Cloud applications and single sign-on

When you develop an application that supports multiple users, you need to decide how to authenticate them. Creating a database table and populating it with credentials might seem like the simple approach, but it quickly creates further challenges. For one, how will your application integrate with existing applications and their authentication services?

You can configure external authentication for Bluemix web applications with the Single Sign On (SSO) service.

SSO requires the application to use an OpenID Connect client interface

IBM Single Sign On for Bluemix is an authentication service that provides an easy-to-embed single sign-on capability for web applications. The service can be bound to multiple Bluemix applications to provide a common authentication service. Applications call the SSO service through an OpenID Connect-compatible client implementation.

Applications using SSO can support cloud directories, social media sites, and enterprise directories as identity sources

The SSO service acts as an authentication broker for multiple identity sources. Identity sources are collections of users, and each collection is identified as a realm. The following identity services are supported:

Cloud Directory

This is a basic LDAP directory hosted in the cloud. It can be populated with users that authenticate with a simple user name and password, along with several other user attributes.

Social providers

Facebook, LinkedIn, and Google are currently supported. These commonly used identity providers allow your application to authenticate users and obtain identity information including an email address.

Enterprise directory identity repositories

This integration uses SAML POST single sign-on. The on-premises website authenticates users (acting as the SAML identity provider) and then uses SAML to securely transmit that identity information to the SSO service instance, which acts in the role of a SAML service provider. A virtual appliance is available to implement an authentication portal in front of an LDAP server if one is not already configured in the enterprise.

Integration requires the implementation of an authentication callback

To add the SSO service to an application, do the following main steps:

  1. Add the Single Sign On service to the dashboard.
  2. Select the identity source or sources to configure.
  3. Configure settings for the identity source.
  4. If you use Node.js, bind the SSO service to the application and click the Integrate tab to download the Node.js module.
  5. Insert the integration code into the application; this code implements the callback method URL.
    Node.js and Java samples are provided. Other runtimes can use an OpenID Connect-compatible client library.
  6. Through the Service Integrate tab, provide the authentication callback URL and specify one or more configured identity sources for the application to use.

Related links

External authentication services (presentation slides)

Getting started with Single Sign On