Configuring single sign-on (SSO) authentication
Blueworks Live incorporates IBMid authentication to the client organization's identity provider to enable SSO. You can set up SSO through IBMid Enterprise Federation so that users can log in to Blueworks Live by using the same credentials they use to log in to the organization. Federated authentication allows an organization's identity provider to handle all the users who are using IBM® web applications and cloud services.
Important: The former SSO authentication method with Blueworks Live SAML 2.0 is deprecated and is available for legacy configurations only. The following steps are for configuring SSO with IBMid Enterprise Federation.
When users use an email address or user ID from a federated domain, they are redirected back to the organization for authentication. The organization uses its own login page and security controls to secure the access. Configuring IBMid to use federated authentication does not require any changes to Blueworks Live.
To configure single sign-on to federate Blueworks Live accounts with IBM, follow these steps:
- Contact the Blueworks Live support team to request single sign-on (SSO) for your Blueworks Live account. The support team creates a temporary SSO test account to be used in step 8.
- Review the IBMid SSO configuration documentation and send your confirmation to support.
- After receiving confirmation, the IBMid Federation team sends you their Welcome template. It includes information about exchanging metadata files and IBMid federation requirements to create a trust.
- The IBMid Federation team sends environment-specific instructions for you to configure preproduction federation, for example: Instructions for AzureAD.
- Optional: If needed, you can request a call with the Blueworks Live support team, who will coordinate with the IBMid Federation team and your organization to arrange a suitable time for the call.
- Testing commences on IBM preproduction with your enterprise:
  - After the IBMid Federation team confirms that federation is set up in IBM preproduction, you can commence testing by accessing My IBM.
  - Enter your email address in the login screen, and you are redirected to your identity provider (IdP).
  - You can see the landing page.
- After testing is successfully completed, the IBMid team configures SSO on IBM production. The IBMid team can make production changes only on Tuesdays and Fridays of every week, so all production testing needs to be configured before one of those windows.
- Enable IBMid on your Blueworks Live test account from the Admin page, in the tab. For more information, see the IBMid authentication in Blueworks Live support page.
- If your test account login is successful, you can enable IBMid on your production account. An email is sent to notify users. You can decide to send it to all users or to admins only.
- Any user in your account who doesn't have an IBMid is given an IBMid automatically after the first login, as previously configured by the IBMid Federation team.
- Optional: If your Blueworks Live account has Viewer licenses enabled, you can enable Just In Time provisioning (JIT). If JIT is enabled, any new user is given permission to the account on demand without having to register to the account, if they have the URL to the process.
Troubleshooting
- If you experience login issues, check your access to the corporate network first.
- The email address that you use to log in to Blueworks Live must be the same as the email address that is listed in your Active Directory (AD).
- If you receive an error from IBMid, contact the IBMid support team.
- If you receive an error related to Blueworks Live, open a ticket with the Blueworks Live support team via the IBM support portal.
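A pre-cutover check for the email-match requirement above, as an added example that is not part of the IBM documentation: it compares Blueworks Live login emails with directory email values and flags users whose domain is not federated. The function names, status labels and sample addresses are constructed for illustration; this page does not state whether a case-only difference counts as a mismatch, so those addresses are flagged for review rather than passed.

```python
def check_login_emails(blueworks_emails, directory_emails, federated_domains):
    """Classify each Blueworks Live login email against directory email values.

    Statuses: "match", "differs_by_case_or_space", "not_in_directory",
    "domain_not_federated".
    """
    exact = set(directory_emails)
    normalized = {e.strip().lower() for e in directory_emails}
    domains = {d.strip().lower() for d in federated_domains}
    report = {}
    for email in blueworks_emails:
        norm = email.strip().lower()
        domain = norm.rpartition("@")[2]
        if domain not in domains:
            # Only federated domains are redirected to the organization's IdP.
            report[email] = "domain_not_federated"
        elif email in exact:
            report[email] = "match"
        elif norm in normalized:
            # Same mailbox, different spelling: review before cutover.
            report[email] = "differs_by_case_or_space"
        else:
            report[email] = "not_in_directory"
    return report


def needs_attention(report):
    """Emails an admin should fix or review before enabling IBMid."""
    return sorted(e for e, status in report.items() if status != "match")


# Constructed sample data (not real accounts and not a real export format).
BLUEWORKS_USERS = [
    "ana.silva@example.com",
    "Bo.Chen@example.com",
    "carol@example.com",
    "dev.contractor@partner.example.net",
]
DIRECTORY_MAIL = [
    "ana.silva@example.com",
    "bo.chen@example.com",
    "carol.jones@example.com",
]
FEDERATED_DOMAINS = ["example.com"]

if __name__ == "__main__":
    result = check_login_emails(BLUEWORKS_USERS, DIRECTORY_MAIL, FEDERATED_DOMAINS)
    for email in needs_attention(result):
        print(f"{result[email]:26} {email}")
```

Run it against the test account's user list first, then against the production account before IBMid is enabled there.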