Authentication types

You can configure multiple authentication types for single sign-on (SSO).

You can then access your IBM Cloud Pak® console by using the configured authentication type.

The following authentication types are supported:

Note: Multiple factor authentication (MFA) uses multiple authentication technologies to verify a user's identity. The foundational services IAM supports MFA by leveraging third party identity provider MFA capability. When IAM is integrated with the third party identity provider through SAML or OIDC, Cloud Pak can support MFA to authenticate users when the identity provider enables MFA.

After you install your IBM Cloud Pak®, when you access the console, you can see the login options that are available. You can see the login options only for the authentication types that are configured in your cluster. If you configure only the default authentication type (IBM provided credentials), you do not see any login option. You must then access your IBM Cloud Pak® console by using the default authentication type.

The console login cookie saves the authentication type that you select for 24 hours. When you access the login page within 24 hours, you see the login page for the same authentication type. You can choose another authentication type by clicking Change your authentication type.

Note: If you remove the Enterprise LDAP or disable Enterprise SAML configuration from your cluster, first clear the browser cache before you access the console login page.

Setting the preferred login options

When you configure multiple authentication types in your cluster, all the configured types are displayed on the console login page as authentication options.

If you want the console login page to display any one or a selected set of the configured login options, you can set the preferred login options.

To set the preferred login options before IAM service installation, see setting the preferred login options in Configuring foundational services by editing the CommonService custom resource.

To set the preferred login options after IAM service installation, complete these steps:

  1. Log in to your infrastructure node by using the oc login command.

  2. Edit the platform-auth-idp configmap.

    oc edit cm platform-auth-idp --n ibm-common-services

    In the data section, you see the PREFERRED_LOGIN data definition, which has no values set by default.

  3. Add the login options that you want to display on the cosole page. For example, PREFERRED_LOGIN: "SAML","LDAP","OIDC". Use the following parameter values:
    • For default authentication, use DEFAULT
    • For enterprise LDAP, use LDAP
    • For enterprise SAML, use SAML
    • For OpenShift authentication, use ROKS
    • For OpenID Connect, use OIDC

  4. Restart the auth-idp pod by deleting it.

    1. Get the auth-idp pod name.
      oc get pods -n ibm-common-services | grep auth-idp
      Following is a sample output:
      auth-idp-785df784f5-qcx4z                          4/4     Running   0          39d
    2. Delete the auth-idp pod.
      oc delete pod <auth-idp-pod-name> -n ibm-common-services
    3. Restart the common-web-ui pod by deleting it.
    4. Get the common-web-ui pod name.
      oc get pods -n ibm-common-services | grep common-web-ui
    5. Delete the common-web-ui pod.
      oc delete pod <common-web-ui-pod-name> -n ibm-common-services

    After the pods restart, your preferred login options are visible on the console login page.

Using foundational services IAM for authentication

You can log in to the Red Hat® OpenShift® Container Platform console by using your foundational services or the IBM Cloud Pak access credentials. For more information, see Configuring foundational services IAM for single sign-on.