Authentication process

The REST API services require token-based authentication rather than authentication with a user ID and password.

Users who need to access the IBM Spectrum Discover APIs must first obtain an authentication token by using their user name and password, and then present that token to the IBM Spectrum Discover system when they call the APIs to perform operations.

Authentication is achieved in IBM Spectrum Discover through the following steps:

  1. The administrator registers an enterprise domain, which can be either Lightweight Directory Access Protocol (LDAP) or Cloud Storage Object, with the authentication service. Registering the enterprise domain with the authentication service includes the following steps:
    1. The administrator gets an authentication token by using the credentials.
      When the administrator (who is in the LDAP domain) logs in to IBM Spectrum Discover, the credentials are passed from IBM Spectrum Discover to LDAP for authentication. Then, the administrator gets an authentication token by using the credentials.
      Note: Users from an external LDAP or Cloud Storage Object domain need to include the domain name in the user name as "<domain>/<user>" to get an authentication token by using the REST APIs.
    2. Register the domain by using the obtained authentication token.

      IBM Spectrum Discover integrates with both LDAP users and Cloud Storage Object users. Administrators can add the Cloud Storage Object domain to IBM Spectrum Discover and the users are imported into IBM Spectrum Discover where the administrator can add the users to the appropriate collections.

      In this case, the Cloud Storage Object users can either use their user name and password or the Cloud Storage Object native Amazon Simple Storage Service (Amazon S3) access key and secret key pair to get authenticated with the IBM Spectrum Discover authentication service to get an authentication token.

      Like the users from the LDAP domain, the Cloud Storage Object domain users can use this authentication token to access the IBM Spectrum Discover services, and their scope is restricted to the projects that they can access.
  2. The administrator adds collections to the authentication service and adds users to these collections by assigning them appropriate roles. The records that the users can see or apply policies to are restricted according to the collections to which they have access.
  3. The user requests an authentication token by using their user name and password.

    The IBM Spectrum Discover RESTful services, such as DB2WH REST, the policy engine, tags, applications, and the various authentication service endpoints, require a bearer authentication token to be passed in the Authorization header.

    The authentication token is obtained from the authentication token service endpoint, which is the endpoint where a user logs in with user name and password credentials by using HTTP basic authentication. The returned token is then used for authorization across the various service endpoints. After a user receives the authentication token, it is valid for 1 hour; during that time the user can call the various IBM Spectrum Discover services with it.

  4. Users can access the IBM Spectrum Discover services by using the authentication token.
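As an added example that is not part of the IBM documentation, the following Python helper builds the HTTP basic authentication request for GET /auth/v1/token, formats an external-domain user name as "<domain>/<user>", and refuses to reuse a bearer token after the 1-hour lifetime stated above. The base URL, the credential values, and the X-Auth-Token response header used to read the returned token are assumptions, not details taken from the page.

```python
import base64
import time
import urllib.request
from typing import Optional

TOKEN_LIFETIME_S = 3600  # the documentation states a token is valid for 1 hour


def api_username(user: str, domain: Optional[str] = None) -> str:
    """External LDAP / Cloud Storage Object users log in as "<domain>/<user>"."""
    return f"{domain}/{user}" if domain else user


def basic_auth_header(user: str, password: str, domain: Optional[str] = None) -> dict:
    """HTTP basic authentication header for the GET /auth/v1/token request."""
    raw = f"{api_username(user, domain)}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


class TokenSession:
    """Caches the bearer token and rejects reuse past its 1-hour lifetime."""

    def __init__(self, base_url: str):
        self.base_url = base_url.rstrip("/")  # assumed value, e.g. https://discover.example.com
        self.token: Optional[str] = None
        self.issued_at = 0.0

    def store_token(self, token: str, issued_at: float) -> None:
        self.token, self.issued_at = token, issued_at

    def is_valid(self, now: float) -> bool:
        return self.token is not None and now - self.issued_at < TOKEN_LIFETIME_S

    def bearer_headers(self, now: float) -> dict:
        """Authorization header for DB2WH REST, policy engine, tags and other endpoints."""
        if not self.is_valid(now):
            raise PermissionError("token missing or expired; request a new one from /auth/v1/token")
        return {"Authorization": f"Bearer {self.token}"}

    def login(self, user: str, password: str, domain: Optional[str] = None) -> str:
        """Real GET /auth/v1/token call (network; not exercised offline).
        Assumption: the token is returned in the X-Auth-Token response header."""
        req = urllib.request.Request(f"{self.base_url}/auth/v1/token",
                                     headers=basic_auth_header(user, password, domain))
        with urllib.request.urlopen(req) as resp:
            token = resp.headers.get("X-Auth-Token")
        if not token:
            raise RuntimeError("no token in /auth/v1/token response")
        self.store_token(token, time.time())
        return token
```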

For more information, see /auth/v1/token: GET.