
Setting up a CallAPI Service User with LDAP when using SAML


Article ID: 239860


Updated On:


CA Automic Workload Automation - Automation Engine, CA Automic One Automation


This article is a guide to setting up a CallAPI user that is a service user attached to LDAP. The user cannot use SAML because, as a service user, it will not perform MFA at login.



Release : 12.3

Component :


In this example, the LDAP department is SUPPORT and the service account is called CALLAPI.

All users are a part of the SUPPORT department.
The SUPPORT department is linked to the UC_LDAP_SUPPORT variable in client 0.
SAML is set up according to the documentation and the Key NAME in UC_SAML_SETTINGS is SUPPORT.

Since the CALLAPI user cannot use MFA, it needs to bypass SAML altogether, so it cannot be a part of the SUPPORT department in Automic; the username cannot be CALLAPI/SUPPORT.

Here are the steps to accomplish this:

  1. Update the username to use a different department, such as SVC.
  2. The user should still have "LDAP Connection" checked in the user settings.
  3. Create a UC_LDAP_SVC variable in client 0.
  4. This should be a copy of the UC_LDAP_SUPPORT variable; add the following line to it:
    Value1: SUPPORT

Any account in this department will not use the SAML settings, since the department doesn't exist as a key name in UC_SAML_SETTINGS. The user is still tied to LDAP because of the UC_LDAP_SVC variable and because the user has LDAP Connection checked.
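
Because every user placed in the SVC department skips SAML, and with it MFA, membership of that department is worth auditing. The following is an added example, not part of the original article and not Automic code: it models the routing rules stated above and lists accounts that reach LDAP without SAML and are not on an approved list. The `User` record, the function names, the `NONE` result, the approved list and the sample users are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str              # "NAME/DEPARTMENT", e.g. "CALLAPI/SVC"
    ldap_connection: bool  # state of "LDAP Connection" in the user settings

def auth_path(user, saml_keys, client0_vars):
    """Classify one user following the rules stated in the article."""
    dept = user.name.partition("/")[2].upper()
    if dept in saml_keys:
        return "SAML"   # department is a key name in UC_SAML_SETTINGS
    if user.ldap_connection and f"UC_LDAP_{dept}" in client0_vars:
        return "LDAP"   # SAML is skipped, LDAP still applies
    return "NONE"       # neither path described in the article applies

def unapproved_saml_bypass(users, saml_keys, client0_vars, approved):
    """Names of users that use LDAP without SAML and are not approved."""
    return sorted(
        u.name for u in users
        if auth_path(u, saml_keys, client0_vars) == "LDAP"
        and u.name.upper() not in approved
    )

# Constructed sample data mirroring the article's example (not a real export).
SAML_KEYS = {"SUPPORT"}                            # key names in UC_SAML_SETTINGS
CLIENT0_VARS = {"UC_LDAP_SUPPORT", "UC_LDAP_SVC"}  # variables present in client 0
APPROVED_SERVICE_USERS = {"CALLAPI/SVC"}           # hypothetical approved list
USERS = [
    User("CALLAPI/SVC", True),     # the service user from the article
    User("JSMITH/SUPPORT", True),  # regular user, goes through SAML
    User("JSMITH/SVC", True),      # person moved into SVC: skips SAML and MFA
    User("BATCH/OPS", False),      # no SAML key and no LDAP connection
]

if __name__ == "__main__":
    for u in USERS:
        print(f"{u.name:16} {auth_path(u, SAML_KEYS, CLIENT0_VARS)}")
    print("review:", unapproved_saml_bypass(
        USERS, SAML_KEYS, CLIENT0_VARS, APPROVED_SERVICE_USERS))
```

Any name in the review list is an account that authenticates with an LDAP password alone, so it should either be a documented service user or be moved back to a department that is a key name in UC_SAML_SETTINGS.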