Digital Business Automation Ideas

This is an IBM Automation portal for Digital Business Automation products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Status: Future consideration
Created by: Guest
Created on: Jun 25, 2024

IM/Zen support for authentication/authorization with OIDC+LDAP

CPFS Support for OIDC+LDAP ( to support CP4BA migration use cases)

Description:

The main request is about support for OIDC+LDAP in IM, but this RFE in fact has a much broader scope.
It also includes requests for:
- improvements to the IM UI, to make it easier to understand what each configuration is for and how it will be used.
- improvements to the documentation, to better explain which scenarios are supported, and what the authentication/authorization flows are between the configured IdPs, IM, Zen and the Cloud Pak components.

Today a lot is missing, or is very difficult to find or understand. For example:
* what is the purpose of the LDAP SCIM mappings, and when do they come into play?
* when is a call made to the various providers to retrieve information about the user, and when is the call skipped so that the system relies on the content of the token instead?
* how do IM, Zen, and the Cloud Pak components (for example, BAW) work together to manage authentication and authorization?
* what information is required for IM to act as a SCIM provider for the Cloud Pak components, and where does it get this information from (token, LDAP/SCIM, etc.)?

Regarding support for OIDC+LDAP: an OIDC token doesn't always contain all the information that is currently mandatory in the IM OIDC configuration.
In particular, groups or roles are not always included.
The Cloud Pak must be able to authenticate users with the minimal amount of information extracted from the token, and should be able to fetch any missing information required for authorization (group membership) from LDAP or SCIM providers.

The mandatory OIDC mapping should therefore be kept to a minimum: it should only include the sub (or equivalent) and, optionally, one other attribute that will be used for the LDAP or SCIM search (preferred_username or something equivalent, for when the sub itself cannot be used as an LDAP/SCIM attribute).
The other OIDC mappings (groups, email, display name, etc.) should be optional, or should be required only when authorization must also be managed via OIDC.

NOTES:
- it should be possible to work with multiple LDAP/SCIM providers.
- all the previous requirements also apply to SAML or SAML+LDAP; there is no reason to treat SAML and OIDC differently.

A typical scenario that should be supported by this enhancement is:
- An Active Directory domain containing the business users for one entity. (In our customer situation these are the system administrators.)
- An additional LDAP provider (possibly of a different type, such as TDS, LDS, etc.) containing users from a different entity, using attributes which are not the same as the AD default attributes.
- A Keycloak IdP, federating all the users from both LDAP domains and acting as an OIDC (or SAML) provider. It is not including groups in the token. (That is not the case with BIT but shouldn’t
- CP4BA, configured to authenticate users via Keycloak/OIDC (for SSO) and to authorize users based on LDAP group membership.
- The CP4BA components would be configured to use IM as a SCIM provider to retrieve user/group information.
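As an added illustration of the flow requested above (the minimal mandatory OIDC mapping, and the fallback to LDAP/SCIM for group membership when the IdP does not put groups in the token), here is a small model in Python. It is not IBM IM/Zen code; the Directory class, the resolve_user function, the attribute names and all user, group and token data are constructed assumptions standing in for real LDAP/SCIM searches and a validated token.

```python
# Added example (not IBM IM/Zen code): models the requested flow. The directory
# objects are constructed in-memory stand-ins for LDAP/SCIM searches.
from dataclasses import dataclass

MANDATORY_CLAIMS = ("sub",)          # the only mapping that must be present


@dataclass
class Directory:
    """One LDAP/SCIM provider. Attribute names are per provider because AD
    and TDS/LDS defaults differ, as the scenario points out."""
    name: str
    login_attr: str
    group_attr: str
    entries: tuple

    def groups_for(self, login):
        """Stand-in for a directory search: groups of the user, or None if unknown."""
        for entry in self.entries:
            if entry.get(self.login_attr) == login:
                return list(entry.get(self.group_attr, ()))
        return None


def resolve_user(claims, directories, lookup_claim="preferred_username",
                 groups_claim="groups"):
    """Authenticate on the mandatory claim(s) only, then take groups from the
    token when the IdP sends them, otherwise from the first directory that
    knows the user. A user with no group data is still authenticated."""
    missing = [c for c in MANDATORY_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"token missing mandatory claim(s): {missing}")
    user = {"sub": claims["sub"], "email": claims.get("email")}  # email optional
    if groups_claim in claims:                    # authorization handled via OIDC
        return {**user, "groups": list(claims[groups_claim]), "source": "token"}
    login = claims.get(lookup_claim, claims["sub"])   # sub is the fallback search key
    for directory in directories:
        groups = directory.groups_for(login)
        if groups is not None:
            return {**user, "groups": groups, "source": directory.name}
    return {**user, "groups": [], "source": None}


# Constructed sample data (hypothetical users, groups and token payloads).
AD = Directory("corp-ad", "sAMAccountName", "memberOf", (
    {"sAMAccountName": "jsmith", "memberOf": ["cn=BAW-Admins,ou=groups,dc=corp"]},))
TDS = Directory("partner-tds", "uid", "ibm-allGroups", (
    {"uid": "m.rossi", "ibm-allGroups": ["cn=CaseWorkers,o=partner"]},))
# Token payloads assumed already signature-checked and decoded.
TOKEN_NO_GROUPS = {"sub": "kc-8f2c", "preferred_username": "jsmith", "email": "jsmith@corp.example"}
TOKEN_WITH_GROUPS = {"sub": "kc-1a9b", "preferred_username": "m.rossi", "groups": ["ODM-Users"]}
```

Note that a token without preferred_username still resolves (sub is used as the search key), and a user found in no directory is authenticated with an empty group list rather than rejected, which is the separation between authentication and authorization the request asks for.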

Idea priority: Medium