User authentication
To access the cloud portal and its components, you use basic or SAML authentication.
When you provision your cloud portal, you select a type of user authentication:
- Basic authentication
  - The user logs in to the cloud portal directly. The user has a user account in the portal, and logs in with an email address and a password that meets the security requirements of the portal.
- SAML authentication
  - The user signs in to the cloud portal through a non-portal login service. Security Assertion Markup Language (SAML) is an XML standard for exchanging single sign-on information. SAML delegates authentication to a third party. When a customer subscribes to Operational Decision Manager on Cloud through SAML, authentication is typically delegated to the customer's organization. The organization stores and manages its own user credentials. There is no duplication of credentials between IBM® and the customer.
If you log in to the cloud portal by using SAML authentication, you cannot run decision services or download archive files for a hybrid cloud environment. You need basic authentication for these tasks.
Using SAML
To use SAML, you must submit metadata for your login service. IBM uses the metadata to delegate authentication to your service. SAML support is configured per portal tenant for the users of the tenant, and for their email domain.
When the cloud administrator first logs in to the cloud portal:
- The administrator enters an email address.
- Operational Decision Manager on Cloud determines the type of authentication:
  - Basic authentication: The account administrator is prompted for a password.
  - SAML authentication: The administrator is redirected to another login page.
- If the authentication is successful, the account administrator is logged in to Operational Decision Manager on Cloud.
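As an added illustration of the routing step above (example code, not IBM's), the following parses a tenant's submitted IdP metadata for the HTTP-Redirect single sign-on endpoint and then decides, from the email domain, whether the login prompts for a password or redirects to the login service. The metadata document, the tenant-to-domain mapping and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespaces and the HTTP-Redirect binding identifier.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of the IdP metadata a tenant submits (placeholder certificate).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed tenant configuration: SAML is enabled for one email domain of the tenant.
TENANT_SAML_DOMAINS = {"example.com": IDP_METADATA}

def parse_idp_metadata(xml_text):
    """Return (entityID, HTTP-Redirect SSO URL); reject metadata without a signing key."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not identity-provider metadata")
    # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use", "signing") != "encryption"
               and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
    if not signing:
        raise ValueError("metadata carries no signing certificate; assertions could not be verified")
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == REDIRECT:
            return root.get("entityID"), sso.get("Location")
    raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")

def route_login(email):
    """First login step: basic auth prompts for a password, SAML redirects to the IdP."""
    local, at, domain = email.strip().rpartition("@")
    if not (local and at and domain):
        raise ValueError("invalid email address")
    metadata = TENANT_SAML_DOMAINS.get(domain.lower())  # domains compare case-insensitively
    if metadata is None:
        return {"method": "basic", "action": "prompt_password"}
    entity_id, sso_url = parse_idp_metadata(metadata)
    return {"method": "saml", "action": "redirect", "idp": entity_id, "location": sso_url}
```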
Authorizing users
The cloud administrator invites users to Operational Decision Manager on Cloud, and assigns them roles. For SAML authentication, Operational Decision Manager on Cloud stores only the user roles and not the user passwords, which stay in the users' login service.
Authenticating client applications
You must use basic authentication to connect client applications to the cloud portal. You cannot use SAML to authenticate a client application. Service credentials are specifically designed for authenticating client applications (see Service credentials for client applications).