Logging in to IBM watsonx Orchestrate

Edit online

Access watsonx Orchestrate for the first time by following the steps for your deployment environment. This guide covers login procedures for IBM Cloud, AWS, AWS GovCloud (US), and on-premises installations.

At a glance

The following table provides a quick overview of the topics covered in this guide. Use it to jump directly to the section that matches your environment or login method.

Table 1. Overview

Topic

Description

Quick start

Get started in 4 simple steps

Logging in by environment

Environment-specific login instructions:

- IBM Cloud

- AWS

- AWS GovCloud (US)

- AWS HIPAA

- On-premises

Authentication methods

- Logging in with an IBMid

- Logging in with SSO

- Direct login with secure access links

What to do next

Resources for getting started

Quick start

Follow these steps to access your watsonx Orchestrate instance:

  1. Open your watsonx Orchestrate instance from your console or the welcome email you received.

  2. Sign in using your IBMid or SSO credentials (if enabled by your administrator).

  3. Accept the terms and conditions if prompted.

  4. You land on the watsonx Orchestrate home page.

For detailed instructions specific to your environment, see the following sections.

Choose your environment

If you're not sure which login instructions apply to you, use the following guidance:

  • IBM Cloud: Use this option if you access your instance through the IBM Cloud console.

  • AWS: Use this option if your subscription was purchased through AWS Marketplace or deployed in your organization’s AWS environment.

  • AWS GovCloud (US): Use this option if your organization operates in a regulated U.S. federal environment.

  • AWS HIPAA: Use this option if you were onboarded into a HIPAA-compliant AWS environment.

  • On-premises: Use this option if your organization hosts the platform internally using solutions such as Cloud Pak for Data.

Choose your deployment environment for specific login instructions. Each environment has its own onboarding flow and access path, depending on where your watsonx Orchestrate instance is hosted.

IBM Cloud

Use these steps if your organization provisions watsonx Orchestrate as a managed service on IBM Cloud.

This login path applies when you access watsonx Orchestrate directly through the IBM Cloud console as part of your cloud resources. To log in to watsonx Orchestrate on IBM Cloud:

  1. Go to the IBM Cloud console.

  2. Start your IBM watsonx Orchestrate instance from the resource list. For more information on how to search for your instance, see Try out IBM Cloud.

  3. Acknowledge the terms and conditions set by your administrator.

You're now ready to explore watsonx Orchestrate.

Note: If your deployment uses IBM Cloud IAM with SAML federation, see Configuring SAML federation with IBM Cloud IAM.

AWS

Use this option if your watsonx Orchestrate subscription was purchased through the AWS Marketplace or is deployed in your organization's AWS environment.

Authentication begins from the welcome email sent after provisioning. To access watsonx Orchestrate on AWS:

  1. Open the welcome email that you received upon purchasing watsonx Orchestrate.

  2. If you don't have an IBMid, create one.

  3. Click the access URL provided in the email.

  4. Log in using your IBMid credentials.

  5. Accept the terms and conditions set by your administrator.

You're now ready to explore watsonx Orchestrate.

Note:

  • You might be automatically logged in and redirected to the watsonx Orchestrate landing page while switching between environments - for example, logging in to the IBM SaaS console and then starting a watsonx Orchestrate instance. This is expected behavior that is enabled by IBM's shared authentication model, where a single IBMUniqueID supports seamless single sign-on (SSO) across IBM applications.

  • To switch between different watsonx Orchestrate credentials in the same browser session, clear the browsing data that is linked to the previous IBMid before logging in with new credentials.

AWS GovCloud (US)

This login path is for organizations operating in regulated environments where workloads must meet U.S. federal compliance requirements.

AWS GovCloud (US) offers an isolated and secure cloud region restricted to approved U.S. entities. You can access watsonx Orchestrate on AWS GovCloud (US) using either of the following methods:

Method 1: Login via IBM SaaS Console

  1. Open the welcome email that you received during onboarding.

  2. If you don't have an IBMid, create one.

  3. Click the access URL provided in the email. This takes you to the IBM SaaS console.

  4. Log in using your IBMid credentials.

  5. On the Subscriptions page, locate your watsonx Orchestrate entry.

  6. Click View subscription details or View instances to open your instance.

  7. Click Open. You are redirected to the watsonx Orchestrate login page.

  8. Log in again using your IBMid credentials to confirm access.

You're now ready to explore watsonx Orchestrate.

