Authentication via the Bluemix Single Sign On Service in Bluemix.info

Bluemix provides a Single Sign On Service to authenticate users against the IBM identity provider, Facebook, Google or LinkedIn. Once users are authenticated, applications can access the profile information of the current user, e.g. name, email, etc. Bluemix.info uses the IBM identity provider, which is also the one used for bluemix.net and most other IBM sites that use the IBM id.

The Single Sign On service comes with a sample. The sample works and is well documented but requires a larger amount of Java code. I’ve reimplemented this sample as a single servlet in one file. In the servlet I use the Apache Fluent API, which makes the code significantly shorter and easier to read. The servlet has to be defined in web.xml.

Before you can use the Single Sign On service you need to configure it.

Since you need to provide the redirect URL, the client id, the secret and the URL cannot be put in the Bluemix environment variable VCAP_SERVICES. Instead I pass this information to the servlet via a Bluemix user-provided service. I’ll blog more about this separately.

To identify a unique user I currently use the property “username”, e.g. “http://www.ibm.com/johnsmith@somewhere.com”, and use this information to check for authorization. As I learned later, however, I should use the property “userUniqueID”, e.g. “{‘http://www.ibm.com/110000Z99Z’}”. It turns out the userUniqueID array always has exactly one element.
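
One way to key the authorization check on userUniqueID instead of username, as an added example that is not code from the original servlet or the Single Sign On sample. It assumes the profile JSON has already been parsed into a Map with userUniqueID as a List; the class name, method names and allow-list are hypothetical.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical helper, not part of the Single Sign On sample or of Bluemix.info.
public class UniqueIdAuthorizer {
    // Allow-list keyed on userUniqueID values rather than on usernames.
    private final Set<String> authorizedIds;

    public UniqueIdAuthorizer(Set<String> authorizedIds) {
        this.authorizedIds = Set.copyOf(authorizedIds);
    }

    // Assumption: the profile was parsed into a Map and userUniqueID is a List.
    // Rejects anything other than exactly one non-empty string in that list.
    static String extractUniqueId(Map<String, ?> profile) {
        Object raw = profile.get("userUniqueID");
        if (!(raw instanceof List)) {
            throw new IllegalArgumentException("userUniqueID missing or not an array");
        }
        List<?> ids = (List<?>) raw;
        if (ids.size() != 1 || !(ids.get(0) instanceof String)) {
            throw new IllegalArgumentException("expected exactly one userUniqueID");
        }
        String id = ((String) ids.get(0)).trim();
        if (id.isEmpty()) {
            throw new IllegalArgumentException("userUniqueID is empty");
        }
        return id;
    }

    // Fails closed: a malformed or incomplete profile is never authorized.
    public boolean isAuthorized(Map<String, ?> profile) {
        try {
            return authorizedIds.contains(extractUniqueId(profile));
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data, reusing the example values from the text above.
        UniqueIdAuthorizer authz = new UniqueIdAuthorizer(Set.of("http://www.ibm.com/110000Z99Z"));
        Map<String, Object> profile = Map.of(
            "username", "http://www.ibm.com/johnsmith@somewhere.com",
            "userUniqueID", List.of("http://www.ibm.com/110000Z99Z"));
        System.out.println(authz.isAuthorized(profile));
        System.out.println(authz.isAuthorized(Map.of("username", "someone")));
    }
}
```

The second call shows a profile carrying only a username being denied, so a caller cannot fall back to the username by accident.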