Setting up federated identity management

When you set up federated identity management, users log on to the service using your on-premises authentication mechanism.

About this task

Federated identity management provides the following benefits:

  • It allows your company to control the authentication method and its options. For example, you might restrict access to specific networks, require VPN connections, define custom password-strength rules or password-expiration periods, use smart cards, or require two-factor authentication.
  • Users can use their familiar, on-premises credentials to access the cloud service.
  • While users are logged on to the on-premises identity provider, they can access a cloud service without being re-prompted for credentials.

After you implement federated identity management, you must accommodate users of mobile apps. If all of your mobile users have one or more IBM® mobile apps such as Connections, Chat, Meetings, or most versions of IBM Traveler, you have the following options:

  • Set up an additional, separate federated identity management endpoint for the IBM mobile apps. For more information about this, see the Flow models section of SAML federated identity concepts.
  • Use the partial authentication type when setting up federated identity management, which allows you to specify a group of users to whom federated identity management does not apply. In this case, you would specify your mobile device users. For more information about the partial authentication type, see the Authentication types section of SAML federated identity concepts.
  • Use application passwords. For information about application passwords, see Enabling application passwords.

All other mobile apps must use application passwords when federated identity management is implemented.

Traveler version 9.0.1.3 or greater for Android and Verse for Android are exceptions to this rule: they can connect to the same federated identity management system that non-mobile apps use.

Note: Users to whom federated identity management applies cannot connect to the service with IMAP clients or FTP clients.