Managing identity providers

An identity provider is a repository that is used for user authentication and for provisioning accounts. You can configure more than one identity provider. All configured and enabled identity providers are displayed as options in the Verify Sign In page. Users can sign in to Verify with any of these identity providers.

Before you begin

  • You must have administrative permission to complete this task.
  • Log in to the IBM® Security Verify administration console.

About this task

Note: Verify does not support identity provider logout. Logging out of Verify does not log you out of your identity provider or of any application that you logged in to through that identity provider.
Verify supports the following types of identity providers:
Cloud Directory

It uses a user registry that is hosted in the cloud.

You can add users and groups information to this identity provider through Directory > Users & groups.

This identity provider is used in an outbound SAML single sign-on setup, where Verify acts as the identity provider and verifies the user identity against the data in this registry.

SAML Enterprise

It uses a local user registry and exchanges SAML tokens to complete the authentication.

In a SAML single sign-on, Verify can be either of the following providers:
Identity provider

Verify depends on its own cloud registry or cloud directory as an identity provider.

Service provider

You can integrate Verify with multiple identity providers to authenticate users. Users from external identity providers can single sign-on into Verify and their entitled applications without their Verify password.

This identity provider is used in an inbound SAML single sign-on setup: Verify is the service provider, and the external system that authenticates the user and issues the SAML assertion is the identity provider.

You can use any identity provider that supports the SAML protocol as a SAML Enterprise identity provider. The identity provider authenticates the user identity against data in this identity provider before it grants access to Verify.

Note: When you add a SAML enterprise identity source, its signer certificate is automatically imported in the Security > Certificates > Signer certificates page.
OIDC Enterprise
Any identity provider that supports the OIDC protocol can be used as an OIDC Enterprise identity source. The identity provider authenticates the user identity against data in this identity source before it grants access to IBM Security Verify.
IBMid

It uses the IBM identity and access management solution to provide users with single sign-on to IBM applications, services, communities, support, and more.

IBMid is the default sign-in option for first-time administrator sign-in to Verify. Only the Verify administrator can sign in to Verify by using IBMid. This identity provider is not applicable for end user sign-in.

After first-time administrator sign-in, you can enable the Cloud Directory or the configured SAML Enterprise identity providers as more sign-in options for subsequent administrator sign-in.

MaaS360 Cloud Extender

The users' identities are verified against information that is stored in the enterprise repository or local user registry but the authentication request is delegated or passed through a different server or agent.

The identities of the authenticated users are federated in Verify. You can view their information in Directory > Users & groups.

Social
The users' identities are verified against their social network account. A social identity provider can be set up one time and it is used as a sign-in option for applications only. It cannot be used to sign in to the Verify Admin Console or My Homepage. Verify supports the following social identity providers:
  • Apple
  • Baidu
  • Facebook
  • GitHub
  • Google
  • LinkedIn
  • QQ
  • Renren
  • Twitter
  • WeChat
  • Weibo
  • Yahoo
  • ZenKey

The identities of the authenticated users are federated in Verify. You can view their information in Directory > Users & groups.

You can show or hide all identity providers from the administrator or end user Sign In page except for social identity providers. If more than one identity provider is enabled and displayed, the user must select which identity provider to use for authentication. For a simple user experience, enable and show only one identity provider. If only one identity provider is enabled, it becomes the default sign-in option for the user. The user does not have to select a preferred identity provider.

Tip: If you are unable to sign in to Verify by using a configured SAML Enterprise identity provider, and the Cloud Directory sign-in option is unavailable or not visible, use the following URL:
https://<hostname>.verify.ibm.com/authsvc/mtfim/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:basicldapuser

Procedure

  1. Select Authentication > Identity providers.
  2. Select an identity source to view its information.
    Note: The displayed information varies depending on the identity provider.
    Table 1. Identity source information

    Name
      The name that you assign to represent the user registry that is used by identity providers such as Microsoft Active Directory, Microsoft Azure Active Directory, or others.
      If more than one identity provider is configured and enabled, the identity provider name is displayed on the Verify Sign In page.
      This information is also displayed in the Directory > Users & groups > Users tab, in the Add User dialog box, when you select an Identity Provider.

    Realm
      An identity source attribute that distinguishes users from different identity providers who have the same username.
      This information is displayed in Directory > Users & groups, and in the Edit User dialog box.
      The realm value for each identity provider:
      • Cloud Directory: cloudIdentityRealm
      • IBMid: www.ibm.com
      • SAML Enterprise: any unique name that you assigned when you created the identity provider
      • LDAP Pass-Through: any unique name that you assigned when you created the identity provider
      • Apple: www.apple.com
      • Baidu: www.baidu.com
      • Facebook: www.facebook.com
      • GitHub: www.github.com
      • Google: www.google.com
      • LinkedIn: www.linkedin.com
      • QQ: www.qq.com
      • Renren: www.renren.com
      • Twitter: www.twitter.com
      • WeChat: www.wechat.com
      • Weibo: www.wiebo.com
      • ZenKey: www.myzenkey.com

    ID
      An ID is generated for the identity provider when you select Save.

    Enabled
      Indicates whether the identity provider is active and available.
      When the identity provider is configured and enabled, users can single sign-on to Verify and into their entitled applications with the selected identity provider. If the identity provider is not enabled, it is not displayed as an option on the Sign In page.
      Note:
      • At least one identity provider must be enabled for anyone to sign in to Verify.
      • If only one identity provider is enabled, it becomes the default sign-in option for the user.

    Identity Linking
      Enabled
        Turns on identity linking for this identity provider. When linking is enabled, shadow accounts are not created in Cloud Directory in the realm that was specified for this identity provider.
        This feature is available for SAML Enterprise identity providers and for the following social identity providers:
        • Apple
        • Facebook
        • GitHub
        • Google
        • LinkedIn
        • Twitter
        • WeChat
        • Yahoo
        • ZenKey
        Note:
        1. You cannot enable linking on the identity provider that is set as your default identity provider.
        2. You cannot disable or delete your default linking identity provider.
      Unique User Identifier
        Select the attribute from the menu that acts as the identifier for the linked account.
      Just-in-time Provisioning
        If the user account is not found in the primary identity provider, this option creates a shadow account in that primary realm.

    Unique User Identifier
      This feature is available for SAML applications.
      The user attribute that acts as the identifier for the linked account in Cloud Directory.

    Enable JIT Provisioning
      This feature is available for SAML applications.
      If the account is not found in the default identity provider, this option creates a shadow account in that default realm.
  3. Optional: Enable password reset for identity providers.
  4. Optional: Adding a SAML Enterprise identity source.
  5. Optional: Adding a MaaS360 Cloud Extender identity provider.
  6. Optional: Setting the MaaS360 identity provider and user identifier.
  7. Optional: Adding a social identity provider.
  8. Optional: Deleting an identity source.
    Note: You cannot delete a Cloud Directory or an IBMid identity source.
    1. Select the identity source and select Delete from the Edit Identity Source dialog box.
    2. Confirm that you want to permanently delete the selected identity source.
      Note:
      • You cannot delete an identity source that is used as the default for MaaS360. You must choose a different identity source for MaaS360 before you delete the current default.
      • You cannot delete an identity source that is assigned to an application as a sign-in option. You must remove it as an option from the application before you can delete it.
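The Realm, Identity Linking, Unique User Identifier and Just-in-time Provisioning settings in Table 1 together decide which account an inbound SAML login lands on, and the page describes that decision only in prose. The following is an added example, written for this page and not IBM Security Verify code, that models those rules for an SP-side login: without linking, a user is keyed by (realm, username) in the identity provider's own realm, so two partners' "jdoe" accounts stay apart; with linking, the assertion's unique user identifier attribute is matched against an existing Cloud Directory account, and a shadow account is created in cloudIdentityRealm only when JIT provisioning is on. The IdentityProvider and Directory classes, the entity_id field, the partner names and the inline assertions are all constructed for the example. The assertion's XML signature, audience and validity window are assumed to have been verified before this code runs; it does not check them.

```python
# Added example, not IBM Security Verify code: models how Realm, Identity Linking,
# Unique User Identifier and Just-in-time Provisioning decide which account an
# inbound SAML login maps to. Signature/audience/validity checks are assumed done.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_REALM = "cloudIdentityRealm"  # realm of Cloud Directory accounts (Table 1)

@dataclass
class IdentityProvider:
    name: str
    entity_id: str                  # expected <saml:Issuer>; hypothetical field name
    realm: str                      # Realm: keeps same-username users apart
    identity_linking: bool = False  # Identity Linking > Enabled
    unique_user_identifier: str = "email"  # attribute used to find the linked account
    jit_provisioning: bool = False  # Just-in-time Provisioning

@dataclass
class Directory:
    """Stand-in for Directory > Users & groups: accounts keyed by (realm, username)."""
    accounts: dict = field(default_factory=dict)

    def find_linked(self, attr, value):
        # Linking matches an existing default-realm account on one attribute only.
        for (realm, user), attrs in self.accounts.items():
            if realm == DEFAULT_REALM and attrs.get(attr) == value:
                return (realm, user)
        return None

def parse_assertion(xml_text):
    """Pull Issuer, NameID and attribute values out of a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not issuer or not name_id:
        raise ValueError("assertion lacks Issuer or NameID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    return issuer, name_id, attrs

def resolve_account(idp, directory, assertion_xml):
    """Return the (realm, username) the login maps to, creating a shadow account if allowed."""
    issuer, name_id, attrs = parse_assertion(assertion_xml)
    if issuer != idp.entity_id:
        # An assertion from another IdP must never be mapped into this IdP's realm.
        raise ValueError(f"issuer {issuer!r} does not match {idp.entity_id!r}")
    if not idp.identity_linking:
        # No linking: the user lives in this IdP's own realm, so 'jdoe' from two
        # partners stays two different accounts.
        key = (idp.realm, name_id)
        directory.accounts.setdefault(key, {**attrs, "shadow": True})
        return key
    link_value = attrs.get(idp.unique_user_identifier)
    if not isinstance(link_value, str):
        raise ValueError(f"assertion lacks a single {idp.unique_user_identifier!r} value")
    existing = directory.find_linked(idp.unique_user_identifier, link_value)
    if existing:
        return existing
    if not idp.jit_provisioning:
        raise LookupError(f"no {DEFAULT_REALM} account with {idp.unique_user_identifier}={link_value!r}")
    key = (DEFAULT_REALM, name_id)
    if key in directory.accounts:
        # JIT must not silently take over an existing account whose identifier differs.
        raise LookupError(f"{name_id!r} already exists in {DEFAULT_REALM}; link it instead")
    directory.accounts[key] = {**attrs, "shadow": True}
    return key

def sample_assertion(issuer, name_id, email):
    """Constructed, unsigned test assertion; a real one carries a ds:Signature."""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}" Version="2.0">'
            f"<saml:Issuer>{issuer}</saml:Issuer>"
            f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
            '<saml:AttributeStatement><saml:Attribute Name="email">'
            f"<saml:AttributeValue>{email}</saml:AttributeValue>"
            "</saml:Attribute></saml:AttributeStatement></saml:Assertion>")

def demo():
    """Logins from three hypothetical partners, two of them as user 'jdoe'."""
    idp_a = IdentityProvider("Partner A", "https://idp.a.example", "partnerA")
    idp_b = IdentityProvider("Partner B", "https://idp.b.example", "partnerB", identity_linking=True)
    idp_c = IdentityProvider("Partner C", "https://idp.c.example", "partnerC",
                             identity_linking=True, jit_provisioning=True)
    directory = Directory({(DEFAULT_REALM, "jdoe"): {"email": "jdoe@corp.example"}})
    results = {
        "a": resolve_account(idp_a, directory, sample_assertion(idp_a.entity_id, "jdoe", "jdoe@a.example")),
        "b": resolve_account(idp_b, directory, sample_assertion(idp_b.entity_id, "jdoe", "jdoe@corp.example")),
        "c": resolve_account(idp_c, directory, sample_assertion(idp_c.entity_id, "msmith", "msmith@c.example")),
    }
    try:  # assertion issued by Partner A but presented against Partner B's configuration
        resolve_account(idp_b, directory, sample_assertion(idp_a.entity_id, "jdoe", "jdoe@corp.example"))
        results["spoof_rejected"] = False
    except ValueError:
        results["spoof_rejected"] = True
    return results, directory
```

In demo(), Partner A's "jdoe" becomes a shadow account in the partnerA realm, Partner B's "jdoe" is linked to the existing cloudIdentityRealm account by e-mail, Partner C's unknown user is JIT-provisioned into cloudIdentityRealm, and an assertion whose Issuer does not match the configured identity provider is refused before any account lookup. The collision guard in the JIT branch is the edge case to keep in mind when enabling JIT on a provider: a new shadow account must not overwrite an existing account that merely shares the username.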