For a customer we want to make the portal accessible via the internet using the default authentication schema. This would also allow the admin user to log in from the internet. Are there options to restrict the admin user, or users with admin rights, to only log in from the internal network? Is it possible to implement MFA (Multi-Factor Authentication) within the default authentication schema? Or what would be considered best practice in this scenario? How do other customers handle login when the developer portal is exposed to the internet?
The Login API provides programmatic access to the Portal API (PAPI), allowing you to integrate login and authentication flows directly in your custom application.
Portal Admins and Org Admins can add other users to API Portal. Portal Admins can add users and can assign a role to them. Org Admins can add Developers and other Org Admins to their organization.
A Portal Admin can add users only if single sign-on (SSO) is disabled. If SSO is enabled, the Portal Admin cannot create users using API Portal and must instead use the SAML authentication scheme.
If Third-Party Registration is enabled, anonymous users can register themselves and their organization. API Portal automatically assigns these users the Org Admin role. Users cannot add themselves to an existing organization.
If the Registration Request Workflow for Third-Party Registration is also enabled:
1. The user completes the registration form.
2. The Portal Admin approves the registration request.
3. The user can complete the account setup form.
To integrate a Broadcom API Portal with a SAML provider that enforces MFA, you need to configure both the API Gateway and the API Portal to use SAML SSO, ensuring the SAML provider is configured to require MFA. This involves setting up the SAML provider (e.g., Azure AD, Okta) as an identity provider (IdP) and configuring the Broadcom API Gateway and Portal to act as the service provider (SP).