OIDC with IBM Verify
IBM® Verify provides identity-as-a-service for employees, including SSO, multifactor authentication, and user lifecycle management. It can be used as an Identity Provider by the IBM Application Gateway (IAG) using the OpenID Connect authentication protocol (as depicted below).
Prerequisites
Before attempting to configure IBM Verify as an identity provider for IAG:
- You need an IBM Verify tenant. If you do not already have one, a free tenant can be obtained from https://www.ibm.com/account/reg/au-en/signup?formid=urx-36648.
- You need to create an IAG application in your IBM Verify tenant. Information on how to do this can be obtained from the Protecting Web Applications with IBM Verify page. When creating the application, take note of the generated client ID, client secret, and discovery endpoint URL; all three are needed for the IAG configuration.
Configuration
The IBM Verify configuration is contained within the 'identity/oidc' node of the IAG configuration YAML:
- A description of the configuration options is available from the oidc page within the YAML reference. A minimal configuration requires the following configuration data:
  - Discovery Endpoint (also known as the Client Identity endpoint)
  - Client Identity
  - Client Secret
- An example configuration file is also available in the OIDC with IBM Verify example page.
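Before pasting a discovery endpoint URL into the 'identity/oidc' node, it is worth confirming that the document it serves is consistent with that URL and only advertises HTTPS endpoints. The following added check (not IBM or IAG code) runs against a constructed sample discovery document; the tenant host and the document contents are placeholders, not values from a real tenant.

```python
"""Sanity-check an OpenID Connect discovery document before configuring IAG.
Added example, not IBM/IAG code; the URL and document below are constructed."""
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample shaped like an OIDC Discovery response; the host is a placeholder.
DISCOVERY_URL = "https://example-tenant.verify.example/oidc/endpoint/default" + WELL_KNOWN
SAMPLE_DOC = json.dumps({
    "issuer": "https://example-tenant.verify.example/oidc/endpoint/default",
    "authorization_endpoint": "https://example-tenant.verify.example/oidc/endpoint/default/authorize",
    "token_endpoint": "https://example-tenant.verify.example/oidc/endpoint/default/token",
    "jwks_uri": "https://example-tenant.verify.example/oidc/endpoint/default/jwks",
    "response_types_supported": ["code", "id_token", "token id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def check_discovery(discovery_url: str, body: str) -> list[str]:
    """Return the list of problems found; an empty list means the document passes."""
    problems = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"discovery document is not JSON: {exc}"]

    # OIDC Discovery: the document lives at issuer + /.well-known/openid-configuration,
    # so a mismatch means the configured URL and the issuer disagree (provider mix-up).
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") + WELL_KNOWN != discovery_url:
        problems.append(f"issuer {issuer!r} does not match discovery URL")

    # Every endpoint the gateway will call must be HTTPS, or codes and tokens travel in clear.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            problems.append(f"missing required field {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not HTTPS: {url}")

    # The gateway uses the authorization code flow, so 'code' must be offered.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise response_type=code")

    # RS256 is mandatory in the spec; 'none' would mean unsigned ID tokens and deserves review.
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        problems.append("RS256 ID token signing not advertised")
    if "none" in algs:
        problems.append("provider advertises alg=none for ID tokens")
    return problems


if __name__ == "__main__":
    print(check_discovery(DISCOVERY_URL, SAMPLE_DOC) or "discovery document looks sane")
```

Replace SAMPLE_DOC with the body returned by your tenant's discovery endpoint to run the same checks against a live document.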