Identity Management (IM)

Learn how to manage security and access to your platform.

If you are using the IM operator service as part of an IBM Cloud Pak®, see the documentation for that IBM Cloud Pak® to learn more about how to install and use the operator service.

What's new for the IM service

Foundational services version 4.15:

Foundational services version 4.12:

  • Configuring certificate-based authentication: Authenticate to the IM service with a client certificate. First, import the signer or root (CA) certificate. Then, provide a personal certificate whose common name (CN) matches the CN configured for the user in the backend Lightweight Directory Access Protocol (LDAP) registry. For more information, see Configuring certificate-based authentication.

  • Configuring OIDC with a SCIM server dependency: From IBM Cloud Pak® foundational services v4.12, you can configure OIDC with the SCIMServer backend so that users and groups of the SCIM registry can log in with OIDC authentication. When you create a new OIDC connection in the UI, enable the This is a SCIM compliant identity provider option. For more information, see Configuring OIDC with a SCIMserver dependency.

  • Configuring the unified console: From IBM Cloud Pak® foundational services version 4.10, you can configure the unified console, including the zenFrontDoor option. For more information, see Configuring the unified console.

  • Support for custom attributes in token attribute mappings: You can add additional attributes to Token attribute mappings. Their values are later available as additional claims in the JWT idToken. Attribute names must consist of alphanumerics only; special characters and spaces are not allowed. For example, "additionalAttribute" : "attribute_value".
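
The certificate-based authentication item above depends on two facts about the personal certificate: it chains to the signer/root CA that you import first, and its subject CN equals the cn of the user's LDAP entry. The following script, added here as an example and not IBM's code, generates a throwaway CA, a personal certificate it issued, and a self-signed certificate with the same CN, then runs both checks with openssl. The LDAP cn value jdoe and the certificate names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not IBM's code: before importing certificates into IM, make the
# two checks that certificate-based authentication depends on. (1) The personal
# certificate must chain to the signer/root CA certificate that is imported
# first. (2) Its subject CN must equal the cn attribute of the user's entry in
# the backend LDAP registry. The CA, user and "rogue" certificates below are
# generated on the fly, and the LDAP cn value is constructed for the demo.
set -e

LDAP_CN="jdoe"          # assumption: cn of the LDAP entry the user should map to
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway root CA: stands in for the signer certificate you import into IM.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Demo Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Personal certificate issued by that CA, with the LDAP cn as its subject CN.
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$LDAP_CN/O=Example" \
  -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
openssl x509 -req -sha256 -days 1 -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/user.crt" 2>/dev/null

# Self-signed certificate with the *same* CN but not issued by the CA: a CN
# match alone must never be enough to authenticate.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=$LDAP_CN" -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null

# cert_cn FILE: print the subject CN of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# chains_to_ca CERT CA: succeed only if CERT verifies against CA.
chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_personal_cert CERT CA EXPECTED_CN: chain check first, CN check second.
check_personal_cert() {
  if ! chains_to_ca "$1" "$2"; then
    echo "reject: certificate does not chain to the imported CA"
    return 1
  fi
  cn="$(cert_cn "$1")"
  if [ "$cn" != "$3" ]; then
    echo "reject: subject CN '$cn' does not match LDAP cn '$3'"
    return 1
  fi
  echo "ok: CN '$cn' chains to the CA and matches LDAP"
}

check_personal_cert "$WORK/user.crt" "$WORK/ca.crt" "$LDAP_CN"
check_personal_cert "$WORK/rogue.crt" "$WORK/ca.crt" "$LDAP_CN" || true
```

The chain check runs before the CN comparison on purpose: the CN is chosen by whoever requested the certificate, so it identifies a user only once the issuer has been confirmed to be the CA that IM trusts.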

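The custom attribute item above states a naming rule (alphanumerics only) and says the values appear as extra claims in the JWT idToken. The following script, added here as an example and not IBM's code, checks candidate attribute names against that rule with an ASCII-only pattern, then mints a small HS256 id_token locally so that the additionalAttribute claim can be verified and read back. The signing key and the claim values are constructed for the demo; a real IM id_token is signed by the IM service, and you would verify it against IM's published keys rather than a shared secret.

```shell
#!/bin/sh
# Added example, not IBM's code. Checks Token attribute mapping names against
# the page's rule (alphanumerics only, no spaces or special characters) and
# shows how such an attribute surfaces as an extra claim in a JWT id_token.
# The token is HS256-signed with a constructed key only so the demo runs
# offline; IM signs real id_tokens with its own key.
set -e

# valid_attr_name NAME: succeed only if NAME is ASCII alphanumerics. The C
# locale keeps the bracket range from matching accented letters.
valid_attr_name() {
  printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[A-Za-z0-9]+$'
}

# b64url: base64url-encode stdin without padding (JWT encoding).
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# b64url_decode: inverse of b64url, restoring the stripped padding.
b64url_decode() {
  s="$(cat | tr '_-' '/+')"
  case $(( ${#s} % 4 )) in 2) s="$s==";; 3) s="$s=";; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# mint_id_token KEY PAYLOAD_JSON: build header.payload.signature with HS256.
mint_id_token() {
  header="$(printf '{"alg":"HS256","typ":"JWT"}' | b64url)"
  payload="$(printf '%s' "$2" | b64url)"
  sig="$(printf '%s.%s' "$header" "$payload" \
        | openssl dgst -sha256 -hmac "$1" -binary | b64url)"
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# verify_id_token KEY TOKEN: succeed only if the signature matches. (A plain
# string compare is fine for a demo; use a constant-time compare in production.)
verify_id_token() {
  h="$(printf '%s' "$2" | cut -d. -f1)"
  p="$(printf '%s' "$2" | cut -d. -f2)"
  s="$(printf '%s' "$2" | cut -d. -f3)"
  expected="$(printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -hmac "$1" -binary | b64url)"
  [ "$s" = "$expected" ]
}

# id_token_claim TOKEN NAME: print the value of string claim NAME from the
# payload. Only read claims from a token that verify_id_token has accepted.
id_token_claim() {
  printf '%s' "$1" | cut -d. -f2 | b64url_decode \
    | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Names as they would be typed into Token attribute mappings (constructed).
for name in additionalAttribute "additional attribute" "attr-1"; do
  if valid_attr_name "$name"; then echo "accept: $name"; else echo "reject: $name"; fi
done

KEY="constructed-demo-key"     # assumption: stand-in for the issuer's signing key
TOKEN="$(mint_id_token "$KEY" \
  '{"iss":"https://im.example.com","sub":"jdoe","additionalAttribute":"attribute_value"}')"
verify_id_token "$KEY" "$TOKEN" && echo "signature ok"
echo "additionalAttribute = $(id_token_claim "$TOKEN" additionalAttribute)"
```

The order of operations in the script is the one to keep in real code: verify the signature, then read the mapped claims. A claim that is present in an unverified token proves nothing about the identity provider's mapping.
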
Foundational services version 4.6.14:
  • Added platform-idauth route: From foundational services version 4.6.8, the platform-idauth route was not supported for ibm-iam-operator. From version 4.6.14 onward, the platform-idauth route is available again. To work around a performance issue with SAML authentication, you can use the platform-idauth route to reach the auth-service endpoints.

Previous versions

  • Support for custom mapping of the sub attribute in token_attribute_mapping: From foundational services version 4.9, you can set the sub attribute to custom values in token_attribute_mapping when you enable JIT for OIDC and SAML connections. The default value of the sub attribute is nameID for SAML connections and sub for OIDC connections.

  • Support for sub attribute mapping to onboard users: From foundational services version 4.9, you can update the sub attribute in token_attribute_mappings by using the console to onboard users directly to user groups. If you onboard users with the IdP V3 APIs, you must specify both the sub and subject attributes in token_attribute_mappings for the custom value of the sub attribute to take effect. If you do not specify the subject attribute, the default value of the sub attribute is used to onboard users.

  • Support for SCIM API in OpenID Connect (OIDC) with Just in Time (JIT) configuration: From foundational services version 4.9, you can configure the SCIM API for Users and Groups in OIDC with JIT configuration. For more information, see Configuring single sign-on using OpenID Connect (OIDC).

  • Support for mutual TLS authentication for LDAP configuration: From foundational services version 4.9, you can enable mutual TLS authentication between IM and the LDAP server when you configure an LDAP connection for the backend LDAP registry. To enable it, create the LDAP connection through the IdP v3 API with the ldap_tls_verify_client parameter set. For more information, see Configuring mutual TLS authentication between IM and LDAP server.