September 30, 2019 By Anton Aleksandrov 3 min read

Integrate IBM Cloud App ID and IBM Cloud Identity.

For developers, setting up application security can be one of the hardest parts of creating an app. In most cases, developers prefer to focus on delivering the business value while leaving any security aspects to experts and specialized products.

There are quite a few well-known and trusted Identity and Access Management products on the market that you might already be familiar with, but today I’m going to focus on two of them: IBM Cloud App ID and IBM Cloud Identity.

What is IBM Cloud App ID?

IBM Cloud App ID is a cloud service that allows developers to easily add authentication and authorization capabilities to their applications while all the operational aspects of the service are handled by the IBM Cloud Platform.

App ID is intended for developers that don’t need or want to know anything about various security protocols. The service provides capabilities like Cloud Directory (a highly scalable user repository in the cloud), enterprise identity federation, social login, SSO, customizable Login Widget UI, flexible access controls and user profiles, multi-factor authentication, a set of open-sourced SDKs for easy app instrumentation, and more.

A major benefit of using App ID is the deep integration with other IBM Cloud components that creates a seamless experience for easy protection of cloud native applications, including IBM Cloud Kubernetes Service, Cloud Functions, Cloud Foundry, API Connect, Activity Tracker, and more.

What is IBM Cloud Identity?

IBM Cloud Identity is a service that allows you to connect your users (and things) to any application that you have running either inside or outside of the enterprise. That means anything from legacy apps running in your data center to the new cloud native applications you are building for multicloud environments.

Cloud Identity provides tools for developers but also makes it easy for administrators to configure access control policies that can be applied at runtime without modifying the underlying application. In addition to the capabilities you usually expect from an identity service, Cloud Identity provides advanced features like adaptive access, password-less authentication (e.g., FIDO2 and QR code based MFA), API protection, user governance, and more.

Configuring App ID to use an existing IBM Cloud Identity instance

So, the question that brought you to this blog: What if I already have an existing user repository in IBM Cloud Identity but I want to use App ID for all of the benefits that come from the integrated IBM Cloud experience? Or, what if I want to add more advanced authentication features, like password-less authentication, to my app?

The short answer—no problem! You can connect IBM Cloud App ID to your IBM Cloud Identity instance. Check out the following video tutorial and instructions to learn how to maximize the benefits of using both services to protect an application that runs on OpenShift with zero code changes or redeploys.

Recapping the steps

  1. Starting in the App ID dashboard:
    1. Go to SAML 2.0 Federation under Identity Providers.
    2. Specify the name you’d like to use for the provider.
    3. Click Download SAML Metadata file.
    4. Open the downloaded file.
    5. Note the entityID property under <EntityDescriptor> element.
    6. Note the Location property under <AssertionConsumerService> element.
  2. Switch to the Cloud Identity Dashboard:
    1. Make sure your Cloud Identity instance has at least one user you’ll be able to sign in with.
    2. Go to Applications and click Add application.
    3. Select a Custom Application type and give it a name.
    4. Go to the Sign-on tab.
    5. Copy the entityID value from 1.5 to the Provider ID box.
    6. Copy the Location value from 1.6 to the Assertion Consumer Service URL (HTTP-POST) box.
    7. Save your configuration and select users that are entitled to use this application.
    8. Switch back to the Sign-on tab.
    9. Note the Provider ID value on the right side of the screen.
    10. Note the Login URL on the right side of the screen.
    11. Note the Signing Certificate on the right side of the screen.
  3. Back in the App ID dashboard:
    1. Copy the Provider ID value from 2.9 to the entityID box.
    2. Copy the Login URL value from 2.10 to the Sign-in URL box.
    3. Copy the Signing Certificate value from 2.11 to the Primary Certificate box.
    4. Save your settings.
    5. Click the Test button to see everything working together.
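Steps 1.4 to 1.6 have you open the downloaded SP metadata and pick out two values by eye. The following script is an added example, not code from the original post or from App ID, that pulls those values out of the metadata programmatically and applies the checks worth making before pasting them into Cloud Identity: the entityID is present, the AssertionConsumerService uses the HTTP-POST binding (the box in step 2.6 is labelled HTTP-POST), and the Location is an https URL. The metadata XML embedded below is a constructed sample with placeholder entityID and URL values.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace and the ACS binding Cloud Identity expects
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like an SP metadata file (step 1.3);
# entityID and Location are placeholders, not real App ID values.
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="{MD_NS}" entityID="urn:example:appid-sp">
  <SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://sp.example.com/saml2/login-acs"
        index="0" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def extract_sp_settings(metadata_xml: str) -> dict:
    """Return the values steps 1.5 and 1.6 ask you to note, after
    checking that the metadata is usable for the Cloud Identity form."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    # Only HTTP-POST endpoints belong in the "(HTTP-POST)" box of step 2.6
    acs = [e for e in sp.findall(f"{{{MD_NS}}}AssertionConsumerService")
           if e.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService found")
    location = acs[0].get("Location")
    if not location or not location.startswith("https://"):
        raise ValueError(f"ACS Location must be https, got {location!r}")
    return {
        "entityID": entity_id,
        "acs_location": location,
        # the SP should require the IdP to sign its assertions
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    print(extract_sp_settings(SAMPLE_SP_METADATA))
```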

That’s it, you’re done! App ID is now integrated with Cloud Identity. So, you can start enjoying the superb experience of easily adding user authentication to your app, protecting applications running on Kubernetes or OpenShift clusters, getting administrative and authentication events in Activity Tracker, and more.

Feedback and resources

We’d love to hear from you with feedback and questions:

  • Reach out directly to the development team on Slack.
  • If you have technical questions about App ID, post your question on Stack Overflow and tag your question with ibm-appid.
  • For questions about the service and getting started instructions, use the IBM Developer Answers forum. Include the appid tag.
  • Open a support ticket in the IBM Cloud menu.

To learn more about the service and get started, check out the following links.
