Authenticating users with Single-Sign-On

Use the user interface to configure and enable Single-Sign-On in IBM® Cloud Pak System Software for Power®.

Before you begin

You must be assigned the Security administration role with permission to Manage security (Full permission) to perform these steps. Additionally, you must:
  • Define external (LDAP) configuration parameters for the centralized Identity Provider (IdP) used for SSO.
  • Ensure Cloud Pak System Software can successfully connect with the configured IdP.
  • Define external (LDAP) user groups that correspond to identically named user groups in the IdP.
  • Assign appropriate security role(s) to the external user groups defined for use with SSO.

About this task

Single-Sign-On (SSO) enables users to employ a single set of login credentials for authentication with multiple applications on multiple systems, avoiding the need to authenticate separately with each application or system. Cloud Pak System Software users initially log in with a centralized Identity Provider (IdP). Once the IdP has authenticated them, users are automatically signed in to Cloud Pak System Software and can access its resources. When enabled, SSO is used only for external users, not local users. The following diagram illustrates the flow from the initial user request to a successful validation.

To configure and enable SSO:

Procedure

  1. To configure SSO, click Security and access > System Security.
  2. Expand Single-Sign-On (SSO) Settings.
  3. Click Browse and upload the IdP metadata XML file received from the Identity Provider. When the file has been selected, click Import. A message displays indicating a successful import.
    1. If the import of the IdP metadata file fails, try to import the metadata XML file again.
    2. If the IdP metadata file cannot be identified, you can browse for a different metadata file and replace the one initially selected.
  4. Optional: Set the Clock Skew by entering the desired time period. The default is 10 minutes.
  5. Optional: Set the Digital Signature Settings by selecting Require Signed Assertion (enabled by default). Select a signature algorithm from the drop-down list (SHA256 is the default).
  6. Click the Enable SSO check box.
    Note: SSO will be enforced upon enablement and all SSO settings take effect immediately upon change. All LDAP settings will be locked and creation of local users and user groups will be disabled. At least one external user group must be defined for SSO login. All external users will be required to use SSO login.

Results

After you have completed these steps, SSO has been configured.