Integrating with the Identity Management Service

Important: IBM Cloud Pak for Data Version 4.7 will reach end of support (EOS) on 31 July, 2025. For more information, see the Discontinuance of service announcement for IBM Cloud Pak for Data Version 4.X.

Upgrade to IBM Software Hub Version 5.1 before IBM Cloud Pak for Data Version 4.7 reaches end of support. For more information, see Upgrading IBM Software Hub in the IBM Software Hub Version 5.1 documentation.

By default, IBM Cloud Pak for Data user records are stored in an internal repository database. However, it is strongly recommended that you delegate authentication to an enterprise-grade identity provider, such as single sign-on (SSO) or LDAP, rather than keeping passwords in the internal repository.

If you use LDAP, you can choose between the following options:

Mechanism: LDAP integration provided by Cloud Pak for Data (deprecated)
  Benefits:
    • You can use LDAP with or without SAML SSO.
    • You can choose the level of integration with the LDAP server. You can use LDAP to:
        • Validate users' credentials
        • Manage access to the platform
  Drawbacks:
    • You can connect to a single LDAP server from each instance of Cloud Pak for Data.
    • This method is deprecated and will be removed in a future release.

Mechanism: LDAP integration provided by the IBM Cloud Pak foundational services Identity Management Service
  Benefits: The Identity Management Service supports:
    • A wide variety of LDAP servers
    • The ability to connect to multiple LDAP servers
    • More configuration options
  Drawbacks: There are no known drawbacks with this mechanism.

To use the LDAP integration provided by Cloud Pak for Data, see Connecting to your identity provider.

Who needs to complete this task?

Instance administrator: An instance administrator can complete this task.

When do you need to complete this task?
If you want to use the LDAP integration provided by the Identity Management Service, you must integrate Cloud Pak for Data with the Identity Management Service before you onboard users or create user groups.

When you integrate with the Identity Management Service, you delegate all authentication to the Identity Management Service. If you onboard users before you integrate with the Identity Management Service, existing users might not be able to log in to Cloud Pak for Data.

Before you begin

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

About this task

Important: Integrating with the Identity Management Service is irreversible. You cannot undo the integration yourself; if you need to reset Cloud Pak for Data to the previous state, contact IBM® Support.

Procedure

  1. Run the cpd-cli manage login-to-ocp command to log in to the cluster as a user with sufficient permissions to complete this task. For example:
    cpd-cli manage login-to-ocp \
    --username=${OCP_USERNAME} \
    --password=${OCP_PASSWORD} \
    --server=${OCP_URL}
    Tip: The login-to-ocp command takes the same input as the oc login command. Run oc login --help for details.
  2. Run the following command to integrate with the Identity Management Service:
    cpd-cli manage setup-iam-integration \
    --enable=true \
    --cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS}

    The command triggers a reconciliation in the Zen operator.

    It might take up to 20 minutes for the process to complete if the Identity Management Service needs to be started and configured.

  3. Wait for the setup-iam-integration command to return Succeeded.
  4. To confirm that the integration is complete, confirm that the following command returns true:
    oc get zenservice lite-cr \
    -n ${PROJECT_CPD_INST_OPERANDS} \
    -o jsonpath='{.spec.iamIntegration}'
  5. Get the name of the default platform administrator:
    oc get secret ibm-iam-bindinfo-platform-auth-idp-credentials \
    -n ${PROJECT_CPD_INST_OPERANDS} \
    -o jsonpath='{.data.admin_username}' | base64 --decode
  6. Get the initial password for the default platform administrator from the Identity Management Service:
    oc get secret ibm-iam-bindinfo-platform-auth-idp-credentials \
    -n ${PROJECT_CPD_INST_OPERANDS} \
    -o jsonpath='{.data.admin_password}' | base64 --decode
    Note: The password is printed in plain text on your terminal. Treat it as an initial secret: do not paste it into shared logs or tickets, and change it after the first login.
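The procedure above is normally run step by step. The following script is an added example, not part of the IBM documentation and not code shipped with cpd-cli, that runs steps 2 to 6 as one unit: it checks whether the integration is already enabled before running the irreversible setup-iam-integration command, polls the .spec.iamIntegration field with a timeout instead of waiting by hand, and writes the initial administrator password to a file that only the current user can read rather than printing it. It assumes that you have already completed step 1 (logged in to the cluster), that oc and cpd-cli are on PATH, that PROJECT_CPD_INST_OPERANDS is exported, and that cpd-cli exits non-zero when setup-iam-integration does not report Succeeded. The variables OC, CPD_CLI, CONFIRM_IRREVERSIBLE, ADMIN_CREDS_FILE and RUN_IAM_SETUP are this script's own, not cpd-cli options.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation or of cpd-cli: runs steps 2 to 6
# of the Identity Management Service integration procedure as one script.
# Assumptions: step 1 (cluster login) is done, oc and cpd-cli are on PATH,
# PROJECT_CPD_INST_OPERANDS is exported, and cpd-cli exits non-zero when
# setup-iam-integration does not report Succeeded. OC, CPD_CLI,
# CONFIRM_IRREVERSIBLE, ADMIN_CREDS_FILE and RUN_IAM_SETUP are this script's
# own knobs (hypothetical names), not cpd-cli options.

OC="${OC:-oc}"
CPD_CLI="${CPD_CLI:-cpd-cli}"

# Step 4 check: print the .spec.iamIntegration value of the ZenService
# ("true" once the integration is enabled; "false" or empty before that).
iam_integration_flag() {
  "$OC" get zenservice lite-cr \
    -n "${PROJECT_CPD_INST_OPERANDS:?export PROJECT_CPD_INST_OPERANDS first}" \
    -o jsonpath='{.spec.iamIntegration}' 2>/dev/null
}

# Steps 5 and 6: decode one field of the secret that holds the platform
# administrator credentials. $1 is admin_username or admin_password.
admin_credential() {
  "$OC" get secret ibm-iam-bindinfo-platform-auth-idp-credentials \
    -n "${PROJECT_CPD_INST_OPERANDS:?export PROJECT_CPD_INST_OPERANDS first}" \
    -o jsonpath="{.data.$1}" | base64 --decode
}

# Steps 3 and 4: poll until the flag reads "true". $1 = timeout in seconds
# (the docs say the reconciliation can take up to 20 minutes), $2 = seconds
# between polls. Returns 0 when the flag is true, 1 on timeout.
wait_for_iam_integration() {
  timeout="${1:-1200}"
  interval="${2:-30}"
  elapsed=0
  while [ "$elapsed" -le "$timeout" ]; do
    if [ "$(iam_integration_flag)" = "true" ]; then
      return 0
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  return 1
}

# Step 2: enable the integration. Because it cannot be undone, refuse to run
# unless the operator has explicitly confirmed it.
enable_iam_integration() {
  if [ "${CONFIRM_IRREVERSIBLE:-no}" != "yes" ]; then
    echo "refusing to run setup-iam-integration: it is irreversible; set CONFIRM_IRREVERSIBLE=yes" >&2
    return 2
  fi
  "$CPD_CLI" manage setup-iam-integration \
    --enable=true \
    --cpd_instance_ns="${PROJECT_CPD_INST_OPERANDS:?export PROJECT_CPD_INST_OPERANDS first}"
}

main() {
  if [ "$(iam_integration_flag)" = "true" ]; then
    echo "IAM integration is already enabled; skipping setup-iam-integration" >&2
  else
    enable_iam_integration || return $?
    wait_for_iam_integration 1200 30 || {
      echo "timed out waiting for spec.iamIntegration to become true" >&2
      return 1
    }
  fi
  # The username is not sensitive; the initial password is. Keep it out of the
  # terminal scrollback by writing it to a file readable only by the current user.
  umask 077
  out="${ADMIN_CREDS_FILE:-./cpd-admin-initial-password.txt}"
  admin_credential admin_password > "$out"
  echo "platform administrator: $(admin_credential admin_username)"
  echo "initial password written to $out; change it after the first login"
}

# Only run end to end when explicitly asked, so the functions can also be sourced.
if [ "${RUN_IAM_SETUP:-0}" = "1" ]; then
  main "$@"
fi
```

Run it as `CONFIRM_IRREVERSIBLE=yes RUN_IAM_SETUP=1 sh setup-iam.sh` after sourcing the installation environment variables. The pre-check on .spec.iamIntegration is what makes the script safe to re-run: because the integration cannot be undone, the irreversible command is only issued when the cluster is not already integrated.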

What to do next

After you integrate Cloud Pak for Data with the Identity Management Service:
  1. Determine whether you need to update the name of the default administrative user that is created by the Identity Management Service.
  2. Connect to your LDAP servers. For more information, see Configuring an LDAP connection in the IBM Cloud Pak foundational services documentation.