Configuring authentication

As the account admin, you can decide whether users can choose their own authentication method based on what is enabled for the account. This option is only visible when multiple authentication tabs are visible and multiple authentication methods are enabled. If you let individual users choose their own form of authentication, they can make this choice when they log in for the first time and can also change it on the Security tab of their profile settings. The option does not show up for users unless you enable it.

You can override this setting for individual users on the User management tab and restrict a specific user to a specific authentication method, even if the user has not yet accepted an invitation.

Authentication methods

IBM Blueworks Live supports three authentication methods to help organizations manage secure access based on their needs. The following table shows the available options and choose the most appropriate method for your environment.

Method Description Recommendation to use
IBMid authentication Users log in with their IBMid credentials, commonly used across IBM Cloud® services. IBMid (default).
Blueworks Live authentication Users are authenticated by using credentials that are managed within Blueworks Live. Teams needing internal user management without IBMid.
Single sign-on (SSO) Users can log in by using corporate credentials. You can use SSO through IBMid Federation to log in to Blueworks Live.

Enabling Just-in-time (JIT) provisioning

JIT provisioning means that users can be added dynamically to accounts that allow it. New users can join as Viewers without having to be invited to the account.

You can use JIT provisioning if you have an SSO account, or if you have an IBMid account that is federated against your organization's identity provider.

To enable JIT provisioning:
  1. In the Admin page, open the Settings > Security tab.
  2. In the Authentication section, click the IBMid tab or Single Sign-On (SAML 2.0) tab (if enabled).
  3. Switch the toggle for Enable Just-in-Time Provisioning. For IBMid, specify the IBMid realm that users authenticate against. The realm cannot be www.ibm.com and must be the federated realm for your organization. If you don't know your realm name, you can get it from the IBMid support team. The realm name is used only for your organization and ensures that users outside of your organization don't gain access to the account.