Managing custom token types

Use this page to create and manage custom token types. These token types are used by OpenID Connect applications, for example as the subject or actor token in a token exchange.

Before you begin

  • You must have administrative permission to complete this task.
  • Log in to the IBM® Security Verify administration console as an Administrator.

About this task

Configure a custom token type.

Procedure

  1. Navigate to Applications > Custom token types.
  2. Click Add custom token type.
  3. Provide Verify with general information.

    Choose a unique name and configure the issuer of this token type.

    Table 1. General settings
    Field Description
    ID Optional.
    Note: The ID cannot be changed after it is created.
    Name A unique name for the token type. This name is used as the value of subject_token_type or actor_token_type during token exchange.
    Note: The name cannot be changed after it is created.
    Description Optional.
    Issuer The issuer of this token type.
    JWKS URI Optional. The URI where the token issuer publishes its public keys in JSON Web Key Set (JWKS) format. This URI is used for JWT signature verification or encryption. The system can reject an unreachable or unresponsive JWKS URI. The system can also reject the JWKS URI if the JWKS size is too large. If the token issuer does not publish a JWKS URI, a public key can be added to the system in the form of an X.509 certificate. See Managing certificates. The 'Friendly Name' that is associated with the public certificate is the value of the key ID (kid) header of the JWT.
  4. Configure the validation settings.

    Specify how this token is validated.

    Table 2. Validation settings
    Field Description
    Allowed signing algorithms A list of the signing algorithms that are accepted for the signed JWT.
    Allowed key IDs Optional. The signature verification key IDs that can be used to verify the JWT.
    Validity period (sec) The maximum amount of time (in seconds) that the JWT can be valid for.
    Validate JTI Indicates whether the JTI is validated for single-use.
  5. Configure the identity linking settings.

    Specify how the identity of this token is mapped to a user in Cloud Directory.

    Table 3. Identity linking
    Field Description
    Incoming token claim The incoming token attribute that is used to link the unique user identifier in IBM Security Verify.
    Identity source The identity provider that the user is mapped to.
    Search by The unique user identifier in IBM Security Verify to map to.
    Just-in-time provisioning Enables the creation and update of the user account in the identity source realm that is associated with the token.
    1. Optional: Add attribute mappings.

      Map the attributes that are provided from the incoming token to IBM Security® Verify's Cloud Directory.

      Attributes are managed through the https://webui-devenv.ite1.idng.ibmcloudsecurity.com/ui/admin/directory/attributes page.

      Incoming token claim
      The token claim to take the value from.
      Transformation
      Select a transformation to transform the attribute value, or leave it empty to not perform any transformation. The transformation is applied on the attribute value after the attribute’s functions are executed.
      Transformation Description
      Uppercase Converts the attribute value to uppercase.
      Lowercase Converts the attribute value to lowercase.
      Base64 Encode Base64-encodes the attribute value.
      Base64 Decode Base64-decodes the attribute value.
      Encode URI Applies the encode URI method to the attribute value.
      Encode URI Component Applies the encode URI component method to the attribute value.
      Decode URI Applies the decode URI method to the attribute value.
      Decode URI Component Applies the decode URI component method to the attribute value.
      Generate UUID if no value is evaluated Generates a universally unique identifier when the attribute evaluates to no value.
      Current Time (seconds) Sets the attribute value to the current time in seconds.
      Current Time (milliseconds) Sets the attribute value to the current time in milliseconds.
      SHA-256 Hash Hashes the attribute value with SHA-256.
      SHA-512 Hash Hashes the attribute value with SHA-512.
      IBM Security Verify attribute
      Specify an IBM Security Verify attribute. For more information on attributes, see Managing attributes.
      Store attribute in user profile
      Specify how the attribute is stored in the user profile.
      • Always - Store or update the attribute at each token exchange.
      • On user creation only - Store the attribute only on account creation.
      • Disable - Never store or update the attribute.
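The following added example (not code from IBM Security Verify) shows the checks that the validation settings in Table 2 correspond to, applied to an incoming JWT: the signing-algorithm allowlist, the key ID (kid) allowlist, the maximum validity period measured from iat to exp, and single-use JTI tracking. It signs with HMAC-SHA256 and a shared secret so that it runs offline; a real deployment verifies against the issuer's JWKS or uploaded certificate, and the policy values, key and claims below are constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed policy mirroring the fields of Table 2 (validation settings).
POLICY = {
    "allowed_algs": {"HS256"},          # Allowed signing algorithms
    "allowed_kids": {"issuer-key-1"},   # Allowed key IDs
    "validity_period_sec": 300,         # Validity period (sec)
    "validate_jti": True,               # Validate JTI (single use)
}
SEEN_JTIS = set()  # in-memory single-use JTI store for the example

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(header: dict, claims: dict, key: bytes) -> str:
    """Issue a compact JWS with HS256 (stand-in for the issuer's signing key)."""
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_jwt(token: str, key: bytes, policy=POLICY, now=None, seen=SEEN_JTIS):
    """Return (accepted, reason), applying the Table 2 checks in order."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_unb64url(h_b64))
        claims = json.loads(_unb64url(p_b64))
        signature = _unb64url(s_b64)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    # Allowed signing algorithms: reject (e.g. "none") before looking at the signature.
    if header.get("alg") not in policy["allowed_algs"]:
        return False, "alg not allowed"
    # Allowed key IDs: only keys the administrator listed may verify this token type.
    if policy["allowed_kids"] and header.get("kid") not in policy["allowed_kids"]:
        return False, "kid not allowed"
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # Validity period: exp must be present, still in the future, and at most iat + maximum.
    iat, exp = claims.get("iat"), claims.get("exp")
    if iat is None or exp is None or exp <= now or exp - iat > policy["validity_period_sec"]:
        return False, "validity period"
    if policy["validate_jti"]:  # single-use: a replayed jti is rejected
        jti = claims.get("jti")
        if not jti or jti in seen:
            return False, "jti missing or replayed"
        seen.add(jti)
    return True, "ok"
```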