Method 2: Direct login using the welcome email link

You can also login using the direct link provided in the welcome email when you are added to a tenant:

  1. Click on the Access product button in the welcome email.

  2. You will be redirected to a URL similar to: https://wxo.example.com?mcsp_metadata=<base64encoded crn+realm+accountid>

  3. Enter your email and you will be logged in to the invited tenant directly.

The direct link accessed through the Access product button is the same as the one accessed through the Open button in the IBM SaaS console.

AWS HIPAA

If you use watsonx Orchestrate in an AWS HIPAA environment, log in by using the welcome email link that you receive during onboarding.

  1. In your welcome email, click the login link.
  2. Complete the authentication process.
  3. After you authenticate successfully, you will be logged in to the invited tenant directly.

Note: The login method is the same as Method 2: Direct login using the welcome email link .

On-premises

Use these steps if your organization runs watsonx Orchestrate entirely on‑premises through platforms such as IBM Cloud Pak for Data or IBM Software Hub.

After completing installation and provisioning:

  1. Log in to your On-premises environment (for example, IBM Cloud Pak for Data or IBM Software Hub).

  2. Go to Services > Instances.

  3. In the watsonx Orchestrate service, click the vertical ellipsis ⋮, and select Open.

You are redirected to the watsonx Orchestrate home page.

Authentication methods

IBM watsonx Orchestrate supports multiple authentication methods, including IBMid, Single Sign-On (SSO), and secure access links. The sign-in method is automatically determined based on your organization’s configuration.

Logging in with IBMid

Create an IBMid if you are a first-time user and your organization does not use SSO.

To create your IBMid:

  1. On the watsonx Orchestrate login page, click Create an IBMid or go to Sign up for My IBM account.

  2. Complete the following details:

    • Email and Password

    • Country or region of residence

    • State or province

  3. Click Next to receive a verification email.

  4. Enter the 7-digit verification code from the email.

  5. Click Create account.

You can now use your IBMid to log in to watsonx Orchestrate.

Logging in with Single Sign-On (SSO)

Single Sign-On (SSO) allows you to access IBM watsonx Orchestrate using your company domain credentials instead of creating a separate IBMid. Your instance administrator must register your company domain to enable SSO.

Important: This feature is available only for deployments in AWS environments.

To log in using SSO:

  1. On the watsonx Orchestrate login page, click Log in with SSO.

  2. Enter your company domain (for example, your_company_domain) under "Enter your company domain".

  3. Click Next. You are redirected to your organization's login page.

  4. Enter your company domain credentials and click Next.

You are now redirected to the watsonx Orchestrate landing page.

Note:

If SSO is not working, contact your administrator to verify that your company domain is registered. For administrator instructions, see Configuring SSO for platform access.

Direct login with secure access links

In some environments (such as AWS MCSP 2.0 deployments), you might access watsonx Orchestratethrough a secure URL that contains preconfigured metadata (mcsp_metadata), see Understanding authentication in AWS and regulated environments for more details. These links are typically provided through provisioning workflows or marketplace integrations and function similarly to the welcome email access link.

Authentication begins when you open the secure link provided during provisioning or onboarding.

When you use a secure access link:
  • Open the secure access URL provided by your organization.
  • watsonx Orchestrate reads the embedded configuration data in the link.
  • You are automatically redirected to your organization’s identity provider (IdP).
  • Sign in using your organization credentials.
  • After authentication, you are redirected to the watsonx Orchestrate home page.

You might not see the watsonx Orchestrate login screen because the system automatically determines your tenant and authentication method.

The required configuration is embedded in the link, so you are redirected directly to your organization’s sign-in experience.

How this differs from standard email based login

  • When you use the welcome email link (Method 2), you might still see a watsonx Orchestratelogin screen to enter your email.

  • With a metadata-enabled link, watsonx Orchestrate already has the required context, so it skips the login screen and redirects you directly to your identity provider.

This flow gives you a faster and more seamless single sign-on (SSO) experience.

What to do next