Configuring SSO for platform access

Enable Single Sign-On (SSO) to allow users to log in to the watsonx Orchestrate platform by using their company domain credentials instead of creating separate IBMids.

Single Sign-On (SSO) for platform access allows users to log in to IBM watsonx Orchestrate by using their company domain credentials. As an instance administrator, you must register and configure your company domain with watsonx Orchestrate to enable SSO login for your users.

Before you begin

Before you contact IBM Support to request SSO registration, prepare the following information:

  1. Contact information

    • Name, email, and phone number of your team

    • Times of availability and time zone for the registration callback

  2. Environment details

    • Tenant CRN string

    • Tenant ID of the instance in the production environment

  3. SSO configuration details

    • Single sign-on option: OIDC or SAML

    • Client ID (App ID): The customer secret ID, or if using SAML, the XML Metadata exchange file

    • Secret ID: The customer secret ID

    • Customer Endpoint: Well-known endpoint

Note:

You need not provide any sensitive information in the support ticket.

AWS

Register your organization for SSO

To enable SSO login for your organization:

  1. Contact IBM Support to request SSO registration.

  2. In the support ticket, provide:

    • Your contact details (name, email, phone number, times of availability, time zone)

    • General environment details, such as the tenant CRN string

  3. The support team schedules a meeting with the development team to complete the registration process.

  4. During the follow-up meeting, provide your SSO configuration information (OIDC/SAML details, tenant ID, client ID, secret ID, and customer endpoint).

Verifying SSO setup

Once SSO is configured for your organization:

  1. Users can log in to watsonx Orchestrate by clicking Log in with SSO on the login page.

  2. Users enter their company domain and are redirected to your organization's login page.

  3. After authenticating with their company credentials, users are redirected to the watsonx Orchestrate landing page.

For user instructions on logging in with SSO, see Logging in with Single Sign-On.

What to do next

After configuring SSO for your organization: