Credit: IBM
How IBM Cloud users are managed in hybrid environments
Editor’s note: Bluemix is now IBM Cloud. All the Bluemix products, services, support, and more will continue being offered with no changes.
The different deployment options within IBM Cloud impose different requirements on how users are authenticated. This article explains the various ways in which IBM Cloud users can be managed and authenticated. If you are using a dedicated or local cloud, this article is for you.
Types of IBM Cloud environments
Before we cover the different authentication methods, decide which environment best suits your application. Two deployment methods are available in IBM Cloud:
- IBM Cloud Public provides more than 130 unique services, including offerings like Weather.com, and hosts millions of running applications, containers, servers, and more. Developers can start running their applications on IBM Cloud right away.
- IBM Cloud Dedicated provides enterprises with their own cloud environment on physically isolated hardware in a data center. Single-tenant and provisioned on a combination of bare metal and virtual machines, this IBM Cloud environment is created for a single customer.
These deployment methods impose different requirements on how users are managed. The following sections explain the options you have for managing and authenticating users.
Supported authentication methods
IBMid
Availability: Public and Dedicated
An IBMid provides access to several IBM applications, service trials, communities, support, online purchasing, and more. An IBMid is managed by its owner, and its properties, including profile information and password, are stored on IBM servers. Password management (changing a password, or obtaining a new one if the old one is forgotten) is done through IBM pages. IBMid passwords must follow the restrictions set out in the IBMid password policy.
IBMid with SAML federation
Availability: Public and Dedicated
IBMid also allows IBM customers and partners to integrate IBMid authentication with their organization’s SAML identity provider through IBMid federation. With federation, the organization’s SAML identity provider handles all of the users who use IBM web applications and cloud services: the organization performs all password-related tasks and authenticates its own users. A company can therefore use its own login page and security controls to secure access to IBM Cloud apps or IBM services.
For details on IBMid federation, the prerequisites, and the adoption process, refer to the IBMid Enterprise Federation Adoption Guide.
Clients and authentication methods
Authentication for the browser-based IBM Cloud client
The IBM Cloud console is a browser-based application. Users are authenticated to IBM Cloud with the OAuth 2.0 protocol: the IBM Cloud authentication component issues an OAuth 2.0 token containing the user’s identity to the IBM Cloud console, independent of the selected authentication method.
Figure 1. General authentication flow for the browser-based IBM Cloud client
In the case of IBMid or IBMid with SAML federation, the IBM Cloud authentication component redirects the user’s browser to another server and retrieves the user’s identity from that server’s response.
Authentication for command line and native applications
Widely known native applications that leverage IBM Cloud authentication
are:
None of these applications, including the above, rely on a browser interaction to authenticate to IBM Cloud, and they share these common characteristics:
- Prompting for credentials: These applications display their own dialog for entering the user name and password. Be aware that you have to trust the source of the application, because you are handing it your credentials; a malware version of such an application can capture them.
- Authentication validation: These applications send the user name and password directly to the IBM Cloud authentication component using the OAuth 2.0 “password grant” method.
Where possible, the IBM Cloud authentication component forwards the user name and password to the back-end authentication server. This works for IBMid without federation, but not for IBMid with SAML federation: the SAML federation protocol is browser-based and offers no mechanism that is compatible with the password grant.
To allow such clients to authenticate with IBM Cloud in those configurations, you can use your web browser to obtain a “one-time passcode” and then log in to the native application with it. This requires the native application to support this interaction type. The following flow diagram shows the sequence for a successful login in those environments:
Figure 2. Authentication flow with one-time passcode
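As an added illustration of the two command-line paths described above (example code, not IBM’s implementation; the class and method names, error strings, and the five-minute passcode lifetime are assumptions), the following toy model of an authentication component accepts the password grant only for non-federated IBMids and otherwise requires a browser-issued passcode that is single-use and expires, so a passcode captured by a rogue client cannot be replayed after it has been used:

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass, field

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

@dataclass
class User:
    name: str
    password_hash: str      # only meaningful for non-federated IBMids
    federated: bool         # True: the password lives at the organization's SAML IdP

@dataclass
class AuthComponent:
    """Toy model (hypothetical) of the IBM Cloud authentication component."""
    users: dict
    passcodes: dict = field(default_factory=dict)  # passcode -> (username, expiry)
    ttl: int = 300                                 # assumed passcode lifetime, seconds

    def _issue(self, user):
        # Constructed stand-in for the OAuth 2.0 token carrying the user's identity.
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "sub": user.name}

    def token_password_grant(self, username, password):
        """OAuth 2.0 password grant, as used by CLI/native clients."""
        user = self.users.get(username)
        if user is None or user.federated:
            # SAML federation is browser-redirect based: there is no back-end that
            # accepts a raw password, so the grant is refused for federated users.
            return {"error": "unsupported_grant_for_user"}
        if not hmac.compare_digest(user.password_hash, sha256(password)):
            return {"error": "invalid_grant"}
        return self._issue(user)

    def browser_issue_passcode(self, username, now=None):
        """Called only after the browser flow (IBMid or SAML) authenticated the user."""
        code = secrets.token_urlsafe(8)
        self.passcodes[code] = (username, (now or time.time()) + self.ttl)
        return code

    def token_passcode_grant(self, code, now=None):
        """CLI/native login with the one-time passcode pasted from the browser."""
        entry = self.passcodes.pop(code, None)     # pop: a captured code cannot be replayed
        if entry is None:
            return {"error": "invalid_grant"}
        username, expiry = entry
        if (now or time.time()) > expiry:
            return {"error": "invalid_grant", "reason": "expired"}
        return self._issue(self.users[username])
```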
Summary
To summarize, the following table lists the characteristics of each of the four different authentication methods.
Table 1. Characteristics of the different authentication methods

| | IBMid | IBMid with federated users |
|---|---|---|
| Availability | | |
| IBM Cloud Public | X | X |
| IBM Cloud Dedicated | X | X |
| Password management and policy | | |
| IBM | X | |
| Customer | | X |
| Application types supported | | |
| Browser-based | X | X |
| CLI/native with credentials | X | |
| CLI/native with one-time passcode | X | X |
| Enabled for customer-provided two-factor authentication | | X |
| Authentication to IBM Cloud Public without re-login | X | X |
Appendix
Required information for IBMid/IBMid with federated users
IBMid is active in IBM Cloud Public by default and is automatically used
for IBM Cloud Dedicated without providing any further details.
Customers who want to federate their SAML identity provider with IBMid need to follow this process.
The steps in the federation process are independent of the configuration of
the Dedicated or Local instance and can be executed before or after the
IBM Cloud environment is configured for the customer.