IBM Cloud Account Single Sign-on using IBM Cloud App ID and Microsoft Azure AD
Overview
IBM provides two single sign-on (SSO) approaches for enterprise customers logging in to IBM Cloud. This article highlights the differences between the two approaches and then gives step-by-step instructions for setting up self-service federation with IBM Cloud App ID, using Microsoft Azure Active Directory as the identity provider.
Two single sign-on approaches
- Manual federation using IBMid
- Self-service federation using IBM Cloud App ID
Manual offline federation using IBMid
You can sign up for IBM Cloud with a federated ID only if your company is already registered with IBM. Registering a company's domain with IBM lets users log in to IBM products and services with their existing company credentials; authentication is then handled by the company's identity provider through single sign-on (SSO). For details on registering your company for a federated ID, see the IBMid Enterprise Federation Adoption Guide.
Key features and benefits of the offline federation process
- Federate only once, using the domain name
- IBMid federation works for IBM Cloud and for other IBM services such as Cognos and Planning Analytics
- In an enterprise account scenario, all IBM Cloud sub-accounts share the same login home page, cloud.ibm.com
- Users must still be invited into each account where they need access
Self-service federation using IBM Cloud App ID
IBM Cloud can now use the IBM Cloud App ID service to connect to external identity providers and let those providers' users log in to an IBM Cloud account.
Key features and benefits of federation using IBM Cloud App ID
- Self-service: no registration of the company domain with IBM is required
- Users can be onboarded automatically; no separate invite is required
- In an enterprise account scenario, each sub-account needs its own App ID instance
- Each account gets a different login URL, e.g. cloud.ibm.com/authorize/<uniquenameforaccount>
Set up self-service single sign-on using App ID
The rest of this article walks through the steps needed to achieve single sign-on using App ID.
Create App ID
Log in to IBM Cloud > locate App ID in the Catalog > create the App ID instance, choosing the appropriate plan.
Download SAML metadata
Open the newly created App ID service > click Identity Providers > click SAML 2.0 Federation > click "Download SAML metadata File" to download the service provider metadata file.
Create the application in Azure AD
Sign in to the Azure portal with your administrator account and browse to Azure Active Directory > Enterprise Applications > New application > Non-gallery application > enter the name of the application > click Add.
Configure single sign-on in Azure AD
Click the newly created application > click Single sign-on under Manage > click SAML.
Configure Basic SAML Configuration
- Click the edit pencil icon under Basic SAML Configuration
- Copy the entityID value from the EntityDescriptor XML tag of the downloaded metadata file and paste it into the Identifier field, as shown below
- Copy the Location value from the AssertionConsumerService XML tag of the downloaded metadata file and paste it into the Reply URL field, as shown below
- Click Save
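The two values above are the only ones Azure AD needs from the metadata file, and copying them by hand is where typos creep in. The following added example (not code from the article or from IBM) pulls them out of a constructed, placeholder metadata file with the standard library and checks that the Reply URL is an HTTP-POST endpoint served over https:

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like an SP metadata file; the entityID, hostname
# and tenant id are placeholders, not values from a real App ID instance.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:ibm:cloud:appid:EXAMPLE-TENANT-ID">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://appid.example.test/saml2/v1/EXAMPLE-TENANT-ID/login-acs"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_values(metadata_xml: str) -> dict:
    """Return the Identifier (entityID) and Reply URL (ACS Location) to paste into Azure AD."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    # Azure AD posts the SAMLResponse to the ACS, so take the HTTP-POST endpoint.
    acs = [e for e in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
           if e.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    reply_url = acs[0].get("Location", "")
    # A non-https Reply URL would carry the signed assertion over clear text.
    if not reply_url.startswith("https://"):
        raise ValueError("ACS Location must be an https URL: %r" % reply_url)
    return {"Identifier": entity_id, "Reply URL": reply_url}


if __name__ == "__main__":
    for field, value in extract_sp_values(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

Point it at the real downloaded metadata file and the two printed values are what go into the Identifier and Reply URL fields.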
Configure User Attributes & Claims
- Click the edit pencil icon under User Attributes & Claims
- Delete all the additional claims
- Add the new claims shown in the "Final mapping of User Attribute & Claims" image below
- Make sure the claim names and values are exactly the same as in the "Final mapping of User Attribute & Claims" image
- When adding a claim, leave the namespace empty
- The "username" claim should carry the user's email ID, but for some reason, when username is mapped to user.mail, the username attribute is not passed in the SAML assertion to IBM App ID. As a workaround, edit the user in Azure AD and fill the alternate email field with the user's email ID
- Make sure the user has been assigned access to the newly created application in Azure AD
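When a login fails after this step, the quickest check is to look at the attributes actually present in the SAML response (a browser's developer tools or a SAML tracer extension will show it). The added example below (not code from the article or from IBM) inspects a constructed, unsigned sample response and reports the two mistakes the steps above guard against: a missing or non-email "username" claim, and a claim name that still carries a namespace. It checks attributes only; it does not validate the signature, which App ID does on its side.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed, unsigned sample with a placeholder issuer; it is shaped like the
# AttributeStatement Azure AD sends after the claims step above.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT-ID/</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def claims_from_response(xml_text: str) -> dict:
    """Map each claim Name to its list of values, read from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name", "")] = values
    return claims


def check_username_claim(xml_text: str) -> list:
    """Return a list of problems; an empty list means the claims match the setup above."""
    claims = claims_from_response(xml_text)
    problems = []
    if "username" not in claims:
        # The symptom described above: App ID never receives the username attribute.
        problems.append("no 'username' attribute in the assertion")
    elif not claims["username"] or not EMAIL_RE.match(claims["username"][0]):
        problems.append("'username' is not an e-mail address: %r" % claims["username"])
    for name in claims:
        # The claims step leaves the namespace empty, so a URI-style name is a misconfiguration.
        if "/" in name or ":" in name:
            problems.append("claim %r carries a namespace; expected a bare name" % name)
    return problems


if __name__ == "__main__":
    print(check_username_claim(SAMPLE_RESPONSE) or "claims look correct")
```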
Configure SAML 2.0 Federation in App ID
- Go to the App ID instance > Identity Providers > SAML 2.0 Federation
- Copy the Azure AD Identifier from the Azure AD application's SAML-based Sign-on page and paste it into the "Entity ID" field of App ID
- Copy the Login URL from the Azure AD application's SAML-based Sign-on page and paste it into the "Sign In URL" field of App ID
- Download the Base64 certificate from the Azure AD application's SAML-based Sign-on page. Paste the contents of the certificate into the "Primary Certificate" field of App ID and click Save
- Click Test
Configure the identity provider in App ID
Replicate the settings shown in the image below by going to the App ID service in IBM Cloud > Manage Authentication.
Create the identity provider in IBM Cloud IAM
- Go to Manage > Access (IAM) from the top menu of IBM Cloud > click Identity Providers > click Create
- Enter a name for the IdP and choose the App ID service instance from the service instance drop-down
- Complete the remaining settings as shown below and click Create
- Edit the "Default IdP URL" on the Identity Provider page. This URL will be the login page for the cloud account
Log in and test
Type the IdP URL into the browser; in this case it is https://cloud.ibm.com/authorize/AzureTest. The browser redirects to Microsoft for authentication. Once the user is authenticated, the browser is redirected back to the IBM Cloud console and the user is onboarded to IBM Cloud automatically.
Summary
This article highlighted the differences between the two single sign-on approaches for IBM Cloud account login and provided step-by-step instructions for setting up self-service federation using IBM Cloud App ID integrated with Microsoft Azure Active Directory.