Set up Security Assertion Markup Language (SAML) in Watson Studio Local

An administrator can set up SAML to redirect Watson Studio Local users to sign in securely through your identity provider's login page.

Important: Watson Studio Local only supports the Bearer subject confirmation method (urn:oasis:names:tc:SAML:2.0:cm:bearer). Configure your identity provider to issue assertions with that confirmation method; assertions that use holder-of-key or sender-vouches confirmation are not accepted.

To set up SAML on the Watson Studio Local Version 1.2.3 or later cluster, complete the following steps:

  1. SSH to your Watson Studio Local cluster.
  2. Edit the following values in /wdp/utils/saml/samlConfig.json:
    entryPoint
    The URL of your identity provider's login page, that is, the single sign-on endpoint that authentication requests are sent to.
    fieldToAuthenticate
    The attribute in the identity provider's response that identifies the user, such as emailAddress.
    issuer
    The name that you want to use to register Watson Studio Local with your identity provider. The identity provider uses it to recognize requests from this cluster.
    disableRequestedAuthnContext (optional)
    Controls whether authentication requests include a RequestedAuthnContext element. The default value is false. Set the value to true when you're configuring SAML with Active Directory Federation Services (ADFS) so that ADFS determines the method of authentication.
    idpCert (optional)
    The identity provider's signing certificate, used to verify the signatures on SAML responses from the identity provider. If no certificate is specified, responses are not verified, so any party that can submit a response to the cluster could assert an identity; set this value in any deployment that is reachable beyond a test lab. Remove the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines, and paste the base64 body of the certificate as a single line.
    spCert (optional)
    The certificate used to sign SAML requests to the identity provider. Register the same certificate with your identity provider so that it can verify the requests. If no certificate is specified, the requests are not signed. Remove the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines, and paste the base64 body of the certificate as a single line.
    identifierFormat (optional)
    The NameID format that Watson Studio requests from the identity provider. The format must be supported by the identity provider. If the format is not specified, the default (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) is used.
  3. Run the samlEnable.sh script. Wait for the usermgmt pods to restart.
  4. For users to be able to sign in to your cluster, they still need to be added to the cluster. Go directly to https://<your-host-name>/auth/login/login.html, sign in as admin/password, and add the new users with their intranet IDs. The next time they sign in, they can use your identity provider's login page.
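The following POSIX shell script is an added example and not one of the Watson Studio Local scripts. It performs the preparation that steps 2 and 3 rely on: it strips the PEM armour from a certificate file and joins the body onto one line (the form idpCert and spCert require), refuses to proceed when idpCert is empty because responses would otherwise go unverified, and renders the documented keys as JSON into a staging file. The identity provider URL, the issuer name, the output path and the certificate body are constructed placeholders; the real samlConfig.json may carry keys beyond those documented on this page, so merge the rendered values into it rather than overwriting it.

```shell
#!/bin/sh
# Added example, not part of the Watson Studio Local scripts. Prepares the
# certificate values for /wdp/utils/saml/samlConfig.json in the form the
# documentation requires (PEM armour removed, body on a single line), rejects
# an empty idpCert, and renders a staging config from the documented keys.
# Assumptions: hostnames, issuer, output path and the sample certificate body
# are constructed placeholders; the real file may carry additional keys.

# Strip the BEGIN/END lines from a PEM file and join the base64 body onto one
# line, which is what the idpCert and spCert fields expect.
pem_to_single_line() {
    sed -e '/-----BEGIN CERTIFICATE-----/d' \
        -e '/-----END CERTIFICATE-----/d' "$1" | tr -d '\r\n'
}

# Accept only a non-empty value that has no PEM markers and no whitespace.
is_single_line_cert() {
    [ -n "$1" ] || return 1
    case "$1" in
        *BEGIN*|*END*|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# idpCert is optional in the file, but leaving it empty means Watson Studio
# Local accepts SAML responses without verifying them. Treat that as an error.
check_idp_cert() {
    if is_single_line_cert "$1"; then
        return 0
    fi
    echo "refusing to enable SAML: idpCert is empty or malformed;" \
         "responses from the identity provider would not be verified" >&2
    return 1
}

# Render the documented keys as JSON. Arguments: entryPoint, issuer, idpCert,
# spCert (may be empty, in which case requests are unsigned), output path.
write_saml_config() {
    entry_point=$1 issuer=$2 idp_cert=$3 sp_cert=$4 out=$5
    check_idp_cert "$idp_cert" || return 1
    cat > "$out" <<EOF
{
  "entryPoint": "$entry_point",
  "fieldToAuthenticate": "emailAddress",
  "issuer": "$issuer",
  "disableRequestedAuthnContext": false,
  "idpCert": "$idp_cert",
  "spCert": "$sp_cert",
  "identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
}
EOF
}

# Constructed sample PEM (placeholder body, not a real certificate), written
# to a caller-supplied path so the functions above can be exercised offline.
write_sample_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBszCCAVygAwIBAgIUc2FtcGxlLWlkcC1jZXJ0' \
        'LXBsYWNlaG9sZGVyLWJvZHkwDQYJKoZIhvcNAQEL' \
        '-----END CERTIFICATE-----' > "$1"
}

# Demo run: stage a config in a temporary directory and print it.
demo_dir=$(mktemp -d)
write_sample_pem "$demo_dir/idp.pem"
idp=$(pem_to_single_line "$demo_dir/idp.pem")
write_saml_config "https://idp.example.com/saml/sso" "watson-studio-local" \
    "$idp" "" "$demo_dir/samlConfig.json" && cat "$demo_dir/samlConfig.json"
rm -rf "$demo_dir"
```

Run it on the cluster host before samlEnable.sh: feed it the identity provider's certificate file, copy the rendered idpCert (and spCert, if you sign requests) into the existing samlConfig.json, and only then run the enable script. The empty-idpCert refusal is deliberate; if a test lab genuinely needs unverified responses, bypass the check there rather than weakening it for production.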

After enabling SAML, you can still sign in as previously created users by going directly to the login page, https://<your-host-name>/auth/login/login.html, instead of letting the cluster redirect you to your organization's login page. Because this local login page stays reachable after SAML is enabled, change the default admin password before you enable SAML.

To disable SAML, run the samlDisable.sh script that is in the same location as the samlEnable.sh script.

Note that once SAML is enabled, the password fields on the sign-up page have no effect: whatever password is entered is ignored, and your organization's identity provider handles the user's password.