Configure SSO partners (Accelerated deployment)
To configure SSO partners, complete the following tasks.
- Configure SAML attribute mappings on the single sign-on partner.
- Add an identity provider by using metadata of the identity provider (IdP).
- Export the Service Provider metadata file.
Configure SAML attribute mappings on the single sign-on partner
The SAML subject identifies the authenticated user. Product Master SAML SSO requires that the single sign-on partner configure NameID as the SAML assertion subject.
The single sign-on partner should also define attribute mappings for Group memberships.
Setting the NameID and Group mappings in the SAML assertion is mandatory for Product Master login. Other, optional mappings can be defined for user attributes, for example First Name, Last Name, Title, Email Address, Telephone, Fax, and Address.
If you want to enable Vendor users to log in with SAML SSO, the Organization mapping must also be set in the SAML assertion. Ensure that the Organization attribute value matches the Vendor organization present in the Product Master Vendor Organization Hierarchy.
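The following script is an added example, not IBM Product Master code, for checking a test assertion from the single sign-on partner against the rules above before enabling SAML login. It assumes the partner sends the group and organization mappings as SAML attributes literally named "Group" and "Organization" (the real attribute names depend on the partner's configuration), and the two assertions embedded in it are constructed samples with placeholder issuer and users. It only inspects the mappings; it does not verify the assertion's XML signature, which the service provider does at login.

```python
"""Check that a SAML 2.0 assertion carries the mappings Product Master login needs.

Added example, not IBM code. Attribute names "Group" and "Organization" are an
assumption; the SSO partner's actual mapping names may differ.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample: an employee assertion with NameID and Group mappings.
EMPLOYEE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>PM_Admins</saml:AttributeValue>
      <saml:AttributeValue>PM_Users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="First Name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email Address"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: a vendor user assertion that also carries an Organization mapping.
VENDOR_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">bob@acme-supplies.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Group"><saml:AttributeValue>Vendor_Users</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Organization"><saml:AttributeValue>Acme Supplies</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from an assertion document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("root element is not a saml:Assertion")
    name_id = (root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def check_mappings(xml_text, vendor_login=False, vendor_orgs=()):
    """List the mandatory mappings that are missing or wrong.

    An empty list means the assertion satisfies the rules: NameID as subject,
    a Group attribute, and, for vendor login, an Organization attribute whose
    value exists in the Vendor Organization Hierarchy (passed in as vendor_orgs).
    """
    name_id, attrs = parse_assertion(xml_text)
    problems = []
    if not name_id:
        problems.append("Subject has no NameID")
    if not attrs.get("Group"):
        problems.append("no Group attribute (group memberships are mandatory)")
    if vendor_login:
        orgs = attrs.get("Organization", [])
        if not orgs:
            problems.append("no Organization attribute (mandatory for Vendor users)")
        elif vendor_orgs and not any(o in vendor_orgs for o in orgs):
            problems.append(f"Organization {orgs} not found in Vendor Organization Hierarchy")
    return problems


if __name__ == "__main__":
    # The hierarchy would normally come from Product Master; this set is a placeholder.
    hierarchy = {"Acme Supplies", "Globex Parts"}
    print("employee:", check_mappings(EMPLOYEE_ASSERTION) or "OK")
    print("employee as vendor:", check_mappings(EMPLOYEE_ASSERTION, vendor_login=True))
    print("vendor:", check_mappings(VENDOR_ASSERTION, vendor_login=True, vendor_orgs=hierarchy) or "OK")
```

Run it against an assertion captured from the partner's test environment (for example by pasting the decoded assertion into one of the string constants); a non-empty list tells you which mandatory mapping the partner still has to add before login will work.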
Add an identity provider by using metadata of the identity provider
Use the metadata file exported from the Identity Provider as the input for the sso_idp_metadata secret in the app_secrets.yaml file.
Export the Service Provider metadata file
- Export the service provider metadata file for the Admin UI using the following URL.
  - Kubernetes: https://<IPM_HOSTNAME>:<PORT>/ibm/saml20/adminSP/samlmetadata
  - OpenShift®: https://<IPM_HOSTNAME>/ibm/saml20/adminSP/samlmetadata
- Export the service provider metadata file for the Persona-based UI using the following URL.
  - Kubernetes: https://<IPM_HOSTNAME>:<PORT>/ibm/saml20/personaSP/samlmetadata
  - OpenShift: https://<IPM_HOSTNAME>/ibm/saml20/adminSP/samlmetadata
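The script below is an added example, not IBM Product Master code, showing how to build the export URL for either platform from the patterns above and how to pull out of an exported file the values an IdP administrator needs to register the service provider (entity ID, assertion consumer endpoints, and whether the SP wants signed assertions). The metadata embedded in it is a constructed SAML 2.0 SP descriptor with a placeholder hostname; a real file taken from the samlmetadata URLs will differ in detail.

```python
"""Build the SP metadata export URL and read the exported SP metadata.

Added example, not IBM code. SAMPLE_SP_METADATA is constructed with a
placeholder host; the real file comes from the samlmetadata URL.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}


def sp_metadata_url(platform, hostname, sp, port=None):
    """Return the export URL following the page's patterns.

    Kubernetes URLs carry an explicit port; OpenShift routes do not.
    sp is the service provider path segment, e.g. "adminSP" or "personaSP".
    """
    if platform == "kubernetes":
        if port is None:
            raise ValueError("Kubernetes deployments need the service port")
        return f"https://{hostname}:{port}/ibm/saml20/{sp}/samlmetadata"
    if platform == "openshift":
        return f"https://{hostname}/ibm/saml20/{sp}/samlmetadata"
    raise ValueError(f"unknown platform {platform!r}")


# Constructed sample (placeholder host ipm.example.test, not a real deployment).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://ipm.example.test/ibm/saml20/adminSP">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ipm.example.test/ibm/saml20/adminSP/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_sp_endpoints(xml_text):
    """Return the registration details an IdP administrator needs from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML metadata EntityDescriptor")
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        raise ValueError("no SPSSODescriptor; this is not service provider metadata")
    acs = [
        {
            "binding": e.get("Binding"),
            "location": e.get("Location"),
            "index": int(e.get("index", "0")),
            "default": e.get("isDefault", "false").lower() == "true",
        }
        for e in spsso.findall("md:AssertionConsumerService", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        # If the SP does not require signed assertions, the IdP side should sign them anyway.
        "want_assertions_signed": spsso.get("WantAssertionsSigned", "false").lower() == "true",
        "authn_requests_signed": spsso.get("AuthnRequestsSigned", "false").lower() == "true",
        "nameid_formats": [e.text.strip() for e in spsso.findall("md:NameIDFormat", NS) if e.text],
        "acs": acs,
    }


if __name__ == "__main__":
    # Placeholder host and port; substitute the deployment's values.
    print(sp_metadata_url("kubernetes", "ipm.example.test", "adminSP", port=9443))
    print(sp_metadata_url("openshift", "ipm.example.test", "personaSP"))
    for key, value in extract_sp_endpoints(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

Export the Admin UI and Persona-based UI metadata separately and run the extractor over each, since each SP has its own entity ID and assertion consumer endpoint that the IdP must register.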