Authentication types

You can configure multiple authentication types for single sign-on (SSO).

You can then access your IBM Cloud Pak® console by using the configured authentication type.

The following authentication types are supported:

Note: Multi-factor authentication (MFA) uses multiple authentication technologies to verify a user's identity. Foundational services IAM supports MFA through the third-party identity provider's MFA capability. If IAM is integrated with the third-party identity provider through SAML or OIDC, Cloud Pak can support MFA to authenticate users when the identity provider enables MFA.

After you install your IBM Cloud Pak®, when you access the console, you can see the login options that are available. You can see the login options only for the authentication types that are configured in your cluster. If you configure only the default authentication type (IBM provided credentials), you do not see any login option. You must then access your IBM Cloud Pak® console by using the default authentication type.

The console login cookie saves the authentication type that you select for 24 hours. When you access the login page within 24 hours, you see the login page for the same authentication type. You can choose another authentication type by clicking Change your authentication type.

Note: If you remove the Enterprise LDAP or disable Enterprise SAML configuration from your cluster, first clear the browser cache before you access the console login page.

Setting the preferred login options

When you configure multiple authentication types in your cluster, all the configured types are displayed on the console login page as authentication options.

If you want the console login page to display any one or a selected set of the configured login options, you can set the preferred login options.

To set the preferred login options before IM service installation, see setting the preferred login options in Configuring foundational services by editing the CommonService custom resource.

To set the preferred login options after IM service installation, complete these steps:

  1. Log in to your infrastructure node by using the oc login command.

  2. Edit the platform-auth-idp configmap.

     oc edit cm platform-auth-idp -n <your-foundational-services-namespace>

     In the data section, you see the PREFERRED_LOGIN data definition, which has no values set by default.

  3. Add the login options that you want to display on the console page.

     For example, PREFERRED_LOGIN: "SAML","LDAP","OIDC". Use the following parameter values:

     • For default authentication, use DEFAULT
     • For enterprise LDAP, use LDAP
     • For enterprise SAML, use SAML
     • For OpenShift authentication, use ROKS
     • For OpenID Connect, use OIDC

  4. Restart the platform-identity-management pod by deleting it.

     1. Get the platform-identity-management pod name.

        oc get pods -n <your-foundational-services-namespace> | grep platform-identity-management

        Following is a sample output:

        platform-identity-management-785df784f5-qcx4z                          1/1     Running   0          39d

     2. Delete the platform-identity-management pod.

        oc delete pod <platform-identity-management-pod-name> -n <your-foundational-services-namespace>

  5. Restart the common-web-ui pod by deleting it.

     1. Get the common-web-ui pod name.

        oc get pods -n <your-foundational-services-namespace> | grep common-web-ui

     2. Delete the common-web-ui pod.

        oc delete pod <common-web-ui-pod-name> -n <your-foundational-services-namespace>

  After the pods restart, your preferred login options are visible on the console login page.
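The steps above as a script, added here as an example that is not from the IBM documentation: it rejects any PREFERRED_LOGIN value that is not a comma-separated list of the five documented, double-quoted option names, applies the value with oc patch instead of an interactive oc edit, and then deletes the two pods by the same name-prefix match the manual steps use. It assumes oc is on PATH and that you are already logged in; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Assumes `oc` is installed
# and already logged in to the cluster (step 1 of the procedure).

ALLOWED="DEFAULT LDAP SAML ROKS OIDC"   # option names documented for PREFERRED_LOGIN

# preferred_login_valid '"SAML","LDAP"' -> 0 if every comma-separated token is
# a double-quoted documented name, 1 otherwise (empty value, bare names,
# unknown names and trailing commas are all rejected).
preferred_login_valid() {
    rest=$1
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        case $rest in
            *,*) token=${rest%%,*}; rest=${rest#*,}; [ -n "$rest" ] || return 1 ;;
            *)   token=$rest; rest= ;;
        esac
        case $token in
            \"*\") token=${token#\"}; token=${token%\"} ;;   # strip the quotes
            *)     return 1 ;;                               # not quoted: malformed
        esac
        ok=1
        for name in $ALLOWED; do [ "$token" = "$name" ] && ok=0; done
        [ $ok -eq 0 ] || return 1
    done
    return 0
}

# preferred_login_patch VALUE -> JSON merge patch for the platform-auth-idp
# configmap; the inner double quotes must be escaped inside the JSON string.
preferred_login_patch() {
    escaped=$(printf '%s' "$1" | sed 's/"/\\"/g')
    printf '{"data":{"PREFERRED_LOGIN":"%s"}}' "$escaped"
}

# set_preferred_login NAMESPACE VALUE -> steps 2 to 5: patch the configmap,
# then delete the platform-identity-management and common-web-ui pods so
# they restart with the new value.
set_preferred_login() {
    ns=$1; value=$2
    preferred_login_valid "$value" || { echo "invalid PREFERRED_LOGIN: $value" >&2; return 1; }
    oc patch cm platform-auth-idp -n "$ns" --type merge \
        -p "$(preferred_login_patch "$value")" || return 1
    for prefix in platform-identity-management common-web-ui; do
        for pod in $(oc get pods -n "$ns" -o name | grep "pod/$prefix"); do
            oc delete "$pod" -n "$ns" || return 1
        done
    done
}
```

Call it as `set_preferred_login <your-foundational-services-namespace> '"SAML","LDAP","OIDC"'`; the single quotes keep the inner double quotes intact for the configmap.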

Using foundational services IM for authentication

You can log in to the OpenShift Container Platform console by using your foundational services or the IBM Cloud Pak access credentials.