IBM Z Software


This portal is to open public enhancement requests against IBM Z Software products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).



Status Under review
Workspace z/OS Connect
Created by Guest
Created on May 7, 2026

Introduce a parameter to allow basic auth and OIDC (ADFS) to be mixed.

Hi guys, I hope you are well.
We use the third-party authentication via OIDC (ADFS) feature in zCEE to access an ADFS server. To do this we don't use EJBROLEs, only ALL_AUTHENTICATED_USERS.

I have to enable SAF to get access through EJBROLEs as well, so I'm trying to mix ADFS with BASIC. I introduced a SAF registry. I also introduced a filter in OIDC to isolate JWT users, and I set fallback to basic to true.

With that configuration, and as the ADFS user is not defined in ACF2/RACF, the APIs fail. The problem is: as soon as SAF is enabled, a check is enforced to see if the distributed ID is in the ACF2/RACF registry. Our ADFS entities are not going to be defined in the ESM. So maybe an option like mapIdentityToRegistryUser="none", meaning "no registry (SAF) check", could be added. Also, as you can see, the mapIdentityToRegistryUser parameter description is confusing. It says "if false the registry is not used", but it is indeed used.

I have worked with IBM on case TS021322314 since Jan 30, but no solution was provided. This prevents us from using some interesting tools that need EJBROLE authorization.
Could you please analyze this enhancement?

Regards
Carlos

mapIdentityToRegistryUser (boolean, default false): Specifies whether to map the identity to a registry user. If this is set to false, then the user registry is not used to create the user subject.

OpenID Connect client configuration

<!-- mapIdentityToRegistryUser="false" on the element below is the attribute in question -->
<openidConnectClient id="CoreApiClient"
                     inboundPropagation="required"
                     mapIdentityToRegistryUser="false"
                     userIdentifier="JPMCIdentifier"
                     signatureAlgorithm="RS256"
                     jwkEndpointUrl="${idaKey}"
                     issuerIdentifier="${idaIss}"
                     audiences="${idaAud1},${idaAud2},${idaAud3},${idaAud4},${idaAud5}"
                     authFilterRef="jwtToken"
                     sslRef="defaultSSLConfig">
</openidConnectClient>

<authFilter id="jwtToken">
    <requestHeader matchType="contains" name="Authorization" value="Bearer "/>
</authFilter>


Idea priority High
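The following is an added example, not z/OS Connect or Liberty code and not part of the request above. It models the two-path authentication the request describes: an auth filter that routes requests whose Authorization header contains "Bearer " to the OIDC client (signature, issuer, audience and expiry checks, then the user identifier claim), with everything else falling over to HTTP Basic against the registry. The flag map_identity_to_registry_user shows the failure the requester reports: with the registry lookup on, a federated user that is never defined in the ESM is denied even though the token is valid. Assumptions that are not on the page: HS256 with a shared key stands in for RS256 and the JWKS endpoint so the example runs offline with only the standard library, and an in-memory dict stands in for the SAF registry; the issuer, audiences, key, user name and password are constructed sample values.

```python
"""Model of mixed OIDC-bearer / Basic authentication routing (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values mirroring the posted configuration (not real endpoints).
ISSUER = "https://adfs.example.test/adfs"     # issuerIdentifier
AUDIENCES = {"aud1", "aud2", "aud3"}          # audiences="aud1,aud2,aud3"
USER_IDENTIFIER = "JPMCIdentifier"            # userIdentifier claim name
SIGNING_KEY = b"constructed-demo-key"         # assumption: HS256 instead of RS256/JWKS
REGISTRY = {"zosuser": "s3cret"}              # assumption: stands in for the SAF registry


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a compact JWS (HS256) so the example needs no identity provider."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def basic_header(user: str, password: str) -> str:
    """HTTP Basic Authorization header value for the given credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def auth_filter_matches(headers: dict) -> bool:
    """Equivalent of <requestHeader matchType="contains" name="Authorization" value="Bearer "/>."""
    return "Bearer " in headers.get("Authorization", "")


def validate_bearer(token: str, now=None) -> dict:
    """inboundPropagation="required": verify signature, issuer, audience and expiry."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise PermissionError("issuer mismatch")
    aud = claims.get("aud")
    aud_set = set(aud) if isinstance(aud, list) else {aud}
    if not aud_set & AUDIENCES:              # any configured audience is accepted
        raise PermissionError("audience mismatch")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise PermissionError("token expired")
    return claims


def authenticate(headers: dict, map_identity_to_registry_user: bool) -> dict:
    """Return the subject the server would build for this request.

    Bearer requests go through the OIDC client; anything else falls over to
    Basic authentication against the registry.
    """
    if auth_filter_matches(headers):
        token = headers["Authorization"].split("Bearer ", 1)[1].strip()
        claims = validate_bearer(token)
        user = claims.get(USER_IDENTIFIER)
        if user is None:
            raise PermissionError(f"claim {USER_IDENTIFIER} missing")
        if map_identity_to_registry_user and user not in REGISTRY:
            # The failure the request describes: a federated (ADFS) user is
            # never defined in the ESM, so a registry lookup cannot succeed.
            raise PermissionError(f"{user} not in registry")
        return {"user": user, "source": "oidc"}
    basic = headers.get("Authorization", "")
    if not basic.startswith("Basic "):
        raise PermissionError("no credentials")
    user, _, password = base64.b64decode(basic[6:]).decode().partition(":")
    if REGISTRY.get(user) != password:
        raise PermissionError("basic auth failed")
    return {"user": user, "source": "basic"}


def outcome(headers: dict, map_identity_to_registry_user: bool) -> str:
    """Compact allow/deny result for the request, useful for tabulating cases."""
    try:
        subject = authenticate(headers, map_identity_to_registry_user)
        return f"allow:{subject['source']}:{subject['user']}"
    except PermissionError as exc:
        return f"deny:{exc}"


if __name__ == "__main__":
    tok = mint_token({"iss": ISSUER, "aud": ["aud2"], "exp": 4102444800,
                      USER_IDENTIFIER: "carlos@adfs"})
    for flag in (False, True):
        print(f"mapIdentityToRegistryUser={flag}:",
              outcome({"Authorization": "Bearer " + tok}, flag))
    print("basic:", outcome({"Authorization": basic_header("zosuser", "s3cret")}, True))
```

Running the block prints one line per case: the bearer request is allowed as "carlos@adfs" when the registry mapping is off and denied with "not in registry" when it is on, while the Basic request for a registry user is allowed either way. The filter uses "contains" rather than "equals" because the header value includes the token itself, so only the scheme prefix is stable.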