Identity and Access Management (IAM)
Learn how to manage security and access to your platform.
If you are using the IAM operator service as part of an IBM Cloud Pak®, see the documentation for that IBM Cloud Pak® to learn more about how to install and use the operator service. For more information about IBM Cloud Paks, see IBM Cloud Paks that use IBM Cloud Pak foundational services.
What's new for the IAM service
IAM service v3.23.x
- Cloud Pak can use the Azure-IAM integration through SCIM to manage users and groups at the Cloud Pak end. The Azure-IAM integration also handles authentication and authorization for the resources. For more information, see IBM Cloud Pak SCIM Azure AD integration.
- IAM supports a recursive method that enables nested search for Tivoli Directory Server (TDS) and Security Directory Server (SDS) through the SCIM APIs. For more information, see Recursive method to support nested search for TDS/SDS.
- From foundational services version 3.23 and later, the LDAP connection configuration accepts all special characters in the Group filter and User filter. For the special characters that have been validated and tested in these filters, see LDAP filters.
IAM service v3.22.x
- Cloud Pak can use the Okta-IAM integration through SCIM to manage users and groups at the Cloud Pak end. For more information, see IBM CloudPak SCIM Okta integration.
- IAM supports nested search for Tivoli Directory Server (TDS) and Security Directory Server (SDS). For more information, see Enabling LDAP Nested Search.
- A custom search base for the LDAP user entity is supported through the SCIM APIs. For more information, see Custom search base support for LDAP group and user entity in SCIM group and user APIs.
- The LDAP Group filter value is applied when you query the groups of a SCIM user. For more information, see Custom Group filter support in SCIM User API.
IAM service v3.21.x
- From foundational services version 3.21 and later, server-side pagination is supported for LDAP. For more information, see SCIM pagination support for LDAP server.
- From foundational services version 3.21 and later, you can use a custom search base for the LDAP group in the SCIM APIs. For more information, see Custom search base support for LDAP group in SCIM group APIs.
IAM service v3.20.x
- You can enable nested search for Microsoft Active Directory from the console. For more information, see Enabling nested group search for Microsoft Active Directory.
- From IBM Cloud Pak foundational services version 3.20 and later, you can register SAML clients by using the IdP V3 API. For more information, see Registering the SAML clients using IdP V3.
IAM service v3.19.x
- From foundational services version 3.19.0 and later, you can export the SAML metadata by using the samlmetadata API. For more information, see Export metadata.
- You can register an OIDC provider by using the IdP V3 API. For more information, see IdP V3 API.
- From foundational services version 3.19 and later, the Group filter and Group member ID map filters accept one or more values. For more information, see Default LDAP filters by LDAP type.
- From foundational services version 3.19 and later, the LDAP search is enhanced: by default, foundational services supports an LDAP query filter size limit of up to 5000. Because the bulk of a group's members can now be retrieved in a single LDAP search, group API performance is also improved. For more information, see Enhanced SCIM group API performance.
IAM service v3.16.x
- You can configure System for Cross-domain Identity Management (SCIM) by using your product UI. You can select the User and Group attributes that map the identity provider attributes to the SCIM attributes. For more information, see SCIM configuration by using your product UI.
IAM service v3.12.x
- Identity Provider APIs are introduced. For more information, see Identity Provider APIs.
IAM service v3.11.x
- You can change the default custom hostname and TLS secret by using the cs-onprem-tenant-config configmap and apply the changes by running the job. For more information, see Updating custom hostname and TLS secret.
- LDAP configuration is not necessary for SAML integration in IBM Cloud Pak foundational services version 3.11.0 and later. For more information, see IAM for your product platform users.
- To support the SCIM APIs for a configured LDAP connection in IBM Cloud Pak foundational services, you can update the SCIM_LDAP_ATTRIBUTES_MAPPING data with the attributemapping API. For more information, see Updating SCIM LDAP attributes mapping.
IAM service v3.10.x
- Support for the new OAuth client authentication flow for application-to-service authentication and authorization. For more information, see Getting access token by using cpclient_credentials.
IAM service v3.9.x
- The Cloud Pak Administrator role has been added. It has admin access to the namespaces that the namespace operator watches and all the permissions of the account administrator; in addition, it can configure IdPs, SAML, and directory connections. For more information, see Platform roles and actions.
- The IAM authentication APIs have been updated: support for the JWK endpoint is added, and client_credentials and signature changes were added to the /userInfo and /introspect endpoints. For more information, see OIDC Registration APIs.
- The Platform UI service is available with IBM Cloud Pak foundational services Installer version 3.7.x. This service includes new features for managing users and console access. If you have both the IAM service and the Platform UI service installed, use the IAM service to configure your LDAP connections and the Platform UI service to manage users. This service is available when you install the ibm-zen-operator.
IAM service v3.8.x
- You can add users to a team by providing the user information instead of the team payload. For more information, see Assign users to a team by providing the user information.
- You can remove a user from a team by providing the user ID. For more information, see Assign users to a team by providing the user information.
- The cluster permissions that the IAM service needs are documented in Table 9. Cluster permissions of IBM IAM Operator and Table 10. Cluster permissions of IBM IAM Operand.
IAM service v3.7.x
- Authentication with Red Hat OpenShift is now enabled by default. For more information, see Delegating authentication to OpenShift.
- If you are delegating authentication to OpenShift, you can now change the default admin username that is created during installation. For more information, see Using a custom default cluster administrator username.
- You can now customize the OpenID Connect (OIDC) claims based on your authentication requirements. For more information, see Adding custom OIDC claims.
  - To customize the claims before IAM service installation, see Adding custom OIDC claims.
  - To customize the claims after IAM service installation, see Adding custom OIDC claims.
- You can now disable nonce. The nonce ties an ID token to the client session that requested it and is the OIDC protection against ID token replay, so disable it only for clients that cannot send one. For more information, see Disabling nonce.
IAM service v3.5.0 and v3.6.0
The service is now available as an operator-based service, ibm-iam-operator.
The following capabilities are now available for you to use with the service:
- Use the IAM service for single sign-on (SSO) to access the OpenShift Container Platform console. For more information, see Configuring foundational services IAM for single sign-on.
- Use a CustomResourceDefinition (CRD) for OpenID Connect (OIDC) registration. For more information, see Automated client registration method 3.
- Add a redirect page that is displayed when you log out of the OpenShift Container Platform console. For more information, see Adding a logout redirect URL.
IAM service v3.4.0
The service is now available as a part of IBM Cloud Pak foundational services for managing security and access to your platform.
Available versions
How to check which service version you are using
You can check the installer version in the configmap by running the following command:
oc -n kube-public get ConfigMap ibmcloud-cluster-info -o jsonpath='{.data.version}'
3.6.0
You can check the Common service operator full version and deployed namespace by running the following command:
oc get csv --all-namespaces | grep common-service-
common-service IBM Cloud Platform Common Services 3.6.3 ibm-common-service-operator.v3.5.6 Succeeded
ibm-common-services IBM Cloud Platform Common Services 3.6.3 ibm-common-service-operator.v3.5.6 Succeeded
If there is no ibmcloud-cluster-info configmap in your cluster, the service was installed by installer version 1.1.0 and the service is version 3.5.0 or newer. Check the Installed Operators tab in the Red Hat OpenShift Container Platform console to find the exact version.
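The version check above as a script, added here as an example and not part of the IBM documentation. The two oc commands from this section are wrapped in functions, and the parsing is kept separate from the cluster calls so it runs offline on constructed sample output that copies the shapes shown above. The function names, the sample rows, and the fallback from the configmap to the VERSION column of the CSV are assumptions of this example. A numeric version comparison is included because the features in the "What's new" list are gated by foundational services version (for example, samlmetadata export from 3.19.0), and a plain string compare orders 3.9.0 after 3.10.0.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: resolve the foundational
# services version as the section above describes (configmap first, CSV as
# the fallback) and compare it against a minimum. Function names, the
# fallback order and the sample data below are assumptions of this example.

# Installer version from the ibmcloud-cluster-info configmap. Prints nothing
# when the configmap does not exist (the case the section above describes).
cm_version() {
    oc -n kube-public get ConfigMap ibmcloud-cluster-info \
        -o jsonpath='{.data.version}' 2>/dev/null
}

# CSV rows for the common service operator, as printed by the section's
# second command.
csv_rows() {
    oc get csv --all-namespaces | grep common-service-
}

# Namespace is the first column of a CSV row.
csv_namespace() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# VERSION column of a CSV row. DISPLAY can contain spaces and NAME/REPLACES
# end in .vX.Y.Z, so take the first whitespace-separated field that is a
# bare X.Y.Z (3.6.3 in the sample rows below).
csv_version() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit } }'
}

# Report the version and where it came from. Arguments are the configmap
# output (possibly empty) and the CSV rows, so the logic runs offline.
resolve_version() {
    cm="$1"
    rows="$2"
    if [ -n "$cm" ]; then
        printf 'installer-configmap %s\n' "$cm"
        return 0
    fi
    # No configmap: the service is 3.5.0 or newer; use the CSV instead.
    first=$(printf '%s\n' "$rows" | head -n 1)
    v=$(csv_version "$first")
    if [ -z "$v" ]; then
        echo 'no-version-found' >&2
        return 1
    fi
    printf 'operator-csv %s\n' "$v"
}

# Numeric comparison of dotted versions; returns 0 when $1 >= $2. A string
# compare would put 3.9.0 after 3.10.0; this does not.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi != yi) exit (xi < yi)
        }
        exit 0
    }'
}

# Live check against a logged-in cluster: requires oc.
check_cluster() {
    resolve_version "$(cm_version)" "$(csv_rows)"
}

# Constructed sample output in the shapes shown in the section above.
SAMPLE_CM='3.6.0'
SAMPLE_ROWS='common-service IBM Cloud Platform Common Services 3.6.3 ibm-common-service-operator.v3.5.6 Succeeded
ibm-common-services IBM Cloud Platform Common Services 3.6.3 ibm-common-service-operator.v3.5.6 Succeeded'

# Offline demonstration: with and without the configmap, then a gate on the
# 3.19.0 minimum for the samlmetadata API.
resolve_version "$SAMPLE_CM" "$SAMPLE_ROWS"
resolve_version '' "$SAMPLE_ROWS"
if version_ge "$SAMPLE_CM" 3.19.0; then
    echo 'samlmetadata export available'
else
    echo 'samlmetadata export needs 3.19.0 or later'
fi
```

Against a real cluster, call check_cluster after logging in with oc; the offline demonstration at the end of the script uses only the constructed sample data. The version parser takes the first bare X.Y.Z field rather than the NAME or REPLACES columns so that it still reports the installed version (3.6.3 in the sample) and not the replaced one (3.5.6).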