Single sign-on by using a custom HTTP header
IBM® Safer Payments can be integrated into a single sign-on environment by using a custom HTTP header.
IBM Safer Payments can be used with any authentication protocol. It does not need to directly support any of the authentication protocols. Therefore, it can typically be integrated in any single sign-on environment. The authentication is handled by the authentication server, for example, ISAM, OIDC, OAuth, SAML, and so on. If the user is successfully authenticated, all requests to IBM Safer Payments need to be enriched by a configurable custom HTTP header that must contain the user name of the authenticated user. The HTTP communication should be secured by mutual authentication between IBM Safer Payments and the authentication proxy server. If the user name exists within IBM Safer Payments, the authentication is successful. If not, access with the user name is not possible.
Preliminary considerations
If you choose to use a custom HTTP header for user authentication, you must ensure that the external authentication server addresses all applicable PCI DSS requirements to achieve compliance. IBM Safer Payments must be set up to perform a client certificate validation on the API to secure the communication between the application and the external authentication server. See Configuring SSL encryption for details.
Before you activate the custom HTTP header authentication in IBM Safer Payments, you must configure the external authentication server to properly send the required HTTP header to the application. Otherwise, you are no longer able to login and must manually revert the configuration change on the file system.
Setting up custom HTTP header authentication in IBM Safer Payments
- In the user interface, click the Administration tab.
- Select from the navigation menu.
- Locate the Authentication Settings section.
- First, select OIDC claim from the Authentication method
drop-down list. Then specify the Token name and the Username
attribute.
In the Token name field, you must specify the name of the HTTP header field that contains the JSON payload. Whereas in the Username attribute field, you must specify the identifier inside the JSON payload that contains the user’s login name.
- Save your changes. Attention: Check the token name and the username before saving, or you are locked out of IBM Safer Payments.
After this system configuration is saved, IBM Safer Payments accepts user logins by using the custom HTTP header. Other authentication mechanisms are no longer possible until you change the authentication settings again.
The following code shows an example HTTP header.
{
"login_name": "jsmith@exampleMail.com",
"last_name": "Smith",
"first_name": "Jane",
"id": "cl.jsmith",
"internal_id": "25",
"emails": {
"personal": "jsmith@personalMail.com",
"business": "jsmith@businessMail.com"
},
"phone_numbers": {
"business": "555-555-1234"
}
}
If you enable the custom HTTP header as an authentication method, a notification will be added to the built-in PCI report.