Federation FAQ

Why is IBM Enabling such "Federated Authentication" features on IBMid?

The IBM business is enabling enterprise federation capabilities for its customer identity system, IBMid, to support IBM customers by using security controls over their users' use of IBM cloud services. Such federated authentication capabilities are a standard feature of most cloud services in the industry, typically a firm requirement for most enterprises to even consider the adoption of a cloud service. See Introduction for more information.

What is the user experience for an IBM partner with federation enabled?

Users type their email address in the IBMid field just as they do today, and the IBMid interface will detect if they are a federated user and automatically send them to their enterprise authentication. See User Experience for more information.

How does an IBM partner sign up to enable enterprise federation?

To begin the enterprise federation onboarding process, please see the Onboarding Requirements for more information.

How does "federated authentication" change the actual users IBMid?

By default, any new IBMid account registration associated with the company’s email domain(s) are created automatically via the IBMid JIT (“Just-In-Time”) provisioning service and are always authenticated through the company’s identity provider (IdP). Any company’s IBMid user accounts which existed prior to establishing the IBMid EF configuration (and which use the standard IBMid native password-based authentication) can be converted to be authenticated by the company’s IdP at the company’s Enterprise Federation Business Owner option. Once the IBMid is converted to federated status, it will still have the same unique identifier however it will no longer have an IBMid password and must authenticate via the company’s identity provider SSO page. Please see Federation Management for more information.

Which identity providers do Enterprise Federation service support?

Any identity provider which supports SAML 2.0 might enable IBMid Enterprise Federation Service. Please see Technical Requirements for more information.

What attributes does Enterprise Federation service require?

To successfully authenticate with enterprise federation, IBMid requires the following mandatory attributes below (these attributes are case sensitive):
  • firstName
  • lastName
  • emailAddress
  • country

NOTE: For country, the expectation is to receive 2 characters per ISO Alpha-2 standard. (For example: US for United States, AU for Australia, GB for United Kingdom). Please see Technical Requirements for more information.

Who do I contact at IBM to resolve issues related to IBMid federated authentication?

You can simply open a case at https://www.ibm.com/mysupport and select the product option: IBMid Enterprise Federation and an Enterprise Federation Specialist will further assist you. Please see Enterprise Federation Support for more information.