IBM Cloud Docs
Masking your data in watsonx.data on IBM Cloud with IBM Knowledge Catalog on software

This topic describes how to integrate Azure Active Directory (Azure AD) as a SAML identity provider with watsonx.data on IBM Cloud. You can configure Azure Active Directory (now Microsoft Entra ID) as your SAML identity provider to enable single sign-on (SSO) for watsonx.data on IBM Cloud.

Before you begin

To enable IKC integration, ensure that the following prerequisites are met:

  • A working watsonx.data instance on IBM Cloud.
  • Access to IBM Software Hub.
  • IBM Knowledge Catalog (IKC) service on IBM Software Hub.
  • Subscription to Microsoft Azure.

Configuring Azure Active Directory application on IBM Software Hub

  1. Complete the configuration steps in the Microsoft Azure portal and save the Federation Metadata XML to your local drive.

When you upload the Federation Metadata XML configuration to watsonx.data on IBM Software Hub, update the token attribute-mapping fields such as Email, Family name, Given name, Groups, and Sub with the following values:

Configuring Azure Active Directory application on IBM Cloud

Retrieving the SAML metadata file from your watsonx.data on IBM Cloud

  1. Log in to your IBM Cloud account.

  2. Go to Manage > Access (IAM) > Identity providers in the IBM Cloud console.

  3. Click Add and select IBM Cloud SAML as the provider type.

  4. Enter a name for the provider (for example, Azure AD).

  5. In the Service Provider section, all fields are pre-populated. Click View advanced settings and clear the Authentication context selection.

  6. Click Save.

  7. Click Download configuration to download the metadata service provider configuration.

Configuring Azure Active Directory application

  1. Log in to your Azure portal. Select the Manage Microsoft Entra ID tile and click View.

  2. From the left menu, select Enterprise applications.

  3. Click New application.

  4. In the search bar, search for IBMid.

  5. Select IBMid from the results and click Create. The Overview page opens.

  6. Add users and groups to your application:

    1. On the Overview page, select the 1. Assign users and groups tile from the Getting started section.

    2. Click Add user/group.

    3. On the Add assignment page, under Users and groups, click None selected. The list of users and groups opens in a Users and groups window.

    4. Select the users and groups that you want to add to your application from the list, and click Select.

    5. On the Add assignment page, click Assign.

    6. Go back to your application overview.

  7. In the Getting Started section, select 2. Set up single sign-on.

  8. Click SAML. The Basic SAML Configuration page opens.

  9. At the top of the page, choose Upload metadata file.

  10. Browse to and upload the metadata service provider configuration file downloaded in Retrieving the SAML metadata file from your watsonx.data on IBM Cloud. This automatically populates the required configuration fields.

  11. On the Single Sign-On with SAML page, click Edit to modify the Attributes and Claims.

  12. Edit the Unique User Identifier value to user.email and save the details.

  13. Leave the remaining options unchanged. Under SAML Certificates, copy the URL from the Federation Metadata XML attribute.

  14. Open the copied URL in a new browser tab, copy the content, and save it as an XML file.

  15. Ensure that the user accounts in Entra ID have all required attributes populated (email, first name, last name, and display name).

Upload the Federation Metadata XML configuration to watsonx.data on IBM Cloud

Complete these steps from watsonx.data on IBM Cloud.

  1. Log in to your IBM Cloud account.

  2. Go to Manage > Access (IAM) > Identity providers in the IBM Cloud console.

  3. You should now be on the Identity Provider Details page.

  4. Upload the XML file created in Configuring Azure Active Directory application. This automatically populates the required fields.

  5. After uploading the XML file, if you encounter an issue with the IAM claim name in the assertion mapping section, map the SAML assertion http://schemas.microsoft.com/identity/claims/displayname to the IAM claim name.

  6. Click Verify to test the SAML connection between IBM Cloud (Service Provider) and Azure AD (Identity Provider).

  7. Authenticate when prompted and confirm that a Connection succeeded message is displayed.

  8. Once verification is successful, save the configuration. Leave the attribute mapping unchanged unless additional fields are required.

  9. After saving, navigate back to Identity providers from the left menu.

  10. Confirm that the Azure AD provider is listed, and toggle the Enable option to activate it.

  11. Copy the Login URL from the provider tile and share it with Azure AD users. Each user must authenticate at least once using this URL to be added to the IBM Cloud account.
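Before uploading the Federation Metadata XML file (step 4 above), it is worth checking that it contains what IBM Cloud IAM needs. The following Python script is an added example, not IBM's or Microsoft's code: it parses a metadata file and reports the entityID, the single sign-on endpoints, and the number of signing certificates, with warnings for anything missing or served over plain HTTP. It also lists which of the Entra ID default claim names are absent from a SAML assertion's attribute list, which is the first thing to check when the claim-name mapping in step 5 fails. The metadata embedded in the script is a constructed sample; the tenant id, hostnames and certificate body are placeholders, and the expected host suffix is an assumption that matches the global Entra ID cloud.

```python
"""Pre-upload sanity check for an Entra ID federation metadata XML file (added example)."""
import base64
import binascii
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample that only mimics the shape of Entra ID metadata. The tenant id,
# hostnames and certificate body (base64 of the text "CONSTRUCTED") are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>Q09OU1RSVUNURUQ=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Entra ID default claim names for the attributes IBM Cloud IAM maps (email, given name,
# family name, groups) plus the display-name claim referred to in the procedure above.
ENTRA_CLAIMS = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    "display_name": "http://schemas.microsoft.com/identity/claims/displayname",
}


def check_idp_metadata(xml_text, expected_host_suffix="microsoftonline.com"):
    """Return the fields IAM fills in from the file plus a list of warnings.

    expected_host_suffix is an assumption for the global Entra ID cloud; sovereign
    clouds use other hostnames, so pass the suffix that matches your tenant.
    """
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID"), "sso": {}, "signing_certs": 0, "warnings": []}
    warn = report["warnings"].append

    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        warn("root element is not a SAML 2.0 EntityDescriptor")
    if not report["entity_id"]:
        warn("entityID is missing")

    for el in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        binding, location = el.get("Binding"), el.get("Location", "")
        report["sso"][binding] = location
        url = urlparse(location)
        if url.scheme != "https":
            warn(f"SSO endpoint for {binding} is not https: {location}")
        if not (url.hostname or "").endswith(expected_host_suffix):
            warn(f"SSO endpoint host {url.hostname} does not end with {expected_host_suffix}")
    if SAML_POST not in report["sso"] and SAML_REDIRECT not in report["sso"]:
        warn("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")

    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # an encryption-only key cannot verify assertion signatures
        for cert in kd.findall(".//ds:X509Certificate", NS):
            body = "".join((cert.text or "").split())
            if not body:
                warn("empty X509Certificate element")
                continue
            try:
                base64.b64decode(body, validate=True)
                report["signing_certs"] += 1
            except binascii.Error:
                warn("X509Certificate element is not valid base64")
    if report["signing_certs"] == 0:
        warn("no signing certificate: IAM could not verify assertion signatures")
    return report


def missing_claims(attribute_names, required=ENTRA_CLAIMS):
    """Names of required attributes absent from a SAML assertion's attribute list."""
    present = set(attribute_names)
    return sorted(name for name, uri in required.items() if uri not in present)


if __name__ == "__main__":
    # Pass the saved metadata file as the first argument; otherwise the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for key, value in check_idp_metadata(text).items():
        print(f"{key}: {value}")
```

Run it as `python check_metadata.py federation-metadata.xml` on the file saved in step 14 of the Azure procedure; an empty warnings list means the file carries an entityID, HTTPS sign-on endpoints and a signing certificate, which are the inputs the Verify step depends on.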

Configure IKC in IBM® watsonx.data UI

  1. Log in to IBM® watsonx.data.

  2. From the left pane, go to Access control.

  3. Select the catalog to open the catalog details page.

  4. Go to the Integrations tab and click Integrate service.

  5. Enter the following details:

    Integrate service fields:

    Service: Select IBM Knowledge Catalog.
    Cluster type: Select Software.
    Supported catalogs: Select the applicable catalogs for IKC governance.
    IKC endpoint: Specify the Knowledge Catalog endpoint URL. For example, https:// .ibm.com.
    Username: Enter your username (ibmlhapikey_<EMAIL_ID>).
    Password: Specify the Zen API key. For more information, see Generating token.
    Port is SSL enabled: Use the toggle switch to enable or disable the SSL connection. Enabling SSL encrypts the connection to the IKC endpoint.
    Upload Certificate: If SSL is enabled:
      i. The Upload SSL certificate (.pem, .crt, .cert, or .cer) link is enabled.
      ii. Click the Upload SSL certificate (.pem, .crt, .cert, or .cer) link.
      iii. Browse to the SSL certificate and upload it.
    You can retrieve the certificate from the cluster where IKC is installed by opening its URL in a browser and following these steps:
      a. Click Not Secure in the address bar.
      b. Select Certificate details from the drop-down list.
      c. Switch from the General tab to the Details tab.
      d. Click Export to save the certificate.
    Test connection: Click the Test connection link to verify the connection. If the connection is successful, a success message is displayed.
  6. Click Integrate.

Generating a Keystore and a Key pair

  1. Log in to your IKC server by using SSH and run the following command to generate a new keystore file that contains a private key and a self-signed certificate.
keytool -genkey -keyalg RSA -alias ikcadmin -keystore ikc-admin-keystore.jks -storepass <store_password> -validity 365 -keysize 2048 -dname "CN=<Ikc FQDN>, OU=<Organizational Unit>, O=<Organization>, L=<City>, ST=<State>, C=<Country>"

Replace <store_password> with a strong password and <Ikc FQDN> with the server's FQDN (for example, ikc.example.com). Supply the Organizational Unit (OU), Organization (O), Location (L), State (ST), and Country (C) values in the -dname parameter as shown; if you omit -dname, keytool prompts for them.

Verify the masking functionality as per the rules in IKC

  1. Log in to IBM Knowledge Catalog.
  2. From the left pane, go to Governance > Rules.
  3. From the Rules page, verify that a rule corresponding to the data class of the column is defined. You can define a new rule by using the Add rule button.

The owner of the asset can see the unmasked data. To verify whether masking is functioning correctly, log in to watsonx.data as a user who is not the owner of the asset in IKC and query the asset.
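Comparing the two query results by eye works for a handful of columns; for a wider table it is easier to diff the owner's and the non-owner's result sets column by column. The following Python function is an added example, not IBM's code: given the same query's rows as returned to the owner and to a non-owner, and the set of columns that IKC rules are expected to mask, it reports columns that a rule should mask but whose values came back unchanged, and columns that changed although no rule covers them. The rows and the masked-column set are constructed sample data; the key column name is an assumption.

```python
"""Diff one query's results as the IKC asset owner and as a non-owner (added example)."""

# Constructed sample rows standing in for the output of the same SELECT run twice,
# once as the asset owner and once as a user who is not the owner.
OWNER_ROWS = [
    {"customer_id": 101, "email": "ana@example.com", "tax_id": "123-45-6789", "city": "Austin"},
    {"customer_id": 102, "email": "bo@example.com", "tax_id": None, "city": "Boise"},
]
NON_OWNER_ROWS = [
    {"customer_id": 101, "email": "XXXXXXXXXXXXXXX", "tax_id": "123-45-6789", "city": "Austin"},
    {"customer_id": 102, "email": "XXXXXXXXXXXXXX", "tax_id": None, "city": "Boise"},
]
# Columns that IKC rules are expected to mask for this asset (assumed for the sample).
MASKED_COLUMNS = {"email", "tax_id"}


def masking_gaps(owner_rows, other_rows, masked_columns, key="customer_id"):
    """Return (not_masked, unexpectedly_masked).

    not_masked: columns a rule should mask but whose non-owner value equals the
    owner's in at least one row. unexpectedly_masked: columns with no rule whose
    values differ. Rows are paired by position and must agree on the key column,
    which must itself be unmasked so that the pairing is meaningful. Null owner
    values are skipped: a masked null is indistinguishable from an unmasked null.
    """
    if len(owner_rows) != len(other_rows):
        raise ValueError(f"row count differs: {len(owner_rows)} vs {len(other_rows)}; "
                         "the query must return the same rows for both users")
    not_masked, unexpected = set(), set()
    for owner, other in zip(owner_rows, other_rows):
        if owner[key] != other[key]:
            raise ValueError(f"rows do not line up on {key}: {owner[key]} vs {other[key]}")
        for col, value in owner.items():
            if col == key or value is None:
                continue
            same = other.get(col) == value
            if col in masked_columns and same:
                not_masked.add(col)
            elif col not in masked_columns and not same:
                unexpected.add(col)
    return sorted(not_masked), sorted(unexpected)


if __name__ == "__main__":
    gaps, extra = masking_gaps(OWNER_ROWS, NON_OWNER_ROWS, MASKED_COLUMNS)
    print("columns a rule should mask but did not:", gaps or "none")
    print("columns masked without a matching rule:", extra or "none")
```

In the sample, tax_id comes back unchanged for the non-owner, so it is reported as a gap to investigate in Governance > Rules, while email is masked as expected. Rows with a null in a governed column do not contribute evidence either way, so a verification query should select rows where those columns are populated.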