IBM Cloud Identity and Access Management (IAM) is a suite of products from IBM for Directory-as-a-Service. Zeplin SAML SSO is confirmed to work with IBM IAM. This article walks through configuring the IBM Cloud Identity product, which will be similar for other IBM IAM products.
☝️ This feature is only available to teams on the Enterprise Plan.
Before you begin
IBM does not generate application details (needed by Zeplin) until it has Zeplin-generated values (which need IBM data to generate). You will need to contact us at email@example.com to have us manually generate and supply your specific SSO URL and SP EntityID.
Configure Cloud Identity from the IBM Cloud Identity Console (https://zeplin.ice.ibmcloud.com/ui/admin)
Log in to Zeplin (https://app.zeplin.io) as an Owner or Admin for your Zeplin Organization
In IBM Cloud Identity:
Select Applications from the main menu
Click the “Add Application” button, choose Custom Application and click the “Add Application” button
Name this Application, enter a Company Name, then select the Sign-on tab
Enter the SP EntityID we gave you into the IBM field Provider ID
Enter the SSO URL we gave you into the IBM field Assertion Consumer Service URL and also into the IBM field Service Provider SSO URL
Under Attribute Mappings, add a new Attribute:
- Attribute Name: email
- Attribute Name Format: leave blank
- Attribute Source: email
On the right side of the screen is the information you will need to configure Zeplin. Don’t click on Save just yet.
From the Organization Dashboard, click the settings button on the top right to access Settings, and select the AUTHENTICATION tab.
In the SAML 2.0 section, click on the “Enable” button
In the Zeplin popup:
- Copy the string from the IBM field Login URL into the Zeplin field IdP SAML 2.0 Endpoint
- Copy the string from the IBM field Provider ID into the Zeplin field IDP Issuer
- Copy the contents of the IBM field Signing Certificate into the Zeplin field IdP Public Certificate
Click on the “Enable” button
Back in IBM Cloud Identity:
Click the “Save” button on the IBM console
Confirm everything works!
Go to the Zeplin login page, and click on the Login with SSO link (or go directly to https://app.zeplin.io/login/sso). Enter the email address of an existing Zeplin user. You should redirect to your IBM IdP to authenticate, then back to that user's Project page.
Your company's identity management policies may require you to first assign this application to your users. Usually, this is via an existing IBM IAM user group that will need to be assigned to the Application under the Entitlements tab in the IBM Cloud Identity Console. Select the appropriate group, and assign the Zeplin application and specific users if required.
When it is confirmed users can log in with SAML, you can restrict login to be via SAML only for all users in your domain by setting Require SSO on the AUTHENTICATION tab in Zeplin.
- Don't Require: Users can continue to log in with username/password or SSO
- Require for All Members: Users in your domain who try to log in with username/password will be redirected to your IdP instead.
For safety, the Owner will still be able to log in using their username/password even if this option is set to Require.
You can specify a Session timeout. Zeplin will check with your IdP at the shorter period of this setting and the Session Duration as sent by your IdP (if it sends one) to verify the user is still authenticated.
You can choose to Allow inviting users from different domains. If not ticked, only users with an email address in your domain will be permitted to be invited to the Workspace.
Extra information for IBM IAM users
IBM sends a session duration value in its SAML assertion. Zeplin will expire and attempt session re-authentication at the shorter of this interval, or the value chosen in the Zeplin setting Session Timeout, on the AUTHENTICATION tab in Zeplin’s Organization settings. The default session duration value sent by IBM in the SAML assertion is 1 hour.
IBM IAM can sign either the Assertion or Response. Zeplin will verify either signature against the IBM IAM-generated IdP Public Certificate.
By default, IBM IAM does not encrypt the Assertion. Zeplin will accept unencrypted assertions, and also decrypt assertions encrypted with the Zeplin-generated x.509 certificate (available from Zeplin Support). Zeplin can decrypt all of the ciphers that IBM supports.