IBM Security Verify

You can configure IBM Security Verify as the identity and access management (IAM) solution for applications that are developed for IBM Enterprise Application Runtimes. IBM Security Verify is a managed, highly available identity as a service (IDaaS) provider that protects applications that are deployed across multiple clouds.

Before you begin

The following resources are required before you can configure IBM Security Verify:
  • A deployed IBM Enterprise Application Runtimes environment.
  • An IBM Security Verify tenant. If you don't already have a tenant, you can create a free tenant.

Configuration steps

The configuration steps are divided into two sections. In the first section, an identity provider administrator creates an API client in IBM Security Verify and collects the OIDC details that the operator needs (the client ID, the client secret, and the Discovery Endpoint URL). In the second section, developers configure their applications with those details through an OpenLibertyApplication custom resource and a Kubernetes secret.

For identity provider administrators:
  1. Log in to IBM Security Verify. If you cannot find your IBM Security Verify tenant URL, the welcome email from ibmacct@iam.ibm.com contains your tenant details. Your IBM Security Verify tenant URL is https://<tenant-id>.ice.ibmcloud.com/ui/admin.
  2. Navigate to the Configuration section.
    IBM Security Verify Configuration tab
  3. In the Configuration section, navigate to API Access > API clients where you can add an API Client.
    API Access API Clients
  4. Click Add API Client.
    Add API Client button
  5. Name and configure the new API Client.
    Add API Client page
  6. Select Manage OIDC client registration dynamically so that applications are registered with IBM Security Verify as their identity provider automatically, without a manual registration step by the product runtime operator.
    Manage OIDC client registration dynamically

    This permission lets anyone who holds the API Client's credentials create OIDC client registrations on your tenant, so grant the API Client only the permissions that the operator needs. Other API permissions can be configured; for more information, see Managing API access.

  7. Save the new API Client. Verify that it is added to the API access table.
    API access table
  8. Click the edit button to enter the newly created API Client.
    API Client edit button
  9. When you open the newly created API Client, you can see the client ID and secret that are needed to configure IBM Security Verify with IBM Enterprise Application Runtimes. The copy buttons next to each field make it easier to paste the values into the IBM Enterprise Application Runtimes Custom Resource Definitions (CRDs). Treat the secret as a privileged credential: it is what the operator presents to register new OIDC clients, so store it only in the Kubernetes secret described in the developer steps.
    API Client credentials
  10. In addition to the client ID and secret of your API Client, you must add your Discovery Endpoint URL to your product custom resource definitions. To construct it, prepend your IBM Security Verify Tenant ID to the generic Discovery Endpoint URL and use the https scheme:
    https://<tenant-id>.ice.ibmcloud.com/oidc/endpoint/default/.well-known/openid-configuration

    You can find your IBM Security Verify Tenant ID in the address bar of your browser when you are logged in to IBM Security Verify: it is the leading part of the host name, directly preceding .ice. For example, if the address is tenant-id.ice.ibmcloud.com/ui/admin, your Tenant ID is tenant-id, and your Discovery Endpoint URL is https://tenant-id.ice.ibmcloud.com/oidc/endpoint/default/.well-known/openid-configuration. Copy only that host-name label, not the whole address: the operator needs a single, well-formed URL.

    IBM Security Verify configuration tab
  11. The data elements that you need when you configure the operator are:
    • Discovery Endpoint URL, constructed from the Tenant ID in your IBM Security Verify URL as described in step #10.
    • Client ID and secret of the API Client, from step #9.
  12. Provide the details from steps #9 and #10 to the developers who need to configure their application images with an OIDC IdP. The client secret lets its holder register OIDC clients on your tenant, so share it over a secure channel and not in plain text in email, chat, or source control.

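The administrator procedure produces one URL and two credentials, and the problems that surface later are usually a mistyped tenant ID or a tenant whose discovery document does not offer dynamic client registration. The following Python script is an added example, not part of the original page or of IBM's tooling: it builds the Discovery Endpoint URL from the tenant ID exactly as step #10 describes and checks a discovery document against it before the URL is handed to developers. The tenant ID, the `.ice.ibmcloud.com` host suffix and the endpoint paths in the sample document are assumptions constructed for the example; the sample document is not a real tenant's response.

```python
import json
import re
import urllib.request
from urllib.parse import urlparse

HOST_SUFFIX = ".ice.ibmcloud.com"
DISCOVERY_PATH = "/oidc/endpoint/default/.well-known/openid-configuration"
WELL_KNOWN = "/.well-known/openid-configuration"

# A tenant id is a single DNS label. Anything else (a full URL, a path, a
# trailing dot) means the wrong thing was copied from the address bar.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def tenant_id_from_url(admin_url: str) -> str:
    """Take the tenant id out of the console address shown in the browser (step #10)."""
    if "://" not in admin_url:
        admin_url = "https://" + admin_url
    host = urlparse(admin_url).hostname or ""
    if not host.endswith(HOST_SUFFIX):
        raise ValueError(f"not an IBM Security Verify tenant host: {host!r}")
    tenant_id = host[: -len(HOST_SUFFIX)]
    if not _LABEL.fullmatch(tenant_id):
        raise ValueError(f"tenant id is not a single DNS label: {tenant_id!r}")
    return tenant_id


def discovery_url(tenant_id: str) -> str:
    """Step #10: prepend the tenant id to the generic Discovery Endpoint URL."""
    if not _LABEL.fullmatch(tenant_id):
        raise ValueError(f"tenant id is not a single DNS label: {tenant_id!r}")
    return f"https://{tenant_id}{HOST_SUFFIX}{DISCOVERY_PATH}"


def check_discovery_document(expected_url: str, doc: dict) -> list:
    """Return the problems found in a discovery document served at expected_url.
    An empty list means the tenant is ready to hand to developers."""
    if not expected_url.endswith(WELL_KNOWN):
        raise ValueError("expected_url must end with " + WELL_KNOWN)
    problems = []
    # OpenID Connect Discovery: the issuer is the document URL without the well-known suffix.
    expected_issuer = expected_url[: -len(WELL_KNOWN)]
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    # Dynamic client registration (step #6) only works if the provider advertises it.
    if "registration_endpoint" not in doc:
        problems.append("no registration_endpoint: dynamic client registration not available")
    # Credentials and tokens must never travel over plain http.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "registration_endpoint"):
        value = doc.get(key)
        if value and not str(value).startswith("https://"):
            problems.append(f"{key} is not https: {value}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    return problems


def fetch_discovery_document(url: str, timeout: float = 10.0) -> dict:
    """Fetch the live document; the demo below uses a constructed one instead."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample for the hypothetical tenant "tenant-id"; the endpoint paths
# are assumptions, not a real tenant's response.
SAMPLE_DOC = {
    "issuer": "https://tenant-id.ice.ibmcloud.com/oidc/endpoint/default",
    "authorization_endpoint": "https://tenant-id.ice.ibmcloud.com/oidc/endpoint/default/authorize",
    "token_endpoint": "https://tenant-id.ice.ibmcloud.com/oidc/endpoint/default/token",
    "jwks_uri": "https://tenant-id.ice.ibmcloud.com/oidc/endpoint/default/jwks",
    "registration_endpoint": "https://tenant-id.ice.ibmcloud.com/oidc/endpoint/default/client_registration",
    "response_types_supported": ["code", "id_token", "token"],
}

if __name__ == "__main__":
    url = discovery_url(tenant_id_from_url("https://tenant-id.ice.ibmcloud.com/ui/admin"))
    print(url)
    print(check_discovery_document(url, SAMPLE_DOC) or "discovery document OK")
```

Run it with a real tenant by replacing `SAMPLE_DOC` with `fetch_discovery_document(url)`; the issuer check catches a URL built from the wrong tenant ID, and the registration_endpoint check tells you up front whether step #6 took effect.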
For developers:
  1. Open your Red Hat OpenShift portal or command line.
  2. Create an OpenLibertyApplication custom resource and enter your Discovery Endpoint URL. You will get your Discovery Endpoint URL from step #10 or from your administrator. For more information, see the OpenLiberty operator documentation.
        apiVersion: openliberty.io/v1beta1
        kind: OpenLibertyApplication
        metadata:
          name: test1-app
        spec:
          replicas: 1
          applicationImage: image-registry.openshift-image-registry.svc:5000/test1/rp1
          expose: true
          service:
            port: 9443
          route:
            termination: passthrough
          sso:
            oidc:
              - discoveryEndpoint: <discovery-endpoint-url>
                autoRegisterSecret: my-autoreg-secret-olapp-sso
     

    For example:

        apiVersion: openliberty.io/v1beta1
        kind: OpenLibertyApplication
        metadata:
          name: test1-app
        spec:
          replicas: 1
          applicationImage: image-registry.openshift-image-registry.svc:5000/test1/rp1
          expose: true
          service:
            port: 9443
          route:
            termination: passthrough
          sso:
            oidc:
              - discoveryEndpoint: https://<tenant-id>.ice.ibmcloud.com/oidc/endpoint/default/.well-known/openid-configuration
                autoRegisterSecret: my-autoreg-secret-olapp-sso
     
  3. Create a Kubernetes secret that holds the client ID and secret of the API Client from step #9 of the administrator procedure, as provided by your administrator. The secret must be in the same namespace as the OpenLibertyApplication, and its name must match the autoRegisterSecret value in the custom resource. Values under data must be base64-encoded; that encoding is not encryption, so apply the manifest directly (for example with oc apply -f) rather than committing it to source control. For more information, see the OpenLiberty operator documentation.
        apiVersion: v1
        kind: Secret
        metadata:
          name: my-autoreg-secret-olapp-sso
          # Secret must be created in the same namespace as the OpenLibertyApplication instance
          namespace: demo
        type: Opaque
        data:
          # base64 encode the data before entering it here.
          # clientId and clientSecret are the API Client credentials from step #9 of the
          # administrator procedure; IBM Security Verify requires them for dynamic client registration.
          clientId: <base64 of client_ID>
          clientSecret: <base64 of secret>

    For example:

        apiVersion: v1
        kind: Secret
        metadata:
          name: my-autoreg-secret-olapp-sso
          # Secret must be created in the same namespace as the OpenLibertyApplication instance
          namespace: demo
        type: Opaque
        data:
          # base64 encode the data before entering it here.
          # clientId and clientSecret are the API Client credentials from step #9 of the
          # administrator procedure; IBM Security Verify requires them for dynamic client registration.
          clientId: NGM5NDg3OGEtYmE2OS00NGFlLWExNjQtMDM4ajg0YjkwMjJt   # base64 of 4c94878a-ba69-44ae-a164-038j84b9022m
          clientSecret: eTdmd0hCdkRCSg==                               # base64 of y7fwHBvDBJ
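As an added example (not the page's or the operator's own code), the following Python script builds the Secret above from the plaintext client ID and secret, base64-encoding the values the way the data section requires, and checks the result against the OpenLibertyApplication before you apply it. The application is reconstructed as a plain dict with the names used above; the namespace demo and the credential values are the page's example values, and the checks are this example's assumptions about what the operator needs, not its documented behaviour.

```python
import base64
import json

# Names from the manifests above. The OpenLibertyApplication is reconstructed as a
# dict so the checks run offline; only the fields the checks look at are included.
SECRET_NAME = "my-autoreg-secret-olapp-sso"
NAMESPACE = "demo"
REQUIRED_KEYS = ("clientId", "clientSecret")
APP = {
    "apiVersion": "openliberty.io/v1beta1",
    "kind": "OpenLibertyApplication",
    "metadata": {"name": "test1-app", "namespace": NAMESPACE},
    "spec": {
        "sso": {
            "oidc": [
                {
                    # hypothetical tenant id, constructed for the example
                    "discoveryEndpoint": "https://tenant-id.ice.ibmcloud.com/oidc/endpoint/default/.well-known/openid-configuration",
                    "autoRegisterSecret": SECRET_NAME,
                }
            ]
        }
    },
}


def encode_secret_data(values: dict) -> dict:
    """base64-encode plaintext values for the Secret's data section.
    Rejects empty values and surrounding whitespace: `echo $SECRET | base64`
    appends a newline, which would silently become part of the credential."""
    encoded = {}
    for key, value in values.items():
        if not value or value != value.strip():
            raise ValueError(f"{key}: empty or has leading/trailing whitespace")
        encoded[key] = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return encoded


def decode_secret_data(secret: dict) -> dict:
    """Strict decode; plaintext pasted under data: fails here instead of at login time."""
    return {
        key: base64.b64decode(value, validate=True).decode("utf-8")
        for key, value in secret.get("data", {}).items()
    }


def build_autoreg_secret(name: str, namespace: str, client_id: str, client_secret: str) -> dict:
    """The Secret manifest from the page, with the values encoded correctly."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": encode_secret_data({"clientId": client_id, "clientSecret": client_secret}),
    }


def check_secret_against_app(secret: dict, app: dict) -> list:
    """Problems that would stop the operator from using the secret for registration."""
    problems = []
    if secret["metadata"].get("namespace") != app["metadata"].get("namespace"):
        problems.append("secret and OpenLibertyApplication are in different namespaces")
    entries = app["spec"].get("sso", {}).get("oidc", [])
    if secret["metadata"]["name"] not in {e.get("autoRegisterSecret") for e in entries}:
        problems.append(f"no sso.oidc entry references secret {secret['metadata']['name']!r}")
    for entry in entries:
        endpoint = entry.get("discoveryEndpoint", "")
        if not endpoint.startswith("https://"):
            problems.append(f"discoveryEndpoint must be an https URL: {endpoint!r}")
    try:
        decoded = decode_secret_data(secret)
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        return problems + [f"data is not valid base64: {exc}"]
    for key in REQUIRED_KEYS:
        if not decoded.get(key):
            problems.append(f"missing or empty key {key!r}")
    return problems


if __name__ == "__main__":
    # The page's example values (not real credentials).
    secret = build_autoreg_secret(SECRET_NAME, NAMESPACE,
                                  "4c94878a-ba69-44ae-a164-038j84b9022m", "y7fwHBvDBJ")
    print(check_secret_against_app(secret, APP) or "secret matches the application")
    # oc apply -f accepts JSON as well as YAML, so no YAML library is needed.
    print(json.dumps(secret, indent=2))
```

Passing the page's original plaintext values under data: to check_secret_against_app reports them as invalid base64, which is the mistake the comment in the manifest warns about; pipe the printed JSON to oc apply -f - instead of writing it to a file you might commit.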

What to do next

Administrators of the IBM Enterprise Application Runtimes environment can now create credentials for developers to start using IBM Security Verify as the IdP for developing applications locally or on cloud.

All tenants of IBM Security Verify (free or paid) are also entitled to IBM Application Gateway (IAG), a proxy that helps bridge the move to cloud for legacy applications that use non-OIDC authentication flows.