Configuring Microsoft Azure Entra ID authentication for Db2 Intelligence Center

Configure Microsoft Azure Entra ID as an identity provider to enable secure user authentication for IBM® Db2® Intelligence Center.

Before you begin

Ensure that you have access to:
  • Microsoft Azure Entra ID tenant
  • Azure portal

About this task

This task describes how to configure Microsoft Entra ID as an identity provider for authenticating users in IBM Db2 Intelligence Center. By integrating with Microsoft Entra ID, administrators can use centralized identity management, enable single sign-on, and enforce conditional access policies to enhance the security and manageability of the IBM Db2 Intelligence Center environment. You must have appropriate administrative privileges in both IBM Db2 Intelligence Center and the Microsoft Entra admin center to perform this task.

Procedure

  1. Register IBM Db2 Intelligence Center in Microsoft Entra ID
    1. Sign in to the Azure portal.
    2. Go to Microsoft Entra ID > App registrations.
    3. Click + New registration.
    4. Enter the following details:
      • Name: Enter IBM Db2 Intelligence Center in the name field.
      • Supported account types: Choose based on your requirement.
      • Redirect URL: Select Web from the drop-down and provide the following redirect URL:
        https://<DIC host name>:11091/dbapi/v4/callback
    5. Click Register.

  2. Copy the settings
    1. In your app registration, go to Overview.
    2. Copy the Application (client) ID and Directory (tenant) ID to a notepad.

  3. Create client secret
    1. Go to Certificates & secrets.
    2. Click + New client secret.
    3. Add a description and set the expiration period.
    4. Click Add and copy the secret value immediately.

  4. Configure API permissions (required for group role mapping only)
    1. Go to API permissions.
    2. Click + Add a permission.
    3. Select Microsoft Graph > Application permissions.
    4. Add Group.Read.All permission.
    5. Click Grant admin consent.

  5. Configure a custom API scope (required for group role mapping only)
    1. Go to Expose an API.
    2. Click + Add a scope.
    3. Click Save and continue.
    4. Provide Scope name and Admin consent display name as read.user.profile.
    5. Set Who can consent as Admins and users and provide an Admin consent description.
    6. Set State as Enabled.
    7. Click Add scope at the bottom.

  6. Token configuration (required for group role mapping only)
    1. Go to Token configuration.
    2. Click Add groups claim.
    3. Select the All groups option.
    4. Click Add at the bottom.

  7. Configure multiple app roles (required for app role mapping only)
    1. To add app user roles, go to Application role.
    2. Under Create app role, enter the user roles to be mapped for Console Admin, Database Admin, and Database User.

  8. Assign custom app roles to users/groups (required for app role mapping only)
    1. Go to Microsoft Entra ID > Enterprise applications.
    2. Select IBM Db2 Intelligence Center.
    3. Click Assign user and groups.
    4. Click + Add user/group.
    5. Select a user/group and assign any of the roles that were created in Configure app role.
    6. Click Assign to assign the IBM Db2 Intelligence Center role to that user.
      Note: Repeat these steps to assign roles to all the users of IBM Db2 Intelligence Center.

  9. Update IBM Db2 Intelligence Center configuration
    1. Log in to IBM Db2 Intelligence Center using the setup admin credentials.
    2. Click the Administration tab in the right panel.
    3. Click Authentication under User Management.
    4. Select Azure Entra ID and provide the Client ID, Tenant ID, and Client Secret generated from Step 2: Copy the settings and Step 3: Create client secret. If you select App Role Mapping, provide the app roles created in Entra ID. When mapping multiple roles to a single DIC role, separate them using a pipe (|). For Group Mapping, multiple groups can also be mapped to a single DIC role using the same separator.
    5. Click Save.
    6. If all the provided credentials are correct, the Entra app summary details can be viewed in the Authentication window.

  10. Test the authentication flow
    1. Sign out of IBM Db2 Intelligence Center. The Login to IBM Db2 Intelligence Center window opens.
    2. Click Sign in with Entra ID. You are redirected to the Microsoft page for authentication.
    3. After login, you are redirected back to the IBM Db2 Intelligence Center application.

Results

Microsoft Entra ID authentication for IBM Db2 Intelligence Center is successfully configured.
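
When a user can sign in but ends up with an unexpected role, compare the token's roles or groups claim with the pipe-separated mapping entered in step 9. The following Python code is an added example, not IBM's code and not the matching logic that IBM Db2 Intelligence Center itself uses; the Dic.* role values, the exact-match comparison, the function names, and the sample token are all assumptions constructed for illustration.

```python
import base64
import json

# Hypothetical mapping as typed into the Authentication page: each DIC role
# maps to one or more Entra app role values (or group IDs) separated by "|".
SAMPLE_MAPPING = {
    "Console Admin": "Dic.ConsoleAdmin|Dic.PlatformOps",
    "Database Admin": "Dic.DbAdmin",
    "Database User": "Dic.DbUser|Dic.Analyst",
}

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def matched_dic_roles(claims: dict, mapping: dict, claim: str = "roles") -> list:
    """Return every DIC role whose pipe-separated entry overlaps the claim."""
    if claim == "groups" and "groups" in claims.get("_claim_names", {}):
        # Entra ID drops the inline list when a user has too many groups and
        # points to Microsoft Graph instead (groups overage).
        raise LookupError("groups overage: no inline groups claim in token")
    held = set(claims.get(claim, []))
    matches = []
    for dic_role, entry in mapping.items():
        wanted = {v.strip() for v in entry.split("|") if v.strip()}
        if wanted & held:  # assumption: exact, case-sensitive match
            matches.append(dic_role)
    return matches

def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    return f"{_b64url({'alg': 'none'})}.{_b64url(claims)}."

if __name__ == "__main__":
    token = make_sample_token({"preferred_username": "alice@example.com",
                               "roles": ["Dic.PlatformOps", "Dic.Analyst"]})
    print(matched_dic_roles(jwt_claims(token), SAMPLE_MAPPING))
```

An empty result means none of the values in the mapping appear in the token, which usually points to a missing role assignment in step 8 or a typo in the mapping string.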