Configuring single sign-on with IBM Security Verify
IBM Security Verify can be configured as the authentication provider for the system.
Prerequisites
- Create a subscription for IBM Security Verify. You need an IBMid to create a subscription. A 90-day free trial subscription is also available. For more information, see Cloud identity and access management (IAM) solutions. During subscription creation, you specify a tenant that is used to create a URL to access the IBM Security Verify dashboard.
- Access the IBM Security Verify administrator dashboard by entering the following URL in a web browser:
https://tenant.verify.ibm.com/ui/admin
where tenant is the name of the tenant that you specified when you created your subscription. Usually this tenant name is associated with your company or organization.
- In the IBM Security Verify interface, select .
- Select . Note: Each system must be added as a separate application.
The following table shows the required fields and actions for the General tab in the IBM Security Verify interface.
Table 1. General tab
- Name: Enter a name to identify the system on IBM Security Verify. If you are adding multiple systems, enter a unique name.
- Description: Enter a brief description of the system.
- Company name: Enter the name of your organization or company.
The following table shows the required fields and actions for the Sign-on tab in the IBM Security Verify interface. The Sign-on tab is used to add the management GUI as an API-based client.
Table 2. Sign-on tab
- Application URL: Enter the URL for your system. This is the URL that is used to access the management GUI.
- Grant type: Select Authorization code and JWT bearer. Two grant types are required for setting up SSO for the system. Authorization code indicates that the client can request access to protected resources on behalf of users.
- Client ID: This value is automatically generated when the system is saved as an application. It must be entered on the Single Sign-on page in the management GUI under OpenID Credentials.
- Client secret: This value is automatically generated when the system is saved as an application. It must be entered on the Single Sign-on page in the management GUI under OpenID Credentials.
- User consent: Select Do not ask for consent.
- Redirect URIs: Enter the locations where the authorization server sends users after they are successfully authorized and granted an authorization code or access token. Multiple redirect URIs can be specified for the management GUI. The redirect URI consists of the management IP address or hostname followed by /sso. For example, https://hostname.com/sso
- JWT bearer user identification: Select Username. Indicates that the username field in the JWT bearer is used to find users in the Cloud Directory and determines what second factors IBM Security Verify presents to users when they log in to the system.
- JWT bearer default identity source: Ensure Cloud Directory is selected. Indicates that the IBM Security Verify Cloud Directory is used to look up the second factor for the username. After you configure multifactor authentication on the system, users and user groups must be added to the Cloud Directory.
- Generate refresh token: Ensure that this option is unchecked.
- Send all known user attributes in the ID token: Ensure that this option is checked.
- Access policies: Complete these steps:
  - Deselect Use default policy.
  - Click the Edit icon.
  - Select Always require 2FA in all devices.
  - Click OK.
  This action creates an access policy that controls the authentication steps for system access. Access policies can specify different authentication requirements based on properties of the user or connection. In this case, all users must complete a second-factor authentication every time they access the system, from all devices.
- Restrict custom scopes: Ensure this option is unchecked.
There is no action required for the API access tab in IBM Security Verify.
Click Save. After the system is saved as a new application, the Custom Application reloads with the Entitlements tab selected.
- On the Entitlements tab, select Automatic access for all users and groups.
- Click Save.
- Select and select the application name that represents the system.
- On the Sign-on tab, copy the Client ID and the Client secret. These values must be specified as the OpenID credentials on the Single sign-on page in the management GUI.
- Ensure the authentication provider is configured to send back the group claim in the ID Token sent to the system. The group claim identifies which groups the authenticating user belongs to. Some authentication providers do not send the group claim by default, so this typically requires some configuration on the authentication provider.
Using the management GUI
- Select Settings > Security > Single Sign-on.
- Enter the OpenID Configuration Endpoint URL of the authentication server. For IBM Security Verify, enter the following:
https://tenant.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration
where tenant is the name that is associated with your subscription.
- For the OpenID Credentials, add the Client ID and Client Secret that you copied from the Sign-on tab in the IBM Security Verify interface.
- For the User claim, the value to enter depends on how your authentication provider is configured. The User claim must match the name that the authentication service uses to specify the username attribute in the ID Token it sends to the system. Typically this value is preferred_username, but can be customized on the authentication provider.
- For the Group claim, the value to enter depends on how your authentication provider is configured. The Group claim must match the name that the authentication service uses to specify the group attribute in the ID Token it sends to the system. Typically, this value is groupIds, but can be customized on the authentication provider.
- For Proxy server, consider how the system accesses the authentication provider. For an authentication provider within your network, a proxy server usually is not needed. If you connect to the authentication provider through the internet, check the box and ensure a proxy server is defined on the system.
- Click Save. On the confirmation page, click Confirm to enable single sign-on for the system.
Single sign-on is enabled for the system. You can configure user groups to use single sign-on. Click Navigate to launch the User Groups page.
Using the command-line interface
To enable single sign-on, enter the following command:
chauthsinglesignon -oidcconfigurationendpoint https://tenant.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration -clientid xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -clientsecret xxxxxxxx -userclaim preferred_username -groupclaim groupIds -enable
In the example, tenant is the tenant name that is associated with your subscription. The values for -clientid and -clientsecret are the Open ID Client and Open ID Secret that are automatically generated when you created your system as a custom application in IBM Security Verify; they are shown on the Sign-on tab in the IBM Security Verify interface. The values for -userclaim and -groupclaim should match the names of the claims that are configured for the ID Token on the authentication provider.
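As an added example (not code from the IBM documentation or the product), the following Python checks a received ID token against the settings this page configures: the issuer implied by the OpenID configuration endpoint URL, and the user claim and group claim names passed as -userclaim and -groupclaim. The tenant name, identifiers and the unsigned sample token are constructed placeholders; the token signature is not verified here, since the system performs that check itself.

```python
import base64
import json

WELL_KNOWN = "/.well-known/openid-configuration"

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def issuer_from_discovery_url(url: str) -> str:
    """Per OIDC Discovery, the configuration endpoint is the issuer plus the well-known suffix."""
    if not url.endswith(WELL_KNOWN):
        raise ValueError("not an OpenID configuration endpoint URL")
    return url[: -len(WELL_KNOWN)]

def id_token_claims(id_token: str) -> dict:
    """Payload claims of a compact JWS ID token (header.payload.signature). Signature
    verification against the provider's JWKS is out of scope; this only reads the claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a three-part compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def sso_claim_problems(claims: dict, issuer: str, user_claim: str = "preferred_username",
                       group_claim: str = "groupIds") -> list:
    """Reasons the system could not map this token to a user and its groups.
    user_claim and group_claim mirror the -userclaim and -groupclaim settings."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} does not match configured issuer {issuer!r}")
    if not claims.get(user_claim):
        problems.append(f"user claim {user_claim!r} is missing or empty")
    if not claims.get(group_claim):
        problems.append(f"group claim {group_claim!r} is missing or empty; enable it on the provider")
    return problems

def make_unsigned_token(payload: dict) -> str:
    # Constructed, unsigned sample token (alg none, empty signature) for offline checks only.
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."

# Constructed sample values: the tenant name and identifiers are placeholders, not real ones.
DISCOVERY_URL = "https://tenant.verify.ibm.com/oidc/endpoint/default" + WELL_KNOWN
ISSUER = issuer_from_discovery_url(DISCOVERY_URL)
GOOD = {"iss": ISSUER, "sub": "user-0001", "preferred_username": "alice", "groupIds": ["group-0001"]}
NO_GROUPS = {k: v for k, v in GOOD.items() if k != "groupIds"}  # provider omits the group claim
```

Running sso_claim_problems on a token whose provider does not send groupIds reports the missing group claim, which is the case the "Ensure the authentication provider is configured to send back the group claim" step above guards against.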