IM for your product platform users
Identity Management (IM) for platform users covers authentication, which is provided through OIDC and SAML.
Authentication
Your product uses WebSphere Liberty OpenID Connect (OIDC) 1.0 for authentication. It calls the standard OIDC endpoints /authorize and /token to run the OAuth 2.0 authorization-code flow. OIDC in Liberty can be configured with Lightweight Directory Access Protocol (LDAP), after which an LDAP user can authenticate to your product through the same OIDC endpoints. For single sign-on (SSO) based authentication, OIDC is configured with Security Assertion Markup Language (SAML) so that it can interact with your enterprise identity source.
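The authorization-code exchange against the /authorize and /token endpoints, as an added example that is not code from the product or from WebSphere Liberty. The issuer URL, client ID, redirect URI, the authorization code in the callback and the token reply are constructed assumptions so the script runs offline; the ID token is signed with HS256 under a shared demo key as a stand-in for the RS256/JWKS signature a real provider uses. The client-side checks (state, nonce, PKCE, pinned algorithm, issuer, audience, expiry) are the ones a console or API client should perform regardless of which provider is behind the endpoints.

```python
"""OIDC authorization-code flow: /authorize request, callback check,
/token request and ID-token validation. Example added for illustration;
URLs, IDs, key and server replies below are constructed, not real."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

ISSUER = "https://idp.example.com"                           # assumed issuer
CLIENT_ID = "console"                                        # assumed client ID
REDIRECT_URI = "https://console.example.com/auth/callback"   # assumed callback
DEMO_KEY = b"constructed-demo-key"                           # assumed HS256 key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_authorize_request():
    """Step 1: URL the browser is redirected to. state binds the callback to
    this session (CSRF), nonce binds the ID token to it (replay), and the PKCE
    challenge binds the code to this client (code interception)."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid",
              "state": state, "nonce": nonce,
              "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
              "code_challenge_method": "S256"}
    session = {"state": state, "nonce": nonce, "verifier": verifier}
    return f"{ISSUER}/authorize?{urlencode(params)}", session

def pkce_challenge_matches(url, session):
    """True if the challenge in the URL is SHA-256 of the stored verifier."""
    q = parse_qs(urlparse(url).query)
    return b64url_decode(q["code_challenge"][0]) == hashlib.sha256(session["verifier"].encode()).digest()

def parse_callback(callback_url, session):
    """Step 2: the browser returns ?code=...&state=...; reject a state mismatch
    before touching the code."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "code" not in q:
        raise ValueError(q.get("error", ["no code in callback"])[0])
    return q["code"][0]

def build_token_request(code, session):
    """Step 3: body of the back-channel POST to /token, carrying the PKCE verifier."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": session["verifier"]}

def verify_id_token(id_token, session, key, now=None):
    """Step 4: pin the algorithm, check the signature, then iss/aud/exp/nonce."""
    h, p, s = id_token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # never trust the token's own alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER: raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID: raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now: raise ValueError("token expired")
    if claims.get("nonce") != session["nonce"]: raise ValueError("nonce mismatch")
    return claims

def fake_token_response(session, key, sub="alice", alg="HS256", now=None):
    """Constructed stand-in for the /token reply; alg='none' forges an unsigned token."""
    now = time.time() if now is None else now
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "iat": now,
                                 "exp": now + 300, "nonce": session["nonce"]}).encode())
    sig = "" if alg == "none" else b64url(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
            "id_token": f"{header}.{payload}.{sig}"}

def rejects(fn, *args):
    """True if fn(*args) raises ValueError (used to show the negative paths)."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True

def run_flow(key=DEMO_KEY):
    """End-to-end happy path over the constructed callback and token reply."""
    url, session = build_authorize_request()
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={session['state']}"  # constructed
    code = parse_callback(callback, session)
    build_token_request(code, session)          # would be POSTed to ISSUER + "/token"
    return verify_id_token(fake_token_response(session, key)["id_token"], session, key)

if __name__ == "__main__":
    print(run_flow()["sub"])
```

The access token in the reply is the bearer token presented on later API calls; the ID token is what the client validates to learn who logged in. Because the demo pins HS256, a token whose header says "none" or any other algorithm is rejected before the signature is examined, which is the check that defeats algorithm-confusion attacks.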
Authentication protocols supported
Your product supports the following two authentication protocols:
- OIDC-based authentication
- SAML-based federated authentication
OIDC and SAML are both used for SSO with your product but for different purposes.
Your product is an OIDC identity provider that provides authentication and authorization services to your product console and APIs. It works with one or more LDAP providers: the user ID and password are verified against the LDAP service, and the OIDC provider then issues an access token for subsequent requests to your product services.
Your product can also be configured as a SAML service provider, which allows federated authentication with an external SAML 2.0 identity provider. When SSO is configured, your product redirects the console browser to the third-party login page; after the identity provider returns the SAML assertion, the product's OIDC provider issues the bearer token that the console uses for subsequent requests.
The OIDC-based authentication service is the default authentication service in your product. If required, you can configure a SAML server to provide federated authentication.
OIDC-based authentication
You must configure and connect an LDAP directory with your product cluster; doing so requires the cluster administrator, Cloud Pak administrator, or administrator access level. For more information, see Configuring LDAP connection. You must set up the LDAP connection before you create a team and add users to it. Only LDAP users who are assigned to a team can log in to the console.