Adding remote users to IBM Security Verify

Add IBM Spectrum® Control users (remote users) to the Cloud Directory in IBM Security® Verify. This task is done by your system, network, or IBM Spectrum Control administrator.

For remote users that authenticate with LDAP servers, install and configure IBM Security Verify Bridge for Directory Sync on your LDAP server, such as Windows™ Active Directory. IBM Security Verify Bridge for Directory Sync duplicates any users and groups that are defined on the source LDAP server into the Cloud Directory in IBM Security Verify. Any subsequent changes that are made to the source LDAP server are copied automatically to the Cloud Directory in IBM Security Verify.

Important: You must add users to IBM Security Verify before you enable multifactor authentication in IBM Spectrum Control. Any IBM Spectrum Control users that are not added will be unable to log in after multifactor authentication is enabled.

To add remote users to the Cloud Directory in IBM Security Verify, complete the following steps:
  1. Download and install IBM Security Verify Bridge for Directory Sync on your supported LDAP server.
    For more information, see IBM Security Verify Bridge for Directory Sync in the IBM Security Verify documentation.
  2. After the installation completes, you must update the sample JSON file and add properties that define connection settings and the LDAP server.
    On your supported LDAP server, open the /DirectorySync/ directory, create a copy of the file IcbLdapSync.json.ad-sample and rename it IcbLdapSync.json.
  3. Open the file in a text editor.
  4. Under the ibm-auth-api JSON object, complete the following steps:
    client-id
    Enter the client ID that was automatically generated when you created the system as an application in IBM Security Verify.
    obf-client-secret
    1. Change the name of this JSON object to: client-secret.
    2. Enter the client secret that was automatically generated when you created the system as an application in IBM Security Verify.
    host
    Enter the hostname for the IBM Security Verify tenant, for example, tenant.verify.ibm.com, where tenant is the name that you specified when you created your subscription. Usually this name is associated with your company or organization, such as bankxyz. For example, bankxyz.verify.ibm.com.
    port (optional)
    Enter the port for your IBM Security Verify tenant.
    proxy (optional)
    Enter the hostname for the proxy server.

    For more information, see ibm-auth-api JSON object in the IBM Security Verify documentation.

  5. Under the cloud-bridge JSON object, add the following information:
    ldap-poll-time
    Enter a value in seconds that determines how frequently the LDAP directory and the Cloud Directory are synchronized. The default setting is 4 seconds. However, the example JSON file uses the value of 60 seconds. You can change this value based on your needs. For more information, see the cloud-bridge JSON object in the IBM Security Verify documentation.
  6. Under the ldap JSON object, add the following information:
    host
    Enter the hostname of the LDAP server.
    port
    Enter the port number for the LDAP server.
    user
    Enter the distinguished name (DN) of the Administrator account for the LDAP server. Typically the Administrator account has the required permissions. For example: "user":"CN=Administrator,CN=Users,DC=mydomain,DC=com"
    obf-password
    1. Change the name of this JSON object to: password.
    2. Enter the password for the Administrator for the LDAP server.

    For more information, see the ldap JSON object in the IBM Security Verify documentation.

  7. Under the user JSON object, add the following information:
    realm
    Change the realm to "cloudIdentityRealm".
    userCategory
    Change userCategory to "regular".
    Notification
    Ensure that you include the following values:
     "notifyType": "EMAIL",
     "notifyPassword": true,
     "notifyManager": false
    These values specify that an email notification is sent when users are added to the Cloud Directory in IBM Security Verify. In the email notification, users are instructed to access IBM Security Verify and select second factors to authenticate to IBM Spectrum Control.

    For more information, see the user JSON object in the IBM Security Verify documentation.

  8. Under the ldap-to-scim JSON object, remove or comment out the following string:
    "append":"@cloudIdentityRealm"

    For more information, see the ldap-to-scim JSON object in the IBM Security Verify documentation.

  9. Save the JSON file.
    The updated JSON file looks like the following example:
    {
        "ibm-auth-api":{
            "timeout":100,
            "client-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
            "client-secret":"xxxxxxxxx",
            "protocol":"https",
            "host":"tenant.verify.ibm.com",
            "port":xxx,
            "proxy":"x.xx.xx.x:xxxx",
            "max-handles":16
        },
        "cloud-bridge":{
            "max-ops": 512,
            /* "trace-file":"c:/tmp/cloudbridge.log", */
            "enable-op-log":true,
            "op-log-rollover": 2097152,
            "do-not-sync-delete":  false,
            "ldap-search-filter":"(&(|(objectClass=user)(objectClass=group))(!(isCriticalSystemObject=*)))",
            "ldap-is-deleted-attr":"isDeleted",
            "ldap-poll-time":60,
            /* "log-stats-interval": 30, */
            /* "ldap-base-dn": "DC=mycompany,DC=com", */
            "ldap":{
                "host":"ldapserver.example.com",
                "port":xxx,
                "user":"CN=Administrator,CN=Users,DC=mycompany,DC=com",
                "password":"password",
                "use-tls":false,
                "start-tls":false
            },
            "user":{
                "ldap-object-classes": [ "user" ],
                "scim-external-id-attr":"externalId",
                "scim-outline":{
                    "urn:ietf:params:scim:schemas:extension:ibm:2.0:User":{
                        "realm":"cloudIdentityRealm",
                        "userCategory":"regular"
                    },
                    "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification": {
                        "notifyType": "EMAIL",
                        "notifyPassword": true,
                        "notifyManager": false
                    },
                    "schemas":[
                        "urn:ietf:params:scim:schemas:core:2.0:User",
                        "urn:ietf:params:scim:schemas:extension:ibm:2.0:User",
                        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
                        "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification"
                    ]
                },
                "ldap-to-scim":[
                    {
                        "ldap":"sAMAccountName",
                        "tweaks":{
                            /* "append":"@cloudIdentityRealm" */
                        },
                        "new-attr":{
                            "scim":{"userName":"{{value}}"}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"userName","value":"{{value}}"},
                                "remove":{"op":"remove","path":"userName"},
                                "replace":{"op":"replace","path":"userName","value":"{{value}}"}
                            }
                        }
                    },
    /* Example of using a custom attribute: */
    /*
                    {
                        "ldap":"carLicense",
                        "is-multi-value":true,
                        "new-attr": {
                            "scim":{
                                "urn:ietf:params:scim:schemas:extension:ibm:2.0:User":{"customAttributes":[{"values":["{{value}}"],"name":"myattrscim"}]}
                            }
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:User:customAttributes",
                                    "value":[{"name":"myattrscim","values":["{{value}}"]}]},
                                "remove-all":{"op":"remove","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:User:customAttributes[name eq \"myattrscim\"]"},
                                "remove":{"op":"remove","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:User:customAttributes[name eq \"myattrscim\"].values",
                                    "value":["{{value}}"]},
                                "replace":{"op":"add","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:User:customAttributes",
                                    "value":[{"name":"myattrscim","values":["{{value}}"]}]}
                            }
                        }
                    },
    */
                    {
                        "ldap":"cn",
                        "new-attr":{
                            "scim":{"displayName":"{{value}}"}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"displayName","value":"{{value}}"},
                                "remove":{"op":"remove","path":"displayName"},
                                "replace":{"op":"replace","path":"displayName","value":"{{value}}"}
                            }
                        }
                    },
                    {
                        "ldap":"telephoneNumber",
                        "new-attr":{
                            "scim":{"phoneNumbers":[{"type":"work","value":"{{value}}"}]}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"phoneNumbers","value":[{"type":"work","value":"{{value}}"}]},
                                "remove":{"op":"remove","path":"phoneNumbers[type eq \"work\"]"},
                                "replace":{"op":"add","path":"phoneNumbers","value":[{"type":"work","value":"{{value}}"}]}
                            }
                        }
                    },
                    {
                        "ldap":"mobile",
                        "new-attr":{
                            "scim":{"phoneNumbers":[{"type":"mobile","value":"{{value}}"}]}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"phoneNumbers","value":[{"type":"mobile","value":"{{value}}"}]},
                                "remove":{"op":"remove","path":"phoneNumbers[type eq \"mobile\"]"},
                                "replace":{"op":"add","path":"phoneNumbers","value":[{"type":"mobile","value":"{{value}}"}]}
                            }
                        }
                    },
                    {
                        "ldap":"homePhone",
                        "new-attr":{
                            "scim":{"phoneNumbers":[{"type":"home","value":"{{value}}"}]}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"phoneNumbers","value":[{"type":"home","value":"{{value}}"}]},
                                "remove":{"op":"remove","path":"phoneNumbers[type eq \"home\"]"},
                                "replace":{"op":"add","path":"phoneNumbers","value":[{"type":"home","value":"{{value}}"}]}
                            }
                        }
                    },
                    {
                        "ldap":"ipPhone",
                        "new-attr":{
                            "scim":{"phoneNumbers":[{"type":"pager","value":"{{value}}"}]}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"phoneNumbers","value":[{"type":"pager","value":"{{value}}"}]},
                                "remove":{"op":"remove","path":"phoneNumbers[type eq \"pager\"]"},
                                "replace":{"op":"add","path":"phoneNumbers","value":[{"type":"pager","value":"{{value}}"}]}
                            }
                        }
                    },
                    {
                        "ldap":"facsimileTelephoneNumber",
                        "new-attr":{
                            "scim":{"phoneNumbers":[{"type":"fax","value":"{{value}}"}]}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"phoneNumbers","value":[{"type":"fax","value":"{{value}}"}]},
                                "remove":{"op":"remove","path":"phoneNumbers[type eq \"fax\"]"},
                                "replace":{"op":"add","path":"phoneNumbers","value":[{"type":"fax","value":"{{value}}"}]}
                            }
                        }
                    },
                    {
                        "ldap":"givenName",
                        "new-attr":{
                            "scim":{"name":{"givenName":"{{value}}"}}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"name.givenName","value":"{{value}}"},
                                "remove":{"op":"remove","path":"name.givenName"},
                                "replace":{"op":"replace","path":"name.givenName","value":"{{value}}"}
                            }
                        }
                    },
                    {
                        "ldap":"sn",
                        "new-attr":{
                            "scim":{"name":{"familyName":"{{value}}"}}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"name.familyName","value":"{{value}}"},
                                "remove":{"op":"remove","path":"name.familyName"},
                                "replace":{"op":"replace","path":"name.familyName","value":"{{value}}"}
                            }
                        }
                    },
                    {
                        "ldap":"displayName",
                        "new-attr":{
                            "scim":{"name":{"formatted":"{{value}}"}}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"name.formatted","value":"{{value}}"},
                                "remove":{"op":"remove","path":"name.formatted"},
                                "replace":{"op":"replace","path":"name.formatted","value":"{{value}}"}
                            }
                        }
                    },
                    {
                        "ldap":"streetAddress",
                        "new-attr":{
                            "scim":{"addresses":[{"type":"work","streetAddress":"{{value}}"}]}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"addresses","value":[{"type":"work","streetAddress":"{{value}}"}]},
                                "remove":{"op":"remove","path":"addresses[type eq \"work\"]"},
                                "replace":{"op":"add","path":"addresses","value":[{"type":"work","streetAddress":"{{value}}"}]}
                            }
                        }
                    },
                    {
                        "ldap":"manager",
                        "is-dn":true,
                        "new-attr":{
                            "scim":{"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"manager":{"value":"{{value}}"}}}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value","value":"{{value}}"},
                                "remove":{"op":"remove","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value"},
                                "replace":{"op":"replace","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value","value":"{{value}}"}
                            }
                        }
                    },
                    {
                        "ldap":"mail",
                        "new-attr":{
                            "scim":{"emails":[{"type":"work","value":"{{value}}"}]}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"emails","value":[{"type":"work","value":"{{value}}"}]},
                                "remove":{"op":"remove","path":"emails[type eq \"work\"]"},
                                "replace":{"op":"add","path":"emails","value":[{"type":"work","value":"{{value}}"}]}
                            }
                        }
                    },
                    {
                        "ldap":"department",
                        "new-attr":{
                            "scim":{"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"department":"{{value}}"}}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department","value":"{{value}}"},
                                "remove":{"op":"remove","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department"},
                                "replace":{"op":"replace","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department","value":"{{value}}"}
                            }
                        }
                    },
                    {
                        "ldap":"objectGUID",
                        "is-binary":true,
                        "new-attr":{
                            "scim":{"externalId":"{{value}}"}
                        }
                    },
                    {
                        "ldap":"userAccountControl",
                        "new-attr":{
                            "cond-scim":{
                                "if":{"&":["{{value}}", "2"]},
                                "then":{"active":false},
                                "else":{"active":true}
                            }
                        },
                        "mod-attr":{
                            "cond-scim":{
                                "if":{"&":["{{value}}","2"]},
                                "then":{
                                    "add":{"op":"add","path":"active","value":false},
                                    "remove":{"op":"remove","path":"active"},
                                    "replace":{"op":"replace","path":"active","value":false}
                                },
                                "else":{
                                    "add":{"op":"add","path":"active","value":true},
                                    "remove":{"op":"remove","path":"active"},
                                    "replace":{"op":"replace","path":"active","value":true}
                                }
                            }
                        }
                    }
                ]
            },
            "group":{
                "ldap-object-classes": [ "group" ],
                "scim-external-id-attr":"externalId",
                "scim-outline":{
                    "schemas":[
                        "urn:ietf:params:scim:schemas:core:2.0:Group",
                        "urn:ietf:params:scim:schemas:extension:ibm:2.0:Group"
                    ]
                },
                "ldap-to-scim":[
                    {
                        "ldap":"sAMAccountName",
                        "new-attr":{
                            "scim":{"displayName":"{{value}}"}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"displayName","value":"{{value}}"},
                                "remove":{"op":"remove","path":"displayName"},
                                "replace":{"op":"replace","path":"displayName","value":"{{value}}"}
                            }
                        }
                    },
                    {
                        "ldap":"objectGUID",
                        "is-binary":true,
                        "new-attr":{
                            "scim":{"externalId":"{{value}}"}
                        }
                    },
                    {
                        "ldap":"description",
                        "new-attr":{
                            "scim":{"urn:ietf:params:scim:schemas:extension:ibm:2.0:Group":{"description":"{{value}}"}}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:Group:description","value":"{{value}}"},
                                "remove":{"op":"remove","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:Group:description"},
                                "replace":{"op":"replace","path":"urn:ietf:params:scim:schemas:extension:ibm:2.0:Group:description","value":"{{value}}"}
                            }
                        }
                    },
                    {
                        "ldap":"member",
                        "is-dn":true,
                        "is-multi-value":true,
                        "new-attr":{
                            "scim":{"members":[{"type":"{{type}}","value":"{{value}}"}]}
                        },
                        "mod-attr":{
                            "scim":{
                                "add":{"op":"add","path":"members","value":[{"type":"{{type}}","value":"{{value}}"}]},
                                "remove":{"op":"remove","path":"members[value eq {{jq_value}}]"},
                                "remove-all":{"op":"remove","path":"members"},
                                "replace":{"op":"replace","path":"members","value":[{"type":"{{type}}","value":"{{value}}"}]}
                            }
                        }
                    }
                ]
            }
        }
    }
    
  10. To synchronize the LDAP server and the Cloud Directory for the first time, run IcbLdapSync.exe.
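A check for the edited file before the first run of IcbLdapSync.exe, as an added example that is not part of IBM's documentation or of the bridge itself: it strips the sample file's /* */ comments (which a plain JSON parser rejects), then verifies the renames and values that steps 4 to 8 require, and reports any step that is still outstanding. The trimmed sample configuration, the LDAP port 636, and the function names are constructed for this example.

```python
import json
import re

# Constructed sample (not IBM's file): a trimmed IcbLdapSync.json in the state
# the procedure leaves it in, including the /* */ comments plain JSON rejects.
EDITED = r'''{
  "ibm-auth-api":{ "client-id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "client-secret":"xxxxxxxxx", "host":"tenant.verify.ibm.com" },
  "cloud-bridge":{
    /* "trace-file":"c:/tmp/cloudbridge.log", */
    "ldap-poll-time":60,
    "ldap":{ "host":"ldapserver.example.com", "port":636,
      "user":"CN=Administrator,CN=Users,DC=mycompany,DC=com", "password":"password" },
    "user":{
      "scim-outline":{
        "urn:ietf:params:scim:schemas:extension:ibm:2.0:User":{
          "realm":"cloudIdentityRealm", "userCategory":"regular" },
        "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification":{
          "notifyType":"EMAIL", "notifyPassword":true, "notifyManager":false } },
      "ldap-to-scim":[ { "ldap":"sAMAccountName",
          "tweaks":{ /* "append":"@cloudIdentityRealm" */ },
          "new-attr":{ "scim":{ "userName":"{{value}}" } } } ] } } }'''

# The same file before steps 4, 6 and 8 were applied (derived from EDITED).
UNEDITED = (EDITED.replace('"client-secret"', '"obf-client-secret"')
                  .replace('"password":', '"obf-password":')
                  .replace('/* "append":"@cloudIdentityRealm" */',
                           '"append":"@cloudIdentityRealm"'))

IBM_USER = "urn:ietf:params:scim:schemas:extension:ibm:2.0:User"
NOTIFY = "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification"

def load_bridge_config(text):
    """Strip the sample file's /* ... */ comments, then parse it as JSON."""
    return json.loads(re.sub(r'/\*.*?\*/', '', text, flags=re.DOTALL))

def audit_bridge_config(text):
    """Return the procedure steps the file still violates (empty list = ready)."""
    cfg = load_bridge_config(text)
    problems = []
    auth = cfg.get("ibm-auth-api", {})
    if "obf-client-secret" in auth or "client-secret" not in auth:
        problems.append("step 4: rename obf-client-secret to client-secret")
    bridge = cfg.get("cloud-bridge", {})
    if not isinstance(bridge.get("ldap-poll-time"), int):
        problems.append("step 5: ldap-poll-time (seconds) is missing")
    ldap = bridge.get("ldap", {})
    if "obf-password" in ldap or "password" not in ldap:
        problems.append("step 6: rename obf-password to password")
    if "=" not in str(ldap.get("user", "")):
        problems.append("step 6: ldap user must be a DN, not a bare account name")
    user = bridge.get("user", {})
    outline = user.get("scim-outline", {})
    ibm = outline.get(IBM_USER, {})
    if (ibm.get("realm"), ibm.get("userCategory")) != ("cloudIdentityRealm", "regular"):
        problems.append("step 7: realm must be cloudIdentityRealm and userCategory regular")
    n = outline.get(NOTIFY, {})
    if (n.get("notifyType"), n.get("notifyPassword"), n.get("notifyManager")) != ("EMAIL", True, False):
        problems.append("step 7: notification must be EMAIL, notifyPassword true, notifyManager false")
    for m in user.get("ldap-to-scim", []):
        if m.get("ldap") == "sAMAccountName" and "append" in m.get("tweaks", {}):
            problems.append("step 8: remove the append @cloudIdentityRealm tweak")
    return problems

if __name__ == "__main__":
    for label, text in (("edited", EDITED), ("unedited", UNEDITED)):
        print(label, audit_bridge_config(text) or "OK")
```

To check a real file, read /DirectorySync/IcbLdapSync.json into a string and pass it to audit_bridge_config; an empty list means every step's edit is present.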

Depending on your security requirements, you can either require only a certain type of second factor or let users select from the supported list of available factors when they log in for the first time. If you want to control which factors and their settings users can specify, select Security from the IBM Security Verify administrator dashboard.

After you have added all users to IBM Security Verify, each user receives an email notification with instructions on setting up the second factors for their account. When these users log in to IBM Spectrum Control, they are directed to IBM Security Verify to present the second factor.