Integrating with the Identity Management Service

By default, IBM Cloud Pak for Data user records are stored in an internal repository database. However, it is strongly recommended that you use an enterprise-grade password management solution, such as single sign-on (SSO) or LDAP.

If you use LDAP, you can choose between the following options:

Mechanism Details

Mechanism	Details
LDAP integration provided by Cloud Pak for Data (deprecated)	When you install Cloud Pak for Data, the Identity Management Service is automatically enabled. If you want to use the LDAP integration provided by Cloud Pak for Data, see Configuring Cloud Pak for Data to use the embedded LDAP integration. After you configure Cloud Pak for Data to use the embedded LDAP integration, see Connecting to your identity provider. Benefits You can use LDAP with or without SAML SSO. You can choose the level of integration with the LDAP server. You can use LDAP to: Validate users' credentials Manage access to the platform Drawbacks You can connect to a single LDAP server from each instance of Cloud Pak for Data. This method is deprecated and will be removed in a future release.
LDAP integration provided by the IBM Cloud Pak foundational services Identity Management Service	When you install Cloud Pak for Data, the Identity Management Service is automatically enabled. However, if you upgrade from an older release of Cloud Pak for Data and the Identity Management Service is not enabled, you can use the `setup-iam-integration` command to integrate Cloud Pak for Data with the Identity Management Service provided by IBM Cloud Pak foundational services. Benefits The Identity Management Service supports: A wide variety of LDAP servers The ability to connect to multiple LDAP servers More configuration options Drawbacks There are no known drawbacks with this mechanism.

LDAP integration provided by Cloud Pak for Data (deprecated)

When you install Cloud Pak for Data, the Identity Management Service is automatically enabled. If you want to use the LDAP integration provided by Cloud Pak for Data, see Configuring Cloud Pak for Data to use the embedded LDAP integration.

After you configure Cloud Pak for Data to use the embedded LDAP integration, see Connecting to your identity provider.

Benefits

You can use LDAP with or without SAML SSO.

You can choose the level of integration with the LDAP server. You can use LDAP to:

Validate users' credentials
Manage access to the platform

Drawbacks

You can connect to a single LDAP server from each instance of Cloud Pak for Data.

This method is deprecated and will be removed in a future release.

LDAP integration provided by the IBM Cloud Pak foundational services Identity Management Service

When you install Cloud Pak for Data, the Identity Management Service is automatically enabled.

However, if you upgrade from an older release of Cloud Pak for Data and the Identity Management Service is not enabled, you can use the setup-iam-integration command to integrate Cloud Pak for Data with the Identity Management Service provided by IBM Cloud Pak foundational services.

Benefits

The Identity Management Service supports:

A wide variety of LDAP servers
The ability to connect to multiple LDAP servers
More configuration options

Drawbacks

There are no known drawbacks with this mechanism.

Who needs to complete this task?

Instance administrator An instance administrator can complete this task.

When do you need to complete this task?

Complete this task if you upgraded Cloud Pak for Data to Version 5.0 and you want to use the LDAP integration provided by the Identity Management Service.

If you installed Cloud Pak for Data Version 5.0, you don't need to complete this task. Cloud Pak for Data is already integrated with the Identity Management Service.

Before you begin

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

About this task

You can use the setup-iam-integration command to integrate Cloud Pak for Data with the Identity Management Service. When you integrate with the Identity Management Service, you delegate all authentication to the Identity Management Service.

If you onboard users before you integrate with the Identity Management Service, existing users might not be able to log in to Cloud Pak for Data.

Procedure

Log the cpd-cli in to the Red Hat® OpenShift® Container Platform cluster:
```
${CPDM_OC_LOGIN}
```
Remember: CPDM_OC_LOGIN is an alias for the cpd-cli manage login-to-ocp command.
Run the following command to integrate with the Identity Management Service:
```
cpd-cli manage setup-iam-integration \
--enable=true \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS}
```
The command triggers a reconciliation in the Zen operator.

It might take up to 20 minutes for the process to complete if the Identity Management Service needs to be started and configured.
Wait for the setup-iam-integration command to return Succeeded.

To confirm that the integration is complete, confirm that the following command returns true:

oc get zenservice lite-cr \
-n ${PROJECT_CPD_INST_OPERANDS} \
-o jsonpath='{.spec.iamIntegration}'

Get the name of the default platform administrator:

oc get secret ibm-iam-bindinfo-platform-auth-idp-credentials \
-n ${PROJECT_CPD_INST_OPERANDS} \
-o jsonpath='{.data.admin_username}' | base64 --decode;

Get the initial password for the default platform administrator from the Identity Management Service:

oc get secret ibm-iam-bindinfo-platform-auth-idp-credentials \
-n ${PROJECT_CPD_INST_OPERANDS} \
-o jsonpath='{.data.admin_password}' | base64 --decode;

What to do next

After you integrate Cloud Pak for Data with the Identity Management Service:

Determine whether you need to update name of the default administrative user that is created by the Identity Management Service.
Connect to your LDAP servers. For more information, see Configuring an LDAP connection in the IBM Cloud Pak foundational services documentation.