IM for IBM Cloud Pak for AIOps platform users
Identity Management (IM) for platform users covers authentication, which is provided through OpenID Connect (OIDC) and SAML.
Authentication
IBM Cloud Pak® for AIOps uses WebSphere Liberty OpenID Connect (OIDC) 1.0 for authentication. It uses the standard OIDC endpoints, /authorize and /token, to run the OAuth 2.0 exchange: the browser is sent to /authorize, and the resulting authorization code is exchanged for tokens at /token. OpenID Connect in Liberty can be configured with Lightweight Directory Access Protocol (LDAP), after which an LDAP user can authenticate to IBM Cloud Pak for AIOps through the same OIDC endpoints. For single sign-on (SSO) based authentication, OIDC is configured with Security Assertion Markup Language (SAML) to interact with your enterprise identity source.
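The exchange described above, written out as an added example of a generic OIDC relying party that is not part of this documentation or of the product's own code. The issuer URL, client ID, redirect URI and the shared HMAC key are assumptions made up for the example (a real deployment verifies ID tokens with the issuer's published signing keys); the provider is simulated in-process so the code runs offline. It shows the checks a client must make on the way through: the state value binds the /authorize callback to the browser session, the nonce binds the ID token to that login, and the issuer, audience, signature and expiry are verified before the token is trusted.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values: the real issuer, client registration and redirect URI
# come from your own deployment, not from this example.
ISSUER = "https://idp.example.com"
AUTHORIZE_URL = ISSUER + "/authorize"
TOKEN_URL = ISSUER + "/token"
CLIENT_ID = "aiops-console"
REDIRECT_URI = "https://console.example.com/callback"
DEMO_KEY = b"demo-shared-secret"   # stands in for the issuer's signing key


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_authorize_request():
    """Step 1: the URL the browser is sent to, plus the session values to keep."""
    state = secrets.token_urlsafe(16)   # ties the callback to this session (anti-CSRF)
    nonce = secrets.token_urlsafe(16)   # must come back inside the ID token (anti-replay)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid",
              "state": state, "nonce": nonce}
    return AUTHORIZE_URL + "?" + urlencode(params), {"state": state, "nonce": nonce}


def handle_callback(redirect_url, session):
    """Step 2: the provider redirects back with ?code=...&state=...; refuse the
    code unless state matches what this session stored."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback is not bound to this session")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"][0]


def build_token_request(code):
    """Step 3: form body POSTed server-to-server to the /token endpoint."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID}


def validate_id_token(id_token, session, key, now=None):
    """Step 4: verify the ID token before trusting any claim in it."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the algorithm; never let the token choose it
        raise ValueError("unexpected signing algorithm")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("ID token signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("token issued by the wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this client")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: token is not tied to this login")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def mint_demo_id_token(claims, key):
    """Constructed stand-in for the provider's /token response."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def demo_flow(now=1_700_000_000):
    """Run all four steps against a simulated provider; return the subject."""
    authorize_url, session = build_authorize_request()
    sent = parse_qs(urlparse(authorize_url).query)
    # Simulated provider: the user authenticates (against LDAP, in Cloud Pak for
    # AIOps) and the browser is redirected back with a code and the same state.
    redirect = REDIRECT_URI + "?" + urlencode({"code": "demo-code", "state": sent["state"][0]})
    code = handle_callback(redirect, session)
    token_request = build_token_request(code)
    assert token_request["grant_type"] == "authorization_code"
    # Simulated /token response, carrying the nonce from the authorize request.
    id_token = mint_demo_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                                   "nonce": sent["nonce"][0], "exp": now + 300}, DEMO_KEY)
    return validate_id_token(id_token, session, DEMO_KEY, now=now)["sub"]
```

The checks in handle_callback and validate_id_token are the part worth copying: a client that accepts any code presented to its callback, or any syntactically valid ID token, can be logged in as someone else through a crafted redirect.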
Authentication protocols supported
IBM Cloud Pak for AIOps supports the following two authentication protocols:
- OIDC-based authentication
- SAML-based federated authentication
OIDC and SAML are both used for SSO with IBM Cloud Pak for AIOps but for different purposes.
IBM Cloud Pak for AIOps acts as an OIDC identity provider that provides authentication and authorization for the IBM Cloud Pak for AIOps console and APIs. It works with one or more LDAP providers: the user ID and password are verified against the LDAP service, and the OIDC provider then issues an access token for subsequent requests to IBM Cloud Pak for AIOps services.
IBM Cloud Pak for AIOps can also be configured as a SAML service provider, which allows federated authentication with an external SAML 2.0 identity provider. When SSO is configured, the console redirects your browser to the third-party login page and, after the identity provider has authenticated you, the OIDC service issues a bearer token.
The OIDC-based authentication service is the default authentication service in IBM Cloud Pak for AIOps. If required, you can configure a SAML server to provide federated authentication.
OIDC-based authentication
You must configure and connect an LDAP directory to your product cluster, which requires cluster administrator, Cloud Pak administrator, or administrator access. For more information, see Configuring LDAP connection. Set up the LDAP connection before you create a team and add users to it: only LDAP users who are assigned to a team can log in to the console.