Managing and authenticating Users for Bluemix Applications

To build collaborative applications, one of the first things you need is a way to define and identify different users. I’m still learning Bluemix, but it looks like there are currently different options available.

Single Sign On Service

Bluemix provides a Single Sign On Service to authenticate users against either the IBM identity provider or Facebook. Once a user is authenticated, applications can access the current user's profile information, e.g. name, email, etc.

The IBM identity provider is the one used for bluemix.net and most other IBM sites using the IBM id. This mechanism works well for external-facing applications that the majority of users can access anonymously and to which only a few people have write access. The Facebook identity provider is especially useful for consumer-oriented applications if Facebook is widely used by the target group of users.

Both alternatives have the advantage that no extra user registry needs to be created and maintained. Check out the sample to find out more.

App User Registry Service

If you can’t rely on the IBM or Facebook identity provider, Bluemix provides an App User Registry Service (formerly an add-on) to define your own users in the cloud. This service can be bound to multiple applications in a Bluemix space.

To find out more, check out the sample or read the developerWorks article, which comes with a slightly different sample.

External Systems like IBM Connections

As an alternative to the App User Registry Service in Bluemix, external platforms like IBM Connections Social Cloud can be used. Connections provides advanced user profiles including pictures, networks, etc. and even customizability, e.g. to add custom metadata. Read the documentation to find out more about this functionality.

REST APIs are provided to access this information from applications. Check out this simple sample.

Connections supports different types of authentication: OAuth, basic, form and SAML. The big advantage of SAML in Connections compared to the App User Registry is that applications in the cloud can leverage existing profile information. As my colleague Van Staub writes: “In short, the partner’s application is saying, ‘This user is tamado@demos.ibm.com … Trust me.’ ”