Migrating identity management
Migrate Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).
Prerequisites
Back up IBM Cloud Pak foundational services.
Migrate SAML
Complete these steps to migrate the SAML component. Use the Identity Provider APIs.
- Log in to your Red Hat® OpenShift® Container Platform console.
- Confirm that SAML is not enabled in your new foundational services instance. Use the Getting SAML registration by UID API.
- Download the identity provider SAML metadata XML file of your old foundational services instance from the console. Use the SAML metadata export by using samlmetadata API.
- Configure single sign-on (SSO) for your new foundational services instance. For more information about the SAML SSO options, see Configuring single sign-on.
  Important: Make sure to use the identity provider SAML metadata of the old foundational services instance when you configure SSO for the new foundational services instance. Later in the configuration process, you must also download the SAML metadata XML file that your service provider provides.
- To restore SAML communication, update your new foundational services instance with the service provider SAML metadata information that you downloaded in a previous step. Follow these steps to update the SAML information:
  - Edit the SAML connection details on your Red Hat OpenShift Container Platform console and download the service provider metadata XML file.
  - Upload the service provider metadata XML file to the external identity provider.
The users that you registered in your old instance of foundational services must now be able to log in to the console of the new foundational services instance.
IBM Cloud Paks® must manually add users to their new IBM Cloud Pak® instances.
Migrate OIDC
Complete these steps to back up and restore the OIDC component. Use the Identity Provider APIs.
- Set up an OIDC provider for the new foundational services instance. For the supported OIDC providers, see register OIDC provider.
- Get information about the existing OIDC instances. Use the Getting the list of registered OIDC clients API.
- Delete the OIDC instance of the old foundational services instance. Use the Deleting the registration of the client API.
- Register the new OIDC instance that you set up in a previous step. Use the Registering the OIDC clients API.
- Add users to your IBM Cloud Pak® instance. For information about how to add users, see Onboarding OIDC users into the Cloud Pak Platform.
The OIDC option must now be available on your console login page.
Existing users can log in to the console.
Note: If you are using the OIDC curl commands to log in, make sure to use the access token from the new instance of foundational services. You can use the following command to get the access token. In the command, $username and $password are the admin credentials, $master_ip is the cp-console URL, and $router_https_port is 443.
# Request an access token with the resource owner password grant and print
# only the token value; --insecure skips TLS certificate verification of the
# cp-console endpoint.
curl -s -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
-d "grant_type=password&username=$username&password=$password&scope=openid" \
https://$master_ip:$router_https_port/idprovider/v1/auth/identitytoken --insecure \
| jq '.access_token' | tr -d '"'
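As an added example, not IBM's own script, the following is a hardened form of the token request above: credentials come from the environment instead of the command line, the form fields are URL-encoded so special characters in a password cannot corrupt the request body, the cp-console certificate is verified instead of skipped with --insecure, and the call fails if no token is returned. The variable names CP_USERNAME, CP_PASSWORD, CP_CONSOLE_HOST, CP_ROUTER_PORT and CP_CA_BUNDLE are assumptions for this example.

```shell
#!/bin/sh
# Added example (not IBM's script): hardened wrapper around the
# /idprovider/v1/auth/identitytoken request shown on this page.
# Assumed environment variables: CP_USERNAME, CP_PASSWORD, CP_CONSOLE_HOST,
# CP_ROUTER_PORT (defaults to 443) and CP_CA_BUNDLE (cp-console CA cert).

# Pull .access_token out of the JSON reply. Prefers jq, as the page's own
# command does, and falls back to sed for the flat response shape.
extract_access_token() {
    if command -v jq >/dev/null 2>&1; then
        printf '%s' "$1" | jq -r '.access_token // empty'
    else
        printf '%s' "$1" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
    fi
}

# Request a token from the NEW foundational services instance.
# --data-urlencode keeps '&', '%' or '=' in a password from breaking the
# form body; --cacert replaces --insecure so the server certificate is
# actually checked rather than accepting any endpoint that answers.
get_access_token() {
    host="$1"; port="${2:-443}"; ca_bundle="$3"
    response=$(curl -sS --cacert "$ca_bundle" \
        -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
        --data-urlencode "grant_type=password" \
        --data-urlencode "username=$CP_USERNAME" \
        --data-urlencode "password=$CP_PASSWORD" \
        --data-urlencode "scope=openid" \
        "https://$host:$port/idprovider/v1/auth/identitytoken") || return 1
    token=$(extract_access_token "$response")
    if [ -z "$token" ]; then
        echo "no access_token in response from $host" >&2
        return 1
    fi
    printf '%s\n' "$token"
}

# Only perform the request when the caller supplied connection details, so
# sourcing this file just for its functions has no side effects.
if [ -n "${CP_USERNAME-}" ] && [ -n "${CP_PASSWORD-}" ] && [ -n "${CP_CONSOLE_HOST-}" ]; then
    get_access_token "$CP_CONSOLE_HOST" "${CP_ROUTER_PORT:-443}" \
        "${CP_CA_BUNDLE:?set CP_CA_BUNDLE to the cp-console CA certificate file}"
fi
```

The token printed can then be used with the OIDC curl commands exactly as the original command's output would be.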