IBM Security Identity Governance and Intelligence, Version 5.2.3.1

Managing OpenID connect configuration

You can use OpenID connect to access the Service Center. The OpenID connect provider must be able to authenticate the user and provide claims to a relying party about the authentication event and the user.

Before you begin

IBM® Security Identity Governance and Intelligence supports OpenID connect providers that meet the following requirements:
  • The provider is fully OIDC-compliant.
  • The user registry is managed by IBM Security Identity Governance and Intelligence.
  • The relying party, IBM Security Identity Governance and Intelligence, is reachable from the provider.
Ensure that you configured an OpenID connect provider such as IBM Security Access Manager. You need the following information to perform OpenID operations.
Table 1. Necessary information for configuration

All configurations:
  • Provider name: The service that provides your OpenID.
  • Certificate Alias: The label of the certificate that was uploaded to the trust store. This field is required when the signature algorithm is RS256 and the JWK URL is not provided. Otherwise, it is an optional field.
  • Signature algorithm: The algorithm that is used to sign the ID token that is issued by a provider. The default value is HS256.
  • User ID to create subject: The claim name in the provider's ID token that represents the user's unique identifier.
  • Client ID: A publicly exposed string that is used by the service API to identify the application. It is also used to build authorization.
  • Client secret: The secret that is used to authenticate the identity of the application to the service API when the application requests access to a user account. It must be kept private between the application and the API.
  • Domains: The domain that uses OpenID connect as the authentication mechanism.
Manual configuration:
  • Authorization URL: The initial endpoint that is contacted by the relying party to begin a flow.
  • Token URL: The endpoint that is used to exchange an authorization code for a token.
  • JWK URL: The JSON web key endpoint that is used for signature verification.
  • Scope: The scopes that are associated with access tokens determine what resources are available when the tokens are used to access OpenID connect protected endpoints. A non-normative example of scope: scope=openid profile email phone
  • Issuer identifier: The verifiable identifier for an issuer. An issuer identifier is a case-sensitive URL that uses the HTTP scheme. It contains scheme, host, and optionally, port number and path components. It cannot contain query or fragment components.
Discovery configuration:
  • Discovery URL: Perform discovery to locate the endpoints, scope, and signature algorithm.

About this task

You can configure one or more OpenID providers. However, only one provider can be used to access the Service Center at any one time.

Procedure

  1. From the top-level menu of the Appliance Dashboard, click Configure > Manage External Entities > OpenID connect Configuration. The OpenID connect Configuration page is displayed.
  2. Click the tab for the operation that you want to perform.
    Table 2. OpenID connect operations

    New: Use New to configure an OpenID provider.
      1. Click New.
      2. Provide the information based on the type of configuration that you want to perform, either Discovery configuration or Manual configuration.
      3. Click the Service Center check box.
      4. Click Save Configuration.
    Edit: Use Edit to change the provider information.
      1. Select the provider for which you want to change the information.
      2. Click Edit.
      3. Change the information in the available fields.
      4. Click Save Configuration.
    Delete: Use Delete to remove an OpenID provider configuration.
      1. Select the provider configuration that you want to remove.
      2. Click Delete.
      3. Click Yes on the confirmation message.
    Refresh: Updates the values in the grid.
    Note: You must register a redirect URI at the OpenID provider. After a successful authentication at the OpenID provider, the client is redirected to this URL. It has a specific format.
    https://hostname:9343/oidcclient/redirect/{Provider-Name}
    Where
    • hostname is either the application interface IP address or the application interface host name where IBM Security Identity Governance and Intelligence is running.
    • Provider-Name is the value of the Provider name attribute that you enter when you register the OpenID connect configuration in the virtual appliance.
    The OpenID provider certificate must be added to the virtual appliance truststore. You can do this task from the virtual appliance certificate page by adding the certificate to the signers. See Managing certificates.

    The following example is for setting up OpenID Connect Federation between IBM Security Access Manager Version 9 and the Identity Governance and Intelligence virtual appliance.

    1. Set up a federation in IBM Security Access Manager.

      Follow the directions at https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.0/com.ibm.isam.doc/config/task/tsk_config_op_federation.html

    2. Create and register the client.
      Follow the instructions at https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.0/com.ibm.isam.doc/config/task/tsk_config_op_partner.html
      The redirect URI is the Identity Governance and Intelligence application. The format is
      https://igiapplication:9343/oidcclient/redirect/provider-name
      Make sure that the provider name is the name of the OpenID Connect provider that you register in OpenID Connect Provider Configuration Panel in Identity Governance and Intelligence virtual appliance.
    3. Configure IBM Security Access Manager as an OpenID Connect provider. See https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.0/com.ibm.isam.doc/config/concept/con_oidc_auto_config_script.html.
    4. Go to https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.0/com.ibm.isam.doc/config/task/ConfiguringSAML2POC.html and perform steps 3, 5, and 6.
    5. Form the OpenID Connect endpoints. See https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.0/com.ibm.isam.doc/config/concept/con_oidc_endpoints.html.
    6. Ensure that the IBM Security Identity Governance and Intelligence user registry is synchronized with IBM Security Access Manager.
    7. Register the OpenID Connect provider in the IBM Security Identity Governance and Intelligence virtual appliance. Use the client ID, secret, and endpoints that were formed at IBM Security Access Manager. Make sure that the provider name is the same as the provider name in your redirect URL.
    8. Add the IBM Security Access Manager reverse proxy certificate in the application truststore. See Managing certificates.
    9. Restart the IBM Security Identity Governance and Intelligence server from the dashboard.
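    Putting Table 1's field rules, the redirect URI format from the note above, and step 7 together, as an added example (not IBM's code): it maps a constructed discovery document onto the manual-configuration fields, checks the certificate-alias and issuer-identifier rules, and confirms that the redirect URI registered at the provider matches the provider name. The host names, provider name, and endpoint paths are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document, shaped like the one a provider publishes at
# {issuer}/.well-known/openid-configuration. Sample values, not a real provider.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://isam.example.com/mga/sps/oauth/oauth20",
    "authorization_endpoint": "https://isam.example.com/mga/sps/oauth/oauth20/authorize",
    "token_endpoint": "https://isam.example.com/mga/sps/oauth/oauth20/token",
    "jwks_uri": "https://isam.example.com/mga/sps/oauth/oauth20/jwks",
    "scopes_supported": ["openid", "profile", "email", "phone"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

def issuer_is_valid(issuer):
    """Table 1 rule: scheme and host, optional port/path, no query or fragment."""
    parts = urlsplit(issuer)
    return bool(parts.scheme) and bool(parts.netloc) and not parts.query and not parts.fragment

def fields_from_discovery(doc_json):
    """Map a discovery document onto the manual-configuration fields of Table 1."""
    doc = json.loads(doc_json)
    wanted = ["openid", "profile", "email", "phone"]   # the page's example scope
    return {
        "issuer": doc["issuer"],
        "authorization_url": doc["authorization_endpoint"],
        "token_url": doc["token_endpoint"],
        "jwk_url": doc.get("jwks_uri"),
        "scope": " ".join(s for s in wanted if s in doc.get("scopes_supported", [])),
        "signature_algorithm": doc["id_token_signing_alg_values_supported"][0],
    }

def redirect_uri(hostname, provider_name):
    """Redirect URI that must be registered at the provider (format from the note)."""
    return f"https://{hostname}:9343/oidcclient/redirect/{provider_name}"

def validate_config(cfg, registered_redirect_uri):
    """Return a list of problems; an empty list means the configuration is coherent."""
    problems = []
    # Certificate alias is mandatory only for RS256 without a JWK URL.
    if cfg["signature_algorithm"] == "RS256" and not cfg.get("jwk_url") and not cfg.get("certificate_alias"):
        problems.append("certificate alias is required for RS256 when no JWK URL is configured")
    if not issuer_is_valid(cfg["issuer"]):
        problems.append("issuer identifier must not contain query or fragment components")
    if "openid" not in cfg["scope"].split():   # OIDC Core requires the openid scope value
        problems.append("scope must include openid")
    # Provider name is case-sensitive in the path, so compare the full URI exactly.
    if registered_redirect_uri != redirect_uri(cfg["hostname"], cfg["provider_name"]):
        problems.append("redirect URI registered at the provider does not match the provider name")
    return problems
```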