How to set up federated login for dev portal access to a company's apps by role


We would like to set up the Dev Portal to enable federated login such that the external firms using our APIs will manage their own developers’ identities used to log in to Apigee. I think we understand how to set up the federated login part, but I’m not sure how we associate the developer (or firm admin) to the firm and to a specific set of roles when they log in. In particular, our goal is to set up the firm and then be able to allow them to manage their own users so that:

  1. Each user added is automatically associated to their company
  2. When the user leaves the firm, the applications they created remain associated to the company and can be administered by another user from the same firm

This link looks like it sort of covers this idea: https://apidocs.apigee.com/api/companies-0

Ideally, what we want is for federation to handle all the onboarding and offboarding of users and their rights to apps and functions in the portal based on roles. The federated login process could provide a set of SAML assertions to Apigee that would associate the user to the company and the roles and applications he or she should have access to. This would mean that the firm would not need to do much user management in Apigee, but rather would manage that on their end by controlling the set of assertions provided for the user at login.

Put another way, I’d expect us to be able to create a “Company” and a set of roles for each firm we onboard without having to create a new user for the firm in the Dev Portal. The firm would simply provide the assertions in the authentication response from their IDP that indicate the firm maps to the “Company” we created and the user has one or more of the roles we created. One of those roles would be for a firm administrator who can create and delete apps, another would be for a developer authorized to work on some subset of apps for that firm, another role would cover a different subset of apps, and so on.

Is that possible? Are there any examples or documentation that would show how to set that up?
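As an added illustration of the mapping step the question describes (not Apigee's own code, and not tied to any Apigee API): a portal-side check that derives the Company from the trusted IdP issuer, cross-checks the company attribute in the assertion, and keeps only roles that the portal has defined for that Company. The issuer URL, the `company`/`role` attribute names, the role names and the sample assertion are all constructed assumptions; signature and audience validation are assumed to have been done by the SAML library before this step.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Portal-side registry (hypothetical values): which IdP issuer belongs to which
# Company, and which roles the portal has created for that Company.
COMPANY_BY_ISSUER = {"https://idp.acme.example/saml": "acme-corp"}
ROLES_BY_COMPANY = {"acme-corp": {"firm-admin", "dev-payments", "dev-reporting"}}

# Constructed sample assertion (abbreviated; signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.acme.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>jane@acme.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="company"><saml:AttributeValue>acme-corp</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>firm-admin</saml:AttributeValue>
      <saml:AttributeValue>dev-payments</saml:AttributeValue>
      <saml:AttributeValue>dev-unlisted</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(xml_text):
    """Return (issuer, subject NameID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    user = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return issuer, user, attrs


def map_to_portal_membership(xml_text):
    """Decide Company and roles for the login; raise ValueError if it must be refused."""
    issuer, user, attrs = extract_attributes(xml_text)
    # The Company comes from the trusted issuer, never from the assertion alone,
    # so one firm's IdP cannot place a user into another firm's Company.
    company = COMPANY_BY_ISSUER.get(issuer)
    if company is None:
        raise ValueError(f"untrusted issuer: {issuer}")
    if attrs.get("company", [None])[0] != company:
        raise ValueError("company attribute does not match the issuer's Company")
    # Unknown roles are silently dropped; a login with no recognised role is refused.
    roles = sorted(set(attrs.get("role", [])) & ROLES_BY_COMPANY[company])
    if not roles:
        raise ValueError(f"no recognised role for {user} in {company}")
    return {"user": user, "company": company, "roles": roles}
```

Because app ownership follows the Company rather than the user, removing `jane@acme.example` at the IdP stops her login without touching the apps, and another user with `firm-admin` from the same issuer can administer them.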
