Configuring single sign-on using OpenID Connect (OIDC)

Using OIDC, you can configure single sign-on (SSO) between your product and supported providers.

OIDC is an authentication protocol layer that is built on the OAuth 2.0 protocol. It allows the third-party applications to:

The following steps represent the flow that happens during SSO configuration by using OIDC:

  1. A user attempts to access a service in your product through a web browser.

  2. Your product verifies whether an authentication token is present.

  3. If no authentication token is present, your product redirects the request for authentication to the third-party authorization server of the user.

  4. The authorization server presents a login page to the user.

  5. If the user logs in successfully, the authorization server redirects the user, along with the OIDC response, to your product.

  6. Your product generates an authentication token and grants access to the service that the user requested.

Configuring SSO in your product by using OIDC

See the following notes:

Before you begin

Log in to any of the following platforms by using the provided IdP links and register yourself in the application. During registration, use application URL as cp-console URL and redirect URL as https://<cp-console-url>/ibm/api/social-login/redirect/<name of the oidc>. Once you are registered, you can get the unique client ID, client secret and discovery_url endpoint. Currently, only these platforms are verified to register the OIDC by using the IdP V3 API.

Verified platforms to register OIDC provider using IdP V3
Platform IdP link
IBM Security Verify (ISV)
Note: Whenever you perform the attributes mapping through the OIDC provider in the ISV application, enable the Send all known user attributes in the ID token option. And, ISV groups must not contain spaces.
Google Cloud Platform


To configure SSO, complete the following sequence of steps:

  1. Register the OIDC clients. For more information, see Registering the OIDC clients.

  2. Open the Cloud Pak home page to verify whether the OIDC is successfully configured.

    Note: After the OIDC is successfully configured, you can log in to the cp-console. However, to log in to the Cloud Pak Platform and to get the OIDC successfully configured, first you need to onboard the OIDC users into the Cloud Pak Platform. Then, the OIDC users are able to log in to the Cloud Pak Platform.

  3. To authenticate, click the corresponding OIDC link in the Cloud Pak home page.

Granting an admin role to Cloud Pak Platform

Before you begin, onboard OIDC users into the Cloud Pak Platform.

Important: If you configure multiple authentication types (SAML, LDAP, and OIDC) in your cluster, and onboard same users to all the authentication types, the users might not be able to log in the first time by using OIDC. They might be able to log in the second time. To overcome the limitation, onboard users by following the instructions in Integrating IBM Cloud Pak SAML with Azure Active Directory.

Now, complete the following steps to grant an Admin role for Cloud Pak Platform. The procedure is based on the APIs.

  1. Configure environmental variables:

    1. Obtain an IM access token for the default admin user. For more information, see Preparing to run API commands.

    2. Set the HOST environment variable. To get the host value, run the following command:

      oc get route -n <your-foundational-services-namespace>

      Set the HOST to the cp-console route. For example, export HOST=<cp-console>.

    3. Set CPHOST to the cpd route with corresponding service name, ibm-nginx-svc. For example,

  2. Get the IBM Cloud Pak access token for the admin user.

    curl -ki -X GET 'https://'$CPHOST'/v1/preauth/validateAuth' --header 'username: admin' --header "iam-token: $TOKEN"
  3. Create a user group with the role that you want to assign to the user.

    curl -k -s  -X POST 'https://'$CPHOST'/usermgmt/v2/groups' \
    --header 'Content-Type: application/json'   \
    --header 'Accept: application/json'   \
    --header "Authorization: Bearer $CPTOKEN" \
    '{"name": "isv group",
    "description": "Group default ISV group",
    "role_identifiers": ["zen_user_role"]

    Note: To create an admin group, in "role_identifiers", specify the “zen_administrator_role”.

    Verify whether the group is listed, and get the group ID:

    curl -k -s  -X GET 'https://'$CPHOST'/usermgmt/v2/groups' \
    --header 'Content-Type: application/json'   \
    --header 'Accept: application/json'   \
    --header "Authorization: Bearer $CPTOKEN"
  4. Add the isv group into the user groups:

    curl -k -s  -X POST 'https://'$CPHOST'/usermgmt/v2/groups/<group_ID>/members' \
    --header 'Content-Type: application/json'   \
    --header 'Accept: application/json'   \
    --header "Authorization: Bearer $CPTOKEN" \
    "ldap_groups": ["admin"]

    In the command, the group_ID is the isv group ID that you got in the previous step.

    The configuration is complete.

  5. Verify whether the user who is a member of the isv group can log in to Cloud Pak Platform with proper permissions. To verify, open the Cloud Pak Platform in your browser by using the URL of $CPHOST.