GitHubContribute in GitHub: Open doc issue|Edit online

OIDC with IBM Security Verify

IBM Security Verify provides identity-as-a-service for employees, including SSO, multifactor authentication, and user lifecycle management. It can be used as an Identity Provider by the IBM® Application Gateway (IAG) using the Open ID Connect authentication protocol (as depicted below).

Authorization Code Flow


Before attempting to configure IBM Security Verify as an identity provider for IAG:

  1. You need a IBM Security Verify tenant. If you do not already have a IBM Security Verify tenant a free tenant can be obtained from
  2. You need to create an IAG application in your IBM Security Verify tenant. Information on how to do this can be obtained from the Protecting Web Applications with IBM Security Verify page. When creating the application you need to take special note of the created client ID and secret and the discovery endpoint URL.


The IBM Security Verify configuration is contained within the 'identity/oidc' node of the IAG configuration YAML:

  • A description of the configuration options is available from the oidc page within the YAML reference. A minimal configuration requires the following configuration data:
    • Discovery Endpoint (also known as the Client Identity endpoint)
    • Client Identity
    • Client Secret
  • An example configuration file is also available in the Basic Configuration example page.