Configure Identity Providers
The IBM webMethods iPaaS Identity Provider functionality enables you to configure identity providers that can authenticate IBM webMethods iPaaS users. IBM supports SAML 2.0.
Single Sign-On (SSO) is an authentication mechanism that allows users to access multiple applications by using a single ID and password.
IBM webMethods iPaaS supports SSO that allows users to authenticate themselves against an Identity Provider (IdP) rather than obtain and use a separate username and password. Once the IdP authenticates the users, it informs IBM webMethods iPaaS about it, which in turn lets the users access the applications without having to sign in using their IBM webMethods iPaaS credentials. This makes the login process easier, faster, and more secure.
Log on to IBM webMethods iPaaS as a user with Cloud-Tenant-Administrator privileges.
In IBM webMethods iPaaS, you can grant access to external identity provider users by assigning the default IBM webMethods iPaaS roles to the users, or by assigning IBM webMethods iPaaS roles to the users based on external identity provider group membership. If you want to do the latter, go to Administration > Roles and note the role names.
Create the URI for connecting the external identity provider to IBM webMethods iPaaS:
a. Go to Administration > Single-sign on > Add identity provider.
b. Specify the identity provider display name and unique identifier.
c. Copy the auto-created URI that appears in the IBM webMethods iPaaS redirect URI field to the clipboard. You can use the icon at the far right of the field to copy.
Configure your identity provider using the following examples:
Complete the configuration in IBM webMethods iPaaS:
a. Return to the Metadata page and complete the fields. If you copied the external identity provider metadata URI or saved the metadata to file, choose to import and then specify the URI or file.
b. Click Next.
c. Go to the Configuration page and complete the fields as necessary. If you imported the external identity provider metadata, some of the fields are pre-populated with the corresponding metadata. If you did not import metadata, the IBM webMethods iPaaS fields map to external identity provider attributes as follows:
Tab Name | Field Name | Description | Identity Provider Attribute or Field
---|---|---|---
Metadata | Single Sign-On Type | SAML 2.0 | N/A
Metadata | Identity provider display name | Friendly name of the identity provider. | N/A
Metadata | Identity provider unique identifier for use in IBM webMethods iPaaS redirect URI | Unique identifier for the identity provider. | N/A
Metadata | IBM webMethods iPaaS redirect URI | URI that redirects external identity provider users to IBM webMethods iPaaS. | Copy the IBM webMethods iPaaS redirect URI to these fields:
Configuration | NameID policy format | Format to use for the subjects of SAML assertions. |
Configuration | Single sign-on service URL | URL of the identity provider endpoint/service to which applications must submit service requests (SAML AuthnRequests). | If you are creating the identity provider from scratch in IBM webMethods iPaaS (as opposed to importing a configuration), copy the value from this identity provider field to the IBM webMethods iPaaS field:
Configuration (SAML advanced settings) | HTTP-POST binding response | Whether the identity provider uses HTTP-POST binding to respond to authentication requests instead of the default HTTP-Redirect binding. Default value is true. | N/A
Configuration (SAML advanced settings) | HTTP-POST binding for AuthnRequest | Whether the identity provider expects applications to use HTTP-POST binding to submit authentication requests instead of the default HTTP-Redirect binding. Default value is true. | N/A
Configuration (SAML advanced settings) | Assertions signed (on/off) | Whether the identity provider signs SAML assertions and sends the signed assertion. | If you set the IBM webMethods iPaaS field to On, set this attribute as follows:
Configuration (SAML advanced settings) | Assertions encrypted | Whether IBM webMethods iPaaS expects an encrypted assertion from the identity provider. | If you set the IBM webMethods iPaaS field to On, create the certificate as follows: i. Copy the Service Provider Descriptor URL from the Configuration tab in IBM webMethods iPaaS and open it in a browser. Note: This field is visible only after the Single sign-on profile is saved. ii. Copy the content of the X509Certificate attribute from the response to a file, add the header `-----BEGIN CERTIFICATE-----` and the footer `-----END CERTIFICATE-----`, and save the file with the extension .cert. Set this attribute and upload the certificate:
Configuration (SAML advanced settings) | Validate signature | Whether IBM webMethods iPaaS validates SAML assertion signatures. | If you set the IBM webMethods iPaaS field to On, copy the public certificate from the identity provider to the Validating X509 Certificates field in IBM webMethods iPaaS. You can obtain the certificate as follows: i. Copy the X.509 Certificate from the View Setup Instructions link in the Sign-on tab of the application and remove the `-----BEGIN CERTIFICATE-----` header and the `-----END CERTIFICATE-----` footer. ii. Copy the X.509 Certificate by downloading the metadata file provided at the Identity provider Metadata link in the Sign-on tab of the application. Go to Azure Active directory > Enterprise applications > Symantec Web Security Service (WSS) > Single sign-on > SAML Signing Certificate and download the certificate provided at the Certificate (Base64) link. Auto-populated if the federation metadata was imported using a file. If the Create from scratch option was used, then copy the content inside the tag
Attributes | Username | Name of the SAML attribute that identifies the user. | Always the NameID attribute value in the identity provider (for example, an email address or user name).
Attributes | Work email | Name of the SAML attribute that provides the user's email address. |
Attributes | First name | Name of the SAML attribute that provides the user's first name. |
Attributes | Last name | Name of the SAML attribute that provides the user's last name. |
Roles | IBM webMethods iPaaS Roles | Roles set in the identity provider. The values are reflected in the SAML assertion. In the SAML assertion response, IBM webMethods iPaaS looks for a key named "roles" to get the list of roles. |
d. Click Next.
e. On the Attributes page, type the user attribute names you specified in the identity provider.
f. Click Next.
g. On the Roles page, you can grant access to identity provider users as follows:
By assigning default IBM webMethods iPaaS roles to Identity Provider user
Click Assign default IBM webMethods iPaaS roles to users. Later, you can go to individual IBM webMethods iPaaS products and modify the access.
By assigning IBM webMethods iPaaS roles to identity provider users based on Identity Provider group membership
Click Assign IBM webMethods iPaaS roles to users by mapping to identity provider roles.
Click +, select an IBM webMethods iPaaS role, and then type the name of the Identity Provider group that corresponds to the role. IBM webMethods iPaaS updates the user role assignments at each login. If an identity provider role matches the SAML assertion, the role is added. If not, the role is removed.
h. Save the identity provider configuration.
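The certificate handling in the Assertions encrypted and Validate signature rows, and the per-login role reconciliation in step g, as an added Python example (not IBM code): it assumes constructed sample SP metadata and assertion XML with a placeholder certificate body, and hypothetical role names (Administrator, Developer, Auditor) standing in for the role names noted from Administration > Roles.

```python
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed samples, not IBM output; the certificate body is a placeholder string.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ipaas.example/sp">
 <md:SPSSODescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>
   MIIBPLACEHOLDERCERTIFICATEBODY0123456789
   ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
  </ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>"""

ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement><saml:Attribute Name="roles">
  <saml:AttributeValue>ipaas-developers</saml:AttributeValue>
  <saml:AttributeValue>ipaas-auditors</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

def x509_to_pem(metadata_xml):
    """'Assertions encrypted', step ii: take the X509Certificate value from the
    SP descriptor and wrap it with the PEM header and footer."""
    value = ET.fromstring(metadata_xml).find(".//ds:X509Certificate", NS).text
    body = re.sub(r"\s+", "", value)  # metadata usually line-wraps the base64
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")

def pem_to_bare(pem_text):
    """'Validate signature', step i: drop header, footer and line breaks."""
    return "".join(l.strip() for l in pem_text.splitlines() if not l.startswith("-----"))

def assertion_roles(assertion_xml):
    """NameID plus the values of the 'roles' attribute the Roles row refers to."""
    root = ET.fromstring(assertion_xml)
    groups = root.findall(".//saml:Attribute[@Name='roles']/saml:AttributeValue", NS)
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS), [g.text.strip() for g in groups]

def sync_roles(current_roles, role_to_group, groups):
    """Per-login reconciliation from step g: a mapped role is added when its IdP
    group is in the assertion and removed when it is not. Roles outside the
    mapping are assumed untouched (the page does not say)."""
    added = sorted(r for r, g in role_to_group.items() if g in groups and r not in current_roles)
    removed = sorted(r for r, g in role_to_group.items() if g not in groups and r in current_roles)
    return added, removed
```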
IBM webMethods iPaaS allows you to configure one or more identity providers for authenticating against your corporate user directory. This eliminates the need for users to manage separate credentials for IBM webMethods iPaaS environments.
On the default login page, you can enter IBM webMethods iPaaS credentials and also find the links to your identity providers for Single Sign-on.
If most of your users expect to sign in with a primary identity provider, you have the option to set it as the default login page using the following steps:
Sign in to IBM webMethods iPaaS as a user with Cloud-Tenant-Administrator privileges.
Go to IBM webMethods iPaaS > Administration page, and click the Single sign-on tab.
The Identity Providers section on the main page gives an overview of the identity providers configured in the tenant.
The table provides information such as the Identity provider name, Single sign-on type, Status, and Login URL for each identity provider. The Login URL functions as a direct link for redirecting the users to the identity provider login page and you can copy this URL to use it directly in the browser.
For detailed steps on how to add an identity provider, see the Basic Flow section.
Use the Default Identity provider option to establish the primary login interface for authenticating across all IBM webMethods iPaaS products.
By default, IBM webMethods iPaaS is selected as the Default identity provider. You can also select from any one of your Identity Providers (IdP) as the default identity provider from the dropdown menu.
For example, if OKTA is selected as the default identity provider, all login requests will be redirected to the OKTA login page for authentication.
When you select your IdP as the default identity provider, the IBM webMethods iPaaS login URL option becomes active, which you can use to log in to IBM webMethods iPaaS in case the default identity provider URL is inaccessible.