Connecting to your identity provider

You can optionally configure a connection to an existing identity provider, such as an LDAP server. At a minimum, you can use the identity provider to validate users' credentials. However, you can also use your identity provider to manage access to the platform. The information that you specify when you connect to your identity provider determines whether you use the identity provider for password management or for access management.

Restriction: If you configure a connection to an identity provider, all password management tasks, such as changing or resetting passwords, must be completed by the identity provider administrator.

If the Identity and Access Management Service (IAM Service) is not enabled, you can connect to a single LDAP server.

If the IAM Service is enabled, you can connect to multiple identity providers.

Permissions you need for this task

The permissions that you must have depend on whether Cloud Pak for Data is configured to use the Identity and Access Management Service (IAM Service):

IAM Service is not configured (default)
  To configure the connection to your LDAP server, you must have one of the following permissions:
  • Administer platform
  • Manage platform roles

IAM Service is configured
  To configure the connection to your identity provider, you must have the Administer platform permission.

When you need to complete this task

Complete this task when you set up Cloud Pak for Data.

You can configure a connection to your LDAP server from the Access control page.

Follow the appropriate instructions for your environment:

The IAM Service is not enabled

  1. Log in to the Cloud Pak for Data web client.
  2. From the menu, click Administration > Access control.
  3. Click LDAP configuration.
  4. In the LDAP server information section, provide the following information about your LDAP server:
     LDAP protocol:
       • If you are connecting to a secure port on your LDAP server, select ldaps://.
       • If you are connecting to an unsecured port on your LDAP server, select ldap://.
     LDAP hostname: Enter the host name of the LDAP server.
     LDAP port: Enter the port that you are connecting to. Standard ports are 389 for ldap and 636 for ldaps.
     User search base: Enter the point in the LDAP tree from which users are searched.
     User search field: Enter the LDAP attribute that is used to identify users. For example, cn, uid, or sAMAccountName.
       If you plan to use LDAP and a SAML identity provider, ensure that you use the same attribute to identify users. This field should have the same value as the fieldToAuthenticate parameter in your SSO configuration.
     Domain search user: If your LDAP server requires authentication to perform lookups, enter the username of a user that can perform lookups on the LDAP server.
     Domain search password: If you specified a Domain search user, specify the password for this user.
  5. If you want to add LDAP groups to user groups, select Use LDAP group and provide the following information about your LDAP server:
     Group search base: Enter the point in the LDAP tree from which groups are searched.
     Group search field: Enter the LDAP attribute that is used to identify groups. For example, cn.

  6. If you want to use the LDAP server to manage access to the platform, provide the LDAP attributes that map to the following values:
     First name: Enter the LDAP attribute that is used to identify a user's given name. For example, givenName.
     Last name: Enter the LDAP attribute that is used to identify a user's surname. For example, sn.
     Email: Enter the LDAP attribute that is used to identify a user's email address. For example, mail.
     Group membership: If you selected Use LDAP group, enter the LDAP attribute that is used to identify all of the LDAP groups that a user is a member of. For example, memberOf.
     Group member field: If you selected Use LDAP group, enter the LDAP attribute that is used to identify all of the members of a given group. For example, member.
  7. To verify that you can connect to your LDAP server, enter the following information in the Test connection section:
     Username: Enter the username of a user that exists in one of the following locations:
       • The user search base
       • The group search base
     Password: Enter the password for the specified user.
     Note: These credentials are not saved.
  8. Click Test connection.
  9. After you verify that you can connect to your LDAP server, click Save.
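The fields collected in steps 4 through 6 are what a client library turns into an LDAP URL, a bind as the domain search user, a search under the user search base, and a group lookup. The following is an added example, not IBM's code and not the platform's own implementation: it models those fields as a small configuration object, flags the settings a reviewer would question (ldap:// in clear text, a domain search user without a password, Use LDAP group without a group search base), escapes the login name according to RFC 4515 before it is placed in the user search filter, and resolves group membership through either the Group membership attribute (memberOf) or the Group member field (member). The dataclass, function names, hostnames and directory entries are constructed for this example; the attribute names and standard ports are the ones given in the steps above.

```python
"""Model the LDAP fields from the configuration page (added example, not IBM's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard ports named in step 4: 389 for ldap://, 636 for ldaps://.
STANDARD_PORTS = {"ldap://": 389, "ldaps://": 636}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    Without this, a login name such as "*)(objectClass=*" would change the shape
    of the filter built around the user search field instead of matching one user.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


@dataclass
class LdapConfig:
    """One attribute per field on the LDAP configuration page (hypothetical class)."""
    protocol: str                        # ldap:// or ldaps://
    hostname: str
    port: int
    user_search_base: str                # e.g. ou=people,dc=example,dc=com
    user_search_field: str               # cn, uid or sAMAccountName
    domain_search_user: Optional[str] = None
    domain_search_password: Optional[str] = None
    use_ldap_group: bool = False
    group_search_base: str = ""
    group_search_field: str = "cn"
    group_membership: str = "memberOf"   # attribute on the user entry
    group_member_field: str = "member"   # attribute on the group entry


def check_config(cfg: LdapConfig) -> List[str]:
    """Return findings a reviewer would raise; an empty list means nothing to flag."""
    findings: List[str] = []
    if cfg.protocol not in STANDARD_PORTS:
        return ["protocol must be ldap:// or ldaps://"]
    if cfg.protocol == "ldap://":
        findings.append("ldap:// sends the domain search password and user passwords in clear text")
    if cfg.port != STANDARD_PORTS[cfg.protocol]:
        findings.append(f"port {cfg.port} is not the standard port {STANDARD_PORTS[cfg.protocol]} for {cfg.protocol}")
    if cfg.domain_search_user and not cfg.domain_search_password:
        findings.append("domain search user is set without a domain search password")
    if cfg.use_ldap_group and not cfg.group_search_base:
        findings.append("Use LDAP group is selected but the group search base is empty")
    return findings


def server_url(cfg: LdapConfig) -> str:
    """URL the client connects to before binding as the domain search user."""
    return f"{cfg.protocol}{cfg.hostname}:{cfg.port}"


def user_search_filter(cfg: LdapConfig, login_name: str) -> str:
    """Filter evaluated under the user search base to find the entry to bind as."""
    return f"({cfg.user_search_field}={escape_filter_value(login_name)})"


def groups_for_user(cfg: LdapConfig, user_entry: Dict[str, List[str]],
                    group_entries: Dict[str, Dict[str, List[str]]], user_dn: str) -> List[str]:
    """Resolve the group DNs for a user with the two attributes from step 6.

    The user's own Group membership attribute (memberOf) is used when present;
    otherwise the Group member field (member) of every entry under the group
    search base is scanned, which is what a directory without memberOf requires.
    """
    if not cfg.use_ldap_group:
        return []
    direct = user_entry.get(cfg.group_membership, [])
    if direct:
        return sorted(direct)
    return sorted(dn for dn, attrs in group_entries.items()
                  if dn.lower().endswith(cfg.group_search_base.lower())
                  and user_dn in attrs.get(cfg.group_member_field, []))


# Constructed sample configuration and directory data, not taken from any real server.
SAMPLE_CFG = LdapConfig(protocol="ldaps://", hostname="ldap.example.com", port=636,
                        user_search_base="ou=people,dc=example,dc=com", user_search_field="uid",
                        domain_search_user="cn=svc-lookup,ou=services,dc=example,dc=com",
                        domain_search_password="<placeholder>", use_ldap_group=True,
                        group_search_base="ou=groups,dc=example,dc=com")
SAMPLE_USER_DN = "uid=alice,ou=people,dc=example,dc=com"
SAMPLE_USER = {"uid": ["alice"], "givenName": ["Alice"], "sn": ["Example"], "mail": ["alice@example.com"]}
SAMPLE_GROUPS = {
    "cn=data-scientists,ou=groups,dc=example,dc=com": {"member": [SAMPLE_USER_DN]},
    "cn=admins,ou=groups,dc=example,dc=com": {"member": ["uid=bob,ou=people,dc=example,dc=com"]},
}

if __name__ == "__main__":
    print(server_url(SAMPLE_CFG), check_config(SAMPLE_CFG))
    print(user_search_filter(SAMPLE_CFG, "alice"))
    print(groups_for_user(SAMPLE_CFG, SAMPLE_USER, SAMPLE_GROUPS, SAMPLE_USER_DN))
```

The Test connection step in the page exercises exactly the search that user_search_filter builds: the username you type is looked up under the user search base (or group search base) with the user search field, and then a bind is attempted with the password. Running check_config against a draft configuration before clicking Test connection surfaces the clear-text and missing-password cases without touching the directory.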

The IAM Service is enabled

You can configure a connection to one or more identity providers from the IBM Cloud Pak® Administration Hub.

To access the IBM Cloud Pak Administration Hub

  1. Log in to the Cloud Pak for Data web client.
  2. From the menu, click Administration > Access control.
  3. Click Identity provider configuration.

To configure a connection to an identity provider, see Configuring an LDAP connection in the IBM Cloud Pak foundational services documentation.