Configuring single sign-on with IBM Security Verify

IBM Security Verify can be configured as the authentication provider for the system.

Note: Ensure that the prerequisite tasks are completed on the system before you configure single sign-on. For more information, see the Prerequisites section in Configuring single sign-on.

Prerequisites

The following prerequisite steps on IBM® Security Verify must be completed before you can enable single sign-on on the system:
  1. Create a subscription for IBM Security Verify. You need an IBMid to create a subscription. A 90-day free trial subscription is also available. For more information, see Cloud identity and access management (IAM) solutions. During subscription creation, you specify a tenant that is used to create a URL to access the IBM Security Verify dashboard.
  2. Access the IBM Security Verify administrator dashboard by entering the following URL in a web browser:
    https://tenant.verify.ibm.com/ui/admin
    Where tenant is the name of the tenant that you specified when you created your subscription. Usually this tenant name is associated with your company or organization.
  3. In the IBM Security Verify interface, select Applications > Applications > Add application.
  4. Select IBM Storage Virtualize > Add Application.
    Note: Each system must be added as a separate application.

    The following table shows the required fields and actions for the General tab in the IBM Security Verify interface.

    Table 1. General tab
    Name: Enter a name to identify the system on IBM Security Verify. If you are adding multiple systems, enter a unique name for each one.
    Description: Enter a brief description of the system.
    Company name: Enter the name of your organization or company.

    The following table shows the required fields and actions for the Sign-on tab in the IBM Security Verify interface. The Sign-on tab is used to add the management GUI as an API-based client.

    Table 2. Sign-on tab
    Application URL: Enter the URL that is used to access the management GUI of your system.
    Grant type: Select Authorization code and JWT bearer. Both grant types are required for setting up SSO for the system. Authorization code indicates that the client can request access to protected resources on behalf of users.
    Client ID: This value is generated automatically when the system is saved as an application. It must be entered on the Single Sign-on page in the management GUI under OpenID Credentials.
    Client secret: This value is generated automatically when the system is saved as an application. It must be entered on the Single Sign-on page in the management GUI under OpenID Credentials. Treat it as a credential: anyone who holds the Client ID and Client secret can present themselves to the authorization server as the management GUI.
    User consent: Select Do not ask for consent.
    Redirect URIs: Enter the locations where the authorization server sends users after they are successfully authorized and granted an authorization code or access token. Multiple redirect URIs can be specified for the management GUI. Each redirect URI consists of https://, the management IP address or hostname, and the path /sso, for example:
    https://hostname.com/sso
    The authorization server compares the redirect URI in each login request against this list by simple string comparison, so register every address or hostname that users use to reach the management GUI, exactly as it appears in the browser (a different hostname form or a trailing slash is a different URI).
    JWT bearer user identification: Select Username. Indicates that the username field in the JWT bearer is used to find users in the Cloud Directory and determines which second factors IBM Security Verify presents to users when they log in to the system.
    JWT bearer default identity source: Ensure that Cloud Directory is selected. Indicates that the IBM Security Verify Cloud Directory is used to look up the second factor for the username. After you configure multifactor authentication on the system, users and user groups must be added to the Cloud Directory.
    Generate refresh token: Ensure that this option is unchecked.
    Send all known user attributes in the ID token: Ensure that this option is checked. The system reads the username and the group membership of the authenticating user from claims in the ID token, so the token must carry the user attributes.
    Access policies: Complete these steps:
    1. Deselect Use default policy.
    2. Click the Edit icon.
    3. Select Always require 2FA in all devices.
    4. Click OK.
    This action creates an access policy that controls the authentication steps for system access. Access policies can specify different authentication requirements based on properties of the user or connection. In this case, all users must complete second-factor authentication every time they access the system, from any device.
    Restrict custom scopes: Ensure that this option is unchecked.

    No action is required on the API access tab in IBM Security Verify. Click Save. After the system is saved as a new application, the Custom Application page reloads with the Entitlements tab selected.

  5. On the Entitlements tab, select Automatic access for all users and groups.
  6. Click Save.
  7. Select Applications and select the application name that represents the system.
  8. On the Sign-on tab, copy the Client ID and the Client secret. These values must be specified as the OpenID credentials on the Single sign-on page in the management GUI.
  9. Ensure the authentication provider is configured to send back the group claim in the ID Token sent to the system. The group claim identifies which groups the authenticating user belongs to. Some authentication providers do not send the group claim by default, so this typically requires some configuration on the authentication provider.

Using the management GUI

  1. Select Settings > Security > Single Sign-on.
  2. Enter the OpenID Configuration Endpoint URL of the authentication server. For IBM Security Verify, enter the following:
    https://tenant.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration

    where tenant is the name that is associated with your subscription.

  3. For the OpenID Credentials, add the Client ID and Client secret that you copied from the Sign-on tab in the IBM Security Verify interface.
  4. For the User claim, the value to enter depends on how your authentication provider is configured. The User claim must match the name that the authentication service uses to specify the username attribute in the ID Token it sends to the system. Typically this value is preferred_username, but can be customized on the authentication provider.
  5. For the Group claim, the value to enter depends on how your authentication provider is configured. The Group claim must match the name that the authentication service uses to specify the group attribute in the ID Token it sends to the system. Typically, this value is groupIds, but can be customized on the authentication provider.
  6. For Proxy server, consider how the system accesses the authentication provider. For an authentication provider within your network, a proxy server usually is not needed. If you connect to the authentication provider through the internet, check the box and ensure a proxy server is defined on the system.
  7. Click Save. On the confirmation page, click Confirm to enable single sign-on for the system.

Single sign-on is enabled for the system. You can configure user groups to use single sign-on. Click Navigate to launch the User Groups page.

Using the command-line interface

To enable single sign-on, enter the following command:

chauthsinglesignon -oidcconfigurationendpoint https://tenant.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration -clientid xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -clientsecret xxxxxxxx -userclaim preferred_username -groupclaim groupIds -enable
In the example, tenant is the tenant name that is associated with your subscription. The values for -clientid and -clientsecret are the Client ID and Client secret that were generated automatically when you saved the system as an application on the Sign-on tab in the IBM Security Verify interface. The values for -userclaim and -groupclaim must match the names of the claims that the authentication provider places in the ID Token.
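The following Python script is an added example, not code from the original page or from IBM. It turns the checks behind prerequisite step 9 and management GUI steps 2, 4 and 5 into something you can run before you click Save: it validates an OpenID discovery document against the configuration endpoint URL you will enter, confirms that an ID token carries the user claim and group claim that the system reads (preferred_username and groupIds), and shows that redirect URIs are matched by exact string comparison. The tenant name example, the endpoint paths under the issuer, the user alice, the group storage-admins and the ID token itself are all constructed for the demonstration. To use it against your own tenant, fetch the real discovery document from the configuration endpoint and paste in an ID token captured from a test login.

```python
"""Offline pre-flight checks for the SSO setup described on this page.
Added example, not IBM code. All sample data below is constructed."""
import base64
import json

# Claim names the management GUI / chauthsinglesignon command expect by default.
USER_CLAIM = "preferred_username"
GROUP_CLAIM = "groupIds"
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def check_discovery(config_url, doc, user_claim, group_claim):
    """Return a list of problems in an OpenID discovery document; [] means usable."""
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in doc]
    issuer = doc.get("issuer", "")
    # OIDC Discovery: the configuration URL must be issuer + DISCOVERY_SUFFIX,
    # and the issuer must be https so ID tokens are bound to the right tenant.
    if not issuer.startswith("https://"):
        problems.append("issuer is not an https URL")
    elif config_url != issuer.rstrip("/") + DISCOVERY_SUFFIX:
        problems.append(f"issuer {issuer!r} does not match the configuration URL")
    # Default per OIDC Discovery when grant_types_supported is absent.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not supported")
    # claims_supported is optional; check it only when the provider advertises it.
    supported = doc.get("claims_supported")
    if supported is not None:
        problems += [f"claim {c!r} not in claims_supported"
                     for c in (user_claim, group_claim) if c not in supported]
    return problems


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_id_token_claims(id_token, user_claim, group_claim):
    """Report which of the claims the system reads are present in an ID token.

    This decodes the payload only; it does NOT verify the signature, issuer,
    audience or expiry. Use it to confirm the provider sends the right claims
    (prerequisite step 9), never to decide whether a token is trustworthy.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    payload = json.loads(_b64url_decode(parts[1]))
    groups = payload.get(group_claim, [])
    return {
        "user": payload.get(user_claim),
        "groups": groups if isinstance(groups, list) else [groups],
        "missing": [c for c in (user_claim, group_claim) if c not in payload],
    }


def redirect_uri_registered(registered, requested):
    """OAuth 2.0 authorization servers compare redirect_uri by simple string
    comparison (RFC 6749 section 3.1.2.3): a trailing slash, a different
    scheme or a different hostname form is a different URI."""
    return requested in registered


# ---- constructed sample data (placeholder tenant "example", not a real tenant) ----
_ISSUER = "https://example.verify.ibm.com/oidc/endpoint/default"
SAMPLE_CONFIG_URL = _ISSUER + DISCOVERY_SUFFIX
SAMPLE_DISCOVERY = {  # the endpoint paths are assumed for the demo, not documented here
    "issuer": _ISSUER,
    "authorization_endpoint": _ISSUER + "/authorize",
    "token_endpoint": _ISSUER + "/token",
    "jwks_uri": _ISSUER + "/jwks",
    "grant_types_supported": ["authorization_code",
                              "urn:ietf:params:oauth:grant-type:jwt-bearer"],
    "claims_supported": ["sub", "preferred_username", "groupIds"],
}


def _sample_token(payload):
    """Build a stand-in ID token for the demo. The signature is a placeholder:
    a real Verify ID token is signed and must be verified against jwks_uri."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder"


SAMPLE_ID_TOKEN = _sample_token({
    "iss": _ISSUER, "sub": "1234567890", "aud": "client-id-placeholder",
    "preferred_username": "alice", "groupIds": ["storage-admins"],
})

if __name__ == "__main__":
    print("discovery:", check_discovery(SAMPLE_CONFIG_URL, SAMPLE_DISCOVERY,
                                        USER_CLAIM, GROUP_CLAIM) or "ok")
    print("id token:", inspect_id_token_claims(SAMPLE_ID_TOKEN, USER_CLAIM, GROUP_CLAIM))
    print("https://hostname.com/sso/ registered?",
          redirect_uri_registered(["https://hostname.com/sso"], "https://hostname.com/sso/"))
```

If check_discovery reports a claim as not advertised, or inspect_id_token_claims lists it under "missing", the fix belongs on the IBM Security Verify side (the Send all known user attributes in the ID token option and the group claim configuration), not in the values you enter for -userclaim and -groupclaim: those must name what the provider actually sends.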