
Managing identity providers

Configure custom identity providers (IdPs) for SAML single sign-on so that your organization's users can authenticate with their existing corporate credentials.

Note:

Identity provider management is available to Enterprise plan admins only.

Configure a custom identity provider (IdP) to enable single sign-on (SSO) for your organization. When an IdP is configured, users are redirected to it for authentication when they log in to IBM Bob across the IDE, Bob Shell, and Bob Web.

Supported identity provider types

IBM Bob supports the following SSO protocols:

  • SAML (Security Assertion Markup Language)

Adding an identity provider

Adding an IdP is a two-step process. First, you configure the IdP and save it. Then you add the email domains that use it.

Step 1: Configure the identity provider

Go to the IBM Bob Administration page.

Select the Authentication tab.

Click Add IdP.

Enter a name for the IdP.

Select the IdP type: SAML.

Enter the configuration details for the IdP.

SAML requires the following configuration details:

  • SSO URL
  • Metadata URL or XML upload
  • Entity ID
  • Certificate

In the Attribute mapping section, map the IdP's user attributes to IBM Bob's user fields:

  • Email attribute: maps to the email address the user signs in to Bob with.
  • Name attribute: maps to the user's display name.

Click Save.

The IdP is created and appears in the table on the Authentication tab.

Step 2: Add domain filters

After the IdP is saved, add the email domains that should use it for authentication.

On the Authentication tab, locate the IdP you just created and open its settings.

In the Domain filters section, add the email domains that should use this IdP. Users whose email addresses match a configured domain are redirected to this IdP at login.

Save your changes.

Note:

Each email domain can only be associated with one IdP. If a domain is already in use by another IdP, the configuration cannot be saved until the conflict is resolved. Each domain must also be verified before SSO is enforced. See Verifying domain ownership.
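As an added example, not code from IBM Bob, the following Python shows how the attribute mapping from Step 1 and the domain filters from Step 2 fit together: the mapped email and name are pulled from a (constructed) SAML assertion, the email's domain is matched against the domain filters, and the one-IdP-per-domain rule is enforced. The attribute names "mail" and "displayName", the IdP names and the domains are assumptions; signature verification of the assertion is assumed to have happened before this point and is not shown.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. A real deployment must verify the XML signature
# (and use a hardened parser such as defusedxml) before trusting any of it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Attribute mapping as entered on the Authentication tab (attribute names are assumed).
MAPPING = {"email": "mail", "name": "displayName"}
# Domain filters: every domain belongs to exactly one IdP (constructed values).
DOMAIN_FILTERS = {"corp-saml": ["example.com"], "partner-saml": ["partner.example"]}


def extract_attributes(assertion_xml):
    """Return {attribute name: first value} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def map_user(attrs, mapping=MAPPING):
    """Apply the Bob attribute mapping; fail closed when the email attribute is absent."""
    email = attrs.get(mapping["email"], "")
    if "@" not in email:
        raise ValueError("email attribute %r missing from assertion" % mapping["email"])
    return {"email": email.lower(), "name": attrs.get(mapping["name"], "")}


def idp_for_domain(domain, domain_filters=DOMAIN_FILTERS):
    """Return the IdP whose domain filter matches, None if unmatched, error if ambiguous."""
    matches = [idp for idp, doms in domain_filters.items() if domain.lower() in (d.lower() for d in doms)]
    if len(matches) > 1:
        raise ValueError("domain %s is assigned to more than one IdP: %s" % (domain, matches))
    return matches[0] if matches else None


def resolve(assertion_xml, issuing_idp, mapping=MAPPING, domain_filters=DOMAIN_FILTERS):
    """Map the assertion to Bob user fields and check the email domain is one routed to issuing_idp."""
    user = map_user(extract_attributes(assertion_xml), mapping)
    if idp_for_domain(user["email"].rsplit("@", 1)[1], domain_filters) != issuing_idp:
        raise PermissionError("asserted email domain is not assigned to IdP %r" % issuing_idp)
    return user
```

The last check (an assumed policy, not one the page states) rejects an assertion whose email belongs to a domain that is not routed to the IdP that issued it.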

Verifying domain ownership

IBM Bob requires you to verify that your organization owns each domain before SSO is enforced for it. Verification is done by adding a DNS TXT record to your domain.

Go to the IBM Bob Administration page.

Select the Authentication tab.

Select the IdP that contains the domain you want to verify.

In the Domain filters section, locate the domain and copy the verification code shown.

In your DNS provider, add a TXT record to the domain with the following format:

bob-verify=<verification-code>

Replace <verification-code> with the code you copied from the Domain filters section.

Return to the Authentication tab and click Check verification for the domain.

The domain verification status updates to Verified when IBM Bob successfully detects the TXT record. DNS changes can take time to propagate.

Removing an identity provider

Go to the IBM Bob Administration page.

Select the Authentication tab.

Locate the IdP you want to remove and click Delete.

In the confirmation dialog, click Confirm.

Warning:

Deleting an IdP removes the SSO configuration for all associated domains. Users who relied on that IdP for authentication will need to log in through another method. A warning is shown if the IdP has verified domains.
