You can configure IBM Security Guardium Key Lifecycle Manager to use a
supported OpenID Connect (OIDC) provider for user authentication.
About this task
You can use the graphical user interface or the REST interface to configure OIDC.
Note: On a multi-master or replication setup, if you update the certificate that is used to trust the OIDC server in IBM Security Guardium Key Lifecycle Manager, restart the clone server manually for the change to take effect. For instructions, see Restarting the Guardium Key Lifecycle Manager server.
- Using graphical user interface
  - Log in to the graphical user interface by using your credentials.
  - Click User Management. The Users page opens and displays a list of the users and their assigned roles and groups.
  - Click the Authentication Providers tab. The current user authentication properties are displayed.
  - To configure or modify the existing user authentication settings, click Update.
  - To configure or update the OIDC-based authentication, click the LDAP/OIDC tab, and select OIDC.
  - To enable OIDC as the authentication method, select Enable OIDC-based Authentication.
  - Specify the Client ID and Client secret value that you used to register this application on the OpenID Connect provider, and click Next.
  - Specify values for the following parameters:

    Authentication server details

    | Property name | Description |
    | --- | --- |
    | Discovery URL | Specify the discovery URL. The discovery URL is the base URL (https://host_name:port_number/oidc/endpoint/provider_name) suffixed with /.well-known/openid-configuration, that is: https://host_name:port_number/oidc/endpoint/provider_name/.well-known/openid-configuration. Here host_name is the hostname of the OpenID Connect provider, port_number is the secure port number that is configured on the OpenID Connect server, and provider_name is the OpenID Connect provider name. |
    | Method | Select the validation method: introspect or userinfo. |
    | Endpoint URL | Specify the endpoint URL in the following format. For the introspect method: https://host_name:port_number/oidc/endpoint/provider_name/introspect. For the userinfo method: https://host_name:port_number/oidc/endpoint/provider_name/userinfo. |
    | User Identifier | Specify a unique identifier for the user. You can specify one of the following identifiers: sub (default), profile, or email. For more information, see https://openid.net/specs/openid-connect-core-1_0.html. |
  - Click Next.
  - To import the OIDC provider certificate into the truststore, click Add. Specify a certificate name and click Browse to select a new provider certificate and upload it, or select an existing certificate. The selected provider certificate is listed in the table.
  - Click Next.
  - Review the summary of the parameter values and click Test Connection to ensure that the connection to the OIDC provider is successful.
  - Click Submit.
  - In the dialog box that opens, click Close. The values of the OIDC configuration parameters are displayed on the Authentication Providers page.
- Using REST interface
What to do next
Add redirect URL in the OIDC server. For more information, see Adding redirect URL.
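The following is an added pre-flight check for the values entered in the Authentication server details table (example code written for this page, not part of the IBM documentation or product). It builds the discovery and endpoint URLs in the format the table describes and compares them with the provider's discovery document; the discovery document, host name, port and provider name are constructed sample values, and the field names assumed (introspection_endpoint, userinfo_endpoint, claims_supported) are those of OpenID Connect Discovery 1.0.

```python
import json
from urllib.parse import urlparse

# Constructed sample of what a provider publishes at
# .../.well-known/openid-configuration (field names from OpenID Connect Discovery 1.0).
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://oidc.example.com:9443/oidc/endpoint/OP",
    "introspection_endpoint": "https://oidc.example.com:9443/oidc/endpoint/OP/introspect",
    "userinfo_endpoint": "https://oidc.example.com:9443/oidc/endpoint/OP/userinfo",
    "claims_supported": ["sub", "email", "name"],
})

BASE_URL = "https://{host}:{port}/oidc/endpoint/{provider}"
# Validation method from the table -> discovery-document field that advertises its URL.
METHOD_FIELD = {"introspect": "introspection_endpoint", "userinfo": "userinfo_endpoint"}
USER_IDENTIFIERS = ("sub", "profile", "email")


def discovery_url(host, port, provider):
    """Base URL suffixed with /.well-known/openid-configuration, as the table specifies."""
    return BASE_URL.format(host=host, port=port, provider=provider) + "/.well-known/openid-configuration"


def endpoint_url(host, port, provider, method):
    """Endpoint URL for the selected validation method (introspect or userinfo)."""
    if method not in METHOD_FIELD:
        raise ValueError("method must be 'introspect' or 'userinfo'")
    return BASE_URL.format(host=host, port=port, provider=provider) + "/" + method


def check_config(host, port, provider, method, endpoint, user_identifier, discovery_json):
    """Return a list of problems with the entered values; an empty list means they are consistent."""
    problems = []
    doc = json.loads(discovery_json)
    expected = endpoint_url(host, port, provider, method)
    if endpoint != expected:
        problems.append(f"endpoint URL should be {expected} for method {method}")
    if urlparse(endpoint).scheme != "https":
        problems.append("endpoint URL must use https on the provider's secure port")
    published = doc.get(METHOD_FIELD[method])
    if published != endpoint:
        problems.append(f"provider advertises {METHOD_FIELD[method]}={published}")
    if user_identifier not in USER_IDENTIFIERS:
        problems.append(f"user identifier must be one of {USER_IDENTIFIERS}")
    elif "claims_supported" in doc and user_identifier not in doc["claims_supported"]:
        problems.append(f"provider does not list claim '{user_identifier}' in claims_supported")
    return problems


if __name__ == "__main__":
    print(discovery_url("oidc.example.com", 9443, "OP"))
    found = check_config("oidc.example.com", 9443, "OP", "introspect",
                         "https://oidc.example.com:9443/oidc/endpoint/OP/introspect", "sub", SAMPLE_DISCOVERY_JSON)
    print("problems:", found or "none")
```

Against a live provider, fetch the discovery URL over TLS using the same provider certificate you import into the truststore, so the check exercises the trust relationship that Test Connection relies on.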