Credential service

A credential service provides the credentials that IAG uses to perform single sign-on to protected applications. Single sign-on can be achieved either with basic authentication or with a mechanism that automatically submits forms-based logins.

Credential service

A credential service is a lightweight web service that implements two endpoints: one for retrieving credentials and another for storing them. At runtime, IAG contacts this service to retrieve the credentials whenever single sign-on is performed.

Tip: IAG only stores credentials when forms-based login is used with credential learning enabled.

  • Refer to the services/credential YAML reference for information about defining a credential service to IAG.

  • Refer to identity_headers#basic_auth for configuring IAG to provide credentials from the credential service as basic authentication headers.

  • Refer to forms_login for configuring IAG to complete forms-based logins using credentials from the credential service.

IBM® Verify

IBM Verify provides a Password Vault API which can be used as a credential service with IBM Application Gateway. Refer to the Password Vault API reference at https://<hostname>.verify.ibm.com/developer/explorer, and to Verify Application programming interfaces (APIs) for general information about IBM Verify APIs.

Example IBM Verify Credential Service

services:
  credential:
    - name: example_pwdvault
      host: https://<hostname>.verify.ibm.com
      url_pattern: /v1.0/pwdvault/{user}/resources/{resource}
      user_attribute: uniqueSecurityName
      user_attribute_encoding: url
      enc_key: "@pwdvault-rsa.pem"
      authentication:
        sso:
          client_id: 72eaxxxx-xxxx-xxxx-xxxx-xxxxxxxx5c1d
          client_secret: y68xxxxBmw
          endpoint: https://<hostname>.verify.ibm.com/v1.0/endpoint/default/token
          payload: form

Note that IAG must use the OAuth client credentials flow to authenticate with IBM Verify and access the Password Vault APIs. The client ID and secret must belong to an API client that has the managePwdvaultAnyUser entitlement.
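As an added example (not IAG's or IBM Verify's own code), the following Python builds the two requests the configuration above implies: the client credentials token request and the per-user credential lookup URL. It assumes the standard OAuth form fields (grant_type, client_id, client_secret), which this page does not spell out, and it sends nothing, since the Password Vault API's request and response formats are documented on the separate API reference.

```python
from urllib.parse import quote, urlencode

# Constructed copy of the YAML above; the secrets are the page's placeholders.
CREDENTIAL_SERVICE = {
    "name": "example_pwdvault",
    "host": "https://<hostname>.verify.ibm.com",
    "url_pattern": "/v1.0/pwdvault/{user}/resources/{resource}",
    "user_attribute": "uniqueSecurityName",
    "user_attribute_encoding": "url",
    "authentication": {"sso": {
        "client_id": "72eaxxxx-xxxx-xxxx-xxxx-xxxxxxxx5c1d",
        "client_secret": "y68xxxxBmw",
        "endpoint": "https://<hostname>.verify.ibm.com/v1.0/endpoint/default/token",
        "payload": "form",
    }},
}

def encode_user(value, encoding):
    """Apply user_attribute_encoding to the session attribute value.
    'url' percent-encodes every character except unreserved ones, so a value
    containing '/' or '@' cannot change which path segments it occupies."""
    if encoding == "url":
        return quote(value, safe="")
    # Other encodings are defined in the YAML reference, not on this page.
    raise ValueError(f"unsupported user_attribute_encoding: {encoding}")

def credential_url(cfg, session_attrs, resource):
    """Resolve url_pattern for the authenticated user and the target resource."""
    user = session_attrs[cfg["user_attribute"]]
    path = (cfg["url_pattern"]
            .replace("{user}", encode_user(user, cfg["user_attribute_encoding"]))
            .replace("{resource}", quote(resource, safe="")))
    return cfg["host"].rstrip("/") + path

def token_request(cfg):
    """Build the OAuth client credentials request; payload: form means the
    parameters go in an application/x-www-form-urlencoded body (assumed
    standard field names, which this page does not spell out)."""
    sso = cfg["authentication"]["sso"]
    if sso["payload"] != "form":
        raise ValueError("this example only builds payload: form requests")
    body = {"grant_type": "client_credentials",
            "client_id": sso["client_id"],
            "client_secret": sso["client_secret"]}
    return {"method": "POST", "url": sso["endpoint"],
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(body)}
```

The second lookup in the test shows why user_attribute_encoding: url matters: a registry value such as `../admin` stays a single path segment instead of being interpreted as path separators.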

IBM Verify Identity Access

The Advanced Access Control component of IBM Verify Identity Access (version 10.0.1.0 or greater) provides an SSO service which can be used to store credentials in either the Verify Access user registry or the runtime database. See the Password Vault topic of the IBM Verify Identity Access documentation for further information.

Implementing your own Credential Service

Information about the Credential Service API can be found on the Credential Service page.