Configuring single sign-on with SAML using IdP APIs
This version of the documentation is no longer updated. For the latest information, see the following links:
- Continuous Delivery (CD) documentation
- Support Cycle-2 (SC-2) documentation
Metadata files are used for communication between your product and your enterprise SAML server.
Note: If you see a 404 error during SAML configuration, check with the administrator whether SAML is enabled for the Cloud Pak at the identity provider.
Before you configure single sign-on (SSO), you must configure a fully qualified domain name (FQDN) for accessing your cluster.
Note: If you are configuring SSO by using SAML, you must manually register the identity provider (IdP) by using the Identity provider APIs in the following scenarios:
- If you do not have an IdP registration.
- If you are installing foundational services for the first time.
- Regardless of whether SAML depends on LDAP.
To verify whether you have an IdP registration, see Get IdP registration by query.
To configure SSO, complete the following sequence of steps:
- Configure SAML and import the metadata that is sent by your enterprise SAML server by using the IdP V3 APIs.
- Export the metadata of your product to your enterprise SAML server. After you complete this task, a metadata file is downloaded. For more information, see SAML metadata export by using the samlmetadata API.
- Verify whether SAML was successfully configured.
- Configure the SAML connection with one of the following methods:
  - SAML with SCIM dependency: You can connect directly with the SAML IdP if it is SCIM-enabled. SCIM is supported to connect with the registered IdP and import users by using the IdP APIs. If you are manually registering SAML with a SCIM-enabled IdP, see SAML with SCIM dependency registration. Based on your requirements, you can update the values of the schema elements name, description, idp_type, scim_base_path, token_attribute_mappings, scim_attribute_mappings, and config. To understand the use of the schema elements, see Different schema elements.
  - SAML without any dependency: If you are using SAML without an LDAP dependency or a SCIM-enabled IdP, you can register the IdP by using SAML registration without any dependency. Based on your requirements, you can update the values of the schema elements name, description, and token_attribute_mappings. To understand the use of the schema elements, see Different schema elements.
  - SAML with LDAP dependency: Optional: Connect with an LDAP server and import the users who might use the SSO request. For more information, see Configuring LDAP connection. Note the following points:
    - You can also connect your product with the same LDAP server that your enterprise SAML server uses for authentication.
    - If you are connecting LDAP by using SAML, see SAML with LDAP dependency registration. Based on your requirements, you can update the values of the schema elements name, description, scim_base_path, token_attribute_mappings, and saml_ldap. To understand the use of the schema elements, see Different schema elements.
  - SAML with IdP-initiated login: You can configure SAML with IdP-initiated login so that the IdP starts the SAML SSO flow. Specify the IdP SSO URL, obtained from the IdP side, in the "login_page_url" parameter of the SAML IdP API to enable IdP-initiated SAML SSO.
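The registration methods above differ only in which schema elements they carry, and a mistake in the body is cheaper to catch before it reaches the IdP API than after. The following Python is an added example, not code from the original page or from the product: it assembles the registration body for each method, rejects a body that is missing an element or carries one the method does not use, and refuses a non-HTTPS value for scim_base_path or login_page_url. The element names come from the page; the JSON nesting (idp_config, protocol), the endpoint path /idprovider/v3/auth/idsource and the Bearer-token header are assumptions about the API shape, and every sample value is constructed.

```python
"""Build and sanity-check SAML IdP registration bodies for the IdP V3 API.

Added example, not the product's own code. Element names are from the page;
the JSON layout, the endpoint path and the auth header are assumptions.
"""
import json
import urllib.request
from urllib.parse import urlparse

# Schema elements each registration method lets you set (names from the page).
ELEMENTS_BY_METHOD = {
    "scim": {"name", "description", "idp_type", "scim_base_path",
             "token_attribute_mappings", "scim_attribute_mappings", "config"},
    "none": {"name", "description", "token_attribute_mappings"},
    "ldap": {"name", "description", "scim_base_path",
             "token_attribute_mappings", "saml_ldap"},
}


def _https_url(value, label):
    """Reject anything that is not an https:// URL with a host part."""
    parts = urlparse(str(value))
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{label} must be an https:// URL, got {value!r}")
    return value


def build_registration(method, elements, login_page_url=None):
    """Return the JSON body for one registration method.

    method: "scim", "none" or "ldap"; elements: dict of schema elements.
    login_page_url: IdP SSO URL for IdP-initiated login (optional).
    Raises ValueError on a malformed body so it never reaches the API.
    """
    allowed = ELEMENTS_BY_METHOD[method]
    present = set(elements)
    missing, extra = allowed - present, present - allowed
    if missing or extra:
        raise ValueError(f"{method}: missing={sorted(missing)} "
                         f"unexpected={sorted(extra)}")
    if not str(elements["name"]).strip():
        raise ValueError("name must not be empty")
    mappings = elements["token_attribute_mappings"]
    if not mappings or not all(isinstance(v, str) and v for v in mappings.values()):
        raise ValueError("token_attribute_mappings must map each claim to a "
                         "non-empty attribute name")
    if "scim_base_path" in elements:
        _https_url(elements["scim_base_path"], "scim_base_path")
    # Everything except name/description goes under idp_config (assumed nesting).
    idp_config = {k: v for k, v in elements.items()
                  if k not in ("name", "description")}
    if login_page_url is not None:
        idp_config["login_page_url"] = _https_url(login_page_url, "login_page_url")
    return {
        "name": elements["name"],
        "description": elements["description"],
        "protocol": "saml",        # assumed field name
        "idp_config": idp_config,  # assumed nesting
    }


def rejects(method, elements, login_page_url=None):
    """True if build_registration refuses the input (used for self-checks)."""
    try:
        build_registration(method, elements, login_page_url)
    except ValueError:
        return True
    return False


def register(console_url, access_token, body):
    """POST the body to the IdP V3 API (assumed path). TLS verification is
    left at urllib's default; do not disable it to get past certificate errors."""
    req = urllib.request.Request(
        console_url.rstrip("/") + "/idprovider/v3/auth/idsource",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample values (not from any real deployment).
SAMPLE_NO_DEPENDENCY = {
    "name": "corp-saml",
    "description": "Enterprise SAML IdP, no LDAP or SCIM dependency",
    "token_attribute_mappings": {"sub": "uid", "email": "mail", "groups": "memberOf"},
}
SAMPLE_LDAP = {
    "name": "corp-saml-ldap",
    "description": "SAML with LDAP dependency",
    "scim_base_path": "https://scim.example.com/v2",
    "token_attribute_mappings": {"sub": "uid"},
    "saml_ldap": "corp-ldap",  # assumed: identifies the LDAP connection
}

if __name__ == "__main__":
    body = build_registration("none", SAMPLE_NO_DEPENDENCY,
                              login_page_url="https://idp.example.com/sso/saml")
    print(json.dumps(body, indent=2))
```

Run it once with `build_registration` only and inspect the printed body before calling `register` with a real console URL and token; the checks are deliberately strict so that a typo in an element name or a plain-http IdP URL fails locally instead of producing a half-working registration.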