Managing identity providers

An identity provider is a repository that is used for user authentication and for provisioning accounts. You can configure more than one identity source provider. All configured and enabled identity providers are displayed as options in the Verify Sign In page. Users can sign in to Verify with any of these identity providers.

Before you begin

  • You must have administrative permission to complete this task.
  • Log in to the IBM® Security Verify administration console.

About this task

Note: Verify does not support IDP logout. Logging out of Verify does not log you out of your identity provider or of any subscribed application that you logged in to through that identity provider.
Verify supports the following types of identity providers:
Cloud Directory

It uses a user registry that is hosted in the cloud.

You can add users and groups information to this identity provider through Directory > Users & groups.

This identity provider is used in an outbound SAML single sign-on setup. Verify verifies the user identity against data in this identity provider.

SAML Enterprise

It uses a local user registry and exchanges SAML tokens to complete the authentication.

In a SAML single sign-on, Verify can be either of the following providers:
Identity provider

Verify depends on its own cloud registry or cloud directory as an identity provider.

Service provider

You can integrate Verify with multiple identity providers to authenticate users. Users from external identity providers can single sign-on into Verify and their entitled applications without their Verify password.

This identity provider is used in an inbound SAML single sign-on setup; Verify is the service provider, and the target application is the identity provider.

You can use any identity provider that supports the SAML protocol as a SAML Enterprise identity provider. The external identity provider authenticates the user against its own user registry before Verify grants access.

Note: When you add a SAML enterprise identity provider, its signer certificate is automatically imported in the Security > Certificates > Signer certificates page.
OIDC Enterprise
Any identity provider that supports the OIDC protocol can be used as an OIDC Enterprise identity provider. The external identity provider authenticates the user against its own user registry before IBM Security Verify grants access.
IBMid

It uses the IBM identity access and management solution to provide users single sign-on to all of IBM's applications, services, communities, support, and others.

IBMid is the default sign-in option for first-time administrator sign-in to Verify. Only the Verify administrator can sign in to Verify by using IBMid. This identity provider is not applicable for end user sign-in.

After first-time administrator sign-in, you can enable the Cloud Directory or the configured SAML Enterprise identity providers as more sign-in options for subsequent administrator sign-in.

MaaS360 Cloud Extender

The users' identities are verified against information that is stored in the enterprise repository or local user registry but the authentication request is delegated or passed through a different server or agent.

The identities of the authenticated users are federated in Verify. You can view their information in Directory > Users & groups.

Social
The users' identities are verified against their social network account. A social identity provider can be set up one time and it is used as a sign-in option for applications only. It cannot be used to sign in to the Verify Admin Console or My Homepage. Verify supports the following social identity providers:
  • Apple
  • Baidu
  • Facebook
  • GitHub
  • Google
  • LinkedIn
  • QQ
  • Renren
  • Twitter
  • WeChat
  • Weibo
  • Yahoo

The identities of the authenticated users are federated in Verify. You can view their information in Directory > Users & groups.

You can show or hide all identity providers from the administrator or end user Sign In page except for social identity providers. If more than one identity provider is enabled and displayed, the user must select which identity provider to use for authentication. For a simple user experience, enable and show only one identity provider. If only one identity provider is enabled, it becomes the default sign-in option for the user. The user does not have to select a preferred identity provider.

Tip: If you are unable to sign in to Verify by using a configured SAML Enterprise identity provider, and the Cloud Directory sign-in option is unavailable or not visible, use the following URL:
https://<hostname>.verify.ibm.com/authsvc/mtfim/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:basicldapuser

Procedure

  1. Select Authentication > Identity providers.
  2. Select an identity provider to view its information.
    Note: The displayed information varies depending on the identity provider.
    Table 1. Identity provider information
    Information    Description
    Name

    The name that you assign to represent the user registry that is used by identity providers such as Microsoft Active Directory, Microsoft Azure Active Directory, or others.

    If there is more than one identity provider that is configured and enabled, the identity provider name is displayed in the Verify Sign In page.

    This information is also displayed in the Directory > Users & Groups > Users tab, Add User dialog box, when you select an Identity Provider.

    Realm

    It is an identity provider attribute that helps distinguish users from multiple identity providers that have the same username.

    This information is displayed in Directory > Users & groups, and in the Edit User dialog box.

    For the following identity providers:
    • Cloud Directory, the realm value is cloudIdentityRealm.
    • IBMid, the realm value is www.ibm.com.
    • SAML Enterprise, the realm value can be any unique name that you assigned when you created the identity provider.
    • OnPrem LDAP, the realm value can be any unique name that you assigned when you created the identity provider.
    • Apple, the realm value is www.apple.com.
    • Baidu, the realm value is www.baidu.com.
    • Facebook, the realm value is www.facebook.com.
    • GitHub, the realm value is www.github.com.
    • Google, the realm value is www.google.com.
    • LinkedIn, the realm value is www.linkedin.com.
    • QQ, the realm value is www.qq.com.
    • Renren, the realm value is www.renren.com.
    • Twitter, the realm value is www.twitter.com.
    • WeChat, the realm value is www.wechat.com.
    • Weibo, the realm value is www.weibo.com.
    ID

    An ID is generated for the identity provider when you select Save.

    Enabled

    Indicates whether the identity provider is active and available.

    When the identity provider is configured and enabled, users can single sign-on to Verify and into their entitled applications with the selected identity provider. If the identity provider is not enabled, it is not displayed as an option in the Sign In page.
    Note:
    • There must be at least one identity provider that is enabled to sign in to Verify.
    • If only one identity provider is enabled, it becomes the default sign-in option for the user.
    Identity Linking

    Enabled

    Turns on identity linking for a specific identity provider. Shadow accounts are not created in Cloud Directory at the realm that was specified for this identity provider.
    This feature is available for SAML applications and these social identity providers:
    • Apple
    • Facebook
    • GitHub
    • Google
    • LinkedIn
    • SAML Enterprise
    • Twitter
    • WeChat
    • Yahoo

    This option is also available for OnPrem LDAP identity providers. For OnPrem LDAP ID sources, the user account must exist in the primary linked identity provider for runtime authentications to succeed. If a matching user account is not present in the primary linked identity provider, the authentications fail.

    Note:
    1. You cannot enable linking on the identity provider that is set as your default identity provider.
    2. You cannot disable or delete your default linking identity provider.
    Unique User Identifier
    Select the attribute from the menu that acts as the identifier for the linked account.
    Just-in-time Provisioning
    If the user account is not found in the primary identity provider, this option creates a shadow account in that primary realm. For OnPrem LDAP ID sources, the user account is created in the primary linked identity provider if the account does not exist. Account attributes are updated in the primary linked account with the attributes that are retrieved from the on-prem or external identity system.
    Unique User Identifier

    This feature is available for SAML applications and Onprem LDAP identity sources.

    The user attribute that acts as the identifier for the linked account in Cloud Directory.
    Just-in-time provisioning

    Applies to OnPrem LDAP identity providers only.

    When turned on, administrators can configure migration of user records from external identity providers to the Cloud Directory realm. When used with password just-in-time provisioning, the user passwords are also migrated with the user records.

    When turned off, administrators pause migration of identity provider passwords to the Cloud Directory realm and permit users to authenticate with Cloud Directory.

    Password just-in-time provisioning

    This switch is active only if the Just-in-time provisioning switch is already turned on.

    When turned on, administrators enable a migration phase in which accounts and their passwords of the identity provider are migrated to the Cloud Directory realm. Users that are linked to an OnPrem identity provider cannot authenticate with Cloud Directory during this phase.

    When turned off, administrators pause the migration of identity provider passwords to the Cloud Directory realm and permit users to authenticate with Cloud Directory.

    Considerations when enabling the password just-in-time provisioning (identityLinkingJitPwdEnabled) option

    When this option is enabled, the Verify platform attempts to provision "just in time" (JITP) both the users' account attributes and their passwords into the primary identity provider realm that is configured for your tenant. This provisioning occurs after the username and password are successfully validated by the OnPrem or external identity provider. When an attempt is made to provision the password, Verify checks that the password meets the password policy settings that are associated with the primary identity provider. If the password that was validated by your OnPrem identity provider does not satisfy this Verify policy, the authentication attempt fails. The account attributes and password are not provisioned into the Verify primary identity provider realm. The user receives an error message that indicates that the username or password is invalid and to contact the system administrator.

    To avoid this situation, define a password policy of equal or lesser strength than the policy that is enforced by the OnPrem or external identity system. Associate this policy with the primary identity provider that is configured for your Verify tenant. Typically, the primary identity provider realm is the Verify Cloud Directory, which is often configured with the default password policy.

    Because just-in-time provisioning of the password is performed on each successful OnPrem authentication, the password history setting in the primary identity provider realm might cause account attribute and password synchronization failures. You might want to disable that password history enforcement to prevent such failures.

    When the password just-in-time provisioning option is toggled from enabled to disabled, the OnPrem to Cloud Directory migration phase is considered complete. Migrated users can authenticate with Cloud Directory by using their migrated password. You might want to reenable the Cloud Directory password policy settings that were changed to accommodate the migration phase.

    Enable JIT Provisioning

    This feature is available for SAML applications.

    If the account is not found in the default identity provider, this option creates a shadow account in that default realm.
  3. Optional: Enable password reset for identity providers.
  4. Optional: Adding a SAML Enterprise identity provider.
  5. Optional: Adding a MaaS360 Cloud Extender identity provider.
  6. Optional: Setting the MaaS360 identity provider and user identifier.
  7. Optional: Adding a social identity provider.
  8. Optional: Deleting an identity provider.
    Note: You cannot delete a Cloud Directory or an IBMid identity provider.
    1. Select the identity provider and select Delete from the Edit Identity Provider dialog box.
    2. Confirm that you want to permanently delete the selected identity provider.
      Note:
      • You cannot delete an identity provider that is used as the default for MaaS360. You must choose a different identity provider for MaaS360 before you delete the current default.
      • You cannot delete an identity provider that is assigned to an application as a sign-in option. You must remove it as an option from the application before you can delete it.
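The identity linking, just-in-time provisioning and password just-in-time provisioning behaviour described in Table 1 (the OnPrem LDAP rows and the identityLinkingJitPwdEnabled considerations) can be hard to reason about from the switch descriptions alone. The following model is an added example and is not IBM code or any part of the Verify product; it reproduces the decision flow the page describes so the two failure modes (a primary-realm password policy stronger than the on-prem one, and password history enforced on every re-provisioning) and the migration-phase toggle can be exercised. The realm name corp-ldap, the directory contents, the attribute values and the policy rules are all constructed for the example; cloudIdentityRealm is the Cloud Directory realm value from the page.

```python
"""Model of identity linking with just-in-time (JIT) provisioning.

Added illustration, not IBM code: an OnPrem LDAP identity source linked to
the Cloud Directory realm. Names, directory contents and policy rules are
constructed for the example.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

PRIMARY_REALM = "cloudIdentityRealm"   # Cloud Directory realm value from the page
ONPREM_REALM = "corp-ldap"             # constructed realm name for the OnPrem LDAP source

# Constructed stand-in for the on-prem directory (username -> password) and
# the attributes it returns after a successful bind.
ONPREM_DIRECTORY = {"alice": "Summer2024", "bob": "pass"}
ONPREM_ATTRIBUTES = {"alice": {"mail": "alice@example.com"},
                     "bob": {"mail": "bob@example.com"}}


def _digest(password):
    # Stand-in for the salted password hash a real directory would store.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class PasswordPolicy:
    min_length: int = 8
    require_digit: bool = True
    history_size: int = 0   # 0 turns history enforcement off

    def accepts(self, password, history):
        if len(password) < self.min_length:
            return False
        if self.require_digit and not re.search(r"\d", password):
            return False
        # History is checked on every JIT update, so re-provisioning an
        # unchanged password trips this rule on the second login.
        return not (self.history_size and _digest(password) in history[-self.history_size:])


@dataclass
class Account:
    realm: str
    username: str
    linked_realm: Optional[str] = None
    attributes: dict = field(default_factory=dict)
    password_digest: Optional[str] = None
    history: list = field(default_factory=list)


@dataclass
class Tenant:
    policy: PasswordPolicy
    jit_enabled: bool = True
    jit_pwd_enabled: bool = True                   # identityLinkingJitPwdEnabled
    accounts: dict = field(default_factory=dict)   # keyed by (realm, username)


def login_via_onprem(tenant, username, password):
    """Runtime authentication through the linked OnPrem LDAP source.

    Returns 'ok', 'invalid_credentials', 'no_linked_account' or
    'policy_rejected' (the user only sees a generic invalid-credentials error).
    """
    if ONPREM_DIRECTORY.get(username) != password:
        return "invalid_credentials"
    key = (PRIMARY_REALM, username)   # unique user identifier = username here
    linked = tenant.accounts.get(key)
    if linked is None:
        if not tenant.jit_enabled:
            return "no_linked_account"   # without JIT the linked account must pre-exist
        linked = Account(PRIMARY_REALM, username, linked_realm=ONPREM_REALM)
    if tenant.jit_pwd_enabled and not tenant.policy.accepts(password, linked.history):
        return "policy_rejected"         # neither attributes nor password are provisioned
    linked.attributes.update(ONPREM_ATTRIBUTES.get(username, {}))
    if tenant.jit_pwd_enabled:
        linked.password_digest = _digest(password)
        linked.history.append(linked.password_digest)
    tenant.accounts[key] = linked
    return "ok"


def login_via_cloud_directory(tenant, username, password):
    """Direct Cloud Directory authentication against the migrated password."""
    acct = tenant.accounts.get((PRIMARY_REALM, username))
    if acct is None or acct.password_digest is None:
        return False
    if tenant.jit_pwd_enabled and acct.linked_realm == ONPREM_REALM:
        return False   # migration phase: OnPrem-linked users cannot use Cloud Directory yet
    return acct.password_digest == _digest(password)


def run_scenario():
    """Exercise the cases the page warns about; returns the observed outcomes."""
    tenant = Tenant(PasswordPolicy(min_length=8, require_digit=True, history_size=3))
    out = {}
    out["alice_first"] = login_via_onprem(tenant, "alice", "Summer2024")
    out["alice_second_with_history"] = login_via_onprem(tenant, "alice", "Summer2024")
    tenant.policy.history_size = 0                 # the workaround the page suggests
    out["alice_second_no_history"] = login_via_onprem(tenant, "alice", "Summer2024")
    out["bob_weak_onprem_password"] = login_via_onprem(tenant, "bob", "pass")
    out["alice_cloud_dir_during_migration"] = login_via_cloud_directory(tenant, "alice", "Summer2024")
    tenant.jit_pwd_enabled = False                 # migration phase complete
    out["alice_cloud_dir_after_migration"] = login_via_cloud_directory(tenant, "alice", "Summer2024")
    out["alice_wrong_password"] = login_via_onprem(tenant, "alice", "nope")
    return out


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case}: {result}")
```

Running the scenario shows why the page recommends a primary-realm policy of equal or lesser strength and suggests turning off history enforcement during migration: bob's on-prem password is rejected by the stronger Cloud Directory policy and nothing is provisioned, alice's unchanged password is rejected on her second login while history is enforced, and alice cannot authenticate directly with Cloud Directory until password just-in-time provisioning is switched off.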