Reference: IBM Verify configuration

Instructions to set up IBM Verify as the OpenID Connect (OIDC) identity provider for Aspera Enterprise Webapps (AEW).

Create your IBM Verify tenant

Sign up to create an IBM Security Verify instance. After entering your details, you will see the Set up your tenant page. On that page you need to provide a Hostname for your IBM Security Verify instance. This generates an IBM Security Verify instance with a URL like the following example: https://<YOUR_HOSTNAME_ENTERED>.verify.ibm.com.

Set up IBM Verify

  1. On your IBM Security Verify instance left menu, go to Applications > Applications and add the OpenID Connect (OIDC) application.
    • Click Add an application, select the OpenID Connect option and click Add application.
    • This will take you to the application details screen.
  2. Configure your OIDC application. Go to the General tab, and add your Company name.
  3. Go to the Sign-on tab and configure the following settings:
    1. Add the application URL (for example: https://<ORG_NAME_HERE>.<SUBDOMAIN_NAME_HERE>.asperatest.net)
    2. Grant types: select the Authorization code option.
    3. Response types: select the code option.
    4. Response modes: select all the options.
    5. Redirect URIs: add two URIs.
      For example: https://api.<SUBDOMAIN_NAME_HERE>.asperatest.net/ibm-callback2 and https://api.<SUBDOMAIN_NAME_HERE>.asperatest.net/api/v1/oauth2/<ORG_NAME_HERE>/ibm-callback.
      Note: Once you add the first URI, a new box will be shown for you to add the next URI.
    6. Deselect the Require proof key for code exchange (PKCE) verification option.
    7. Under Request object settings, set the Signing algorithms value to RS256.
    8. Under Token settings, set the Access token expiry (secs) value to 3600.
    9. Under Token settings, set the Access token format to JWT.
    10. Go to Endpoint configuration > Introspect and click the edit button:
      • Click attribute, add email to both Verify attribute and Target attribute options.
      • Select the Update on refresh box.
      • Click OK to save your changes.
    11. Under Consent settings, change the User consent option to Do not ask for consent.
    12. Under Custom scopes and API access, select the Restrict Custom scopes box and add the following scope names: email, openid, and profile.
      Note: When you input one scope name into the text box, another text box will appear for you to add the next value.
    13. Click Save.
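The settings chosen in the Sign-on tab (Authorization code grant, code response type, RS256 signing, the openid/email/profile scopes, and exact-match redirect URIs) can be checked against what the tenant actually advertises in its discovery document before wiring AEW to it. The script below is an added example, not code from Aspera or IBM: SAMPLE_DISCOVERY is a constructed stand-in for the JSON the tenant serves at https://<YOUR_HOSTNAME_ENTERED>.verify.ibm.com/oauth2/.well-known/openid-configuration (its endpoint paths are illustrative), and the redirect URIs use made-up subdomain and org values in place of the page's placeholders. It also builds the authorization request a relying party would send for this configuration.

```python
"""Check an IBM Verify OIDC application's settings against the tenant's
discovery document and build the authorization request for the
Authorization code flow configured above.

Added example, not code from Aspera or IBM.  SAMPLE_DISCOVERY is constructed;
replace it with the live document fetched from the tenant's .well-known URL.
"""
import json
import secrets
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Values chosen in the Sign-on tab steps.
REQUIRED_GRANT = "authorization_code"
REQUIRED_RESPONSE_TYPE = "code"
REQUIRED_SIGNING_ALG = "RS256"
REQUIRED_SCOPES = frozenset({"openid", "email", "profile"})

# Redirect URIs registered in step 5 (constructed values for the placeholders).
REGISTERED_REDIRECTS = (
    "https://api.example-sub.asperatest.net/ibm-callback2",
    "https://api.example-sub.asperatest.net/api/v1/oauth2/example-org/ibm-callback",
)

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Constructed discovery document; endpoint paths are illustrative.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://example-tenant.verify.ibm.com/oauth2",
  "authorization_endpoint": "https://example-tenant.verify.ibm.com/oauth2/authorize",
  "token_endpoint": "https://example-tenant.verify.ibm.com/oauth2/token",
  "jwks_uri": "https://example-tenant.verify.ibm.com/oauth2/jwks",
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "response_types_supported": ["code", "id_token", "code id_token"],
  "response_modes_supported": ["query", "fragment", "form_post"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "scopes_supported": ["openid", "email", "profile"]
}""")


def issuer_from_discovery_url(path: str) -> str:
    """The issuer is the discovery URL with the well-known suffix removed."""
    if not path.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError("not a discovery URL: " + path)
    return path[: -len(WELL_KNOWN_SUFFIX)]


def check_discovery(doc: dict, expected_issuer: str) -> list:
    """Return the configured settings the tenant does not advertise (empty = OK)."""
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    if REQUIRED_GRANT not in doc.get("grant_types_supported", []):
        problems.append("authorization_code grant not supported")
    if REQUIRED_RESPONSE_TYPE not in doc.get("response_types_supported", []):
        problems.append("code response type not supported")
    if REQUIRED_SIGNING_ALG not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 signing not supported")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} missing or not https")
    return problems


def redirect_uri_allowed(uri: str, registered=REGISTERED_REDIRECTS) -> bool:
    """Registered redirect URIs match by exact string, and only over https."""
    return urlsplit(uri).scheme == "https" and uri in registered


def build_authorization_url(doc: dict, client_id: str, redirect_uri: str,
                            state: Optional[str] = None):
    """Authorization-code request.  The caller stores `state` in the session and
    compares it on the callback; with PKCE deselected in step 6, `state` is the
    per-request value that ties the callback to the request that started it."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri is not one of the registered URIs")
    state = state or secrets.token_urlsafe(32)
    params = {
        "response_type": REQUIRED_RESPONSE_TYPE,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(REQUIRED_SCOPES)),
        "state": state,
    }
    return doc["authorization_endpoint"] + "?" + urlencode(params), state


if __name__ == "__main__":
    issuer = issuer_from_discovery_url(
        "https://example-tenant.verify.ibm.com/oauth2" + WELL_KNOWN_SUFFIX)
    print("discovery problems:", check_discovery(SAMPLE_DISCOVERY, issuer))
    url, state = build_authorization_url(SAMPLE_DISCOVERY, "example-client-id",
                                         REGISTERED_REDIRECTS[0])
    print(url)
```

Run it once with the live discovery document in place of SAMPLE_DISCOVERY; an empty problem list means the tenant supports everything the steps above selected. The exact-match rule in redirect_uri_allowed mirrors how the registered URIs are matched, so a trailing slash or an http scheme is rejected rather than silently accepted.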

Add Users

  1. To add users, go to Directory > Users & groups > Add user. For the identity provider, select between Cloud directory or IBMid.
  2. Fill out the information and click Save.
  3. From the left menu, go to Applications, find the OpenID Connect application, and click the gear icon to access the settings.
  4. Go to the Entitlements tab and select the users' Access Type.
  5. If you choose to add users via Select users and groups, and assign individual accesses:
    1. Click Add, search for the users and click their names.
    2. Click Add and then OK.
Note: When using the Select users and groups, and Assign individual accesses options, access is not granted automatically. This means the user installing AEW must manually add their own user account to ensure they can access the system.

Enable different identity providers

  1. From the left menu, go to Authentication > Identity providers.
  2. Select Cloud directory, and deselect the Enabled box to route to the w3 login directly.

Set up the input variables

Find the client_id, secret, and path from the OpenID Connect application. These values will be used as environment variables when running asctl config or asctl setup.

  1. Under Applications > OpenID Connect, click the gear icon to access the settings.
  2. Click the Sign-on tab.
    1. Look for Client ID to obtain the client_id value.
    2. Look for Client secret to obtain the secret value.
    3. On the right side under OpenID Connect Single sign-on (SSO) configuration > Configure your OpenID Connect relying party > Step 5, find the URL for the path. The path will look similar to https://<YOUR_HOSTNAME_ENTERED>.verify.ibm.com/oauth2/.well-known/openid-configuration. This will be the link you want to use for the asctl setup ibmVerifyRedirectPath.
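Once AEW has been set up with these values and a user has signed in, it is worth confirming that the access token the tenant minted reflects the settings chosen earlier: JWT format, RS256, a 3600-second lifetime, an issuer matching the path given to asctl, and the email attribute mapped in the Introspect step. The script below is an added example, not Aspera or IBM code. The path and the token are constructed (the token's signature is a placeholder), and the check only decodes the token's header and claims for inspection; the relying party still verifies the real signature against the tenant's JWKS before trusting any claim.

```python
"""Validate the asctl path value and inspect an access token issued by the
tenant against the settings configured above.

Added example, not Aspera or IBM code.  SAMPLE_PATH and SAMPLE_TOKEN are
constructed; inspect_jwt decodes without verifying the signature, which is
fine for a configuration sanity check but never for authorization decisions.
"""
import base64
import json
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"
EXPECTED_ALG = "RS256"          # step 7 under Request object settings
EXPECTED_LIFETIME = 3600        # step 8, Access token expiry (secs)


def validate_path(path: str) -> str:
    """Check the shape of the discovery URL from step 3 and return the issuer."""
    parts = urlsplit(path)
    if parts.scheme != "https":
        raise ValueError("path must use https")
    if not parts.hostname or not parts.hostname.endswith(".verify.ibm.com"):
        raise ValueError("path host must be your <hostname>.verify.ibm.com tenant")
    if not parts.path.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError("path must end with " + WELL_KNOWN_SUFFIX)
    return path[: -len(WELL_KNOWN_SUFFIX)]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def inspect_jwt(token: str):
    """Split a compact JWT and decode header and claims WITHOUT verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments); "
                         "check that Access token format is set to JWT")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_access_token(token: str, path: str) -> list:
    """Return mismatches between the token and the configured settings (empty = OK)."""
    issuer = validate_path(path)
    try:
        header, claims = inspect_jwt(token)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if header.get("alg") != EXPECTED_ALG:
        problems.append(f"alg is {header.get('alg')!r}, expected {EXPECTED_ALG}")
    if claims.get("iss") != issuer:
        problems.append(f"iss is {claims.get('iss')!r}, expected {issuer!r}")
    lifetime = claims.get("exp", 0) - claims.get("iat", 0)
    if lifetime != EXPECTED_LIFETIME:
        problems.append(f"lifetime is {lifetime}s, expected {EXPECTED_LIFETIME}s")
    if "email" not in claims:
        problems.append("email attribute missing; check the Introspect mapping")
    return problems


def make_sample_token(header: dict, claims: dict) -> str:
    """Constructed token for the demo; a real token carries an RSA signature."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"placeholder-signature")])


# Constructed values standing in for the asctl path and a minted token.
SAMPLE_PATH = "https://example-tenant.verify.ibm.com/oauth2" + WELL_KNOWN_SUFFIX
SAMPLE_TOKEN = make_sample_token(
    {"alg": "RS256", "typ": "JWT", "kid": "example-key"},
    {"iss": "https://example-tenant.verify.ibm.com/oauth2", "sub": "example-user",
     "email": "user@example.com", "iat": 1700000000, "exp": 1700003600},
)

if __name__ == "__main__":
    print("issuer:", validate_path(SAMPLE_PATH))
    print("token problems:", check_access_token(SAMPLE_TOKEN, SAMPLE_PATH))
```

A non-empty list points at the step to revisit: an opaque token means the Access token format was not switched to JWT, a lifetime other than 3600 means the expiry setting was not applied, and a missing email claim means the Introspect attribute mapping was not saved.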