I wrote a while ago about Identity Federation and the IBM Cloud, which is basically the ability to use your enterprise credentials to log into your IBM Cloud account. This works by IBM Cloud redirecting the login to the enterprise's Identity Provider (e.g. Active Directory with ADFS), which authenticates the user and passes back a signed SAML assertion that 'vouches' for the identity of the user; IBM Cloud verifies the signature before trusting anything in it.
At the time of writing that article, that was pretty much as far as Identity Federation went, but I have just discovered that it now goes further, in the form of Dynamic Rules for Access Groups.
Now, if you’re wondering what an Access Group is: under IBM Cloud’s Identity and Access Management (IAM), rather than granting users rights to resources on a user-by-user basis, you can create an Access Group, grant the resource rights (the IAM policies) to the Access Group, and then make users members of the Access Group. It’s quite easy to do and reduces admin headaches, as you don’t end up in a situation where working out what access a user has in a large account is like untangling a mass of wires.
Since the end of Summer ’18, if you use Identity Federation, you can dynamically assign users to these groups based on the SAML assertion sent by the Identity Provider. You have the Identity Provider include an attribute (a claim) in the assertion, and a Dynamic Rule on the Access Group compares the value of that claim against its conditions, adding the user to the group when they match. So, if the user is in the ‘Developer’ group in Active Directory, that membership can be transmitted to IBM Cloud as a claim in the SAML assertion, at which point the Dynamic Rule on the Developers access group (which you will have pre-created) will place the user into it when they log in. This is really nice, as it means that another step of user admin can be kept with the identity provider rather than having to be repeated in the cloud console. The flip side is that whoever can change that attribute at the Identity Provider (membership of the source AD group, or the claim mapping in ADFS) now controls access in your cloud account, so those deserve the same change control as an IAM policy. Two practical points: write the rule conditions to match the full group name rather than a fragment, so a similarly named group does not match by accident, and remember that the rule is evaluated at login and the membership it grants lasts for the expiry period configured on the rule, so removing a user from the AD group does not revoke the access on the spot.
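To make the matching concrete, here is an added example (my own Python, not IBM Cloud's code and not part of the original post) that models how a dynamic rule is evaluated against the attributes carried in a SAML assertion at login. The operator names follow the ones IBM Cloud's Access Groups API documents for rule conditions; the realm URL, rule names, attribute names, expiry hours and the two sample users are constructed for the example, and the exact matching semantics (all conditions AND-ed, a missing claim matching nothing, CONTAINS meaning exact membership of a multi-valued claim) are this example's assumptions rather than IBM's. It shows the two cases a practitioner cares about: an assertion without the claim puts the user in no group, and a group called DeveloperAdmin does not satisfy a rule that asks for Developer.

```python
"""Model of dynamic access-group rule evaluation against SAML claims.

Constructed example; not IBM Cloud code. Operator names mirror those documented
for IBM Cloud access-group rules, but the evaluation semantics, the realm name,
the rules and the sample users below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Condition:
    claim: str       # attribute name in the SAML assertion, e.g. "groups"
    operator: str    # EQUALS, EQUALS_IGNORE_CASE, NOT_EQUALS, NOT_EQUALS_IGNORE_CASE, CONTAINS, IN
    value: str


@dataclass
class DynamicRule:
    name: str
    access_group: str          # the pre-created access group the rule feeds
    realm_name: str            # identity provider (realm) the rule applies to
    expiration_hours: int      # how long the dynamic membership lasts after login
    conditions: list = field(default_factory=list)   # every condition must hold (AND)


def _values(claims, name):
    """Return a claim as a list of strings; IdPs send single values as scalars."""
    v = claims.get(name)
    if v is None:
        return []
    return list(v) if isinstance(v, (list, tuple, set)) else [v]


def condition_holds(cond, claims):
    """Assumed semantics: exact matches only, and a missing claim never matches."""
    vals = _values(claims, cond.claim)
    if not vals:
        return False                      # deny by default
    op, want = cond.operator, cond.value
    if op == "EQUALS":
        return len(vals) == 1 and vals[0] == want
    if op == "EQUALS_IGNORE_CASE":
        return len(vals) == 1 and vals[0].lower() == want.lower()
    if op == "NOT_EQUALS":
        return all(v != want for v in vals)
    if op == "NOT_EQUALS_IGNORE_CASE":
        return all(v.lower() != want.lower() for v in vals)
    if op == "CONTAINS":                  # multi-valued claim holds exactly this value
        return want in vals               # so "DeveloperAdmin" does not satisfy "Developer"
    if op == "IN":                        # single value is in a comma-separated allow-list
        allowed = {x.strip() for x in want.split(",")}
        return len(vals) == 1 and vals[0] in allowed
    raise ValueError(f"unknown operator {op}")


def evaluate_login(rules, realm, claims, login_time):
    """Return {access_group: membership expiry} for every rule the assertion satisfies.

    Rules for other realms are ignored; if several rules feed one group the
    longest expiry wins. Membership is only re-evaluated at the next login.
    """
    memberships = {}
    for r in rules:
        if r.realm_name != realm:
            continue
        if all(condition_holds(c, claims) for c in r.conditions):
            expiry = login_time + timedelta(hours=r.expiration_hours)
            memberships[r.access_group] = max(memberships.get(r.access_group, expiry), expiry)
    return memberships


# Constructed data: a hypothetical ADFS realm and two rules on pre-created groups.
REALM = "https://idp.example.com/adfs"
RULES = [
    DynamicRule("developers-from-ad", "Developers", REALM, 12,
                [Condition("groups", "CONTAINS", "Developer")]),
    DynamicRule("ops-uk-only", "Operations", REALM, 4,
                [Condition("groups", "CONTAINS", "Ops"),
                 Condition("country", "EQUALS", "GB")]),
]

# Constructed SAML attribute sets, as seen after the assertion's signature is verified.
ALICE = {"email": "alice@example.com", "groups": ["Developer", "Ops"], "country": "GB"}
BOB = {"email": "bob@example.com", "groups": ["DeveloperAdmin"], "country": "US"}
CAROL = {"email": "carol@example.com", "groups": "Developer"}   # scalar, single group
LOGIN_TIME = datetime(2018, 9, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        result = evaluate_login(RULES, REALM, user, LOGIN_TIME)
        print(user["email"], {g: e.isoformat() for g, e in result.items()})
```

Running it shows Alice landing in both groups with different expiries, Bob in neither (his DeveloperAdmin membership is not an exact match and he fails the country check), and Carol in Developers even though her IdP sent the group as a single string rather than a list.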
For further information, check out the documentation. I’ve already started to talk about this with a number of customers and I think it’s a great feature that eases user administration.