Configuring Global settings

Use these settings to determine how the tenant authenticates users.

Procedure

  1. Select Authentication > Identity providers > Global settings.
  2. Select the primary identity provider from the menu that your tenant uses to authenticate users when they log in.
    Typically, the primary identity provider for the tenant is the IBM® Security Verify Cloud Directory.
  3. Optional: Under SAML 2.0 Service provider configuration, update the SAML 2.0 service provider federation configurations.
    1. Provide a message valid time in seconds.
      This value is the tolerance, in seconds, that is applied when the IssueInstant of a received SAML message is validated. Keep it as small as your clock synchronization allows; a large tolerance widens the window in which a captured message is still accepted.
    2. Select the checkbox for CRL enabled.
      When CRL is enabled, the certificate revocation list is checked for every function that uses an external certificate. CRL checking is enabled by default. If your configuration does not require it, for example because you use an internal certificate authority (CA), you can disable it. Note that with CRL checking disabled, a revoked certificate, such as a compromised identity provider signing certificate, is still accepted until it expires.
    3. Select a Key selection criteria.
      It specifies which key or certificate to use for signing, validating, encrypting, or decrypting various messages. If multiple keys or certificates exist with the same SubjectDN as the key or certificate with the specified alias, this setting determines which one to use. It has the following three selection methods.
      Only alias
      Select the key or certificate with the specified alias. This method is the default.
      Shortest lifetime
      For signing, the valid key with the shortest remaining lifetime is used. For validation, the keys that share the SubjectDN are sorted by remaining lifetime and tried sequentially, starting with the key with the shortest remaining lifetime, until validation succeeds.
      Longest lifetime
      For signing, the valid key with the longest remaining lifetime is used. For validation, the keys that share the SubjectDN are sorted by remaining lifetime and tried sequentially, starting with the key with the longest remaining lifetime, until validation succeeds.
    4. Select the checkbox for Skip target URL validation.
      It indicates whether to skip validation of the target URL in SAML flows. The default value is false. Leave the checkbox cleared unless you have a specific reason: when validation is skipped, the target URL is not checked against the allowed target URLs that you add in the next step.
    5. Click Add allowed target URL to add allowed target URLs.
      You can add multiple URLs.
    6. Select the Default Name ID format.
      • Email
      • Unspecified.
    7. Select the Signature algorithm.
      This algorithm digitally signs the SAML AuthnRequest message. The supported values are RSA-SHA1, RSA-SHA256, RSA-SHA512, ECDSA-SHA256, ECDSA-SHA384, and ECDSA-SHA512. If no value is selected, RSA-SHA256 is used. Select RSA-SHA1 only for an identity provider that cannot validate anything else; SHA-1 is deprecated for digital signatures.
    8. Select the Signing certificate.
      For signing, this certificate is used to sign the SAML AuthnRequest during single sign-on. The default selection refers to the default personal certificate that you configured in Security > Certificates > Personal Certificates.
    9. Select the Decryption certificate.
      Use this certificate to decrypt the received SAML Response message if it contains encrypted elements during single sign-on. The default selection refers to the default personal certificate that you configured in Security > Certificates > Personal Certificates.
    10. Select the checkbox for Exclude SPNameQualifier in AuthnRequest.
      It indicates whether to exclude SPNameQualifier from the AuthnRequest when the unspecified NameID format is used. The default value is false, which includes the SPNameQualifier.

