Connection overview
The Connection feature establishes a federation between an IBM Security Access Manager deployment and IBM Cloud Identity.
IBM Security Access Manager contains several modules, including a Federation module. The Federation module provides features such as SAML 2.0 runtime and SAML 2.0 federation management. The connectivity to IBM Cloud Identity uses these Federation features, in addition to other features such as mapping modules. The Federation module must be activated before IBM Security Access Manager users can access IBM Cloud Identity Connect.
Activation of the Federation module usually requires a separate license. However, when you create a connection to IBM Cloud Identity, you can activate the Federation module without a Federation license. In this case, your entitlement to the Federation module is limited solely to use of a connection to IBM Cloud Identity.
You can use a wizard to automatically create the artifacts that are needed to connect to IBM Cloud Identity. You do not have to specify any values. Take note of the names of the artifacts. After the connection is fully configured, you can later use the LMI to customize them for your deployment.
| Type of artifact | Configuration entry | Value |
|---|---|---|
| Federation | IBM Cloud Identity Federation | ibmci |
| Mapping rule | IBM Cloud Identity mapping rule | ibmci |
| SSL Certificate | IBM Cloud Identity Personal SSL Certificate | Certificate label ibmci_federation |
The wizard exports IBM Security Access Manager configuration information to IBM Cloud Identity, and imports IBM Cloud Identity configuration information to IBM Security Access Manager.
| Exported configuration information | |
| Identity Provider federation metadata | The metadata necessary for communication between the identity provider and service provider, for single sign-on. |
| Single Sign On Initialization URL | The URL that starts the IP-initiated single sign-on during the sign-on flow. |
| Redirect URL | The URL to return the IBM Cloud Identity artifacts to IBM Security Access Manager. |
| Security code | The one-time security code that the IBM Cloud Identity administrator must confirm during the configuration. |
| Imported configuration information | |
| Service Provider federation metadata | The service provider federation metadata, from Cloud Identity, necessary for communication between the identity provider and service provider, for single sign-on. |
| Administration URL | The URL that is used to access IBM Cloud Identity for configuration and administration tasks. |
- After you create a connection, you can test, update, or delete the connection. You can audit connection and disconnection events.
- When you conduct IBM Security Access Manager administration actions, ensure that you do not delete any of the artifacts that are used in the IBM Cloud Identity connection. For example, in addition to mapping rules and keys, your connection might use an attribute source if you edited the federation to use attribute mapping. In this case, ensure that the needed attribute source is retained.
- You can check for any known limitations with the Connection feature on the IBM Support site: