Single Sign On (SSO) for Bluemix Web Apps


IBM® Bluemix™ is a Platform as a Service (PaaS) cloud offering from IBM®. It enables organizations and developers to quickly and easily create, deploy, and manage applications on the cloud.

IBM Single Sign On is a policy-based authentication service that provides an easy-to-embed single sign-on capability for Node.js or Java applications.

Single Sign On supports several identity sources where users' credentials are stored:

  • SAML Enterprise: A user registry in which an exchange of SAML tokens completes the authentication.
  • Cloud Directory: A user registry that is hosted in the IBM Cloud.
  • Social Identity Sources: The user registries that are maintained by Google, Facebook and LinkedIn.

This blog will help you add a social identity source from Facebook for Single Sign On (SSO) for a Bluemix app.



Step 1: From the Bluemix CATALOG, select the Single Sign On security service.


Step 2: Enter a service name and then click on CREATE.


Step 3: Provide a name for the service; this name will be part of the service URL. Then click on Continue.


Step 4: Click FACEBOOK to add it as an identity source.


Step 5: After changing the name (optional), click on “Click here”, which will redirect you to the Facebook for Developers page.


Step 6: Click on My Apps and then click on Add a New App.


Step 7: Click on Website.


Step 8: Enter an App Name and then click on Create New Facebook App ID.


Step 9: Choose a Category and then click on Create App ID.


Step 10: You can now see your app listed in the My Apps section. Click on TweetAuth, which will take you to the Dashboard of the app.


Step 11: In the Dashboard, copy the App ID and App Secret.


Step 12: Go back to the Bluemix Dashboard and paste the App ID and App Secret. Copy the OAuth Redirect URI and then click on SAVE.


Step 13: On the Facebook for Developers page, under SETTINGS > Basic, enter your Contact Email and Website URL and click on SAVE CHANGES.


Step 14: On the Facebook for Developers page, under SETTINGS > ADVANCED, toggle Client OAuth Login from NO to YES, paste the OAuth Redirect URI in the textbox, and then click on SAVE CHANGES.


Step 15: Go back to the Bluemix DASHBOARD, where you will now find a VERIFY button. Click on it and verify access to Facebook by clicking on “Click here”.


Step 16: Awesome! It’s working!!


Step 17: You can now see your identity source app in the list.


The next step is to configure the app by creating an app:

Configuring a Liberty for Java app with SSO:

  • For Liberty for Java Applications, the Single Sign On service leverages the OpenID Connect (OIDC) client feature from Liberty and the Bluemix Liberty buildpack. As a result, Java applications running on Bluemix do not need to include any code to support the OpenID Connect protocol or Single Sign On.
  • However, you must enable security constraints. To enable them, you can use declarative J2EE security to secure the application and all protocol support is completely “built-in.”

    After you bind the app to an instance of the single sign-on service, the Bluemix buildpack detects that the application is bound and automatically configures the OIDC client in the Liberty runtime server.xml to enable the application for the service. The configuration is done when you deploy the application in Bluemix using either the cf push command or using the restaging process in the Bluemix dashboard.

    To complete the configuration of the application, you must add security constraints. You can add the constraints in the same manner as you would for traditional J2EE applications using EAR/WAR binding files to declare roles and protected resources.

    The following example illustrates security constraint configuration for a Java application that uses the web.xml and the Liberty server.xml files.

  • Create a HelloWorld servlet in the com package, with twitter as the Java application name.
  • Open the web.xml file in a text editor.
  • Set security constraints: Consider the below as example.

  • Save the web.xml file.
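
A web.xml for this setup could look like the following. This is an added example, not the original post's file or IBM's own sample. The servlet class com.HelloWorld and the role TESTROLE follow the names used in this post; the URL patterns and the CONFIDENTIAL transport guarantee are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Servlet from this post; the /HelloWorld mapping is an assumption -->
  <servlet>
    <servlet-name>HelloWorld</servlet-name>
    <servlet-class>com.HelloWorld</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HelloWorld</servlet-name>
    <url-pattern>/HelloWorld</url-pattern>
  </servlet-mapping>

  <!-- Role name must match the security-role bound in server.xml -->
  <security-role>
    <role-name>TESTROLE</role-name>
  </security-role>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All application resources</web-resource-name>
      <!-- Protect everything; a narrower pattern leaves other paths open.
           No http-method elements are listed, so the constraint covers
           every HTTP method rather than only GET and POST. -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>TESTROLE</role-name>
    </auth-constraint>
    <!-- Assumption: force HTTPS so the session cookie issued after
         login is not sent over plain HTTP -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- No login-config: per this post, the buildpack configures the
       OIDC client in server.xml when the SSO service is bound -->
</web-app>
```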


  • Open the server.xml file in a text editor.
  • Enable the security constraints. Use the following example as a guide.
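    <server description="new server">
        <httpEndpoint httpPort="9080" httpsPort="9443" id="defaultHttpEndpoint"/>
        <applicationMonitor updateTrigger="mbean"/>
        <!-- location is an assumption: the WAR name used in this post, relative to the server's apps directory -->
        <application type="war" id="twitter" name="twitter" location="twitter.war">
            <application-bnd>
                <security-role name="TESTROLE">
                    <special-subject type="ALL_AUTHENTICATED_USERS"/>
                </security-role>
            </application-bnd>
        </application>
    </server>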

  • Push the app (twitter.war) along with server.xml to Bluemix using the cf push command. Learn how to push an application to Bluemix using the cf command through my earlier blog.
  • Bind the SSO service to the Java app and then restage it.
  • Open the app. Here, e.g.: , it will redirect you to the Facebook page for logging in.

Hurray, your Bluemix app is now secured by Single Sign On Facebook authentication!!



Courtesy: IBM Bluemix and Facebook for Developers

