Use the user interface to configure and enable Single-Sign-On in IBM® Cloud Pak System Software for Power®.
Before you begin
You must be assigned the Security administration role with permission to Manage security (Full permission) to perform these steps. Additionally, you must:
- Define external (LDAP) configuration parameters for the centralized Identity Provider (IdP) used for SSO.
- Ensure Cloud Pak System Software can successfully connect with the configured IdP.
- Define external (LDAP) user groups that correspond to identically named user groups in the IdP.
- Assign appropriate security role(s) to the external user groups defined for use with SSO.
About this task
Single-Sign-On (SSO) enables users to employ a single set of login credentials for authentication with multiple applications on multiple systems, avoiding the need to authenticate separately with each application or system. Cloud Pak System Software users initially authenticate (that is, log in) with a centralized Identity Provider (IdP). If the IdP authenticates them successfully, users are automatically authenticated to Cloud Pak System Software and can access its resources. When enabled, SSO is used only for external users, not local users. The following diagram illustrates the flow from the initial user request to a successful validation.
To configure and enable SSO:
Procedure
- To configure SSO, click Security and access > System Security.
- Expand Single-Sign-On (SSO) Settings.
- Click Browse and upload the IdP metadata XML file received from the Identity Provider. When the file has been selected, click Import. A message displays indicating a successful import.
- If the import of the IdP metadata file failed, try to import the metadata XML file again.
- If the IdP metadata file cannot be identified for some reason, the system allows you to replace the initially selected file with an existing metadata file: browse for the replacement file and select it in place of the original.
- (Optional) Set the Clock Skew by entering the desired time period. The default time period is 10 minutes.
- (Optional) Set the Digital Signature Settings: click Require Signed Assertion (enabled by default) and select an algorithm from the drop-down list (SHA256 is the default).
- Click the Enable SSO check box.
Note: SSO will be enforced upon enablement, and all SSO settings take effect immediately upon change. All LDAP settings will be locked, and creation of local users and user groups will be disabled. At least one external user group must be defined for SSO login. All external users will be required to use SSO login.
Results
After you have completed these steps, SSO has been configured.