  4. Optional: Under Attribute mapping, map attributes from the identity provider to IBM Security Verify Cloud Directory.
    1. Select Add attribute mapping.
    2. Specify an identity provider attribute by using one of the following options:
      1. Select from the following list of available options:
        • company: Company of the user.
        • country: Country of the user.
        • displayName: Display name of the user.
        • email: Email address of the user to which notifications are sent.
        • family_name: Surname of the user.
        • given_name: Given name of the user.
        • mobile_number: Mobile number of the user to which notifications are sent.
        • userID: Unique identifier of the user.
        • Custom rule: Custom identity provider attribute. If you select Custom rule, enter a custom rule in the rule editor, and click OK to save.
      2. Enter an attribute name in the Select an attribute field if the identity provider attribute that you need is not in the list of options.
    3. Select a transformation value to transform the identity provider attribute, or leave the default value None.
      • Uppercase: Converts the attribute to uppercase.
      • Lowercase: Converts the attribute to lowercase.
      • Base64 Encode: Encodes the attribute with base64.
      • Base64 Decode: Decodes a base64-encoded attribute.
      • Encode URI: Percent-encodes the attribute by using an encode URI method (like JavaScript encodeURI, which leaves URI delimiters such as "/", "?", and "&" unencoded).
      • Encode URI Component: Percent-encodes the attribute by using an encode URI component method (like JavaScript encodeURIComponent, which also encodes the delimiters).
      • Decode URI: Decodes the attribute by using a decode URI method.
      • Decode URI Component: Decodes the attribute by using a decode URI component method.
      • Generate UUID if no value is evaluated: Generates a universally unique identifier when the identity provider attribute evaluates to no value.
      • Current Time (seconds): Sets the attribute to the current time in seconds.
      • Current Time (milliseconds): Sets the attribute to the current time in milliseconds.
      • SHA-256 Hash: Hashes the attribute with SHA-256.
      • SHA-512 Hash: Hashes the attribute with SHA-512.
    4. Specify an IBM Security Verify attribute. For more information about attributes, see Managing attributes.
      Note: Do not select the following reserved built-in attributes; they cannot be mapped from identity provider attributes.
      • groupIds
      • preferred_username
      • realmName
      • tenantId
      • uid
    5. Specify how the attribute is stored in the user profile:
      • Always - Store or update the attribute at each login.
      • On user creation only - Store the attribute once at account creation.
      • Disable - Never store or update the attribute.
    6. Repeat the process for each attribute that you map.
  5. Optional: Select the Group membership source from the following menu to specify the source of the user access permissions groups:
    • Cloud Directory - User access permissions are derived from the user groups in the Cloud Directory.
    • Cloud Directory and Identity Source - User access permissions are derived from the user groups in the Cloud Directory and the identity source token, which includes the groupIds claim.
    • Identity Source - User access permissions are derived from the identity source token, which includes the groupIds claim.
      Note: If the identity source token does not contain the groupIds claim, the user receives no group membership permissions.
    • Custom rule - If you select Custom rule, enter a custom rule in the rule editor, and click OK to save. User access permissions are derived based on the custom rule.
  6. Under Session exchange, you can select the redirect URLs that are allowed to be passed to the Token Exchange API.
    The Token Exchange API accepts a redirect_url parameter that causes the API to return a browser redirect with a login session. The redirect_url must match one of the regular expressions in this list.

    Typically the URL is to a specific URL that the user needs to access or a URL that is customized for your business. This feature limits the redirection to the URLs that you specify.

    The redirect_url parameter is automatically allowed if:
    • It starts with the tenant name: https://<tenantname>
    • It starts with “/”, which means that it is a relative URL to the tenant.
    Otherwise, the URL must be added here as a regular expression.
    For example, to use common URL characters with the proper escapes:
    https://www\.example\.com\?key1=value1&key2=value2
    To match everything that starts with a certain domain, end the expression with .* (the regular expression form of a wildcard):
    https://www\.example\.com.*
    Note that this expression also matches any host whose name merely begins with www.example.com, such as https://www.example.com.attacker.example/. If the expression is matched against the whole URL, https://www\.example\.com(/.*)? allows only the intended host, because it requires either a path or the end of the URL after the host name.
  7. Select the default identity provider from the menu that is used to authenticate from mobile devices.
  8. Select a unique identifier from the menu to use for user identification.
  9. Set up automated account cleanup.
    1. Select the checkbox to enable automated cleanup.
    2. Select the number of days that an account can be inactive before it is cleaned up.
    3. Select the population.
      • Entire user population
      • Specify a SCIM filter.
  10. Click Save changes.