OAuth with IBM Verify

IBM® Verify provides identity-as-a-service for employees, including SSO, multifactor authentication, and user lifecycle management. It can be used as an Identity Provider by the IBM Application Gateway (IAG) using OAuth Introspection (as depicted below).


OAuth Introspection Flow

Prerequisites

Before attempting to configure IBM Verify as an identity provider for IAG:

  1. You need an IBM Verify tenant. If you do not already have one, a free tenant can be obtained from https://www.ibm.com/account/reg/au-en/signup?formid=urx-36648.
  2. You need to create an API client in your IBM Verify tenant. Information on how to do this can be obtained from the Protecting Web Applications with IBM Verify page. When creating the API client you need to take special note of the created client ID and secret.

Configuration

The IBM Verify configuration is contained within the identity/oauth node of the IAG configuration YAML:

  • A description of the configuration options is available from the oauth page within the YAML reference. A minimal configuration requires the following configuration data:
    • Name
    • Introspection Endpoint
    • Client Identity
    • Client Secret
    • Attributes
  • An example configuration file is also available in the OAuth Configuration example page.
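
How the introspection endpoint, client identity, client secret and attributes listed above come together in an introspection call, as an added example that is not IAG's or IBM Verify's own code. It follows RFC 7662 and assumes the API client authenticates with HTTP Basic; the endpoint URL, function names and sample responses are constructed for illustration.

```python
import base64
import json
import time
from urllib.parse import urlencode

def build_introspection_request(endpoint, client_id, client_secret, token):
    """Build the RFC 7662 POST: client credentials in HTTP Basic, token in the form body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return endpoint, headers, body

def evaluate_introspection(raw_json, wanted_attributes, now=None):
    """Return the requested attributes for an active token, or None (fail closed)."""
    now = time.time() if now is None else now
    try:
        data = json.loads(raw_json)
    except ValueError:
        return None
    # "active" must be the JSON boolean true; a string "true" or a missing field is rejected.
    if not isinstance(data, dict) or data.get("active") is not True:
        return None
    exp = data.get("exp")
    if exp is not None and (isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now):
        return None
    return {name: data[name] for name in wanted_attributes if name in data}

# Constructed sample responses (not captured from a real tenant).
ACTIVE = '{"active": true, "sub": "alice", "scope": "openid", "exp": 2000000000}'
INACTIVE = '{"active": false}'

if __name__ == "__main__":
    url, headers, body = build_introspection_request(
        "https://tenant.example/introspect",  # placeholder endpoint
        "CLIENT_ID", "CLIENT_SECRET", "opaque-access-token")
    print(url, body)
    print(evaluate_introspection(ACTIVE, ["sub", "scope"], now=1700000000))
    print(evaluate_introspection(INACTIVE, ["sub"]))
```

Any response that is malformed, inactive or expired yields None, so a caller that treats None as unauthenticated fails closed.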