Migrating users from another preferred identity provider

For additional security, CDP Private Cloud treats users with the same username from different identity providers as different users, even if they are the same people backed by the same user store. This prevents a user of one identity provider from unintentionally gaining access to the account of a different user who happens to have the same username in another identity provider. Therefore, if your CDP Private Cloud installation has been using LDAP as the default authentication method and you want to change the preferred identity provider type to SAML, and the LDAP and SAML identity providers share the same underlying database of users, ensure that you also migrate the affected users as described below.

Required role: Account administrator or PowerUser

Before you begin, ensure that:
  • You have cdp-cli client version 0.9.128 or later
  • You have an admin user access key and private key
  • The old and new identity providers share the same underlying database of users
  • The same users are configured with identical userId attributes across both identity providers
If these conditions are not met, unauthorized access may be granted after the migration if a new user shares the same username as an existing user.
  1. Configure SAML Identity Provider. Follow the instructions in Configuring your enterprise IdP to work with CDP as a service provider with SAML as your preferred authentication type.
  2. Delete duplicate users. If users have already logged in through SAML and were previously logged in through LDAP, delete the duplicate SAML users:
    1. Log in to the CDP Private Cloud Management Console as a local admin using the following URL format: https://[***MANAGEMENT CONSOLE URL***]/authenticate/login/local (Example: https://console-cdp.apps.domain.com/authenticate/login/local).
    2. Navigate to User Management > Users.
    3. Locate users whose username ends in an underscore followed by a number (the suffix CDP adds to the duplicate SAML account), click the three-dot menu on the right, and delete these users.
  3. Migrate users using cdp-cli.
    1. Download and configure the cdp-cli client (version 0.9.128 or later). For setup instructions, see Setting up CDP-CLI; for the official cdp-cli documentation, see the CDP-CLI User Guide.
    2. Run the following command to migrate users from the LDAP identity provider to the SAML identity provider:
      cdpcli --endpoint-url <Management_Console_URL> iam migrate-users-to-identity-provider --original-provider-name cm-ldap --new-provider-name cm-saml
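The following script is an added example and is not part of the Cloudera documentation or the cdp-cli tool. It shows a pre-migration check for step 2: given a list of usernames (here a constructed sample; in practice an export of the names shown under User Management > Users, one per line, which is an assumption about how you obtain them), it flags the accounts carrying the underscore-and-number suffix that must be deleted before the migration, recovers the original username each one duplicates, and then prints the migration command for a placeholder Management Console endpoint using the provider names from the procedure above.

```shell
#!/bin/sh
# Added example, not Cloudera's tooling: flag duplicate SAML accounts
# (username_<number>) before running the LDAP-to-SAML user migration.

# Constructed sample list: three original users and two suffixed duplicates.
SAMPLE_USERS="alice
bob
alice_1
carol
bob_2"

# Print every username that ends in _<digits>, one per line.
find_suffixed_users() {
    printf '%s\n' "$1" | grep -E '_[0-9]+$'
}

# Strip the numeric suffix to recover the username it duplicates.
base_username() {
    printf '%s\n' "$1" | sed -E 's/_[0-9]+$//'
}

# Count how many suffixed (duplicate) accounts the list contains.
# grep -c prints 0 and exits non-zero when nothing matches, so the
# count is echoed through to keep the function's exit status at 0.
count_suffixed_users() {
    n=$(printf '%s\n' "$1" | grep -c -E '_[0-9]+$' || true)
    echo "$n"
}

# Build the migration command from the page for a given endpoint URL.
# The endpoint is a placeholder; provider names are those used on the page.
migrate_command() {
    printf 'cdpcli --endpoint-url %s iam migrate-users-to-identity-provider --original-provider-name cm-ldap --new-provider-name cm-saml\n' "$1"
}

# Stand-alone run: report duplicates, then show the command that follows cleanup.
main() {
    n=$(count_suffixed_users "$SAMPLE_USERS")
    if [ "$n" -gt 0 ]; then
        echo "Delete these $n duplicate SAML users before migrating:"
        find_suffixed_users "$SAMPLE_USERS" | while read -r u; do
            echo "  $u  (duplicate of $(base_username "$u"))"
        done
    else
        echo "No duplicate users found."
    fi
    echo "Then run:"
    migrate_command "https://console-cdp.example.com"   # placeholder endpoint
}
main
```

Run the check against a real export only after step 1 (SAML configured) and before step 3; a non-zero count means step 2 is still outstanding, since migrating while duplicates exist leaves two accounts claiming the same person.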