Adding a SAML Enterprise identity provider
You can use any identity provider that supports the SAML protocol as a SAML Enterprise identity provider. The identity provider authenticates the user against its own user data before Verify grants access.
Procedure
- Select Authentication > Identity providers.
- Select Add identity provider.
- Select SAML Enterprise.
- Select Next.
- On the General page, provide the following information.
- Name
- Provide a recognizable name for your identity provider.
- Realm
- An identity provider attribute that helps distinguish users from multiple identity providers that have the same username.
It must be a unique name across all other configured identity sources in your subscription. The name can contain any alphanumeric characters. Special characters are not allowed, except for dot (.) and hyphen (-).
The maximum allowed string length is 253, the same as the maximum length of a domain name.
Note: You cannot edit the name after you create it.
- ID
- The ID is created after you save the configuration.
- Enabled
- Select this checkbox to use this identity provider for signing in.
Indicates whether the identity provider is active and available.
When the identity provider is configured and enabled, users can single sign-on to Verify and into their entitled applications with the selected identity provider. If the identity provider is not enabled, it is not displayed as an option on the Sign In page.
Note:
- There must be at least one enabled identity provider to sign in to Verify.
- If only one identity provider is enabled, it becomes the default sign-in option for the user.
- Select Next.
- Provide the identity provider with the following service provider metadata properties. You can either copy the information or download the metadata file.
- Entity ID
- Specifies the issuer in the SAML authentication request and the audience of any inbound SAML authentication response.
Note: The Entity ID is based on the primary hostname. It does not change when a vanity hostname is used. Download the metadata file to obtain the appropriate values to use when you manually configure a partner with a vanity hostname.
- Assertion Consumer Service URL
- Specifies the endpoint at the service provider that receives the SAML authentication response. The identity provider redirects the SAML authentication response to this URL, which receives and processes the SAML assertion.
- Single Logout URL
- Specifies the endpoint at the service provider that receives the SAML logout request and response. The identity provider redirects the SAML logout request and response to this URL, which receives and processes them.
- Select Next.
- Select the radio button to indicate whether the service provider or the identity provider initiates the SAML single sign-on flow.
- Service provider. Note: If you choose this option, you must upload the identity provider metadata as an .xml file.
- Identity provider. In this scenario:
- The user has an account at the identity provider site.
- The user signs in to the identity provider site, or uses the identity provider single sign-on URL, to access the protected resource from the service provider.
- The identity provider initiates a SAML authentication response that asserts that the user is authenticated.
- The service provider validates the SAML authentication response.
- The user's browser is redirected to the service provider target URL, and the user is authorized to access the requested resource.
- Select Next.
- Optional: On the Single Logout page, specify whether the incoming logout request and response messages require a signature.
- If the incoming logout request message requires a signature, select Validate logout request signature.
- If the incoming logout response message requires a signature, select Validate logout response signature.
Note:
- If the identity provider metadata file that you uploaded includes the SingleLogoutService element with an HTTP POST binding, single logout is enabled for this identity provider.
- The URL for service provider-initiated single logout looks like the following request callback: https://<tenant-Host>/saml/sps/saml20sp/saml20/sloinitial?RequestBinding=HTTPPost.
- If the SAML identity provider in the current session does not respond to a logout request that is sent from Verify, the single logout stops at that identity provider. To resume the single logout, the user must start the single logout again.
- Select Next.
- Optional: On the Just-in-time provisioning and identity linking page, specify whether to enable just-in-time provisioning and identity linking.
- Select whether to enable Just-in-time provisioning. This option creates and updates the user account in the primary identity provider realm that is associated with the SAML identity. If just-in-time provisioning is turned Off, users who attempt to log in with this identity provider cannot authenticate if no matching user record exists in the directory.
- Specify an attribute that identifies users from the identity provider user registry from the Unique user identifier menu. If you select Enable identity linking for this identity provider, you must provide the UUID.
- Select a transformation value to transform the Unique user identifier value, or leave the default value as None.
- Select the Enable identity linking for this identity provider checkbox. This turns on identity linking for a specific identity provider. Shadow accounts are not created in Cloud Directory in the realm that was specified for this identity provider.
Note:
- You cannot enable linking on the identity provider that is set as your default identity provider.
- You cannot disable or delete your default linking identity provider.
If you enable identity linking, select the unique identifier that you want to use for the accounts. This unique identifier is compared against the Username attribute of the Cloud Directory account.
- Specify an attribute that identifies users from the identity provider user registry from the External ID menu, or a custom External ID. The default value is user ID.
- Select a transformation value to transform the External ID value, or leave the default value as None.
- Select whether to enable Force authentication to achieve account linkage. This option applies only to flows that use persistent NameID format SAML tokens. If selected, the user is prompted to authenticate to the linked realm first, to link the authenticated user account with the SAML token subject. If not selected, NameID management operations are not supported for the SAML Enterprise identity provider.
- Select Next.
- Optional: On the Attribute mapping page, map attributes from the SAML Enterprise identity provider to IBM® Verify Cloud Directory.
Note: If you do not make a selection, the Attribute mapping that is specified in the Global settings is applied. Otherwise, the Attribute mapping that is specified in the SAML Enterprise identity provider overrides the selection in the Global settings. For more information about the Global settings, see Configuring Global settings.
- Select Add attribute mapping.
- Specify a SAML Enterprise identity provider attribute by using one of the following options.
- Select from the following list.
Attribute name - Description
company - Company of the user.
country - Country of the user.
displayName - Display name of the user.
email - Email address of the user, where notifications are sent.
family_name - Surname of the user.
given_name - Given name of the user.
mobile_number - Mobile number of the user, where notifications are sent.
userID - Unique identifier of the user.
Custom rule - Custom SAML Enterprise identity provider attribute. If you select Custom rule, enter a custom rule in the rule editor, and click OK to save.
- Enter an attribute name in the Select an attribute field. Use this option for an attribute name that is not available in the list of options.
- Select a transformation value to transform the SAML Enterprise identity provider attribute, or leave the default value as None.
Transformation - Description
Uppercase - Transforms the attribute to uppercase.
Lowercase - Transforms the attribute to lowercase.
Base64 Encode - Transforms the attribute by using the base64 encoding algorithm.
Base64 Decode - Transforms the attribute by using the base64 decoding algorithm.
Encode URI - Transforms the attribute by using the encode URI method.
Encode URI Component - Transforms the attribute by using the encode URI component method.
Decode URI - Transforms the attribute by using the decode URI method.
Decode URI Component - Transforms the attribute by using the decode URI component method.
Generate UUID if no value is evaluated - Generates a universally unique identifier when the attribute has no value.
Current Time (seconds) - Transforms the attribute to the current time in seconds.
Current Time (milliseconds) - Transforms the attribute to the current time in milliseconds.
SHA-256 Hash - Transforms the attribute by using the SHA-256 algorithm.
SHA-512 Hash - Transforms the attribute by using the SHA-512 algorithm.
- Specify an IBM Verify attribute. For more information on attributes, see Managing attributes. Note: Avoid selecting the following reserved built-in attributes, because they are not mapped to identity provider attributes: groupIds, preferred_username, realmName, tenantId, uid.
- Specify how the attribute is stored in the user profile.
- Always - Store or update the attribute at each login.
- On user creation only - Store the attribute only when the account is created.
- Disable - Never store or update the attribute.
- Required: Repeat the process for each attribute that you add and map.
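An added example, not part of this documentation or of IBM Verify: a Python model of the attribute mapping step above. Each mapping names a source attribute from the SAML assertion, a transformation, the target Verify attribute and a storage policy; apply_mappings() computes what would be written to the profile for a new user versus an existing one, and refuses the reserved built-in attributes named in the note. Only a subset of the transformations is implemented, as Python stand-ins rather than the product's own code; the assertion values, the mapping table and the target attribute names externalId, givenName and employer are constructed assumptions.

```python
import base64
import hashlib
import uuid

# Reserved built-in attributes that the note above says are not mapped.
RESERVED = {"groupIds", "preferred_username", "realmName", "tenantId", "uid"}

# A subset of the transformations listed above (Python stand-ins, not Verify's code).
TRANSFORMS = {
    "None": lambda v: v,
    "Uppercase": str.upper,
    "Lowercase": str.lower,
    "Base64 Encode": lambda v: base64.b64encode(v.encode()).decode(),
    "SHA-256 Hash": lambda v: hashlib.sha256(v.encode()).hexdigest(),
    "Generate UUID if no value is evaluated": lambda v: v or str(uuid.uuid4()),
}


def apply_mappings(mappings, assertion_attrs, user_exists):
    """Compute the profile write for one login.
    mappings: (source attribute, transformation, Verify attribute, storage) tuples,
    where storage is 'Always', 'On user creation only' or 'Disable'.
    Returns (update, rejected): the values to store, and the targets refused
    because they are reserved built-in attributes."""
    update, rejected = {}, []
    for source, transform, target, storage in mappings:
        if target in RESERVED:
            rejected.append(target)
            continue
        if storage == "Disable":                          # never stored or updated
            continue
        if storage == "On user creation only" and user_exists:
            continue                                      # value from creation is kept
        update[target] = TRANSFORMS[transform](assertion_attrs.get(source, ""))
    return update, rejected


# Constructed sample: attributes from one SAML assertion and a mapping table.
# Target names externalId, givenName and employer are assumed, not Verify's.
ASSERTION = {"email": "Alice.Example@corp.test", "given_name": "Alice", "company": "Corp"}
MAPPINGS = [
    ("email", "Lowercase", "email", "Always"),
    ("email", "SHA-256 Hash", "externalId", "On user creation only"),
    ("given_name", "None", "givenName", "Always"),
    ("company", "Uppercase", "employer", "Disable"),
    ("email", "None", "preferred_username", "Always"),    # reserved target, rejected
]
```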
- Optional: Select one of the following Group membership sources to specify the source of the user access permission groups.
Attention: Be careful when you configure a Group membership source. If it is configured to derive from the Identity Source, user access permissions are derived from the identity provider token, which includes the groupIds claim. If the groupIds claim has the value of the reserved system groups of IBM Verify, the user is granted the reserved system group permissions after the user logs in to IBM Verify.
- Cloud Directory - User access permissions are derived from the user groups in the Cloud Directory.
- Cloud Directory and Identity Source - User access permissions are derived from the user groups in the Cloud Directory and from the identity provider token, which includes the groupIds claim.
- Identity Source - User access permissions are derived from the identity provider token, which includes the groupIds claim. Note: If the identity provider token does not contain the groupIds claim, you do not get any group membership permissions.
- Custom rule - If you select Custom rule, enter a custom rule in the rule editor, then click OK to save. User access permissions are derived based on the custom rule.
Note: If you do not make a selection, the Group membership source that is selected in the Global settings is applied. Otherwise, the Group membership source that is selected in the SAML Enterprise identity provider overrides the selection in the Global settings.
- Select Next.
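An added example, not part of this documentation or of IBM Verify: a Python model of how the three fixed Group membership sources above combine Cloud Directory groups with the groupIds claim of the identity provider token, including the missing-claim case, together with a check for the risk the Attention note describes. The reserved system group name is a constructed placeholder (the real names are not listed on this page), Custom rule is not modelled, and the sample directory groups and token are constructed.

```python
# Assumed placeholder for IBM Verify's reserved system groups; substitute the real names.
RESERVED_SYSTEM_GROUPS = {"PLACEHOLDER_RESERVED_ADMIN_GROUP"}


def effective_groups(source, cloud_directory_groups, token_claims):
    """Return (groups, reserved_from_idp): the groups a login would be granted
    under the chosen Group membership source, and those among them that are
    reserved system groups asserted by the identity provider token rather than
    held in Cloud Directory, which is the case the Attention note warns about."""
    cd = set(cloud_directory_groups)
    # A token without a groupIds claim grants no group permissions from the identity source.
    idp = set(token_claims.get("groupIds") or [])
    if source == "Cloud Directory":
        groups, from_idp = cd, set()
    elif source == "Cloud Directory and Identity Source":
        groups, from_idp = cd | idp, idp
    elif source == "Identity Source":
        groups, from_idp = idp, idp
    else:
        raise ValueError("unsupported Group membership source: " + source)
    return sorted(groups), sorted(from_idp & RESERVED_SYSTEM_GROUPS)


# Constructed inputs: a directory user in 'sales' whose token also asserts a reserved group.
CD_GROUPS = ["sales"]
TOKEN = {"sub": "alice", "groupIds": ["finance", "PLACEHOLDER_RESERVED_ADMIN_GROUP"]}
```

Running effective_groups("Identity Source", CD_GROUPS, TOKEN) shows the reserved group arriving from the token alone; reviewing that list before trusting the Identity Source is the practical check.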
- Optional: If you created privacy profiles, select a profile from the menu. Privacy profiles require users in this directory to review and consent to a set of data usage purposes, end user license agreements (EULAs), or both. See Managing privacy profiles.
- Select Next.
- Optional: If you enabled public preview CI-108233, select whether to enable user invitations. Invitations are created and sent by using the POST /v1.0/usc/user/invitation API. See Inviting users. Select the Enable user invitations check box to invite others to register as new users. You can also select a user profile for the user to enter more data as part of accepting the invitation. See Managing user profiles.
- Select Done.
The identity provider configuration opens in edit mode.