Configuring OIDC-based user authentication

You can configure IBM® Security Guardium® Key Lifecycle Manager to use a supported OpenID Connect (OIDC) provider for user authentication.

About this task

You can use the graphical user interface or the REST interface to configure OIDC.
Note: On a multi-master or replication setup, if you update the certificate that is used to trust the OIDC server in IBM Security Guardium Key Lifecycle Manager, restart the clone server manually for the change to take effect. For instructions, see Restarting the Guardium Key Lifecycle Manager server.

Procedure

  • Using graphical user interface
    1. Log in to the graphical user interface by using your credentials.
    2. Click User Management.
      The Users page opens and displays a list of the users and their assigned roles and groups.
    3. Click the Authentication Providers tab.
      The current user authentication properties are displayed.
    4. To configure or modify the existing user authentication settings, click Update.
    5. To configure or update the OIDC-based authentication, click the LDAP/OIDC tab, and select OIDC.
    6. To enable OIDC as the authentication method, select Enable OIDC-based Authentication.
    7. Specify the Client ID and Client secret value that you used to register this application on the OpenID Connect provider, and click Next.
    8. Specify values for the following parameters:
      Authentication server details

      Discovery URL
        Specify the discovery URL. The discovery URL is the base URL of the provider (https://host_name:port_number/oidc/endpoint/provider_name) suffixed with /.well-known/openid-configuration. The discovery URL has the following format:

        https://host_name:port_number/oidc/endpoint/provider_name/.well-known/openid-configuration

        Where,
        host_name
          The host name of the OpenID Connect provider.
        port_number
          The secure (HTTPS) port number that is configured on the OpenID Connect server.
        provider_name
          The OpenID Connect provider name.
      Method
        Select the token validation method: introspect or userinfo.
      Endpoint URL
        Specify the endpoint URL for the selected method, in the following format.
        For the method introspect:
          https://host_name:port_number/oidc/endpoint/provider_name/introspect
        For the method userinfo:
          https://host_name:port_number/oidc/endpoint/provider_name/userinfo
      User Identifier
        Specify the claim that uniquely identifies the user. You can specify one of the following identifiers: sub (default), profile, or email. The sub claim is the only identifier that the OpenID Connect specification guarantees to be unique and never reassigned within a provider; select profile or email only if your provider guarantees that the claim is unique and stable for every user.

      For more information, see https://openid.net/specs/openid-connect-core-1_0.html.

    9. Click Next.
    10. To import the OIDC provider certificate into the truststore, click Add. Specify a certificate name and click Browse to select a new provider certificate and upload it, or select an existing certificate.
      The selected provider certificate is listed in the table.
    11. Click Next.
    12. Review the summary of the parameter values and click Test Connection to verify that IBM Security Guardium Key Lifecycle Manager can connect to the OIDC provider with these values and the imported certificate.
    13. Click Submit.
    14. In the dialog box that opens, click Close.
      The values of the OIDC configuration parameters are displayed on the Authentication Providers page.
  • Using REST interface

    See the Update OIDC-Based Authentication Configuration REST Service section.

    1. Access the Swagger UI. For more information, see Using Swagger UI.
    2. Authenticate and authorize the IBM Security Guardium Key Lifecycle Manager REST API operations.
    3. To configure OIDC-based authentication, see Update OIDC-Based Authentication Configuration REST Service.
    4. To test connection to the OIDC provider, see Test Connection to OIDC Provider REST Service.
    5. To view the authentication configuration values, see Get Authentication Configuration Details REST Service.
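The following script is an added example and is not part of IBM Security Guardium Key Lifecycle Manager or its documentation. It shows, offline, the checks that a relying party makes against the values configured in the procedure above: it derives the base URL and the introspect or userinfo Endpoint URL from a Discovery URL in the format described in step 8, compares them with a discovery document, and maps an introspection or userinfo response to the configured User Identifier while refusing inactive tokens. The host name op.example.com, port 9443, provider name OP, the discovery document and the token responses are all constructed for the example; the fetch_discovery_document function is a live equivalent of the Test Connection step that trusts only the provider certificate you imported, and it is not called offline.

```python
"""Added example (not IBM code): relying-party checks against an OIDC provider,
using the Discovery URL and Endpoint URL formats from the procedure above.
The provider host, port, name, discovery document and responses are constructed."""
import json
import ssl
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Validation method -> discovery-document key that must advertise its endpoint.
METHODS = {"introspect": "introspection_endpoint", "userinfo": "userinfo_endpoint"}
USER_IDENTIFIERS = ("sub", "profile", "email")

# Constructed sample provider (hypothetical host name, port and provider name).
DISCOVERY_URL = "https://op.example.com:9443/oidc/endpoint/OP" + WELL_KNOWN
SAMPLE_DISCOVERY_DOC = {
    "issuer": "https://op.example.com:9443/oidc/endpoint/OP",
    "introspection_endpoint": "https://op.example.com:9443/oidc/endpoint/OP/introspect",
    "userinfo_endpoint": "https://op.example.com:9443/oidc/endpoint/OP/userinfo",
}


def base_url_from_discovery(discovery_url):
    """Strip /.well-known/openid-configuration and insist on HTTPS and a host name."""
    parts = urlsplit(discovery_url)
    if parts.scheme != "https":
        raise ValueError("discovery URL must use https, got %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("discovery URL has no host name")
    if not parts.path.endswith(WELL_KNOWN):
        raise ValueError("discovery URL must end with " + WELL_KNOWN)
    return "https://%s%s" % (parts.netloc, parts.path[: -len(WELL_KNOWN)])


def expected_endpoint(discovery_url, method):
    """Endpoint URL in the page's format: base URL followed by /introspect or /userinfo."""
    if method not in METHODS:
        raise ValueError("method must be introspect or userinfo")
    return base_url_from_discovery(discovery_url) + "/" + method


def check_discovery_document(discovery_url, doc, method):
    """Return a list of problems; empty means the configured values agree with what
    the provider advertises. Per OpenID Connect Discovery the issuer is the discovery
    URL without the well-known suffix, so a mismatch points at the wrong provider."""
    problems = []
    base = base_url_from_discovery(discovery_url)
    if doc.get("issuer") != base:
        problems.append("issuer %r does not match discovery base %r" % (doc.get("issuer"), base))
    key = METHODS[method]
    advertised = doc.get(key)
    if advertised != expected_endpoint(discovery_url, method):
        problems.append("%s %r does not match the configured Endpoint URL" % (key, advertised))
    return problems


def user_identifier(response, method, identifier="sub"):
    """Map a validated token to a user. An introspection response for an expired or
    revoked token carries "active": false and must never yield a user identifier."""
    if identifier not in USER_IDENTIFIERS:
        raise ValueError("identifier must be one of %s" % (USER_IDENTIFIERS,))
    if method == "introspect" and response.get("active") is not True:
        return None
    value = response.get(identifier)
    return value if isinstance(value, str) and value else None


def fetch_discovery_document(discovery_url, provider_cert_pem):
    """Live equivalent of the Test Connection step (not exercised offline): fetch the
    discovery document over TLS, trusting only the imported provider certificate
    (a PEM file) rather than the system CA bundle. Host name checking stays on."""
    ctx = ssl.create_default_context(cafile=provider_cert_pem)
    with urllib.request.urlopen(discovery_url, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print("problems:", check_discovery_document(DISCOVERY_URL, SAMPLE_DISCOVERY_DOC, "introspect"))
    print("active token ->", user_identifier({"active": True, "sub": "alice"}, "introspect"))
    print("revoked token ->", user_identifier({"active": False, "sub": "alice"}, "introspect"))
```

If check_discovery_document reports a problem, the Discovery URL, Method, or Endpoint URL entered in step 8 does not describe the provider you are actually talking to; fix the configuration rather than the check.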