Configuring single sign-on using OpenID Connect (OIDC)
Using OIDC, you can configure single sign-on (SSO) between your product and supported providers. You can configure OIDC with just-in-time (JIT) provision only.
OIDC is an authentication protocol layer that is built on the OAuth 2.0 protocol. It allows the third-party applications to:
- Verify the identity of the users.
- Get the basic profile information about the users.
The following steps represent the flow that happens during SSO configuration by using OIDC:
-
A user attempts to access a service in your product through a web browser.
-
Your product verifies whether an authentication token is present.
-
If no authentication token is present, your product redirects the request for authentication to the third-party authorization server of the user.
-
The authorization server presents a login page to the user.
-
If the user logs in successfully, the authorization server redirects the user, along with the OIDC response, to your product.
-
Your product generates an authentication token and grants access to the service that the user requested.
. The IM
service enables PKCE by default. If your OIDC provider configures
PKCE, you can use it for authentication in the IM login flow. If
the OIDC provider does not configure PKCE, it does not impact the
IM login flow.Configuring SSO in your product by using OIDC
See the following notes:
-
You can configure SSO with OIDC support by using the IdP V3 APIs. For more information, see IdP V3 APIs.
-
Currently, OIDC is the only supported protocol with the IdP V3 version.
-
To verify whether you have OIDC support or not, see Getting the list of registered OIDC clients by query.
Before you begin
Log in to any of the following platforms by using the provided
IdP links and register yourself in the application. During
registration, use application URL as cp-console URL and redirect
URL as
https://<cp-console-url>/ibm/api/social-login/redirect/<name
of the oidc>. Once you are registered, you can get the
unique client ID, client secret and discovery_url
endpoint. Currently, only these platforms are verified to register
the OIDC by using the IdP V3 API.
| Platform | IdP link |
|---|---|
| IBM Security Verify (ISV) | https://www.ibm.com/docs/en/erqa?topic=using-security-verify-as-oidc-provider Whenever you perform the attributes mapping through the OIDC provider in the ISV application, enable the Send all known user attributes in the ID token option. And, ISV groups must not contain spaces. |
| Google Cloud Platform | https://cloud.google.com/identity-platform/docs/web/google |
| Microsoft | https://cloud.google.com/identity-platform/docs/web/microsoft |
| Okta | https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_OIDC.htm |
Procedure
To configure SSO, complete the following sequence of steps:
-
Register the OIDC clients. For more information, see Registering the OIDC clients.
-
Get the list of registered OIDC clients. For more information, see Getting the list of registered OIDC clients.
If you need to delete the registration of the client, see Deleting the registration of the client.
-
Open the Cloud Pak home page to verify whether the OIDC is successfully configured.
Note: After the OIDC is successfully configured, you can log in to the cp-console. However, to log in to the Cloud Pak Platform and to get the OIDC successfully configured, first you need to grant access to capabilities within an IBM Cloud Pak. Then, the OIDC users are able to log in to the Cloud Pak Platform. -
To authenticate, click the corresponding OIDC link in the Cloud Pak home page.
Granting access to capabilities within an IBM Cloud Pak
For more information, see Granting access to capabilities within an IBM Cloud Pak .