Cloud Services


Hybrid IdP tenant configuration
Published On May 16, 2024 - 1:22 PM

Hybrid IdP tenant configuration

Learn how to configure a hybrid IdP on a tenant.
The following sections use three different roles to explain the process:

Steps for Kyndryl Admin

To provision a new tenant on MT environment:
  1. Click
    + Create Tenant
    . The Create Tenant page displays.
  2. Complete the following fields:
    a. Customer Name: The name you want to use for the customer (for example, demo-customer)
    b. Enter Tenant Hostname: You can use the customer domain name (for example,
    c. Enter Customer Email: Kyndryl Customer Admin Kyndryl ID
    d. Enter Kyndryl Client ID: Kyndryl Customer ID
    e. API Host URL: The URL will be populated automatically once you enter the Tenant Hostname. It is the API server address
    f. Choose an Identity Provider: Select
    from the dropdown list
    g. Choose a Database Connection: Select
    from dropdown list
  3. Under Applications, click the checkbox beside
    IBM Multicloud Core Plus
  4. Select
    from the Choose Connection Type dropdown list.
  5. Click
  6. When the page refreshes, check the tenant status by entering the tenant name in the text box.
Provisioning the tenant will take approximately 5 to 10 minutes. Once the tenant is provisioned successfully, an email invitation will be sent to the Kyndryl Customer admin email entered in step 3c above.

Steps for Kyndryl Customer Admin

In order to perform these steps, you need the email invitation sent to you by the system (see above). To add the identity provider:
  1. Click
    Get Started
    from the email.
  2. Enter your Kyndryl ID log-in credential and click
    . The privacy statement screen displays.
  3. Click
    IBM Privacy Statement
    and read the document.
  4. Click
    I Accept
    . The Kyndryl Modern Operations Applications welcome screen displays with your user name and role(s).
  5. Verify that the System Admin role is displayed beneath your name.
  6. Click
    and select
    Identity Providers
    from the list.
  7. Click
    Add Identity Provider
    . The Add Identity Provider window displays. Fill in the following:
    a. Select
    b. Name: Enter the name of Identity Provider (IdP) you want to see when you try to log in to your tenant.
    c. App Federation Metadata: Select
In order to perform the next steps, you will need to have the App Federation Metadata URL and User Claim Mappings. If you do not have them, ask for them from your Customer IdP Admin.
  1. In the list below, click the link corresponding with the Identity Provider that you are adding. Follow the instructions, and then return to the next step (that is, Save the User Claims Mappings to a file).
  2. Save the User Claims Mappings to a file. You will need to upload that file later.
  3. Using the data in the App Federation Metadata URL and User Claim Mappings, fill in the text fields and other data options on the Add Identity Provider Page.
    a. Invitation Options: Select
    Disable Email Invitations
  4. Click
    . The new IdP is added to the list of Identity Providers.
  5. Ask the Customer IdP Admin to login to the tenant ( by clicking
    Sign in with okta
  6. Sign in as an Okta user who is a member of the Okta group (for example, Admin). This is required for a later step to create and configure hybrid mapping. At this point, the Okta user (Customer IdP Admin) has no associated roles and cannot perform any operations.
  7. Log in as Customer IdP Admin.
  8. As the Kyndryl Customer Admin, assign the newly added user to the Okta User tenant and to the INITIAL-SYS-ADMIN team so it will have the System Admin role.
  9. Click the Main menu on the upper-left corner of the page and select Admin and then User Access from the dropdown list.
  10. Go to Teams.
  11. Click on stocked bullets icon on the far-right end of the row of the team that you want to work with, and select
    View Details
  12. Scroll down to the Assign User(s) text box.
  13. Click the down arrow and select the newly added Okta user (Customer IdP Admin).
  14. Click

Steps for Customer IdP Admin (Okta user)

To create the Auth Config document and Mapping to IdP using Developer Console:
  1. Logout and log back in. Now the System Admin role is activated.
  2. Click the user icon in the upper-right corner of the screen and select Developer Console. The Developer Console displays the API Documentation tab. (If not, click the API Documentation tab.)
  3. Select
    from the Application dropdown list and
    from the Service dropdown list.
  4. Locate "API - POST/core/authorization/v1/authtype/configurations" for adding the auth config.
    a. Click
    Try it out
    and modify the payload as follows. Set the initial team code:
    • initial_system_admin_team_code: Team code to be set
    • initial_system_admin_org_code: Organization code for your Kyndryl Modern Operations Applications team
    • initial_system_admin_team_external_ref_id: Set this to the Group name Okta, or, if for another IdP, the user of that IdP belonging to that IdP. For example: Okta user belonging to the Admin Group.
    • auth_type: Hybrid
    • name: Any name to identify
For example:
{ "initial_system_admin_team_code": "KyndrylAdmin", "initial_system_admin_org_code": "admin_org", "initial_system_admin_team_external_ref_id": "Admin", "auth_type": "hybrid", "name": "oktahybrid" }
  1. Click
    . The Response Payload is created. Take note of the ID from the response payload as it is needed in the next step.
  2. Optionally check if the team got created by selecting
    User Access
    from the Main menu dropdown list. Then select
    . The team created as KyndrylAdmin with System Admin Role should be in the list.
  3. Back in the API in the Developer console, locate POST/core/authorization/v1/configuration/idp.
  4. Create the mapping between IdP and authtype_config.
  5. Click
    Try it out
    and modify the payload as follows. The value for
    is the value of the id that you took note of in step 1, above.
    { "auth_type_id": "5e78f90143aea39e54d7c885" }
If successful, the response payload will be as follows. IdP ID is mapped to Auth Config ID.
Configuring IdP response payload
Configuring IdP response payload
Okta IdP is configured as Hybrid.
  1. Log out and log back in as Okta user (Customer IdP Admin) using the Okta login credentials.
To assign a different role to other Okta users, create a new team in the Kyndryl Modern Operations Applications with that Role and enter the group name to which those users will belong as a value for the field external_reference_id.
Do you have two minutes for a quick survey?
Take Survey