Adding remote users to IBM Security Verify
After user groups are enabled for multifactor authentication on the system, add remote users to the Cloud Directory in IBM® Security Verify.
For remote users that authenticate with LDAP servers, install and configure IBM Security Verify Bridge for Directory Sync on your LDAP server, such as Windows Active Directory. IBM Security Verify Bridge for Directory Sync duplicates any users and groups that are defined on the source LDAP server into the Cloud Directory in IBM Security Verify. Any subsequent changes that are made to the source LDAP server are copied automatically to the Cloud Directory in IBM Security Verify.
- Download and install IBM Security Verify Bridge for Directory Sync on your supported LDAP server. For more information, see IBM Security Verify Bridge for Directory Sync in the IBM Security Verify documentation.
- After the installation completes, you need to update the sample JSON file and add properties that define connection settings and the LDAP server. On your supported LDAP server, open the /DirectorySync/ directory, create a copy of the file IcbLdapSync.json.ad-sample and rename it IcbLdapSync.json.
- Open the file in a text editor.
- Under the ibm-auth-api JSON object, complete the following steps:
  - client-id: Enter the client ID that was automatically generated when you created the system as an application in IBM Security Verify.
  - obf-client-secret: Change the name of this JSON object to client-secret. Enter the client secret that was automatically generated when you created the system as an application in IBM Security Verify.
  - host: Enter the hostname for the IBM Security Verify tenant.
  - port (optional): Enter the port for your IBM Security Verify tenant.
  - proxy (optional): Enter the hostname for the proxy server.
- Under the cloud-bridge JSON object, add the following information:
  - ldap-poll-time: Enter a value in seconds to determine how frequently the LDAP directory and the Cloud Directory are synchronized. The default setting is 4 seconds; however, the example JSON file uses a value of 60 seconds. You can change this value based on your needs.
- Under the ldap JSON object, add the following information:
  - host: Enter the hostname of the LDAP server.
  - port: Enter the port number for the LDAP server.
  - user: Enter the distinguished name (DN) of the Administrator account for the LDAP server; the Administrator account typically has the required permissions. For example: "user":"CN=Administrator,CN=Users,DC=mydomain,DC=com"
  - obf-password: Change the name of this JSON object to password. Enter the password for the Administrator for the LDAP server.
- Under the user JSON object, add the following information:
  - realm: Change the realm to "cloudIdentityRealm".
  - userCategory: Change userCategory to "regular".
  - Notification: Ensure that you include the following values: "notifyType": "EMAIL", "notifyPassword": true, "notifyManager": false. These values specify that an email notification is sent to users when they are added to the Cloud Directory in IBM Security Verify. In the email notification, they are instructed to access IBM Security Verify and select second factors to authenticate to the management interfaces.
- Under the ldap-to-scim JSON object, remove or comment out the following string: "append":"@cloudIdentityRealm". For more information, see the ldap-to-scim JSON object in the IBM Security Verify documentation.
- Save the JSON file. The updated JSON file looks like the following example:
{
  "ibm-auth-api":{
    "timeout":100,
    "client-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "client-secret":"xxxxxxxxx",
    "protocol":"https",
    "host":"tenant.verify.ibm.com",
    "port":xxx,
    "proxy":"x.xx.xx.x:xxxx",
    "max-handles":16
  },
  "cloud-bridge":{
    "max-ops": 512,
    /* "trace-file":"c:/tmp/cloudbridge.log", */
    "enable-op-log":true,
    "op-log-rollover": 2097152,
    "do-not-sync-delete": false,
    "ldap-search-filter":"(&(|(objectClass=user)(objectClass=group))(!(isCriticalSystemObject=*)))",
    "ldap-is-deleted-attr":"isDeleted",
    "ldap-poll-time":60,
    /* "log-stats-interval": 30, */
    /* "ldap-base-dn": "DC=mycompany,DC=com", */
    "ldap":{
      "host":"ldapserver.example.com",
      "port":xxx,
      "user":"CN=Administrator,CN=Users,DC=mycompany,DC=com",
      "password":"password",
      "use-tls":false,
      "start-tls":false
    },
    "user":{
      "ldap-object-classes": [ "user" ],
      "scim-external-id-attr":"externalId",
      "scim-outline":{
        "urn:ietf:params:scim:schemas:extension:ibm:2.0:User":{
          "realm":"cloudIdentityRealm",
          "userCategory":"regular"
        },
        "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification": {
          "notifyType": "EMAIL",
          "notifyPassword": true,
          "notifyManager": false
        },
        "schemas":[
          "urn:ietf:params:scim:schemas:core:2.0:User",
          "urn:ietf:params:scim:schemas:extension:ibm:2.0:User",
          "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
          "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification"
        ]
      },
      "ldap-to-scim":[
        {
          "ldap":"sAMAccountName",
          "tweaks":{ /* "append":"@cloudIdentityRealm" */ },
          "new-attr":{ "scim":{"userName":"{{value}}"} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"userName","value":"{{value}}"},
              "remove":{"op":"remove","path":"userName"},
              "replace":{"op":"replace","path":"userName","value":"{{value}}"}
            }
          }
        },
        /* Example of using a custom attribute: */
        /* {
          "ldap":"carLicense",
          "is-multi-value":true,
          "new-attr": {
            "scim":{
              "urn:ietf:params:scim:schemas:extension:ibm:2.0:User":{"customAttributes":[{"values":["{{value}}"],"name":"myattrscim"}]}
            }
          },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:User:customAttributes", "value":[{"name":"myattrscim","values":["{{value}}"]}]},
              "remove-all":{"op":"remove","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:User:customAttributes[name eq \"myattrscim\"]"},
              "remove":{"op":"remove","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:User:customAttributes[name eq \"myattrscim\"].values", "value":["{{value}}"]},
              "replace":{"op":"add","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:User:customAttributes", "value":[{"name":"myattrscim","values":["{{value}}"]}]}
            }
          }
        }, */
        {
          "ldap":"cn",
          "new-attr":{ "scim":{"displayName":"{{value}}"} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"displayName","value":"{{value}}"},
              "remove":{"op":"remove","path":"displayName"},
              "replace":{"op":"replace","path":"displayName","value":"{{value}}"}
            }
          }
        },
        {
          "ldap":"telephoneNumber",
          "new-attr":{ "scim":{"phoneNumbers":[{"type":"work","value":"{{value}}"}]} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"phoneNumbers","value":[{"type":"work","value":"{{value}}"}]},
              "remove":{"op":"remove","path":"phoneNumbers[type eq \"work\"]"},
              "replace":{"op":"add","path":"phoneNumbers","value":[{"type":"work","value":"{{value}}"}]}
            }
          }
        },
        {
          "ldap":"mobile",
          "new-attr":{ "scim":{"phoneNumbers":[{"type":"mobile","value":"{{value}}"}]} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"phoneNumbers","value":[{"type":"mobile","value":"{{value}}"}]},
              "remove":{"op":"remove","path":"phoneNumbers[type eq \"mobile\"]"},
              "replace":{"op":"add","path":"phoneNumbers","value":[{"type":"mobile","value":"{{value}}"}]}
            }
          }
        },
        {
          "ldap":"homePhone",
          "new-attr":{ "scim":{"phoneNumbers":[{"type":"home","value":"{{value}}"}]} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"phoneNumbers","value":[{"type":"home","value":"{{value}}"}]},
              "remove":{"op":"remove","path":"phoneNumbers[type eq \"home\"]"},
              "replace":{"op":"add","path":"phoneNumbers","value":[{"type":"home","value":"{{value}}"}]}
            }
          }
        },
        {
          "ldap":"ipPhone",
          "new-attr":{ "scim":{"phoneNumbers":[{"type":"pager","value":"{{value}}"}]} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"phoneNumbers","value":[{"type":"pager","value":"{{value}}"}]},
              "remove":{"op":"remove","path":"phoneNumbers[type eq \"pager\"]"},
              "replace":{"op":"add","path":"phoneNumbers","value":[{"type":"pager","value":"{{value}}"}]}
            }
          }
        },
        {
          "ldap":"facsimileTelephoneNumber",
          "new-attr":{ "scim":{"phoneNumbers":[{"type":"fax","value":"{{value}}"}]} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"phoneNumbers","value":[{"type":"fax","value":"{{value}}"}]},
              "remove":{"op":"remove","path":"phoneNumbers[type eq \"fax\"]"},
              "replace":{"op":"add","path":"phoneNumbers","value":[{"type":"fax","value":"{{value}}"}]}
            }
          }
        },
        {
          "ldap":"givenName",
          "new-attr":{ "scim":{"name":{"givenName":"{{value}}"}} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"name.givenName","value":"{{value}}"},
              "remove":{"op":"remove","path":"name.givenName"},
              "replace":{"op":"replace","path":"name.givenName","value":"{{value}}"}
            }
          }
        },
        {
          "ldap":"sn",
          "new-attr":{ "scim":{"name":{"familyName":"{{value}}"}} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"name.familyName","value":"{{value}}"},
              "remove":{"op":"remove","path":"name.familyName"},
              "replace":{"op":"replace","path":"name.familyName","value":"{{value}}"}
            }
          }
        },
        {
          "ldap":"displayName",
          "new-attr":{ "scim":{"name":{"formatted":"{{value}}"}} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"name.formatted","value":"{{value}}"},
              "remove":{"op":"remove","path":"name.formatted"},
              "replace":{"op":"replace","path":"name.formatted","value":"{{value}}"}
            }
          }
        },
        {
          "ldap":"streetAddress",
          "new-attr":{ "scim":{"addresses":[{"type":"work","streetAddress":"{{value}}"}]} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"addresses","value":[{"type":"work","streetAddress":"{{value}}"}]},
              "remove":{"op":"remove","path":"addresses[type eq \"work\"]"},
              "replace":{"op":"add","path":"addresses","value":[{"type":"work","streetAddress":"{{value}}"}]}
            }
          }
        },
        {
          "ldap":"manager",
          "is-dn":true,
          "new-attr":{ "scim":{"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"manager":{"value":"{{value}}"}}} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value","value":"{{value}}"},
              "remove":{"op":"remove","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value"},
              "replace":{"op":"replace","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value","value":"{{value}}"}
            }
          }
        },
        {
          "ldap":"mail",
          "new-attr":{ "scim":{"emails":[{"type":"work","value":"{{value}}"}]} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"emails","value":[{"type":"work","value":"{{value}}"}]},
              "remove":{"op":"remove","path":"emails[type eq \"work\"]"},
              "replace":{"op":"add","path":"emails","value":[{"type":"work","value":"{{value}}"}]}
            }
          }
        },
        {
          "ldap":"department",
          "new-attr":{ "scim":{"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"department":"{{value}}"}} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department","value":"{{value}}"},
              "remove":{"op":"remove","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department"},
              "replace":{"op":"replace","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department","value":"{{value}}"}
            }
          }
        },
        {
          "ldap":"objectGUID",
          "is-binary":true,
          "new-attr":{ "scim":{"externalId":"{{value}}"} }
        },
        {
          "ldap":"userAccountControl",
          "new-attr":{
            "cond-scim":{
              "if":{"&":["{{value}}", "2"]},
              "then":{"active":false},
              "else":{"active":true}
            }
          },
          "mod-attr":{
            "cond-scim":{
              "if":{"&":["{{value}}","2"]},
              "then":{
                "add":{"op":"add","path":"active","value":false},
                "remove":{"op":"remove","path":"active"},
                "replace":{"op":"replace","path":"active","value":false}
              },
              "else":{
                "add":{"op":"add","path":"active","value":true},
                "remove":{"op":"remove","path":"active"},
                "replace":{"op":"replace","path":"active","value":true}
              }
            }
          }
        }
      ]
    },
    "group":{
      "ldap-object-classes": [ "group" ],
      "scim-external-id-attr":"externalId",
      "scim-outline":{
        "schemas":[
          "urn:ietf:params:scim:schemas:core:2.0:Group",
          "urn:ietf:params:scim:schemas:extension:ibm:2.0:Group"
        ]
      },
      "ldap-to-scim":[
        {
          "ldap":"sAMAccountName",
          "new-attr":{ "scim":{"displayName":"{{value}}"} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"displayName","value":"{{value}}"},
              "remove":{"op":"remove","path":"displayName"},
              "replace":{"op":"replace","path":"displayName","value":"{{value}}"}
            }
          }
        },
        {
          "ldap":"objectGUID",
          "is-binary":true,
          "new-attr":{ "scim":{"externalId":"{{value}}"} }
        },
        {
          "ldap":"description",
          "new-attr":{ "scim":{"urn:ietf:params:scim:schemas:extension:ibm:2.0:Group":{"description":"{{value}}"}} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:Group:description","value":"{{value}}"},
              "remove":{"op":"remove","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:Group:description"},
              "replace":{"op":"replace","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:Group:description","value":"{{value}}"}
            }
          }
        },
        {
          "ldap":"member",
          "is-dn":true,
          "is-multi-value":true,
          "new-attr":{ "scim":{"members":[{"type":"{{type}}","value":"{{value}}"}]} },
          "mod-attr":{
            "scim":{
              "add":{"op":"add","path":"members","value":[{"type":"{{type}}","value":"{{value}}"}]},
              "remove":{"op":"remove","path":"members[value eq {{jq_value}}]"},
              "remove-all":{"op":"remove","path":"members"},
              "replace":{"op":"replace","path":"members","value":[{"type":"{{type}}","value":"{{value}}"}]}
            }
          }
        }
      ]
    }
  }
}
- To synchronize the LDAP server and the Cloud Directory for the first time, run IcbLdapSync.exe.
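Before the first sync run, it is worth confirming that every edit described in the procedure above actually landed in IcbLdapSync.json, because a leftover obf-client-secret or obf-password key, a wrong realm, or a still-active "append" tweak will only surface as a failed or misnamed sync later. The following Python script is an added example, not part of IBM's documentation or of the Bridge for Directory Sync product. It strips the /* ... */ comments that the sample file uses (plain json.loads rejects them), parses the remainder as JSON, and reports which of the required edits are missing. The embedded SAMPLE_CONFIG is a constructed, abbreviated configuration that keeps only the keys the checks look at; the port value 636 in it is a placeholder, and the script file name used in the usage note is hypothetical.

```python
"""Check an IcbLdapSync.json for the edits this procedure requires (example code)."""
import json
import re

# Constructed sample: an abbreviated config with the procedure's edits applied.
# It is not the product's shipped sample file; the port 636 is a placeholder.
SAMPLE_CONFIG = r'''
{
  "ibm-auth-api": {
    "client-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "client-secret": "xxxxxxxxx",
    "host": "tenant.verify.ibm.com"
  },
  "cloud-bridge": {
    "ldap-poll-time": 60,
    "ldap": {
      "host": "ldapserver.example.com",
      "port": 636,
      "user": "CN=Administrator,CN=Users,DC=mycompany,DC=com",
      "password": "password"
    },
    "user": {
      "scim-outline": {
        "urn:ietf:params:scim:schemas:extension:ibm:2.0:User": {
          "realm": "cloudIdentityRealm",
          "userCategory": "regular"
        },
        "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification": {
          "notifyType": "EMAIL", "notifyPassword": true, "notifyManager": false
        }
      },
      "ldap-to-scim": [
        { "ldap": "sAMAccountName",
          "tweaks": { /* "append":"@cloudIdentityRealm" */ },
          "new-attr": { "scim": {"userName": "{{value}}"} } }
      ]
    }
  }
}
'''

# The sample file carries C-style block comments, which strict JSON does not allow.
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)

IBM_USER_EXT = "urn:ietf:params:scim:schemas:extension:ibm:2.0:User"
IBM_NOTIFY_EXT = "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification"
EXPECTED_NOTIFY = {"notifyType": "EMAIL", "notifyPassword": True, "notifyManager": False}


def load_config(text):
    """Remove block comments, then parse the remaining text as JSON."""
    return json.loads(COMMENT_RE.sub("", text))


def check_config(cfg):
    """Return a list of findings; an empty list means all required edits are present."""
    findings = []

    auth = cfg.get("ibm-auth-api", {})
    if "obf-client-secret" in auth or "client-secret" not in auth:
        findings.append("ibm-auth-api: rename obf-client-secret to client-secret")
    for key in ("client-id", "host"):
        if not auth.get(key):
            findings.append(f"ibm-auth-api: {key} is missing")

    bridge = cfg.get("cloud-bridge", {})
    ldap = bridge.get("ldap", {})
    if "obf-password" in ldap or "password" not in ldap:
        findings.append("ldap: rename obf-password to password")
    # The bind account must be given as a distinguished name (DN attribute types are case-insensitive).
    if not str(ldap.get("user", "")).upper().startswith("CN="):
        findings.append("ldap: user must be a DN such as CN=Administrator,CN=Users,DC=mydomain,DC=com")

    user = bridge.get("user", {})
    outline = user.get("scim-outline", {})
    ibm_user = outline.get(IBM_USER_EXT, {})
    if ibm_user.get("realm") != "cloudIdentityRealm":
        findings.append("user: realm must be cloudIdentityRealm")
    if ibm_user.get("userCategory") != "regular":
        findings.append("user: userCategory must be regular")
    notify = outline.get(IBM_NOTIFY_EXT, {})
    for key, val in EXPECTED_NOTIFY.items():
        if notify.get(key) != val:
            findings.append(f"Notification: {key} must be {json.dumps(val)}")

    # The "append" tweak on sAMAccountName must be removed or commented out.
    for rule in user.get("ldap-to-scim", []):
        if rule.get("ldap") == "sAMAccountName" and "append" in rule.get("tweaks", {}):
            findings.append('ldap-to-scim: remove "append" from the sAMAccountName tweaks')
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    problems = check_config(load_config(text))
    print("\n".join(problems) if problems else "config contains all required edits")
```

Run it as `python check_sync_config.py C:\DirectorySync\IcbLdapSync.json` (hypothetical script name) on the LDAP server after saving the file; with no argument it checks the embedded sample. It deliberately reads the file rather than the running bridge, so it can be used on a copy before the password is filled in.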
Depending on your security requirements, you can either require only a certain type of second factor or let users select from the supported list of available factors when they log in for the first time. If you want to control which factors and their settings users can specify, select Security from the IBM Security Verify administrator dashboard.
After you have added all users to IBM Security Verify, each user receives an email notification with instructions on setting up the second factors for their account. When these users log in to the management interfaces that are configured to use multifactor authentication, they are directed to IBM Security Verify to present the second factor.