Configuring single sign-on in the target application

Configure single sign-on support in the target application. Provide the application with information about Verify so that it knows where to send its authentication request and can establish trusted communication with Verify.

About this task

Each application template includes a Single Sign-on Configuration section in the Sign-on tab. Follow the instructions there to set up single sign-on in the target application.

This topic describes the general information that is typically required in the administration console of the target application.

Procedure

  • If you are configuring SAML single sign-on, you need to provide the following information from Verify:
    Table 1. Identity provider information
    Information / Description

    Provider ID
      The unique URL identifier of the identity provider. Service providers commonly refer to it as the Issuer, Identifier, Identity Provider, or IdP Entity ID.

    Login URL
      The URL that the identity provider uses for sign-in requests. It is the endpoint where the service provider sends its SAML authentication request and where the user is authenticated. Service providers commonly refer to it as the Identity Provider Target URL, SSO Login URL, Redirect URL, or Identity Provider Endpoint.

    Logout URL
      The URL that the identity provider uses to redirect the user to sign out.

    Change Password URL
      The URL that the identity provider uses to redirect the user to change their password.

    Signing certificate
      The IBM® Verify personal certificate, or its public key, that you uploaded on the Security > Certificates > Personal Certificates page.

    Signing Certificate Fingerprint
      The fingerprint of the IBM Verify personal certificate that you uploaded on the Security > Certificates > Personal Certificates page.

    Identity Provider Metadata
      An XML file that contains information about the identity provider. Its entityID attribute uniquely identifies the provider. The file contains the configuration data that establishes the connection between the identity provider and a service provider.

  • If you are configuring OpenID Connect single sign-on, you need to provide the following information from Verify:
    Table 2. Identity provider information
    Information / Description

    Client ID
      Generated when you save the OpenID Connect custom application. Copy and paste this value into the relevant field in the application's admin console.

    Client Secret
      Generated when you save the OpenID Connect custom application. Copy and paste this value into the relevant field in the application's admin console.

    Scope
      Set the Scope value to openid. You can include additional scopes as required by your application.
      Verify supports the following scopes:
      • profile: requests access to the name, family_name, given_name, and preferred_username claims.
      • email: requests access to the email and email_verified claims.
      • phone: requests access to the phone claim.

    OpenID Connect Provider endpoints
      Specify the required endpoint, which can be any of these formats depending on the application:
      • The Provider ID or Issuer:
        https://[tenant]/oidc/endpoint/default
      • Authorize Endpoint URL:
        https://[tenant]/oidc/endpoint/default/authorize
      • Token Endpoint URL:
        https://[tenant]/oidc/endpoint/default/token
      • User Information Endpoint URL:
        https://[tenant]/oidc/endpoint/default/userinfo
      All of this information can be derived from the OpenID configuration information URL:
        https://[tenant]/oidc/endpoint/default/.well-known/openid-configuration

    [tenant] is the fully qualified domain name that is assigned to your Verify subscription. It has the form <hostname>.verify.ibm.com.
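As an added example (not part of the IBM documentation), the following Python reads a discovery document shaped like the one served at the OpenID configuration URL above, extracts the three endpoints an application needs, and refuses a document whose issuer or endpoints do not belong to the tenant the administrator configured. The tenant name and the document contents are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample, shaped like the document served at
# https://[tenant]/oidc/endpoint/default/.well-known/openid-configuration.
# "example-tenant.verify.ibm.com" is a placeholder, not a real subscription.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example-tenant.verify.ibm.com/oidc/endpoint/default",
    "authorization_endpoint": "https://example-tenant.verify.ibm.com/oidc/endpoint/default/authorize",
    "token_endpoint": "https://example-tenant.verify.ibm.com/oidc/endpoint/default/token",
    "userinfo_endpoint": "https://example-tenant.verify.ibm.com/oidc/endpoint/default/userinfo",
    "scopes_supported": ["openid", "profile", "email", "phone"],
})

# Standard discovery keys for the Authorize, Token and User Information URLs.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def expected_issuer(tenant: str) -> str:
    """Provider ID / Issuer for a Verify tenant, built from the tenant FQDN."""
    return f"https://{tenant}/oidc/endpoint/default"


def parse_discovery(raw: str, tenant: str) -> dict:
    """Return the issuer and the three endpoints, after checking that the
    issuer equals the one expected for this tenant and that every endpoint
    is an https URL underneath that issuer. An application that copied the
    URLs without these checks would trust whatever the document said."""
    doc = json.loads(raw)
    issuer = expected_issuer(tenant)
    if doc.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    endpoints = {"issuer": issuer}
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        # The trailing "/" stops ".../default-other/token" passing as ".../default".
        if not isinstance(url, str) or not url.startswith(issuer + "/"):
            raise ValueError(f"{key} missing or outside issuer: {url!r}")
        if urlparse(url).scheme != "https":
            raise ValueError(f"{key} is not https: {url!r}")
        endpoints[key] = url
    return endpoints


def discovery_is_valid(raw: str, tenant: str) -> bool:
    """Boolean form of parse_discovery, for use in configuration checks."""
    try:
        parse_discovery(raw, tenant)
        return True
    except (ValueError, json.JSONDecodeError):
        return False
```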