IBM Security Verify Bridge

The IBM® Security Verify Bridge component gives IBM cloud services access to user attributes and authentication that remain under the control of the customer's on-premises LDAP, Active Directory, or custom database.

Introduction

The Verify Bridge gives IBM Security Verify components access to authentication and user attributes that are held in on-premises LDAP, Active Directory, or custom database identity sources.

The main connection between the Verify Bridge and the IBM Security Verify tenant is an HTTP or HTTPS long-poll. The connection is initiated outbound by the Verify Bridge, so no inbound connection to the customer network is required, and it carries an authorized access token that the Bridge obtains at startup and refreshes periodically. After the long-poll connection is established, requests flow from Verify to the Verify Bridge over it. Because the access token and directory data travel over this connection, HTTPS is the appropriate choice in any deployment where the path to the tenant is not otherwise protected.

Component overview

The following diagram illustrates the main components of the Verify Bridge architecture.

[Diagram: the image shows alternative flows for LDAP-backed and non-LDAP-backed identity sources.]

Callouts in the diagram:
  • Workloads: Workload requests are dispatched to any connected instance of the agent that represents the identity source. Any connected agent can be selected, which provides high availability (HA) and scalable performance.
  • LDAP Agent (Identity Source 1): Multiple instances of the Bridge Agent can be deployed per identity source. Multiple instances form a cluster of Bridge Agents that services requests and workloads for that identity source.
  • LDAP Source 1 (Replica 2): Each Bridge Agent instance must be able to connect to the same external data repository, or to a replica of it. Each primary and replica URL is configured as part of the agent connection information. Connection attempts are made in the order in which the URLs are supplied in the configuration.

In this diagram:
  1. The flows and boxes that are illustrated within the Verify box are conceptual only.
  2. Multiple instances of the Bridge Agent can be deployed for an identity source. This ability enables a cluster of Bridge Agents to serve requests and workloads for that identity source. Each Bridge Agent instance must be able to connect to the same external data repository, or to a replica of it.
Note:
  • LDAP TLS server certificate validation is now enforced when the host in the LDAP URI is specified as an IP address. After the upgrade, existing configurations that combine TLS with an IP address might stop working, because the server certificate normally names the host and does not list the IP address as a subject alternative name. Two options are available for those affected by this change:
    • Specify the hostname that appears in the LDAP server certificate by using the optional configuration item "LdapCertHostName" "{your cert host name}". The Bridge then validates the certificate against that name rather than against the IP address in the URI.
    • Change the LDAP URI to use the hostname that appears in the LDAP server certificate.
    If a temporary immediate workaround is required until one of these options is chosen, set the optional configuration item "InsecureSkipVerify" to "true". This setting disables server certificate verification for the LDAP connection entirely, so the Bridge can no longer detect an impersonated LDAP server; remove it as soon as one of the two options above is in place.
  • Version 1.0.9 and later no longer accepts certificates that identify the host only through the legacy Common Name field. The certificates must carry the hostname in a SAN (subject alternative name) extension instead. If legacy Common Name hostname identification must be used, set the GODEBUG='x509ignoreCN=0' environment variable for the Windows onprem.exe process, or pass it into the Docker image. This GODEBUG setting is honored only by Go 1.15 and 1.16 runtimes and is ignored by later Go releases, so treat it as a stopgap and reissue the certificate with a SAN.
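The two notes above describe the behaviour of a Go TLS client, which is what the GODEBUG reference implies the Bridge is. The following Go program, added here as an illustration and not code from the Bridge itself, reproduces that behaviour offline: it creates self-signed test certificates (one with a DNS SAN, one with DNS and IP SANs, one with only a Common Name) and checks each against the name a client would expect, either the host from the LDAP URI or an override in the role of "LdapCertHostName". The mapping of "LdapCertHostName" and "InsecureSkipVerify" onto crypto/tls fields, the hostname ldap.example.com and the address 192.0.2.10 are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert builds a self-signed server certificate for a test LDAP host.
// dnsNames and ipAddrs populate the SAN extension; when both are empty the
// certificate identifies its host only by the legacy Common Name.
func makeCert(cn string, dnsNames []string, ipAddrs []net.IP) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames,
		IPAddresses:           ipAddrs,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verifyAs performs the check a Go TLS client runs after the handshake:
// chain the server certificate to a trusted root, then require that
// expectedName (the host from the LDAP URI, or the LdapCertHostName
// override) appears in the certificate's SAN extension. Go no longer
// consults the Common Name here unless GODEBUG=x509ignoreCN=0 is set on a
// Go 1.15 or 1.16 runtime.
func verifyAs(cert *x509.Certificate, expectedName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // trust the self-signed test cert as its own root
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// tlsConfigFor shows how the two configuration items map onto crypto/tls
// (assumed mapping for this example). uriHost is the host part of the LDAP
// URI, certHostName plays the role of LdapCertHostName, and insecure plays
// the role of InsecureSkipVerify.
func tlsConfigFor(uriHost, certHostName string, insecure bool) *tls.Config {
	cfg := &tls.Config{ServerName: uriHost, MinVersion: tls.VersionTLS12}
	if certHostName != "" {
		cfg.ServerName = certHostName // verify against the cert's name, not the IP
	}
	if insecure {
		cfg.InsecureSkipVerify = true // disables chain AND hostname checks: temporary use only
	}
	return cfg
}

// scenarios returns, for each labelled case, whether certificate
// verification succeeds. Names and addresses are constructed test data.
func scenarios() map[string]bool {
	sanCert := makeCert("ldap.example.com", []string{"ldap.example.com"}, nil)
	ipSanCert := makeCert("ldap.example.com", []string{"ldap.example.com"}, []net.IP{net.ParseIP("192.0.2.10")})
	cnOnlyCert := makeCert("ldap.example.com", nil, nil)
	override := tlsConfigFor("192.0.2.10", "ldap.example.com", false).ServerName
	return map[string]bool{
		"uri by IP, SAN has DNS name only":     verifyAs(sanCert, "192.0.2.10") == nil,
		"uri by IP, LdapCertHostName override": verifyAs(sanCert, override) == nil,
		"uri by IP, SAN includes the IP":       verifyAs(ipSanCert, "192.0.2.10") == nil,
		"uri by hostname, SAN has DNS name":    verifyAs(sanCert, "ldap.example.com") == nil,
		"uri by hostname, CN-only certificate": verifyAs(cnOnlyCert, "ldap.example.com") == nil,
	}
}

func main() {
	for name, ok := range scenarios() {
		fmt.Printf("%-40s verified=%v\n", name, ok)
	}
}
```

Running the program shows the two failing cases from the notes (an IP in the URI against a certificate without an IP SAN, and a CN-only certificate) and the three ways that pass: name the certificate host through the override, put the certificate's hostname in the URI, or reissue the certificate with an IP SAN. The InsecureSkipVerify path is deliberately not in the scenario table because it turns off the check rather than satisfying it.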

Supported software

Operating systems
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2012 R2
  • Linux systems that support Docker engine 19.03.0 or higher