Enabling Single Sign-on (SSO) for IBM FCI using SAML

SAML Web Browser Single-Sign-On (SSO) enables web applications to delegate user authentication to a SAML identity provider instead of a configured user registry.

About this task

Complete the following instructions to configure IBM FCI to allow users to sign in using SAML:

Procedure

  1. Set up Active Directory Services and Internet Information Services (IIS). For instructions, see Configuring Active Directory Services and IIS.
  2. Active Directory users only: Configure Active Directory Federation Services (AD FS). For instructions, see Configuring Active Directory Federation Services.

To configure SAML authentication:

  1. Edit the icp4d-override.yaml file and go to the security-auth securityAuthConfig section.
    • SAML_ENTRY_POINT: Specify the identity provider entry point. This is typically the URL provided by the identity provider for a user to log in. For example:
      'https://hostname/adfs/ls'
    • SAML_IDENTIFIERFORMAT: Specify the name identifier format to request from the identity provider. For example:
      'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
    • SAML_ISSUER: Specify the issuer string to supply to the identity provider. This identifies IBM FCI as a Service Provider to the identity provider. Typically this string is created by the identity provider specifically for IBM FCI. For example:
      'https://hostname/adfs/services/trust'
    • SAML_PROFILE_DISPLAYNAMEPROP: Specify the SAML profile property that maps to a user's display name. For example:
      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
    • SAML_PROFILE_EMAILPROP: Specify the SAML profile property that maps to a user's email address. For example:
      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    • SAML_PROFILE_GROUPSPROP: Specify the SAML profile property that maps to a user's groups. For example:
      'http://schemas.xmlsoap.org/claims/Group'
    • SAML_PROFILE_NAMEIDPROP: Specify the SAML profile property that maps to a user's ID. For example:
      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
    • SAML_ACCEPTED_CLOCK_SKEW: Specify the time in milliseconds of clock skew that is acceptable between client and server when checking the NotBefore and NotOnOrAfter assertion condition validity timestamps. Setting the value to -1 disables checking these conditions entirely, so an assertion is accepted regardless of its validity window.
    • SAML_DISABLEREQUESTEDAUTHNCONTEXT: If true, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.
  2. Scroll to the common-ui section at the end of the icp4d-override.yaml file. In the config section, change the following property to true.
    SAML_ENABLED: 'true'
    This shows a link on the Log in page for a user to authenticate through SSO.

    Save and exit the file.

  3. After you complete SAML configuration, verify that you can connect to the IBM FCI console using SAML. To do so, go to the IBM FCI Sign In page and then select the Sign in with your company ID link.
    https://fci_web_hostname

    Where fci_web_hostname is the Host value of the fci-common-ui-nginx route.

    Note: SAML credentials persist until the user closes the browser session. For example, if you log out of IBM FCI and select Sign in with your company ID again, you are not prompted to re-authenticate, because your session with the identity provider is still active.
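As an added illustration (not part of the IBM documentation or the IBM FCI product code) of how a setting such as SAML_ACCEPTED_CLOCK_SKEW is applied, the following Python checks the NotBefore and NotOnOrAfter attributes of a constructed SAML 2.0 Conditions element against a local clock and an accepted skew, including the -1 case that disables the check; the helper names and the sample timestamps are assumptions.

```python
# Added example, not IBM FCI code: applying an accepted-clock-skew setting
# to the NotBefore / NotOnOrAfter conditions of a SAML 2.0 assertion.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed sample: the Conditions element of a SAML 2.0 assertion
# with a five-minute validity window.
SAMPLE_CONDITIONS = (
    '<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>'
)


def parse_saml_time(value):
    """Parse the UTC xs:dateTime form (trailing Z) used in SAML assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def conditions_window(conditions_xml):
    """Return (NotBefore, NotOnOrAfter) as aware datetimes; None if an attribute is absent."""
    element = ET.fromstring(conditions_xml)
    not_before = element.get("NotBefore")
    not_on_or_after = element.get("NotOnOrAfter")
    return (
        parse_saml_time(not_before) if not_before else None,
        parse_saml_time(not_on_or_after) if not_on_or_after else None,
    )


def conditions_valid(conditions_xml, now_utc, accepted_clock_skew_ms):
    """Check the validity window at time now_utc (a UTC xs:dateTime string).

    accepted_clock_skew_ms == -1 disables the check entirely, so even an
    expired assertion passes; any other value lets the local clock be off by
    up to that many milliseconds in either direction.
    """
    if accepted_clock_skew_ms == -1:
        return True
    now = parse_saml_time(now_utc)
    not_before, not_on_or_after = conditions_window(conditions_xml)
    skew = timedelta(milliseconds=accepted_clock_skew_ms)
    if not_before is not None and now + skew < not_before:
        return False  # not yet valid, even allowing for skew
    if not_on_or_after is not None and now - skew >= not_on_or_after:
        return False  # expired, even allowing for skew (NotOnOrAfter is exclusive)
    return True
```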