Configuring IBM Security Verify Access authentication

You must configure the IBM® Security Verify Access settings to use this authentication method.

Before you begin

  • If you have not already installed the IBM Security AppX Installer, navigate to https://exchange.xforce.ibmcloud.com/hub/extension/ad8f86525d3a9c1186c1bce524edc9c3 in a browser and download and install it. Log in with an IBM ID if you have not already done so.

    The IBM Security AppX Installer enables configuration of your IBM Security Verify Access appliance for use with partner applications published on the IBM Security App Exchange.

  • Navigate to IBM Security Verify Access Extension for Multi-factor Authentication API in a browser. Log in with an IBM ID if you have not already done so.

    Follow the provided links on the page to download the software and review the documentation.

    Pay close attention to the documented OAuth configuration parameters for running the installer script. These parameters begin with the prefix --oauth (for example --oauthproxy) and define the back-channel interface that IBM MFA uses to perform OTP authentication.

  • Ensure that backchannelcomplete.json complies with the following syntax:
    {"username":"@USERNAME@","status":"success"}
    The following syntax is also valid:
    {"username":"@USERNAME@","authenticationMechanismTypes":"@AUTHNMECHTYPES@","status":"success"}
  • Obtain the root CA public certificate of the IBM Security Verify Access server in .pem format.

About this task

To configure the IBM Security Verify Access authentication method, complete the following steps:

Procedure

  1. Log in to the IBM Security Verify Access local management interface (LMI).
  2. Navigate to Secure Access Control > Global Settings > Template Files > C > authsvc > authenticator > apimfa > browser.html.
  3. Configure the authentication context in the browser.html file:
    <td>
      <select name="authnctx">
        <option value="server-auth-ctx">Arbitrary text that describes your server</option>
      </select>
    </td>
    where server-auth-ctx must match the Authentication Context value that is configured on the IBM MFA server.
  4. A pending change message is displayed at the top of the main pane. Click the "Click here to review the changes or apply them to the system" link.
  5. In the Deploy Pending Changes page:
    1. To view the details of changes that are made to a particular module, click the link to that module.
    2. To deploy the changes, click Deploy.
    3. To abandon the changes, click Roll Back.
    4. To close the pop-up page without any actions against the changes, click Cancel.
  6. In the IBM MFA GUI, click the Authentication Methods tab.
  7. Select the IBM Security Verify Access authentication method.
  8. Use the following table to specify the IBM Security Verify Access authentication method:
    Table 1. IBM Security Verify Access Authentication Method Attributes

    Trace Level
      Allowed values: 0 through 3
      Description: Choose the initial trace level. Valid values are 0 through 3, where a higher value indicates greater verbosity. The default value is 0.

    PKCS#11 Key Label
      Allowed values: Actual PKCS#11 key label
      Description: The name of the key label that is used to encrypt the client secret. The PKCS#11 key label has a limit of 32 characters.

    Trusted CA Path
      Allowed values: Valid file specification
      Description: The file specification of the root CA public certificate of the IBM Security Verify Access server, in .pem format.

    Client ID
      Allowed values: Actual client ID
      Description: User ID that is used to obtain an access or bearer token.

    Client Secret
      Allowed values: Actual value
      Description: Password for the Client ID.

    Authentication Context
      Allowed values: Default application context
      Description: Enables specific OTP generation for an authentication context. Must match that of the IBM Security Verify Access server unless the application context is included as a user tag.

    Access Token URL
      Allowed values: URL
      Description: The URL to which the client ID and secret are sent to obtain the access or bearer token.

    One-Time Passcode Validation URL
      Allowed values: URL
      Description: The URL to which user authentication requests are sent.

    Timeout
      Allowed values: Number of seconds, from 1 through 30
      Description: The amount of time the connection can remain inactive before the session times out.
  9. Click Save.
  10. Restart the IBM MFA daemon, as described in Restarting the IBM MFA server.
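As an added pre-flight check that is not part of the IBM documentation, the following Python script validates a backchannelcomplete.json body against the two shapes listed under Before you begin and checks a set of Table 1 values against the limits the table states. The sample settings, host name, paths and secret are constructed placeholders, and requiring https for the two URLs is this example's own check rather than a requirement stated in the documentation.

```python
import json
from urllib.parse import urlparse
# Constructed sample of the Table 1 attributes; host, paths and secret are placeholders.
SAMPLE_SETTINGS = {
    "trace_level": 0,                               # 0 through 3
    "pkcs11_key_label": "MFA.VERIFY.SECRET",         # at most 32 characters
    "trusted_ca_path": "/etc/mfa/verify-root-ca.pem",
    "client_id": "mfa-client",
    "client_secret": "placeholder-secret",
    "authentication_context": "server-auth-ctx",    # must match the Verify Access server
    "access_token_url": "https://verify.example.com/mga/sps/oauth/oauth20/token",
    "otp_validation_url": "https://verify.example.com/mga/sps/apiauthsvc",
    "timeout": 10,                                  # seconds, 1 through 30
}

def check_backchannel_complete(text):
    """Return problems in a backchannelcomplete.json body; [] means it matches a documented shape."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return ["not valid JSON: %s" % exc]
    problems = []
    if doc.get("username") != "@USERNAME@":
        problems.append('"username" must be the @USERNAME@ macro')
    if doc.get("status") != "success":
        problems.append('"status" must be "success"')
    # authenticationMechanismTypes is optional, but when present it must carry its macro
    if "authenticationMechanismTypes" in doc and doc["authenticationMechanismTypes"] != "@AUTHNMECHTYPES@":
        problems.append('"authenticationMechanismTypes" must be the @AUTHNMECHTYPES@ macro')
    extra = sorted(set(doc) - {"username", "status", "authenticationMechanismTypes"})
    if extra:
        problems.append("unexpected keys: %s" % extra)
    return problems

def check_settings(s):
    """Return problems with the Table 1 attributes; [] means every documented limit holds."""
    problems = []
    if s["trace_level"] not in (0, 1, 2, 3):
        problems.append("Trace Level must be 0 through 3")
    if not 1 <= len(s["pkcs11_key_label"]) <= 32:
        problems.append("PKCS#11 Key Label must be 1 to 32 characters")
    if not s["trusted_ca_path"].endswith(".pem"):
        problems.append("Trusted CA Path must name a .pem file")
    if not 1 <= s["timeout"] <= 30:
        problems.append("Timeout must be 1 through 30 seconds")
    for name in ("access_token_url", "otp_validation_url"):
        u = urlparse(s[name])
        if u.scheme != "https" or not u.netloc:     # https is this example's own check
            problems.append("%s must be an absolute https URL" % name)
    return problems
```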