

    Next steps:

    User sign up requests are processed based on the onboarding strategy.

    How do I configure an approval workflow to process an internal approval onboarding strategy?

    Within a workflow, you can specify multiple approval steps. An application is successfully registered when the request passes through the steps configured in the approval workflow. You can also modify the sequence of approval steps based on your requirement.

    This use case starts when you want to configure a workflow with one or more approval steps and the required approvers to approve a user or application registration request.

    In this example, you create a workflow, workflow1 with user1 as first level approver, and anyone from ApproverGroup1 as second level approvers.

    Before you begin:

    Ensure that you have:

    LDAP Users and Groups Onboarding

    You can add LDAP users and their associated groups as Developer Portal users. You can provide LDAP server details by creating an LDAP connection and import users and user groups from the server. You can specify multiple LDAP servers.

    The high-level LDAP configuration workflow is as follows:

    How do I create an LDAP connection to import users from an LDAP server?

    This use case starts when you want to provide the LDAP server details and ends when you have successfully created a connection.

    Before you begin

    Ensure the following:

    API Administrator privilege.

    To create an LDAP connection

    1. Click the menu options icon from the title bar and click Administration.

    2. Select LDAP.

    3. Click Create LDAP.

    4. In the ID field, provide a unique ID for the LDAP connection.

    5. Provide the Server Name, URL, Username, and Password of the LDAP server.

    6. Based on your security requirements for the LDAP connection, enable the following checks:

      • Verify host names. Turn on to verify if the LDAP server host name provided matches the name in the SSL certificate Developer Portal receives from the LDAP server while establishing the connection. The LDAP connection fails if the names do not match.

      • Verify certificates. Turn on to verify the SSL certificates provided by LDAP server. The LDAP connection fails if invalid certificates are provided.

    7. In the Simultaneous connections field, provide the maximum number of simultaneous connections to the same LDAP server.

    8. Provide the Connection timeout and Read timeout values in milliseconds.

    9. Click Save.

      The LDAP connection appears in the Connections tab.

    10. Click of the LDAP connection to verify if Developer Portal is able to connect successfully with the LDAP server.

      You can import users and user groups from the LDAP connection.

    Alternative steps:

    Next steps:

    How do I create an LDAP connection to import users from a secured LDAP server?

    This use case starts when you want to provide the secured LDAP server details and ends when you have successfully created a connection.

    Before you begin

    Ensure the following:

    To create a secured LDAP connection

    1. Click the menu options icon from the title bar and click Administration.

    2. Select LDAP.

    3. Click Create LDAP.

    4. In the ID field, provide a unique ID for the LDAP connection.

    5. Provide the Server name, URL, Username, and Password of the LDAP server.

    6. Based on your security requirements for the LDAP connection, enable the following checks:

      • Verify host names. Turn on to verify if the LDAP server host name provided matches the name in the SSL certificate Developer Portal receives from the LDAP server while establishing the connection. The LDAP connection fails if the names do not match.

      • Verify certificates. Turn on to verify the SSL certificates provided by LDAP server. The LDAP connection fails if invalid certificates are provided.

      • Use SSL. Turn on to specify that the connection to the LDAP server is secure. Enable this option or use an LDAPS URL for a secure connection. When you turn this on, the SSL mode list appears.

    7. Select the required SSL mode from the list.

    8. In the Simultaneous connections field, provide the maximum number of simultaneous connections to the same LDAP server.

    9. Provide the Connection timeout and Read timeout values in milliseconds.

    10. Click Save.

      The LDAP connection appears in the Connections tab.

    11. Click of the LDAP connection to verify if Developer Portal is able to connect successfully with the LDAP server.

      You can import users and user groups from the LDAP connection.
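
    The Verify certificates and Verify host names checks in the two LDAP connection procedures above correspond to standard TLS client checks. The following is an added example, not Developer Portal code: it builds a Python TLS context with the same two switches and probes an LDAPS port with it, so that you can confirm a server passes both checks before you save the connection. The function names and the ldap.example.invalid host are assumptions, and the probe covers implicit TLS (ldaps://) only.

```python
import socket
import ssl


def build_context(verify_certificates=True, verify_host_names=True, ca_file=None):
    """Return a TLS client context mirroring the two verification switches."""
    # create_default_context() starts strict: CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(cafile=ca_file)
    if not verify_host_names:
        # The chain is still validated, but a valid certificate issued for
        # any other host name is accepted.
        ctx.check_hostname = False
    if not verify_certificates:
        # Python requires check_hostname to be off before CERT_NONE. A name
        # read from an unverified certificate proves nothing anyway.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_ldaps(host, port=636, timeout=5.0, **switches):
    """Attempt a TLS handshake with an LDAPS endpoint and report the outcome."""
    ctx = build_context(**switches)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # empty dict when verification is off
                return {"ok": True, "tls": tls.version(),
                        "subject": cert.get("subject"),
                        "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain, expired certificate, or host name mismatch.
        return {"ok": False, "error": exc.verify_message}
    except OSError as exc:
        # DNS failure, refused connection, timeout, or another TLS error.
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Placeholder host: replace with the LDAP server you plan to configure.
    print(probe_ldaps("ldap.example.invalid"))
```

    A server that only connects with verify_certificates=False or verify_host_names=False needs its certificate or trust chain fixed before the portal connection is saved with both checks turned on.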

    Next steps:

    How do I specify attributes for the LDAP connection established with an LDAP server?

    This use case starts when you have created an LDAP connection and when you want to modify or specify the attribute mappings, user attribute mappings, group attribute mappings, and behavior of the LDAP connection.

    Before you begin:

    Ensure that you have:

    To specify attributes for the LDAP connection established with an LDAP server

    1. From the Connections tab, click the edit icon next to the connection.

    2. Click the Attribute mappings tab.

    3. Provide the following details:

      Field        Description
      objectClass  Attribute that contains the object class.
      DN           Fully qualified name (distinguished name).
      GUID         Globally unique Identifier of the LDAP server.

    4. Click the User attribute mappings tab.

    5. Provide LDAP user attributes:

      Field                                Description
      Name, First name, and Last name      LDAP user name, first name, and last name.
      E-mail address and Telephone number  Email address and telephone number of the LDAP user.
      Picture                              Location of the user’s thumbnail picture.
      memberOf                             Attribute that references the groups of a user.
      User-defined                         List of LDAP attributes, separated by commas, that are to be imported as user-defined attributes of LDAP user.

    6. Click the Group attributes mappings tab.

    7. Provide the following LDAP group attributes:

      Field         Description
      Name          Group name.
      hasMember     Attribute that references the members of a group.
      User-defined  List of LDAP attributes that you want to import as user-defined attributes of a group.

    8. Click the Behavior tab.

    9. Provide the following details:

      Field                Description
      Group object class   Object class of the LDAP group.
      User object class    Object class of the LDAP user.
      Search paths         List of all LDAP search paths separated with semi-colons.
      Group search paths   List of all LDAP search paths for user groups separated by semi-colons. The list provided here overwrites the list of general search paths.
      User search paths    List of LDAP search paths for users separated using semi-colons. The list provided here overwrites the list of general search paths.
      Group search filter  Query filter for LDAP groups.
      User search filter   Query filter for LDAP users.
      Recursion depth      Recursion depth that is to be used for nested groups and users.
      Page size            Maximum number of entries that are loaded in a single LDAP query.
      Referrals            Defines how referrals to other LDAP systems are processed.

    10. Click Save.

      You have now completed providing LDAP details.

    Next steps:

    How do I import users and user groups from an LDAP server?

    After creating an LDAP connection, you can import the users and user groups present in the LDAP server.

    This use case begins when you have created an LDAP connection and ends when you have imported users and user groups from the specified server.

    Before you begin:

    Ensure that you have:

    To import users and user groups from an LDAP server

    1. Click the menu options icon from the title bar and click Manage users.

    2. Click Import LDAP users or groups.

      Import LDAP Users or Groups

    3. From the list, select the LDAP connection from which you want to import.

    4. Select one of the following:

      • Users. To import users from LDAP server.

      • Groups and associated users. To import user groups and their associated users.

    5. In the text field, provide a value to filter users or groups, if required. Alternatively, type * to import all users or groups from the given LDAP server.

    6. Click the right pane to preview users or groups.

    7. Click Import.

      The list of users or groups are imported to Developer Portal.

    Next steps:

    Single Sign-On Users Onboarding

    Developer Portal uses SAML protocol to allow users to sign up with one of their following credentials:

    The onboarding strategy determines how the sign up requests of users who sign up using their SSO credentials must be processed.

    SAML SSO Onboarding

    The SAML protocol is used to enable the SSO authentication. This authentication mechanism permits users to use one set of login credentials to access multiple applications. In addition to being a user-friendly option, implementing SSO makes user logins more secure as it uses SAML protocol for communication.

    You can configure SAML settings and allow users to onboard using one of the following credentials:

    Important
    By default, the Developer Portal destination in API Gateway is configured using the pre-defined user, apigatewaysystemuser. If you configure SAML for Developer Portal sign-in, the pre-defined destination configuration does not work. Hence, if you are setting up SAML sign-in then ensure that you modify the portal destination settings in API Gateway.

    The SAML authentication workflow for onboarding users is as follows:

    The high-level SAML configuration workflow is as follows:

    How do I onboard users using their SAML service provider credentials?

    You can enable SSO using one of the following applications:

    This use case begins when you want to allow users to onboard using their SSO credentials and ends when you have completed the configuration.

    In this example, you enable SSO for users with their Okta credentials.

    Before you begin:

    Ensure that you:

    To enable SSO onboarding using Okta credentials:

    1. Click the menu options icon from the title bar and click Administration.

    2. Select SAML.

    3. Select Redirect from the Binding list.

    4. Provide the following values copied from Okta SSO application that you created for Developer Portal:

      • Identity provider Id. Id of the identity provider.

      • Service provider Id. Id of the service provider. This must be same as the value you specify in Okta.

      • Single sign-on endpoint and Single logout endpoint. Endpoints that the identity provider must use to send single sign-on and logout payloads.

    5. Click Save.

      Your changes are saved.

    Alternative steps:

    Next steps:

    How do I configure SAML settings to specify user onboarding configurations?

    This use case starts when you want to configure SAML settings and ends when you have completed the configuration.

    Before you begin:

    Ensure you have

    To configure SAML settings:

    1. Click the menu options icon from the title bar and click Administration.

    2. Select SAML.

    3. Click the Signature tab.

    4. Enable the following fields, if required:

      • Enforce signing of assertions. Turn on to specify that the SAML assertions must be signed. If this is enabled, all assertions received by the application must be signed.

      • Enforce signing of requests. Turn on to specify that the SAML authentication requests must be signed. If this field is enabled, all requests received by the application must be signed. Requests sent by the application are signed by the selected signature algorithm.

      • Enforce signing of responses. Turn on to specify whether the SAML authentication response must be signed.

      • Enforce signing of metadata. Turn on to specify whether the SAML metadata must be signed. If set, the service provider metadata file provided by the application is signed.

    5. Select the required Signature algorithm from the drop-down list.

    6. Click the Keystore tab.

    7. Click Browse and select the SAML keystore file.

    8. Provide the Alias name and Password required to access the keystore file in the corresponding fields.

    9. Select the type of keystore file to be used from the Type drop-down list.

    10. Click the Truststore tab.

    11. Click Browse and select the SAML truststore file.

    12. Provide the Alias name and Password required to access the truststore file in the corresponding fields.

    13. Select the type of truststore file to be used from the Type drop-down list.

    14. Click the User attributes tab.

    15. Provide required values in the following fields:

      Field             Description
      First name        Attribute name to be used for reading the first name from a SAML assertion.
      Last name         Attribute name to be used for reading the last name from a SAML assertion.
      E-mail address    Attribute name to be used for reading the email addresses from a SAML assertion.
      Telephone number  Attribute name to be used for reading the phone numbers from a SAML assertion.
      memberOf          Attribute that references the groups of a user.
      User-defined      List of attributes, separated by commas, to be imported as user-defined attributes of the user.

    16. Click the Advanced settings tab.

    17. Select Create user automatically.

      A user is created automatically using the details received from assertion.

    18. Provide information in following fields:

      Field                              Description
      Login using DN                     Specifies whether sign in must be tried using the fully qualified name instead of the user name.
                                         The name in the assertion is assigned as the distinguished name of the user being created.
      Decompose DN                       Specifies whether the fully qualified name is to be decomposed.
                                         The name in the assertion is assigned as the distinguished name of the user being created only if the name is in an appropriate format.
      Keyword                            Specifies which part of the fully qualified name is to be used for login.
      Authentication context comparison  Specifies the level of comparison that must be performed on the assertion context class against the authentication context. If this fails, the user is not authenticated.
      Name ID format                     Specifies the format in which the user ID must be saved.
      Clock skew (in seconds)            Specifies the time offset between identity provider and service provider, in seconds. Assertions are accepted if they are received within the permitted time frame.
      Assertion lifetime (in seconds)    Specifies the maximum lifetime of a SAML assertion, in seconds.
      Assertion consumer service URL     Specifies the URL to which the identity provider must send the authentication response. The URL must be given in the format: http(s)://hostname/portal/rest/saml/initsso
      Default tenant                     Specifies the default tenant that is to be used for the SAML-based login.

    19. Click Save.

      You have specified SAML configuration details. Users can sign up to Developer Portal using their SSO credentials.
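
    How a service provider typically applies the Clock skew and Assertion lifetime values from the Advanced settings above, as an added example rather than Developer Portal's own code: it reads the timestamps of a constructed assertion and accepts or rejects it for a given receive time. The function names and the order of the rules are assumptions, and signature validation is outside the block.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the identity provider grants a one-hour validity window.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0"
                IssueInstant="2024-05-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z"
                   NotOnOrAfter="2024-05-01T13:00:00Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_time_window(assertion_xml, now, clock_skew_s, lifetime_s):
    """Return (accepted, reason) for an assertion received at `now`."""
    root = ET.fromstring(assertion_xml)
    skew = timedelta(seconds=clock_skew_s)
    issued = parse_instant(root.attrib["IssueInstant"])
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "no Conditions element"

    # Clock skew absorbs small differences between the two system clocks.
    if issued - skew > now:
        return False, "issued in the future"
    # Assertion lifetime caps the age the service provider accepts,
    # even when the identity provider's own window is longer.
    if now > issued + timedelta(seconds=lifetime_s) + skew:
        return False, "older than assertion lifetime"
    not_before = conditions.get("NotBefore")
    if not_before and now < parse_instant(not_before) - skew:
        return False, "not yet valid"
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after and now >= parse_instant(not_on_or_after) + skew:
        return False, "expired"
    return True, "within permitted time frame"


if __name__ == "__main__":
    def at(hour, minute, second):
        return datetime(2024, 5, 1, hour, minute, second, tzinfo=timezone.utc)

    # Clock skew 30 s, assertion lifetime 300 s.
    for now in (at(11, 59, 40), at(12, 4, 0), at(12, 10, 0)):
        print(now.time(), check_time_window(SAMPLE_ASSERTION, now, 30, 300))
```

    A large clock skew or assertion lifetime widens the window in which a captured assertion can be replayed, so keep both values as small as clock synchronization between the two systems allows.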

    User Onboarding using Social Media Account

    The OAuth section is used to configure onboarding using social media accounts. You can allow users to onboard using the following accounts:

    To allow users to log in through these accounts, you must register an OAuth application in their corresponding sites and provide the API Key and security token details in Developer Portal.

    How do I onboard users using their Social media credentials?

    You can enable users to sign up using their Facebook, Google, or GitHub credentials.

    This use case starts when you want to allow user onboarding using their Social media account and ends when you have completed the configuration.

    In this example, you enable users to sign in using their Facebook credentials.

    Before you begin


    To enable SSO onboarding using Facebook credentials:

    1. Click the menu options icon from the title bar and click Administration.

    2. Select OAuth.

    3. Select Facebook from the Providers tab.

    4. Provide the API key and API secret values from the OAuth application registered in Facebook.

    5. Click Save.

      Your changes are saved.

    Alternative steps

    Next steps

  • The Sign in with Facebook button appears in the Sign in page.
  • Users can click this button and provide their Facebook credentials to sign up to Developer Portal.
    The sign up request goes through the onboarding strategy.

    Data Anonymization

    Overview

    Data protection laws and regulations, such as the General Data Protection Regulation (GDPR), require specific handling of users’ personal data, even after a user is removed. Additionally, employees or other clients with user accounts on Developer Portal may request that any user identifying information such as user name, email addresses, or client IP addresses be removed from Developer Portal.

    When a user is deleted from Developer Portal, the audit events retain the information about the user, which should be deleted or anonymized.

    When you anonymize user data, the corresponding user name is replaced with anonymous in all applicable instances of the UI.

    You can anonymize user data automatically or manually as follows:

    How do I enable or disable automatic anonymization of deleted user data through Developer Portal UI?

    This section explains the steps to enable automatic anonymization of deleted user accounts.

    To enable automatic anonymization of user data using the UI

    1. Click the menu options icon from the title bar and click Administration.

    2. Click General.

    3. Select Enable automatic user anonymization if not selected.

      This is selected by default. Clearing the check box disables automatic anonymization.

    4. Click Save.

      Your configurations are saved.

    How do I anonymize the deleted user data using REST API?

    This section describes the REST API used to anonymize the deleted user accounts. You can use the REST API for anonymizing user accounts in bulk.

    After you delete a user account, you must wait for a minimum of ten minutes to perform anonymization. This is to ensure that the background operations related to user account removal are completed before the anonymization.

    To anonymize user data using REST API

    Make a REST call with the required list of user names to the following endpoint:

    PUT /users/anonymize

    You can provide the list of user accounts within quotes as shown here:

    ["user1","user2","user3"]

    The specified user accounts are anonymized.
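
    One way to prepare this call in bulk while respecting the ten-minute wait, as an added example that is not taken from the product documentation: it selects the deleted accounts that are old enough, serializes them as a JSON array, and builds the PUT request without sending it. The base URL, the Content-Type header, and the Authorization value are assumptions; only the method and the /users/anonymize path come from this page.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.request import Request

MIN_WAIT = timedelta(minutes=10)  # minimum wait stated on this page


def build_anonymize_request(base_url, deleted_at, now, auth_header=None):
    """Return (request, deferred).

    deleted_at maps user name -> time the account was deleted (UTC).
    request is None when no account has passed the wait yet; deferred
    lists the user names to retry later.
    """
    ready, deferred = [], []
    for name, when in sorted(deleted_at.items()):
        if not name.strip():
            raise ValueError("empty user name")
        (ready if now - when >= MIN_WAIT else deferred).append(name)
    if not ready:
        return None, deferred

    # json.dumps emits straight double quotes; typographic quotes copied
    # from a document are not valid JSON.
    body = json.dumps(ready).encode("utf-8")
    headers = {"Content-Type": "application/json"}  # assumption
    if auth_header:
        headers["Authorization"] = auth_header  # assumption: scheme not on page
    request = Request(base_url.rstrip("/") + "/users/anonymize",
                      data=body, headers=headers, method="PUT")
    return request, deferred


if __name__ == "__main__":
    # Constructed sample data; the base URL is a placeholder.
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    deleted = {
        "user1": now - timedelta(minutes=45),
        "user2": now - timedelta(minutes=10),
        "user3": now - timedelta(minutes=3),
    }
    req, later = build_anonymize_request(
        "https://portal.example.invalid/rest-base-path", deleted, now)
    print(req.get_method(), req.full_url, req.data.decode(), later)
    # Send with urllib.request.urlopen(req) once the placeholders are replaced.
```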