Authentication types
You can configure multiple authentication types for single sign-on (SSO).
You can then access your IBM Cloud Pak® console by using the configured authentication type.
The following authentication types are supported:
- IBM provided credentials (admin only). The default authentication type that you configure during IBM Cloud Pak®
installation. This configuration is usually the Administrator username and password. The foundational services installer generates a password for the default username
admin
, which is a cluster administrator role. - Enterprise LDAP
- Enterprise SAML
- OpenShift authentication
- OpenID Connect username
Note: Multiple factor authentication (MFA) uses multiple authentication technologies to verify a user's identity. foundational services IAM supports MFA using the third-party identity provider MFA capability. If IAM is integrated with the third-party identity provider through SAML or OIDC, Cloud Pak can support MFA to authenticate users when the identity provider enables MFA.
After you install your IBM Cloud Pak®, when you access the console, you can see the login options that are available. You can see the login options only for the authentication types that are configured in your cluster. If you configure only the default authentication type (IBM provided credentials), you do not see any login option. You must then access your IBM Cloud Pak® console by using the default authentication type.
The console login cookie saves the authentication type that you select for 24 hours. When you access the login page within 24 hours, you see the login page for the same authentication type. You can choose another authentication type by clicking Change your authentication type.
Note: If you remove the Enterprise LDAP or disable Enterprise SAML configuration from your cluster, first clear the browser cache before you access the console login page.
Setting the preferred login options
When you configure multiple authentication types in your cluster, all the configured types are displayed on the console login page as authentication options.
If you want the console login page to display any one or a selected set of the configured login options, you can set the preferred login options.
To set the preferred login options before IM service installation, see setting the preferred login options in Configuring foundational services by editing the CommonService custom resource.
To set the preferred login options after IM service installation, complete these steps:
-
Log in to your infrastructure node by using the oc login command.
-
Edit the
platform-auth-idp
configmap.oc edit cm platform-auth-idp -n <your-foundational-services-namespace>
In the data section, you see the
PREFERRED_LOGIN
data definition, which has no values set by default. -
Add the login options that you want to display on the console page.
For example,
PREFERRED_LOGIN: "SAML","LDAP","OIDC"
. Use the following parameter values:- For default authentication, use
DEFAULT
- For enterprise LDAP, use
LDAP
- For enterprise SAML, use
SAML
- For OpenShift authentication, use
ROKS
- For OpenID Connect, use
OIDC
- For default authentication, use
-
Restart the
platform-identity-management
pod by deleting it.-
Get the platform-identity-management pod name.
oc get pods -n <your-foundational-services-namespace> | grep platform-identity-management
Following is a sample output:
platform-identity-management-785df784f5-qcx4z 1/1 Running 0 39d
-
Delete the platform-identity-management pod.
oc delete pod <platform-identity-management-pod-name> -n <your-foundational-services-namespace>
-
Restart the
common-web-ui
pod by deleting it.-
Get the common-web-ui pod name.
oc get pods -n <your-foundational-services-namespace> | grep common-web-ui
-
Delete the
common-web-ui
pod.oc delete pod <common-web-ui-pod-name> -n <your-foundational-services-namespace>
-
After the pods restart, your preferred login options are visible on the console login page.
-
Using foundational services IM for authentication
You can log in to the OpenShift Container Platform console by using your foundational services or the IBM Cloud Pak access credentials.