
Setting up a CallAPI Service User with LDAP when using SAML


Article ID: 239860


Updated On:

Products

CA Automic Workload Automation - Automation Engine
CA Automic One Automation

Issue/Introduction

This article is a guide to setting up a CallAPI user that is a service user attached to LDAP. Because it is a service user, no MFA will be performed at login, so it cannot use SAML.


Environment

Release : 12.3

Component :

Resolution

In this example, the LDAP department is SUPPORT and the service account is called CALLAPI.

All users are part of the SUPPORT department.
The SUPPORT department is linked to the UC_LDAP_SUPPORT variable in client 0.
SAML is set up according to the documentation, and the Key NAME in UC_SAML_SETTINGS is SUPPORT.

Since the CALLAPI user cannot use MFA, it needs to bypass SAML altogether, so it cannot be a part of the SUPPORT department in Automic; the username cannot be CALLAPI/SUPPORT.

Here are the steps to accomplish this:

  1. Update the username to use a different department, like SVC
  2. The user should still have "LDAP Connection" checked in the user settings
  3. Create a UC_LDAP_SVC variable in client 0
  4. Make it a copy of the UC_LDAP_SUPPORT variable and add the following line to it:
    Key: DOMAIN_ALIAS
    Value1: SUPPORT

Any account tied to this department will not use the SAML settings, since the department doesn't exist as a key name in UC_SAML_SETTINGS. The user is still tied to LDAP through the UC_LDAP_SVC variable and the "LDAP Connection" setting on the user.
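Because every account placed in the SVC department skips SAML, and therefore MFA, it is worth checking periodically that only the intended service accounts are in it. The following is an added example, not Broadcom or Automic code: it models the routing rule described above (department listed in UC_SAML_SETTINGS means SAML; otherwise "LDAP Connection" plus a matching UC_LDAP_<department> variable means LDAP) and lists any LDAP-only account that is not on an allowlist. The dictionary layouts, the sample users JSMITH and BDOE, and the `APPROVED` allowlist are assumptions constructed for illustration.

```python
# Added example: models the routing rule stated in this article.
# The dict layouts and the APPROVED allowlist are constructed for illustration;
# they are not an Automic export format or API.

SAML_KEYS = {"SUPPORT"}                      # key names in UC_SAML_SETTINGS
LDAP_VARS = {                                # UC_LDAP_* variables in client 0
    "UC_LDAP_SUPPORT": {},
    "UC_LDAP_SVC": {"DOMAIN_ALIAS": "SUPPORT"},
}
USERS = [                                    # constructed sample accounts
    {"name": "JSMITH/SUPPORT", "ldap_connection": True},
    {"name": "CALLAPI/SVC", "ldap_connection": True},
    {"name": "BDOE/SVC", "ldap_connection": True},
]
APPROVED = {"CALLAPI/SVC"}                   # hypothetical service-account allowlist


def split_user(full_name):
    """Split 'NAME/DEPARTMENT' and normalise both parts to upper case."""
    name, sep, dept = full_name.partition("/")
    if not sep or not name or not dept:
        raise ValueError(f"expected NAME/DEPARTMENT, got {full_name!r}")
    return name.upper(), dept.upper()


def login_path(user, saml_keys=SAML_KEYS, ldap_vars=LDAP_VARS):
    """Return 'SAML', 'LDAP' or 'OTHER' for one user record."""
    _, dept = split_user(user["name"])
    if dept in saml_keys:
        return "SAML"
    if user["ldap_connection"] and f"UC_LDAP_{dept}" in ldap_vars:
        return "LDAP"
    return "OTHER"


def unapproved_bypass(users=USERS, approved=APPROVED):
    """List accounts that authenticate by LDAP without SAML and are not allowlisted."""
    found = []
    for user in users:
        if login_path(user) == "LDAP":
            full = "/".join(split_user(user["name"]))
            if full not in approved:
                found.append(full)
    return found


if __name__ == "__main__":
    for u in USERS:
        print(u["name"], "->", login_path(u))
    print("unapproved SAML bypass:", unapproved_bypass())
```

With the sample data, CALLAPI/SVC is reported as LDAP-only and approved, while BDOE/SVC is flagged as an account that bypasses SAML without being on the allowlist.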