Connecting to an external identity provider for authentication
IBM Cloud offers multiple options for integrating with an external identity provider. For more information, see "Which is the right federation option for you?" This topic describes two of those options: using the IBM Cloud SAML service provider (SP), and using App ID, to connect to an external identity provider.
Configuring IBM Cloud SAML service provider (SP) and IAM to use single sign-on (SSO)
You can integrate with your external identity provider (IdP) to securely authenticate external users to your IBM Cloud® account. By using your IdP, you can provide a way for users in your company to use single sign-on (SSO). You can connect your cloud account to an external IdP by using the IBM Cloud SAML service provider (SP).
To configure IBM Cloud SAML service provider (SP), do the following steps:
- Configure the integration by doing the steps in the following topic: Federating with the IBM Cloud SAML service provider (SP).
- Get the Realm ID for your identity provider.
  Click Manage Access (IAM), and then click Identity providers. Identify your provider, open its detail page, and copy the Realm ID.
- Ensure that you have an IBM OpenPages instance. If you need to create an IBM OpenPages instance, see Provisioning your IBM OpenPages as a Service environment.
  You can integrate more than one IBM OpenPages instance in this account with the same Custom identity provider.
  Open a support case for each IBM OpenPages instance to request the Custom identity provider integration, and include in the case the IBM OpenPages instance CRN and the Realm ID that you copied in the previous step. For more information on creating the case, see Creating support cases.
  After the IBM Cloud team addresses the support case and closes it, the Custom identity provider integration for the provided IBM OpenPages instance CRN is complete.
Onboarding users
The following options are available to give users access to IBM OpenPages:
- Configure dynamic rules to automatically assign users to an access group where the IBM OpenPages access is granted by an IBM Cloud IAM role, and where the role templates from IBM OpenPages are assigned.
- When users log in to the IBM OpenPages instance successfully, they are added to IBM Cloud IAM. Next, give the users access to IBM OpenPages. For more information, see Managing IAM access for IBM OpenPages.
Results
- For users to access their IBM OpenPages instance, they must follow the steps in the IBM OpenPages UI.
- When users launch their IBM OpenPages instance, they are redirected to their Custom identity provider for authentication, and after successful authentication they are logged in to IBM OpenPages.
Configuring trusted profile
- By using trusted profiles, you can give federated users conditional access, which establishes a flexible, secure way for them to access the IBM OpenPages resources that they need to do their job. To configure trusted profiles, follow the steps in Managing access for federated users by using trusted profiles.
Configuring App ID and IAM
You can connect your external identity provider to an IBM Cloud® App ID instance, and then configure that App ID instance to connect directly to IBM Cloud® Identity and Access Management (IAM) to federate the authentication of an enterprise's users to an IBM Cloud® account.
To configure App ID, do the following steps:
- Configure the integration by doing the steps in the following topic: Configuring App ID with your identity provider.
  The topic discusses watsonx, but the steps are the same for IBM OpenPages.
- Get the Realm ID for your identity provider.
  Click Manage Access (IAM), and then click Identity providers. Identify your provider, and copy the Realm ID.
- Ensure that you have an IBM OpenPages instance. If you need to create an IBM OpenPages instance, see Provisioning your IBM OpenPages as a Service environment.
  You can integrate more than one IBM OpenPages instance in this account with the same Custom identity provider.
  Open a support case for each IBM OpenPages instance to request the Custom identity provider integration, and include in the case the IBM OpenPages instance CRN and the Realm ID that you copied in the previous step. For more information on creating the case, see Creating support cases.
  After the IBM Cloud team addresses the support case and closes it, the Custom identity provider integration for the provided IBM OpenPages instance CRN is complete.
Onboarding users
The following options are available to give users access to IBM OpenPages:
- Configure dynamic rules to automatically assign users to an access group where the IBM OpenPages access is granted by an IBM Cloud IAM role, and where the role templates from IBM OpenPages are assigned.
- When users log in to the IBM OpenPages instance successfully, they are added to IBM Cloud IAM. Next, give the users access to IBM OpenPages. For more information, see Managing IAM access for IBM OpenPages.
Results
- For users to access their IBM OpenPages instance, they must follow the steps in the IBM OpenPages UI.
- When users launch their IBM OpenPages instance, they are redirected to their Custom identity provider for authentication, and after successful authentication they are logged in to IBM OpenPages.