Enabling single sign-on for the Product Master

Enable single sign-on for the Product Master service.

Before you begin

About this task

Single sign-on (SSO) for the Product Master service improves the user experience by letting users access multiple related services and applications with a single set of credentials. This not only streamlines the login process, but also improves security by reducing the number of passwords that need to be managed. The cpadmin user can be used to configure access, such as connecting with LDAP/AD federation, configuring SSO, and creating users and groups.

The Product Master service uses the CP4D Front Door extension, which ensures that all HTTP access arrives through a single service (the front door) and that none of the other HTTP ports are exposed. The extension redirects only for sign-in, introduces cookies, handles browser session management, and uses API keys and JSON Web Token (JWT) bearer tokens to simplify non-browser access.

Procedure

  1. Install the Product Master service. For more information, see Installing.
  2. Assign roles and permissions.
    To access the application with an IdP user, you must assign the ProductMaster custom role to the IdP user. The ProductMaster custom role consists of a set of permissions. For more information, see Roles-based feature access in the IBM Product Master documentation. An admin can add or remove specific permissions for a role and can map a role to a user.
    1. Get the hostname for the IBM Cloud Pak for Data cluster and log in to the Cloud Pak Platform UI.
      $ oc get route cpd
      $ oc extract -n ${PROJECT_CPD_INST_OPERANDS} secret/platform-auth-idp-credentials --keys=admin_username --to=-
      $ oc extract -n ${PROJECT_CPD_INST_OPERANDS} secret/platform-auth-idp-credentials --keys=admin_password --to=-
    2. Add a user, and assign the ProductMaster custom role to the IdP user. For more information, see Managing access to the platform. You can manage the ProductMaster custom role through Administration > Access control. For more information, see Managing roles in Cloud Pak for Data.
  3. Populate SAML attributes in the SSO Configuration Lookup table.
    1. Log in to the Red Hat® OpenShift® Container Platform cluster as a cluster administrator.
      oc login ${OCP_URL}
    2. Go to the Admin pod.
      oc rsh productmaster-admin-0
    3. Run the migration script to update the login script.
      $ source /home/default/.bash_profile; sh /opt/MDM/bin/db/migration/migrateToInstalledFP.sh
    4. Get the URL for the Admin UI of the Product Master service.
      $ oc get route productmaster-admin
    5. Log in to the Admin UI, and use the same company you provided in the app-secrets file. For more information, see sso_company.
    6. Populate SAML attributes in the SSO Configuration Lookup table. For more information, see the Step 2 in the IBM Product Master documentation.

What to do next

  1. Log in to the Persona-based UI of the Product Master service by using the IdP user. Get the CPD route and append /mdm_ui/ to the URL.
    1. Open the Cloud Pak for Data login page.
    2. In the Log in with field, select Enterprise LDAP or Enterprise SAML.
    3. Enter the IdP user credentials to access the Persona-based UI.
  2. If you have any login issues, log in to the Admin UI and clear the caches. Go to System Administrator > Performance Info > Caches. In the Display cache for list, select Lookup Table and click Flush Cache. Repeat for Role and Script.
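The following helper script is an added example, not part of the IBM documentation: it wraps the oc commands from the procedure above (cpd route, platform-auth-idp-credentials secret, productmaster-admin route) and the /mdm_ui/ URL rule from "What to do next" in checked functions, and keeps the admin password in a variable rather than printing it to the terminal. It assumes oc is already logged in as a cluster administrator, that PROJECT_CPD_INST_OPERANDS names the Cloud Pak for Data operands project, and that the file name sso_check.sh is hypothetical.

```shell
#!/bin/sh
# Added helper (not from the IBM documentation). Assumes oc is logged in as a
# cluster administrator and PROJECT_CPD_INST_OPERANDS names the CPD operands project.
set -u

# Hostname of the cpd route, the single HTTP entry point (Front Door) for the platform.
cpd_host() {
  oc get route cpd -n "${PROJECT_CPD_INST_OPERANDS}" -o jsonpath='{.spec.host}'
}

# Persona-based UI URL: the CPD route host with /mdm_ui/ appended.
persona_ui_url() {
  host="$1"
  host="${host#https://}"; host="${host#http://}"; host="${host%/}"   # accept a bare host or a URL
  printf 'https://%s/mdm_ui/\n' "$host"
}

# Read one key of the platform-auth-idp-credentials secret. When writing to stdout,
# oc extract prefixes the value with a "# <key>" line, which is dropped here.
secret_key() {
  oc extract -n "${PROJECT_CPD_INST_OPERANDS}" secret/platform-auth-idp-credentials \
    --keys="$1" --to=- | sed '1{/^#/d;}'
}

# Load the admin credentials into variables instead of echoing them, so the password
# does not land in terminal scrollback, screen shares or session recordings.
load_admin_credentials() {
  ADMIN_USERNAME=$(secret_key admin_username)
  ADMIN_PASSWORD=$(secret_key admin_password)
  [ -n "$ADMIN_USERNAME" ] && [ -n "$ADMIN_PASSWORD" ]
}

# Confirm the routes the procedure relies on exist before logging in anywhere.
check_routes() {
  missing=0
  for r in cpd productmaster-admin; do
    oc get route "$r" -n "${PROJECT_CPD_INST_OPERANDS}" >/dev/null 2>&1 \
      || { echo "route $r not found in ${PROJECT_CPD_INST_OPERANDS}" >&2; missing=1; }
  done
  return "$missing"
}

main() {
  check_routes || return 1
  load_admin_credentials || { echo "could not read admin credentials" >&2; return 1; }
  echo "Platform UI:      https://$(cpd_host)/"
  echo "Persona-based UI: $(persona_ui_url "$(cpd_host)")"
  echo "Admin user:       ${ADMIN_USERNAME} (password kept in ADMIN_PASSWORD, not printed)"
}

# Runs only as "sh sso_check.sh run", so the file can also be sourced for its functions.
if [ "${1:-}" = run ]; then main; fi
```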