Overview for setting up IBM Cloud App ID (beta)
Cloud Pak for Data as a Service supports IBM Cloud App ID to integrate customer registries for user authentication. You configure App ID on IBM Cloud to communicate with an identity provider. You then provide an alias to the people in your organization so that they can log in to Cloud Pak for Data as a Service.
Required roles
To configure identity providers for App ID, you must have one of the following roles in the IBM Cloud account:
- Account owner
- Operator or higher on the App ID instance
- Operator or Administrator role on the IAM Identity Service
App ID is configured entirely on IBM Cloud. An identity provider, for example, Active Directory, must also be configured separately to communicate with App ID.
For more information on configuring App ID to work with an identity provider, see Configuring App ID with your identity provider.
Configuring the log on alias
The App ID instance is configured as the default identity provider for the account. For instructions on configuring an identity provider, refer to IBM Cloud docs: Enabling authentication from an external identity provider.
Each App ID instance requires a unique alias. There is one alias per account. All users in an account log in with the same alias. When the identity provider is configured, the alias is initially set to the account ID. You can change the initial alias to be easier to type and remember.
Logging in with App ID (beta)
Users choose App ID (beta) as the login method on the Cloud Pak for Data as a Service login page and enter the alias. Then, they are redirected to their company's login page to enter their company credentials. Upon logging in successfully to their company, they are redirected to Cloud Pak for Data as a Service.
To verify that the alias is correctly configured, go to the User profile and settings page. Verify that the username in the profile is the email from your company’s registry. The alias is correct if the correct email is shown in the profile, as it indicates that the mapping was successful.
You cannot switch accounts when logging in through App ID.
Limitations
The following limitations apply to this beta release:
- The beta release supports Watson Studio, IBM Knowledge Catalog, Watson Machine Learning, Watson OpenScale, and Watson Query. Other services have not been tested.
- You must map the name/username/sub SAML profile properties to the email property in the user registry. If the mapping is absent or incorrect, a default opaque user ID is used, which is not supported in this beta release.
- The IBM Cloud login page does not support an App ID alias. Users log in to IBM Cloud with a custom URL, following this form:
  https://cloud.ibm.com/authorize/{app_id_alias}
- If you are using the Cloud Directory included with App ID as your user registry, you must select Username and password as the option for Manage authentication > Cloud Directory > Settings > Allow users to sign-up and sign-in using.
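The name/username/sub mapping limitation can be checked against a sample assertion before users hit the unsupported opaque-ID fallback. The following is an added example, not IBM code: it assumes the identity provider sends those properties as SAML 2.0 Attribute elements with those Name values alongside an email attribute, treats all three as required, and uses a constructed sample assertion.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("name", "username", "sub")  # properties named in the limitation (assumed Attribute names)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample assertion, not captured from a real identity provider.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="name"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def read_attributes(assertion_xml):
    """Return {attribute name: first value} from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs

def check_email_mapping(assertion_xml):
    """Return a list of problems; an empty list means every required property carries the email."""
    attrs = read_attributes(assertion_xml)
    email = attrs.get("email", "")
    problems = []
    for prop in REQUIRED:
        if prop not in attrs:
            problems.append(f"{prop}: missing")
        elif not EMAIL_RE.match(attrs[prop]):
            problems.append(f"{prop}: not an email address ({attrs[prop]!r})")
        elif email and attrs[prop].lower() != email.lower():
            problems.append(f"{prop}: differs from email attribute")
    return problems

if __name__ == "__main__":
    for line in check_email_mapping(SAMPLE_ASSERTION) or ["mapping looks correct"]:
        print(line)
```

Run it against an assertion exported from your own identity provider's test login; any reported property is one that would fall back to the opaque user ID.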
Learn more
- Logging in to Cloud Pak for Data as a Service through IBM App ID (beta)
- IBM Cloud docs: Enabling authentication from an external identity provider