Adding remote users to IBM Security Verify

After user groups are enabled for multifactor authentication on the system, add remote users to the Cloud Directory in IBM® Security Verify.

For remote users that authenticate with LDAP servers, install and configure IBM Security Verify Bridge for Directory Sync on your LDAP server, such as Windows Active Directory. IBM Security Verify Bridge for Directory Sync duplicates any users and groups that are defined on the source LDAP server into the Cloud Directory in IBM Security Verify. Any subsequent changes that are made to the source LDAP server are copied automatically to the Cloud Directory in IBM Security Verify.

To add remote users to IBM Security Verify, complete these steps:
  1. Download and install IBM Security Verify Bridge for Directory Sync on your supported LDAP server. For more information, see IBM Security Verify Bridge for Directory Sync in the IBM Security Verify documentation.
  2. After the installation completes, you need to update the sample JSON file and add properties that define connection settings and the LDAP server. On your supported LDAP server, open the /DirectorySync/ directory, create a copy of the file IcbLdapSync.json.ad-sample and rename it IcbLdapSync.json.
  3. Open the file in a text editor.
  4. Under the ibm-auth-api JSON object, complete the following steps:
    client-id
    Enter the client ID that was automatically generated when you created the system as an application in IBM Security Verify.
    obf-client-secret
    1. Change the name of this JSON object to: client-secret.
    2. Enter the client secret that was automatically generated when you created the system as an application in IBM Security Verify.
    host
    Enter the hostname for the IBM Security Verify tenant.
    port (optional)
    Enter the port for your IBM Security Verify tenant.
    proxy (optional)
    Enter the hostname for the proxy server.
    For more information, see ibm-auth-api JSON object in the IBM Security Verify documentation.
  5. Under the cloud-bridge JSON object, add the following information:
    ldap-poll-time
    Enter a value in seconds to determine how frequently the LDAP directory and the Cloud Directory are synchronized. The default setting is 4 seconds. However, the example JSON file uses the value of 60 seconds. You can change this value based on your needs.
    For more information, see the cloud-bridge JSON object in the IBM Security Verify documentation.
  6. Under the ldap JSON object, add the following information:
    host
    Enter the hostname of the LDAP server.
    port
    Enter the port number for the LDAP server.
    user
    Enter the distinguished name (DN) of the account that the bridge uses to bind to the LDAP server. The Administrator account typically has the required permissions, for example: "user":"CN=Administrator,CN=Users,DC=mydomain,DC=com"
    obf-password
    1. Change the name of this JSON object to: password.
    2. Enter the password for the Administrator for the LDAP server.
    For more information, see the ldap JSON object in the IBM Security Verify documentation.
  7. Under the user JSON object, add the following information:
    realm
    Change the realm to "cloudIdentityRealm".
    userCategory
    Change userCategory to "regular".
    Notification
    Ensure that you include the following values:
        "notifyType": "EMAIL",
        "notifyPassword": true,
        "notifyManager": false
    These values specify that an email notification is sent to each user when that user is added to the Cloud Directory in IBM Security Verify. The email instructs the user to access IBM Security Verify and select second factors to authenticate to the management interfaces.
    For more information, see the user JSON object in the IBM Security Verify documentation.
  8. Under the ldap-to-scim JSON object, remove or comment out the following string:
    "append":"@cloudIdentityRealm".
    For more information, see the ldap-to-scim JSON object in the IBM Security Verify documentation.
  9. Save the JSON file. The updated JSON file looks like the following example:
    {
        "ibm-auth-api":{
            "timeout":100,
            "client-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
            "client-secret":"xxxxxxxxx",
            "protocol":"https",
            "host":"tenant.verify.ibm.com",
            "port":xxx,
            "proxy":"x.xx.xx.x:xxxx",
            "max-handles":16
        },
        "cloud-bridge":{
            "max-ops": 512,
            /* "trace-file":"c:/tmp/cloudbridge.log", */
            "enable-op-log":true,
            "op-log-rollover": 2097152,
            "do-not-sync-delete":  false,
            "ldap-search-filter":"(&(|(objectClass=user)(objectClass=group))(!(isCriticalSystemObject=*)))",
            "ldap-is-deleted-attr":"isDeleted",
            "ldap-poll-time":60,
            /* "log-stats-interval": 30, */
            /* "ldap-base-dn": "DC=mycompany,DC=com", */
            "ldap":{
                "host":"ldapserver.example.com",
                "port":xxx,
                "user":"CN=Administrator,CN=Users,DC=mycompany,DC=com",
                "password":"password",
                "use-tls":false,
                "start-tls":false
            },
            "user":{
                "ldap-object-classes": [ "user" ],
                "scim-external-id-attr":"externalId",
                "scim-outline":{
                    "urn:ietf:params:scim:schemas:extension:ibm:2.0:User":{
                        "realm":"cloudIdentityRealm",
                        "userCategory":"regular"
                    },
                    "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification": {
                        "notifyType": "EMAIL",
                        "notifyPassword": true,
                        "notifyManager": false
                    },
                    "schemas":[
                        "urn:ietf:params:scim:schemas:core:2.0:User",
                        "urn:ietf:params:scim:schemas:extension:ibm:2.0:User",
                        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
                        "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification"
                    ]
                },
                "ldap-to-scim":[
                    {
                        "ldap":"sAMAccountName",
                        "tweaks":{
                            /* "append":"@cloudIdentityRealm" */
                        },
                        "new-attr":{
                            "scim":{"userName":"{{value}}"}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"userName","value":"{{value}}"},
                                "remove":{"op":"remove","path":"userName"},
                                "replace":{"op":"replace","path":"userName","value":"{{value}}"}
                            }
                        }
                    },
    /* Example of using a custom attribute: */
    /*
                    {
                        "ldap":"carLicense",
                        "is-multi-value":true,
                        "new-attr": {
                            "scim":{
                                "urn:ietf:params:scim:schemas:extension:ibm:2.0:User":{"customAttributes":[{"values":["{{value}}"],"name":"myattrscim"}]}
                            }
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:User:customAttributes",
                                    "value":[{"name":"myattrscim","values":["{{value}}"]}]},
                                "remove-all":{"op":"remove","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:User:customAttributes[name eq \"myattrscim\"]"},
                                "remove":{"op":"remove","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:User:customAttributes[name eq \"myattrscim\"].values",
                                    "value":["{{value}}"]},
                                "replace":{"op":"add","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:User:customAttributes",
                                    "value":[{"name":"myattrscim","values":["{{value}}"]}]}
                            }
                        }
                    },
    */
                    {
                        "ldap":"cn",
                        "new-attr":{
                            "scim":{"displayName":"{{value}}"}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"displayName","value":"{{value}}"},
                                "remove":{"op":"remove","path":"displayName"},
                                "replace":{"op":"replace","path":"displayName","value":"{{value}}"}
                            }
                        }
                    },
                    {
                        "ldap":"telephoneNumber",
                        "new-attr":{
                            "scim":{"phoneNumbers":[{"type":"work","value":"{{value}}"}]}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"phoneNumbers","value":[{"type":"work","value":"{{value}}"}]},
                                "remove":{"op":"remove","path":"phoneNumbers[type eq \"work\"]"},
                                "replace":{"op":"add","path":"phoneNumbers","value":[{"type":"work","value":"{{value}}"}]}
                            }
                        }
                    },
                    {
                        "ldap":"mobile",
                        "new-attr":{
                            "scim":{"phoneNumbers":[{"type":"mobile","value":"{{value}}"}]}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"phoneNumbers","value":[{"type":"mobile","value":"{{value}}"}]},
                                "remove":{"op":"remove","path":"phoneNumbers[type eq \"mobile\"]"},
                                "replace":{"op":"add","path":"phoneNumbers","value":[{"type":"mobile","value":"{{value}}"}]}
                            }
                        }
                    },
                    {
                        "ldap":"homePhone",
                        "new-attr":{
                            "scim":{"phoneNumbers":[{"type":"home","value":"{{value}}"}]}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"phoneNumbers","value":[{"type":"home","value":"{{value}}"}]},
                                "remove":{"op":"remove","path":"phoneNumbers[type eq \"home\"]"},
                                "replace":{"op":"add","path":"phoneNumbers","value":[{"type":"home","value":"{{value}}"}]}
                            }
                        }
                    },
                    {
                        "ldap":"ipPhone",
                        "new-attr":{
                            "scim":{"phoneNumbers":[{"type":"pager","value":"{{value}}"}]}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"phoneNumbers","value":[{"type":"pager","value":"{{value}}"}]},
                                "remove":{"op":"remove","path":"phoneNumbers[type eq \"pager\"]"},
                                "replace":{"op":"add","path":"phoneNumbers","value":[{"type":"pager","value":"{{value}}"}]}
                            }
                        }
                    },
                    {
                        "ldap":"facsimileTelephoneNumber",
                        "new-attr":{
                            "scim":{"phoneNumbers":[{"type":"fax","value":"{{value}}"}]}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"phoneNumbers","value":[{"type":"fax","value":"{{value}}"}]},
                                "remove":{"op":"remove","path":"phoneNumbers[type eq \"fax\"]"},
                                "replace":{"op":"add","path":"phoneNumbers","value":[{"type":"fax","value":"{{value}}"}]}
                            }
                        }
                    },
                    {
                        "ldap":"givenName",
                        "new-attr":{
                            "scim":{"name":{"givenName":"{{value}}"}}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"name.givenName","value":"{{value}}"},
                                "remove":{"op":"remove","path":"name.givenName"},
                                "replace":{"op":"replace","path":"name.givenName","value":"{{value}}"}
                            }
                        }
                    },
                    {
                        "ldap":"sn",
                        "new-attr":{
                            "scim":{"name":{"familyName":"{{value}}"}}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"name.familyName","value":"{{value}}"},
                                "remove":{"op":"remove","path":"name.familyName"},
                                "replace":{"op":"replace","path":"name.familyName","value":"{{value}}"}
                            }
                        }
                    },
                    {
                        "ldap":"displayName",
                        "new-attr":{
                            "scim":{"name":{"formatted":"{{value}}"}}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"name.formatted","value":"{{value}}"},
                                "remove":{"op":"remove","path":"name.formatted"},
                                "replace":{"op":"replace","path":"name.formatted","value":"{{value}}"}
                            }
                        }
                    },
                    {
                        "ldap":"streetAddress",
                        "new-attr":{
                            "scim":{"addresses":[{"type":"work","streetAddress":"{{value}}"}]}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"addresses","value":[{"type":"work","streetAddress":"{{value}}"}]},
                                "remove":{"op":"remove","path":"addresses[type eq \"work\"]"},
                                "replace":{"op":"add","path":"addresses","value":[{"type":"work","streetAddress":"{{value}}"}]}
                            }
                        }
                    },
                    {
                        "ldap":"manager",
                        "is-dn":true,
                        "new-attr":{
                            "scim":{"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"manager":{"value":"{{value}}"}}}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value","value":"{{value}}"},
                                "remove":{"op":"remove","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value"},
                                "replace":{"op":"replace","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value","value":"{{value}}"}
                            }
                        }
                    },
                    {
                        "ldap":"mail",
                        "new-attr":{
                            "scim":{"emails":[{"type":"work","value":"{{value}}"}]}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"emails","value":[{"type":"work","value":"{{value}}"}]},
                                "remove":{"op":"remove","path":"emails[type eq \"work\"]"},
                                "replace":{"op":"add","path":"emails","value":[{"type":"work","value":"{{value}}"}]}
                            }
                        }
                    },
                    {
                        "ldap":"department",
                        "new-attr":{
                            "scim":{"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"department":"{{value}}"}}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department","value":"{{value}}"},
                                "remove":{"op":"remove","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department"},
                                "replace":{"op":"replace","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department","value":"{{value}}"}
                            }
                        }
                    },
                    {
                        "ldap":"objectGUID",
                        "is-binary":true,
                        "new-attr":{
                            "scim":{"externalId":"{{value}}"}
                        }
                    },
                    {
                        "ldap":"userAccountControl",
                        "new-attr":{
                            "cond-scim":{
                                "if":{"&":["{{value}}", "2"]},
                                "then":{"active":false},
                                "else":{"active":true}
                            }
                        },
                        "mod-attr":{
                            "cond-scim":{
                                "if":{"&":["{{value}}","2"]},
                                "then":{
                                    "add":{"op":"add","path":"active","value":false},
                                    "remove":{"op":"remove","path":"active"},
                                    "replace":{"op":"replace","path":"active","value":false}
                                },
                                "else":{
                                    "add":{"op":"add","path":"active","value":true},
                                    "remove":{"op":"remove","path":"active"},
                                    "replace":{"op":"replace","path":"active","value":true}
                                }
                            }
                        }
                    }
                ]
            },
            "group":{
                "ldap-object-classes": [ "group" ],
                "scim-external-id-attr":"externalId",
                "scim-outline":{
                    "schemas":[
                        "urn:ietf:params:scim:schemas:core:2.0:Group",
                        "urn:ietf:params:scim:schemas:extension:ibm:2.0:Group"
                    ]
                },
                "ldap-to-scim":[
                    {
                        "ldap":"sAMAccountName",
                        "new-attr":{
                            "scim":{"displayName":"{{value}}"}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"displayName","value":"{{value}}"},
                                "remove":{"op":"remove","path":"displayName"},
                                "replace":{"op":"replace","path":"displayName","value":"{{value}}"}
                            }
                        }
                    },
                    {
                        "ldap":"objectGUID",
                        "is-binary":true,
                        "new-attr":{
                            "scim":{"externalId":"{{value}}"}
                        }
                    },
                    {
                        "ldap":"description",
                        "new-attr":{
                            "scim":{"urn:ietf:params:scim:schemas:extension:ibm:2.0:Group":{"description":"{{value}}"}}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:Group:description","value":"{{value}}"},
                                "remove":{"op":"remove","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:Group:description"},
                                "replace":{"op":"replace","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:Group:description","value":"{{value}}"}
                            }
                        }
                    },
                    {
                        "ldap":"member",
                        "is-dn":true,
                        "is-multi-value":true,
                        "new-attr":{
                            "scim":{"members":[{"type":"{{type}}","value":"{{value}}"}]}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"members","value":[{"type":"{{type}}","value":"{{value}}"}]},
                                "remove":{"op":"remove","path":"members[value eq {{jq_value}}]"},
                                "remove-all":{"op":"remove","path":"members"},
                                "replace":{"op":"replace","path":"members","value":[{"type":"{{type}}","value":"{{value}}"}]}
                            }
                        }
                    }
                ]
            }
        }
    }
    
  10. To synchronize the LDAP server and the Cloud Directory for the first time, run IcbLdapSync.exe.
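The edits in steps 4 to 8 are easy to miss in a file this long, so here is an added pre-flight check (example code written for this page, not part of IBM's tool or documentation) that strips the sample file's /* */ comments, parses the result and verifies each required change, and also mirrors the userAccountControl cond-scim rule from the mapping so the resulting active flag can be checked for a given value. SAMPLE is a constructed, cut-down file using the key names from the example above; the warning about an unencrypted bind is this example's own check, and the meaning of bit 2 of userAccountControl (ACCOUNTDISABLE) is standard Active Directory behaviour, not something the page states.

```python
import json
import re

# Constructed sample: a cut-down edited IcbLdapSync.json in the layout of step 9.
SAMPLE = r'''{
  "ibm-auth-api":{"client-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                  "client-secret":"xxxxxxxxx","host":"tenant.verify.ibm.com"},
  "cloud-bridge":{
    /* "trace-file":"c:/tmp/cloudbridge.log", */
    "ldap-poll-time":60,
    "ldap":{"host":"ldapserver.example.com","port":389,
            "user":"CN=Administrator,CN=Users,DC=mycompany,DC=com",
            "password":"password","use-tls":false,"start-tls":false},
    "user":{
      "scim-outline":{
        "urn:ietf:params:scim:schemas:extension:ibm:2.0:User":{
          "realm":"cloudIdentityRealm","userCategory":"regular"},
        "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification":{
          "notifyType":"EMAIL","notifyPassword":true,"notifyManager":false}},
      "ldap-to-scim":[
        {"ldap":"sAMAccountName","tweaks":{ /* "append":"@cloudIdentityRealm" */ },
         "new-attr":{"scim":{"userName":"{{value}}"}}}]}}}'''

IBM_USER = "urn:ietf:params:scim:schemas:extension:ibm:2.0:User"
IBM_NOTIFY = "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification"

def strip_comments(text):
    """Remove the /* ... */ comments the sample file uses; json.loads rejects them."""
    return re.sub(r"/\*.*?\*/", "", text, flags=re.S)

def active_from_uac(uac):
    """Mirror the userAccountControl cond-scim rule: bit 2 (ACCOUNTDISABLE) set => inactive."""
    return not (int(uac) & 2)

def check_config(text):
    """Return (errors, warnings) for an edited configuration, following steps 4 to 8."""
    cfg = json.loads(strip_comments(text))
    errors, warnings = [], []
    auth = cfg.get("ibm-auth-api", {})
    bridge = cfg.get("cloud-bridge", {})
    ldap = bridge.get("ldap", {})
    user = bridge.get("user", {})
    outline = user.get("scim-outline", {})
    ext, notify = outline.get(IBM_USER, {}), outline.get(IBM_NOTIFY, {})
    # Steps 4 and 6: the obf-* placeholder keys must have been renamed.
    if "obf-client-secret" in auth or "client-secret" not in auth:
        errors.append("ibm-auth-api: rename obf-client-secret to client-secret")
    if "obf-password" in ldap or "password" not in ldap:
        errors.append("ldap: rename obf-password to password")
    # Step 7: realm, userCategory and the notification values.
    if ext.get("realm") != "cloudIdentityRealm":
        errors.append('user: realm must be "cloudIdentityRealm"')
    if ext.get("userCategory") != "regular":
        errors.append('user: userCategory must be "regular"')
    wanted = {"notifyType": "EMAIL", "notifyPassword": True, "notifyManager": False}
    if any(notify.get(k) != v for k, v in wanted.items()):
        errors.append("user: Notification must be EMAIL, notifyPassword true, notifyManager false")
    # Step 8: the realm suffix must no longer be appended to sAMAccountName.
    for mapping in user.get("ldap-to-scim", []):
        if mapping.get("ldap") == "sAMAccountName" and "append" in mapping.get("tweaks", {}):
            errors.append('ldap-to-scim: remove "append":"@cloudIdentityRealm"')
    # Hygiene (this example's own check): the admin bind password crosses the network in clear unless TLS is on.
    if not ldap.get("use-tls") and not ldap.get("start-tls"):
        warnings.append("ldap: use-tls and start-tls are both false; the bind is unencrypted")
    return errors, warnings

if __name__ == "__main__":
    errs, warns = check_config(SAMPLE)
    print("\n".join(["ERROR: " + e for e in errs] + ["WARNING: " + w for w in warns]))
```

Run it against your own IcbLdapSync.json by reading the file into check_config instead of SAMPLE; an empty error list means the renames and realm, userCategory, notification and userName changes are all in place.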

Depending on your security requirements, you can either require only a certain type of second factor or let users select from the supported list of available factors when they log in for the first time. If you want to control which factors and their settings users can specify, select Security from the IBM Security Verify administrator dashboard.

After you have added all users to IBM Security Verify, each user receives an email notification with instructions on setting up the second factors for their account. When these users log in to the management interfaces that are configured to use multifactor authentication, they are directed to IBM Security Verify to present the second factor.