According to the architecture of WSO2 API Cloud, all users need to be registered in the Cloud user store in order to consume API Cloud services. However, some organizations may want to connect their internal developers or API consumers (end-users) to API Cloud without explicitly adding them to the Cloud user store. In such cases, organizations can connect their internal identity providers and user stores to WSO2 API Cloud.
If you want to authenticate external users for Web UI access, do one of the following:
- Configure an External Identity Provider for API Cloud Authentication: You do this when you want the organization to link their IdP to WSO2 Identity Cloud to provide SSO-based authentication for API Cloud apps.
- Configure an On-Premise User Store for API Cloud Authentication: You do this when you want the organization to connect their local LDAP user stores to the API/Identity Cloud through the WSO2 Outbound Agent. This allows the organization to provide authentication for users in the LDAP, without sharing the credentials of the LDAP with WSO2 Cloud.
If you want to configure an external user store for authenticating API calls, do the following:
- Authenticate External Users for API Invocation: You do this when you want to authenticate subscribers who are not in the WSO2 Cloud user store.