Configuring an OIDC Enterprise identity provider
You can use any identity provider that supports the OIDC protocol as an OIDC Enterprise identity provider. The identity provider authenticates the user identity against data in this identity provider before it grants access to IBM® Security Verify.
Procedure
- Select Authentication > Identity providers.
- Select OIDC Enterprise.
- On the General page, provide the following information.
  - Name
    - Provide a recognizable name for your identity provider.
  - Realm and issuer
    - Provide the URL to the identity provider, for example, https://accounts.OIDC-IDP.com. It is the realm that is used for Cloud Directory and, if a well-known endpoint is not provided, it also serves as the issuer for the OIDC flow.
  - ID
    - The ID is created after you save the configuration.
  - Enabled
    - Select this checkbox to use this identity provider for signing in.
- Select Next.
- On the To identity provider page, copy the redirect URL. You provide this URL to the identity provider when you register your application for single sign-on.
- Select Next.
- On the From identity provider page, provide the following information.
  - Optional: Provide a friendly name that is used in place of the identity provider ID that is displayed in the Verify login URL.
  - Provide the Client ID and Client secret that you received when you registered your application with the identity provider.
  - Optional: Add or remove scopes to control how the application is used. Note: Select Enter for Windows or Return for macOS after each scope that you add in your Administration console.
  - Provide information about the endpoints that you received when you registered your application.
    - Well-known endpoint
      - Use this attribute to configure your OIDC client with the discovery document. As an example, https://myco.com. If you do not use the well-known endpoint, you must supply the following information.
        - Authorization endpoint
        - Token endpoint
        - User information endpoint
  - Optional: If your identity provider supports it, you can enable PKCE support and provide the JWKS URI. Add a JWKS URI if one is not provided with the identity provider's well-known configuration.
  - Optional: If they are available, you can forward the login hint, prompt, and max age parameters to the identity provider during a single sign-on flow.
- Select Next.
- Optional: Select Just-in-time provisioning. This option creates and updates the user account in the primary identity provider realm that is associated with the SAML identity.
- Optional: Specify an attribute that identifies users from the identity provider user registry from the Unique user identifier menu. If you select Enable identity linking for this identity provider, you must provide the UUID.
- Optional: Select a transformation value to transform the Unique user identifier value or leave the default value as None.
- Optional: Select Enable identity linking for this identity provider.
  - Select the unique identifier that you want to use for the accounts from the Unique User Identifier link. Note: The UUID can be anything in the OIDC claims object that uniquely identifies the user.
  - Set the UUID by typing the value in the External ID attribute field. The default value is sub.
  - Select a transformation value to transform the External ID attribute value or leave the default value as None.
  - Select the unique identifier that you want to use for the accounts from the Unique User Identifier link.
- Select Next.
- Optional: On the Attribute-mapping page, map more attributes from the OIDC provider to Verify attributes.
  - Select Add attribute mapping.
  - Select an OIDC attribute from the menu. If the OIDC provider has other, nonstandard OIDC supported attributes, you can type the value in the Select an attribute field.
  - Select a Verify attribute from the menu.
  - Select how the attribute is used.
  - Repeat the process for each attribute that you want to map.
- Select Next.
- Optional: If you enabled public preview CI-108233, select whether to enable user invitations. Invitations are created and sent by using the POST /v1.0/usc/user/invitation API. See Inviting users. Select the Enable user invitations check box to invite others to register as new users. You can also select a user profile for the user to enter more data as part of accepting the invitation. See Managing user profiles.
- Click Done.
- Optional: Edit the OIDC identity provider.
  - Select Authentication > Identity providers.
  - Select the identity provider from the list of Sources.
  - Make your changes. You cannot change the ID or the Redirect URL.
  - Select Save changes.
- Optional: Delete the OIDC identity provider.
  - Select Authentication > Identity providers.
  - Select the identity provider from the list of Sources.
  - Select the Delete icon.
  - Select Delete to confirm that you want to delete the identity provider.
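The From identity provider step above leaves two things to the administrator: deciding whether the well-known (discovery) document covers the authorization, token and user information endpoints and the JWKS URI, and noticing when one of them must be typed in by hand. The following script is an added example, not IBM Security Verify code, that performs that check offline. It reads a constructed discovery document whose host reuses the page's placeholder issuer https://accounts.OIDC-IDP.com, verifies that the document's issuer equals the configured Realm and issuer value, reports which endpoints are still missing, insists on https for every URL, and reads the PKCE advertisement. The function names and the sample documents are assumptions made for this example.

```python
"""Resolve the endpoint settings that the From identity provider page asks for.

Added example, not IBM Security Verify code. Given the configured issuer, an
optional OIDC discovery document (what a well-known endpoint serves) and any
manually entered endpoints, it returns the effective settings plus a list of
problems an administrator must fix before saving the identity provider.
"""
import json
from urllib.parse import urlparse

# Constructed discovery documents (sample data for this example). The host is
# the placeholder issuer used on the page, not a real provider.
FULL_DISCOVERY = json.dumps({
    "issuer": "https://accounts.OIDC-IDP.com",
    "authorization_endpoint": "https://accounts.OIDC-IDP.com/oauth2/authorize",
    "token_endpoint": "https://accounts.OIDC-IDP.com/oauth2/token",
    "userinfo_endpoint": "https://accounts.OIDC-IDP.com/oauth2/userinfo",
    "jwks_uri": "https://accounts.OIDC-IDP.com/oauth2/jwks",
    "code_challenge_methods_supported": ["S256"],
})
# Same provider, but the document carries no jwks_uri and no PKCE advertisement.
SPARSE_DISCOVERY = json.dumps({
    "issuer": "https://accounts.OIDC-IDP.com",
    "authorization_endpoint": "https://accounts.OIDC-IDP.com/oauth2/authorize",
    "token_endpoint": "https://accounts.OIDC-IDP.com/oauth2/token",
    "userinfo_endpoint": "https://accounts.OIDC-IDP.com/oauth2/userinfo",
})

# The three endpoints the page says are mandatory without a well-known endpoint.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def is_https_url(url):
    """Endpoints and the JWKS URI must be absolute https URLs."""
    parsed = urlparse(url or "")
    return parsed.scheme == "https" and bool(parsed.netloc)


def resolve_settings(configured_issuer, discovery_json=None, manual=None):
    """Return (settings, problems).

    configured_issuer: the Realm and issuer value from the General page.
    discovery_json:    the document fetched from the well-known endpoint, or None.
    manual:            endpoints typed in by hand (authorization_endpoint,
                       token_endpoint, userinfo_endpoint, jwks_uri), or None.
    Manual values fill in only what the discovery document does not provide,
    which is the page's rule for the JWKS URI.
    """
    manual = manual or {}
    doc = json.loads(discovery_json) if discovery_json else {}
    problems = []

    # A discovery document must describe the issuer that was configured; otherwise
    # ID tokens from this provider would carry an iss claim the realm does not expect.
    if doc and doc.get("issuer") != configured_issuer:
        problems.append(
            f"issuer mismatch: configured {configured_issuer!r}, discovered {doc.get('issuer')!r}"
        )

    settings = {"issuer": configured_issuer}
    for key in REQUIRED_ENDPOINTS + ("jwks_uri",):
        value = doc.get(key) or manual.get(key)
        if not value:
            source = "discovery document" if doc else "well-known endpoint (none configured)"
            problems.append(f"{key} missing: not in {source}, supply it manually")
        elif not is_https_url(value):
            problems.append(f"{key} is not an https URL: {value!r}")
        else:
            settings[key] = value

    # Enable PKCE only when the provider advertises the S256 challenge method.
    settings["pkce"] = "S256" in doc.get("code_challenge_methods_supported", [])
    return settings, problems


if __name__ == "__main__":
    for label, doc in (("full", FULL_DISCOVERY), ("sparse", SPARSE_DISCOVERY)):
        settings, problems = resolve_settings("https://accounts.OIDC-IDP.com", doc)
        print(label, settings)
        for problem in problems:
            print("  problem:", problem)
```

Run it with a real discovery document saved to disk before filling in the From identity provider page: an empty problems list means nothing needs to be typed in manually, and a reported jwks_uri gap is exactly the case in which the page tells you to add the JWKS URI yourself.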