Integrating Watson Care Manager with your organization's identity provider

By default, the IBM App ID service authenticates users when they sign in to Watson Care Manager applications. If your organization has a Federated Identity Management arrangement with a third-party SAML identity provider like Keycloak, you can request that Watson Care Manager integrate with your identity provider. This means that your identity provider, not IBM App ID, authenticates users' access to Watson Care Manager and other applications used by your organization.

About this task

You can request that Watson Care Manager integrate with a single identity provider for your organization. With this integration, users can sign in to Watson Care Manager with the user ID or email address that is stored by your organization's identity provider. For example, users can sign in with a username that is associated with your organization, and not only with Watson Care Manager. Your identity provider determines and manages users' password reset process and password rules.

Assuming they have access to both applications, users can use single sign-on (SSO) between Watson Care Manager and the Watson Care Manager Reporting applications, without having to sign in separately to each. Note: This integration does not support SSO between Watson Care Manager applications and the Connect applications.

To take advantage of this integration, complete the following procedure.

Procedure

  1. Request that Watson Care Manager integrate with your identity provider by submitting a case on the Watson Health Support Portal.
  2. Ensure that the items listed in "Required information to integrate with your organization's identity provider" are exchanged between you and Watson Care Manager. You must work with your IBM client executive to do this.
  3. In addition, you must provide your IBM client executive with the details of a Security Administrator user for Watson Care Manager. You can nominate any user in your identity provider.
  4. Then, onboard the user accounts from your identity provider to Watson Care Manager. Choose an option.
    • Automatically onboard the user accounts by using the Federated Users API.
      1. Familiarize yourself with "Integrating via Watson Care Manager REST APIs", in particular, API security and access.
      2. Review the Federated Users API swagger documentation in the API Catalog.
    • Alternatively, as a Security Administrator, you can manually onboard the user accounts to the Security Administrator workspace instead of using the API. For more information, see "Creating user accounts". The user's email address must match the email address that is stored by your identity provider.

Results

Onboarded users can sign in to Watson Care Manager with the credentials that are stored by your organization's identity provider. For more information, see "Signing in to your account with SSO".