Configuring Global settings
Use these settings to determine how the tenant authenticates users.
Procedure
- Select Authentication > Identity providers > Global settings.
- Select the primary identity provider from the menu that your tenant uses to authenticate users when they log in. Typically, the primary identity provider for the tenant is the IBM® Security Verify Cloud Directory.
- Optional: Under SAML 2.0 Service provider configuration, update the SAML 2.0 service provider federation configurations.
  - Provide a message valid time in seconds. It is the tolerance, in seconds, that is applied when the IssueInstant of a received SAML message is validated.
  - Select the checkbox for CRL enabled. When CRL is enabled, the certificate revocation list is checked for all functions that use an external certificate. If your configuration does not require CRL checking, you can disable it. For example, if you use an internal certificate authority (CA), you might want to disable CRL checking. It defaults to true.
  - Select a Key selection criteria. It specifies which key or certificate to use for signing, validating, encrypting, or decrypting various messages. If multiple keys or certificates exist with the same SubjectDN as the key or certificate with the specified alias, this setting determines which one to use. It has the following three selection methods:
    - Only alias: Select the key or certificate with the specified alias. This method is the default.
    - Shortest lifetime: For signing, a valid key with the shortest remaining lifetime is used. For validation, keys that have the same SubjectDN are sorted by remaining lifetime. The keys are tried sequentially, starting with the key that has the shortest remaining lifetime, until validation is successful.
    - Longest lifetime: For signing, a valid key with the longest remaining lifetime is used. For validation, keys that have the same SubjectDN are sorted by remaining lifetime. The keys are tried sequentially, starting with the key that has the longest remaining lifetime, until validation is successful.
  - Select the checkbox for Skip target URL validation. It indicates whether to skip targetURL validation in SAML. The default value is false.
  - Click Add allowed target URL to add allowed target URLs. You can add multiple URLs.
  - Select the Default Name ID format.
    - Unspecified.
  - Select the Signature algorithm. For signing, this algorithm digitally signs the SAML AuthnRequest message. The supported values are RSA-SHA1, RSA-SHA256, RSA-SHA512, ECDSA-SHA256, ECDSA-SHA384, and ECDSA-SHA512. When it is empty, the default RSA-SHA256 is used.
  - Select the Signing certificate. For signing, this certificate is used to sign the SAML AuthnRequest during single sign-on. The default selection refers to the default personal certificate that you configured in Security > Certificates > Personal Certificates.
  - Select the Decryption certificate. This certificate is used to decrypt the received SAML Response message if it contains encrypted elements during single sign-on. The default selection refers to the default personal certificate that you configured in Security > Certificates > Personal Certificates.
  - Select the checkbox for Exclude SPNameQualifier in AuthnRequest. It indicates whether to exclude the SPNameQualifier from the AuthnRequest when an unspecified NameID format is used. The default value is false, which includes the SPNameQualifier.
- Optional: Under Attribute mapping, map attributes from the identity provider to IBM Security Verify Cloud Directory.
  - Select Add attribute mapping.
  - Specify an identity provider attribute by using one of the following options:
    - Select from the following list of available options:

      | Attribute Name | Description |
      |---|---|
      | company | Company of the user. |
      | country | Country of the user. |
      | displayName | Display name of the user. |
      | email | Email address of the user where notification is sent. |
      | family_name | Surname of the user. |
      | given_name | Given name of the user. |
      | mobile_number | Mobile number of the user where notification is sent. |
      | userID | Unique identifier of the user. |
      | Custom rule | Custom identity provider attribute. If you select Custom rule, enter a custom rule in the rule editor, and click OK to save. |

    - Enter an attribute name in the Select an attribute field. Use this option for an attribute name that is not available in the list of options.
  - Select a transformation value to transform the identity provider attribute, or leave the default value as None.

    | Transformation | Description |
    |---|---|
    | Uppercase | Transforms the attribute to uppercase. |
    | Lowercase | Transforms the attribute to lowercase. |
    | Base64 Encode | Transforms the attribute by using a base64 encoding algorithm. |
    | Base64 Decode | Transforms the attribute by using a base64 decoding algorithm. |
    | Encode URI | Transforms the attribute by using an encode URI method. |
    | Encode URI Component | Transforms the attribute by using an encode URI component method. |
    | Decode URI | Transforms the attribute by using a decode URI method. |
    | Decode URI Component | Transforms the attribute by using a decode URI component method. |
    | Generate UUID if no value is evaluated | Transforms the attribute to generate a universally unique identifier. |
    | Current Time (seconds) | Transforms the attribute to the current time in seconds. |
    | Current Time (milliseconds) | Transforms the attribute to the current time in milliseconds. |
    | SHA-256 Hash | Transforms the attribute by using the SHA-256 algorithm. |
    | SHA-512 Hash | Transforms the attribute by using the SHA-512 algorithm. |

  - Specify an IBM Security Verify attribute. For more information about attributes, see Managing attributes. Note: Avoid selecting the following reserved built-in attributes because they are not mapped to identity provider attributes:
    - groupIds
    - preferred_username
    - realmName
    - tenantId
    - uid
- Specify how the attribute is stored in the user profile:
- Always - Store or update the attribute at each login.
- On user creation only - Store the attribute once at account creation.
- Disable - Never store or update the attribute.
- Repeat the process for each attribute that you map.
- Optional: Select the Group membership source from the following menu to specify the source of the user access permission groups:
  - Cloud Directory - User access permissions are derived from the user groups in the Cloud Directory.
  - Cloud Directory and Identity Source - User access permissions are derived from the user groups in the Cloud Directory and from the identity source token, which includes the groupIds claim.
  - Identity Source - User access permissions are derived from the identity source token, which includes the groupIds claim. Note: If the identity source token does not contain the groupIds claim, you do not get any group membership permissions.
  - Custom rule - If you select Custom rule, enter a custom rule in the rule editor, and click OK to save. User access permissions are derived based on the custom rule.
- Under Session exchange, you can select the redirect URLs that are allowed to be passed to the Token Exchange API. The Token Exchange API accepts a redirect_url parameter that causes the API to return a browser redirect with a login session. The redirect_url must match one of the regular expressions in this list. Typically, the URL is a specific URL that the user needs to access or a URL that is customized for your business. This feature limits the redirection to the URLs that you specify.
  The redirect_url parameter is automatically allowed if:
  - It starts with the tenant name: https://<tenantname>
  - It starts with "/", which means it is a relative URL to the tenant.
  For example, to use common URL characters with the proper escapes: https://www\.example\.com\?key1=value1&key2=value2
  To match everything that starts with a certain domain, use the * wildcard: https://www\.example\.com.*
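  The following Python snippet is an added example, not part of this documentation or the product, that applies the Session exchange rules above to sample redirect_url values: the two automatic allowances plus the page's two regular expressions, alongside a tighter variant that only matches paths under the host. It assumes the patterns must match the whole URL and that a tenant URL is recognized by its exact host (tenantname.example is a constructed placeholder); the product's exact matching semantics are not stated on the page.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder for the tenant host (<tenantname> in the docs).
TENANT_HOST = "tenantname.example"

# Regular expressions as they would be entered under Session exchange.
# These two are the examples given in the documentation.
ALLOWED_REDIRECT_PATTERNS = [
    r"https://www\.example\.com\?key1=value1&key2=value2",
    r"https://www\.example\.com.*",
]

# Tighter variant (added here): the wildcard only matches a path under the
# host, so a longer host name that merely starts with www.example.com is
# rejected. The explicit query-string pattern is kept as-is.
TIGHTER_PATTERNS = [
    r"https://www\.example\.com\?key1=value1&key2=value2",
    r"https://www\.example\.com(/.*)?",
]


def is_tenant_url(url: str, tenant_host: str) -> bool:
    """Automatically allowed: an https URL whose host is exactly the tenant.
    Comparing the parsed host (assumption of this example) avoids accepting
    a longer host name that only begins with the tenant name."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.netloc.lower() == tenant_host.lower()


def is_relative_url(url: str) -> bool:
    """Automatically allowed: a path relative to the tenant ("/...").
    A scheme-relative "//host/..." URL is not treated as relative here
    (assumption of this example; the page only says "starts with /")."""
    return url.startswith("/") and not url.startswith("//")


def redirect_url_allowed(url: str, patterns, tenant_host: str = TENANT_HOST) -> bool:
    """Return True if the redirect_url may be passed to the Token Exchange API.

    Each configured pattern must match the whole URL (re.fullmatch), so an
    unanchored pattern cannot be satisfied by a substring somewhere in the URL.
    """
    if is_tenant_url(url, tenant_host) or is_relative_url(url):
        return True
    return any(re.fullmatch(pattern, url) for pattern in patterns)
```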
- Select the default identity provider from the menu that is used to authenticate from mobile devices.
- Select a unique identifier from the menu to use for user identification.
- Set up automated account cleanup.
  - Select the checkbox to enable automated cleanup.
  - Select the number of days that the account can be inactive.
  - Select the population:
    - Entire user population
    - Specify a SCIM filter.
- Click Save changes.