Identity providers (IdPs)
Published On Sep 04, 2024 - 11:25 AM

Understand how identity providers (IdPs) help you manage access and privilege requirements.
You can manage the out-of-the-box IdP or add new ones to connect to your external user repositories. Since the platform may contain multiple IdPs, you can add, edit, and delete different IdPs.
The benefit of IdPs is that you can quickly add primary and secondary access providers to securely manage your Kyndryl Modern Operations Applications.
The following permissions are needed to manage IdPs. The Platform Administrator role, which is the out-of-the-box role granted to you when the account is first created, is the only role that includes all of these permissions. Alternatively, as a Platform Administrator, you can create Custom Roles and assign these permissions to them.
Permission               Description
iam.idp-metadata.view    Allows viewing identity provider data
iam.idp.view             Allows viewing an identity provider
iam.idp.create           Allows creating an identity provider
iam.idp.replace          Allows replacing fields of an identity provider
iam.idp.update           Allows updating an identity provider
iam.idp.delete           Allows deleting an identity provider
iam.globalidp.view       Allows viewing global identity providers

Accessing the IdP page

To access the identity provider settings page, follow these steps:
  1. Access the IAM page.
  2. Select Identity Provider from the left navigation bar of the page. The identity provider page opens.
On the IdP page, you can perform a series of actions to personalize your IdP settings, including the following:
  • Adding a new IdP
  • Editing an existing IdP
  • Deleting an existing IdP
  • Changing the primary IdP

Adding a new IdP

  1. Click Add New.
  2. Select Add Identity Provider. The Add Custom ID Provider page opens.
  3. Select the authentication protocol:
    • OpenID
    • SAML2.0
  4. Enter a Name.
  5. Enter a Display name.
If you select SAML as your authentication protocol, fill out the following information:
  1. Protocol binding:
    • HTTP post
    • HTTP redirect
  2. NameID Format:
    • Unspecified
    • Email address
    • Persistent
    • Transient
  3. App federation metadata:
    • URL: enter the metadata URL.
    • XML file: upload the metadata XML file.
  4. User attributes and claims options. The claim mappings file maps a set of attribute claims (for example, an email to the representative value from the provider). Email invitations are enabled by default, and you may choose to disable them in the Advanced Settings page.
    • Form:
      • Select the standard claim from the dropdown list.
      • Add a custom claim.
    • File upload: upload the attributes and claims file.
  5. Click Save.
-or-
If you select OpenID as your authentication protocol, fill out the following information:
  1. Client ID
  2. Client secret
  3. Issuer
  4. Authorization endpoint
  5. Token endpoint
  6. Scopes: select the authorization scopes from the dropdown list.
  7. User profile mappings options. The claim mappings file maps a set of attribute claims (for example, an email to the representative value from the provider). Email invitations are enabled by default, and you may choose to disable them in the Advanced Settings page.
    • Form:
      • Select the standard claim from the dropdown list, and fill out the subject claim information.
      • Add a custom claim.
    • File upload: upload the attributes and claims file.
  8. Click Save.
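Most of the values the SAML and OpenID forms above ask for are published by the provider itself: a SAML IdP's federation metadata lists its entityID, the NameID formats it supports and a SingleSignOnService endpoint per protocol binding, and an OpenID provider's discovery document lists its issuer, authorization endpoint, token endpoint and supported scopes. The following Python is an added example, not code from Kyndryl or from the ModernOps platform; it resolves and sanity-checks those form fields from a constructed SAML metadata document and a constructed OpenID discovery document for a hypothetical IdP (all hostnames and URLs in it are made up).

```python
# Added example (not Kyndryl code): resolve the Add Identity Provider form
# fields from what the provider itself publishes. The SAML federation metadata
# and the OpenID discovery document below are constructed samples for a
# hypothetical IdP; every URL in them is made up.
import json
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# The two Protocol binding choices on the form, as SAML binding URIs.
BINDINGS = {
    "HTTP post": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "HTTP redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}
# The four NameID Format choices on the form, as SAML nameid-format URIs.
NAMEID_FORMATS = {
    "Unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "Email address": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "Persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "Transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

SAML_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def saml_form_fields(metadata_xml, binding, nameid_format):
    """Check the chosen Protocol binding and NameID Format against the IdP's
    federation metadata and return the values the SAML form needs."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor: this is not an IdP")
    offered = {e.text.strip() for e in idp.findall(f"{{{MD}}}NameIDFormat") if e.text}
    wanted = NAMEID_FORMATS[nameid_format]
    # "Unspecified" asks for the IdP's default, so it needs no advertisement.
    if nameid_format != "Unspecified" and wanted not in offered:
        raise ValueError(f"IdP does not advertise NameID format '{nameid_format}'")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall(f"{{{MD}}}SingleSignOnService")}
    location = sso.get(BINDINGS[binding])
    if location is None:
        raise ValueError(f"IdP offers no SingleSignOnService for '{binding}'")
    if not location.startswith("https://"):
        raise ValueError("SSO endpoint must be HTTPS")
    return {"entity_id": root.get("entityID"), "sso_url": location,
            "binding": BINDINGS[binding], "nameid_format": wanted}


OIDC_DISCOVERY = json.dumps({
    "issuer": "https://login.example.test",
    "authorization_endpoint": "https://login.example.test/oauth2/authorize",
    "token_endpoint": "https://login.example.test/oauth2/token",
    "scopes_supported": ["openid", "profile", "email", "groups"],
})


def oidc_form_fields(discovery_json, expected_issuer, scopes):
    """Derive Issuer, Authorization endpoint, Token endpoint and Scopes from an
    OpenID discovery document (normally served at
    <issuer>/.well-known/openid-configuration) and check them before use."""
    doc = json.loads(discovery_json)
    # The issuer in the document must be exactly the one you configure; a
    # mismatch means the document did not come from the provider you intended.
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    endpoints = {}
    for key in ("authorization_endpoint", "token_endpoint"):
        url = doc.get(key)
        if not url or not url.startswith("https://"):
            raise ValueError(f"{key} missing or not HTTPS")
        endpoints[key] = url
    if "openid" not in scopes:
        raise ValueError("the openid scope is mandatory for OpenID Connect")
    supported = doc.get("scopes_supported")  # optional in discovery; check when present
    unsupported = [s for s in scopes if supported is not None and s not in supported]
    if unsupported:
        raise ValueError(f"scopes not offered by the IdP: {unsupported}")
    return {"issuer": expected_issuer, **endpoints, "scopes": " ".join(scopes)}


if __name__ == "__main__":
    print(saml_form_fields(SAML_METADATA, "HTTP post", "Email address"))
    print(oidc_form_fields(OIDC_DISCOVERY, "https://login.example.test", ["openid", "email"]))
```

Two of the checks are the ones worth keeping when you fill in the real form: a NameID Format the IdP does not advertise (Transient, for the sample metadata) will produce assertions the platform cannot map to a user, and an issuer value that differs from the one in the discovery document means tokens will be issued by, and validated against, different identities.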
Additionally, click Advanced Settings at the top right side of the page to set up other IdP settings, including the following:
  • Invitation options: when email invitations are required, the user must use the email link to log in for the first time. When email invitations are optional, the user can log in with or without the email invitation.
  • Invitation validation options.
  • Trusted domains: the domains that the identity provider trusts to authenticate users.
  • Peer trust domains.
  • Authorization options:
    • External authorization
    • Internal authorization
  • Groups delimiter.
  • Hide IdP.
Make your edits and close the advanced settings page by clicking the X icon.
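The claim mapping chosen in step 4 (SAML) or step 7 (OpenID) and the Advanced Settings described above decide what happens to an assertion once the provider has authenticated a user: the mapping turns provider claims into a profile, the trusted domains bound which email domains this IdP may vouch for, the groups delimiter splits a delimited group string, and the invitation option decides whether a first login without an invitation is accepted. The Python below is an added example, not Kyndryl's code; the mapping dictionary, the incoming claims, the invitation list and the way the invitation rule is modelled are all constructed assumptions, and the platform's own claims file format is not shown here.

```python
# Added example (not Kyndryl code): apply a claim mapping to a provider's
# claims and enforce the trusted-domain, groups-delimiter and invitation
# rules from Advanced Settings. MAPPING, SAMPLE_CLAIMS and the invitation
# list are constructed; the mapping format is hypothetical, not the platform's.

# Local profile attribute -> claim name sent by the provider. The first three
# are "standard claims" picked from a dropdown; "groups" is a "custom claim"
# because this provider uses a vendor-specific claim name for it.
MAPPING = {
    "email": "email",
    "firstName": "given_name",
    "lastName": "family_name",
    "groups": "https://idp.example.test/claims/groups",
}

# Constructed claims as they might arrive in an ID token or SAML attribute
# statement. Groups come as one ";"-delimited string, hence Groups delimiter.
SAMPLE_CLAIMS = {
    "email": "alice@corp.example",
    "given_name": "Alice",
    "family_name": "Liddell",
    "https://idp.example.test/claims/groups": "ops;sre;",
}


def map_claims(mapping, claims, groups_delimiter=None):
    """Build the local user profile from provider claims via the mapping."""
    profile = {}
    for local, remote in mapping.items():
        if remote not in claims:
            continue  # unmapped optional attribute; leave it out of the profile
        value = claims[remote]
        if local == "groups" and groups_delimiter and isinstance(value, str):
            value = [g for g in value.split(groups_delimiter) if g]
        profile[local] = value
    if not profile.get("email"):
        raise ValueError("mapping yielded no email; the user cannot be identified")
    return profile


def email_domain_trusted(email, trusted_domains):
    """True only if the part after the last '@' equals a trusted domain exactly
    (case-insensitive). Prefix or suffix look-alikes are not trusted."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return False
    return domain.lower() in {d.lower() for d in trusted_domains}


def admit(profile, trusted_domains, invitations_required, invited_emails, first_login):
    """Decide whether a mapped profile may log in through this IdP.
    invited_emails/first_login model the invitation rule as an assumption."""
    email = profile["email"]
    if not email_domain_trusted(email, trusted_domains):
        return (False, "email domain is not trusted for this IdP")
    if invitations_required and first_login and email.lower() not in invited_emails:
        return (False, "first login requires the email invitation link")
    return (True, "ok")


if __name__ == "__main__":
    profile = map_claims(MAPPING, SAMPLE_CLAIMS, groups_delimiter=";")
    print(profile)
    print(admit(profile, ["corp.example"], True, {"alice@corp.example"}, True))
```

The exact-match domain check is the part to copy: matching on a suffix would let an account at a look-alike domain such as corp.example.other.test pass as trusted, and matching on the first `@` instead of the last would read the wrong domain from an address containing several.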

Editing an existing IdP

  1. Click the overflow menu next to the IdP you want to edit.
  2. Select Edit.
  3. Make the necessary updates.
  4. Click Save.

Deleting an existing IdP

  1. Click the overflow menu next to the IdP you want to delete.
  2. Select Remove.
  3. Confirm the deletion.

Changing the primary IdP

If you have added several IdPs to your platform and want to change which one is your primary IdP, follow these steps:
  1. Click the overflow menu next to the IdP you want to make primary.
  2. Select Make Primary.