This comprehensive blog post will guide you through the process of configuring the IBM Verify Identity Governance (IVIG) Azure AD Adapter service within IBM Security Identity Manager (ISIM) or IBM Verify Identity Governance (IVIG), covering everything from prerequisites to connection testing.
Before we begin, make sure you have the following prerequisites:
The configuration process involves the following steps:
- Create an app in the Azure Portal and grant basic permissions
- Download and configure certificates in IBM Security Directory Integrator
- Add external jars to the patch folder
- Add the connector jar to the connector folder
- Restart the Dispatcher service
- Import the service profile in ISIM/IVIG
- Create a service and perform Test Connection
Step-by-Step Instructions
Let’s dive into each step in more detail.
Obtaining the Domain Name
- Sign in to the Microsoft Entra ID (formerly Azure Active Directory) Portal.
- Select Microsoft Entra ID from the menu.
- The Microsoft Entra ID Overview page appears. To find the Microsoft Entra primary domain name, look for Primary Domain in the Basic information section.
Create an App in the Azure Portal
To create an app in the Azure Portal, follow these steps:
- Login: go to the Microsoft Entra ID (formerly Azure Active Directory) Portal.
- Search for App registrations: find "App registrations" in the Azure Portal.
- Create a new registration: click "New registration" on the App registrations page.
- Register the app: provide an application name, choose the supported account type, and register.
App Creation Result:
Your app is created with an Application (Client) Id. Note it down; it is the Application Id that the adapter service configuration asks for later.
Add Permissions to the App
To add permissions:
- Go to Overview > API Permissions and click Add Permissions.
- Select Microsoft APIs > Microsoft Graph.
- Add Delegated or Application permissions as required.
- Grant admin consent for the added permissions if necessary.
The least permissions required for the adapter's basic operations are:
- Delegated permissions - Microsoft Graph
  - Directory.AccessAsUser.All
  - Directory.Read.All
  - Directory.ReadWrite.All
  - GroupMember.Read.All
  - Group.Read.All
  - Group.ReadWrite.All
  - User.Read
  - User.Read.All
  - User.ReadBasic.All
  - User.ReadWrite.All
- Application permissions - Microsoft Graph
  - Directory.Read.All
  - Directory.ReadWrite.All
  - User.Read.All
  - User.ReadWrite.All
Permissions Note:
Which permissions are needed depends on the user attributes you want to read, add or update. Refer to the Azure Active Directory Adapter Release Notes and the Azure Graph API documentation for details.
Add Certificates & Secrets
To add certificates and secrets:
- Go to Overview > Certificates & Secrets.
- Select New Client Secret.
- Enter a description and an expiry duration, then click Add.
- Copy the secret Value; it is used as the Application Key when configuring the Azure Adapter service.
Download and Configure Certificates in IBM Security Directory Integrator
Step 1: Download Certificates
Step 2: Import Certificates
You can import the certificates using either iKeyMan (on Windows) or the keytool command (on Linux).
Using iKeyMan (Windows)
- Navigate to <SDI_HOME>/jvm/jre/bin.
- Start ikeyman.exe.
- Open the key database file testadmin.jks (located in <SDI_HOME>/timsol/serverapi).
- Enter the password (default is administrator).
- Click Signer Certificates and then Add.
- Browse to select the downloaded certificates and click OK.
Using the Command Line (Linux)
- Run the following commands:
$SDI_HOME/jvm/jre/bin/keytool -importcert -alias DigiCertGlobalRootG2 -file <PATH_TO_DOWNLOADED_CERT>/DigiCertGlobalRootG2.crt -keystore $SDI_HOME/timsol/serverapi/testadmin.jks
$SDI_HOME/jvm/jre/bin/keytool -importcert -alias DigiCertGlobalRootCA -file <PATH_TO_DOWNLOADED_CERT>/DigiCertGlobalRootCA.crt -keystore $SDI_HOME/timsol/serverapi/testadmin.jks
- Enter the password when prompted (default is administrator).
Enabling TLS 1.2 in IBM Security Directory Integrator
To enforce the use of TLS 1.1 and TLS 1.2 protocols in the SDI Server, modify the <SOLUTION_DIRECTORY>/solution.properties file by adding the following lines at the bottom:
com.ibm.di.SSLProtocols=TLSv1.1,TLSv1.2
com.ibm.di.SSLServerProtocols=TLSv1.1,TLSv1.2
com.ibm.jsse2.overrideDefaultProtocol=TLSv12
com.ibm.jsse2.overrideDefaultTLS=true
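As an added example, not part of the original guide or the adapter documentation, the following POSIX shell helper applies the four properties above to a solution.properties file idempotently (an active key that already exists is replaced rather than appended as a duplicate) and then verifies the values. The file path is an assumed argument; the property names and values are the ones listed above.

```shell
# Added example: idempotently apply the SDI TLS properties from the guide to
# a solution.properties file, then verify them. The file path is passed as
# an argument; an active "KEY=" line is replaced in place, never duplicated.
set -u

# set_prop FILE KEY VALUE: replace an existing "KEY=..." line or append one.
set_prop() {
  file=$1; key=$2; value=$3
  esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # make dots literal for grep/sed
  if grep -q "^${esc}=" "$file" 2>/dev/null; then
    sed -i.bak "s|^${esc}=.*|${key}=${value}|" "$file" && rm -f "$file.bak"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# apply_tls_props FILE: write the four values the guide prescribes.
apply_tls_props() {
  set_prop "$1" com.ibm.di.SSLProtocols TLSv1.1,TLSv1.2
  set_prop "$1" com.ibm.di.SSLServerProtocols TLSv1.1,TLSv1.2
  set_prop "$1" com.ibm.jsse2.overrideDefaultProtocol TLSv12
  set_prop "$1" com.ibm.jsse2.overrideDefaultTLS true
}

# get_prop FILE KEY: value of the last active KEY= line (Java Properties
# semantics: the last occurrence wins), or empty if the key is absent.
get_prop() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep "^${esc}=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2-
}

# verify_tls_props FILE: return 0 only if every key holds the expected value.
verify_tls_props() {
  rc=0
  for pair in \
      com.ibm.di.SSLProtocols=TLSv1.1,TLSv1.2 \
      com.ibm.di.SSLServerProtocols=TLSv1.1,TLSv1.2 \
      com.ibm.jsse2.overrideDefaultProtocol=TLSv12 \
      com.ibm.jsse2.overrideDefaultTLS=true; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(get_prop "$1" "$key")
    [ "$got" = "$want" ] || { echo "MISMATCH $key: '$got' (want '$want')"; rc=1; }
  done
  return $rc
}

# Usage: apply_tls_props "$SOLUTION_DIRECTORY/solution.properties" && verify_tls_props "$SOLUTION_DIRECTORY/solution.properties"
```

Run the verify step again after restarting the Dispatcher to confirm nothing else rewrote the file.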
Add External Jars to the Patch Folder
To add the required JAR files:
- Locate the JAR files: refer to the Azure Active Directory Adapter Release Notes for the download link and the supported version of each of the following JAR files:
  - commons-logging-1.x.jar
  - httpclient-4.x.x.jar
  - httpcore-4.x.x.jar
- Copy to the patch folder: copy these files to the <SDI_HOME>/jars/patches directory.
- Verify version consistency: ensure that no other JAR folder contains a different version of any of these files.
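To make the version-consistency check in the last step repeatable, here is an added POSIX shell helper (not from the adapter documentation) that walks a jars root, assumed to be <SDI_HOME>/jars and passed as an argument, and reports any of the three libraries that is missing or present in more than one version.

```shell
# Added example: verify that commons-logging, httpclient and httpcore each
# exist in exactly one version under the SDI jars root (assumed to be
# <SDI_HOME>/jars, passed as $1), so the copies in jars/patches are not
# shadowed by another version elsewhere on the Dispatcher classpath.

# jar_versions ROOT LIB: distinct versions of LIB-<digits...>.jar under ROOT,
# one per line. Requiring a leading digit keeps sibling artifacts such as
# httpclient-cache-*.jar from being counted as httpclient versions.
jar_versions() {
  find "$1" -type f -name "$2-*.jar" 2>/dev/null \
    | sed -n "s|.*/$2-\([0-9][^/]*\)\.jar\$|\1|p" | sort -u
}

# check_jar_consistency ROOT: 0 if every library has exactly one version;
# otherwise print each missing or conflicting library and return 1.
check_jar_consistency() {
  root=$1; rc=0
  for lib in commons-logging httpclient httpcore; do
    versions=$(jar_versions "$root" "$lib")
    count=$(printf '%s\n' "$versions" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
      echo "MISSING  $lib: no $lib-<version>.jar found under $root"; rc=1
    elif [ "$count" -gt 1 ]; then
      echo "CONFLICT $lib: versions $(printf '%s' "$versions" | tr '\n' ' ')"
      find "$root" -type f -name "$lib-*.jar"    # show where each copy lives
      rc=1
    fi
  done
  return $rc
}

# Usage after copying the jars: check_jar_consistency "$SDI_HOME/jars"
```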
Add the Connector Jar to the Connector Folder
Extract the downloaded adapter package zip and copy the Microsoft365Connector.jar file from it to the <SDI_HOME>/jars/connectors directory.
Restart the Dispatcher Service
Windows
- Open the Control Panel and click Administrative Tools.
- In the Administrative Tools window, select Services.
- In the Services window, locate the Dispatcher service.
- Start or stop the Dispatcher service as needed.
The service name is either IBM Security Directory Integrator or the name provided during the installation of the Dispatcher.
Linux
- Navigate to the timsol directory.
- Run the following command:
./ITIMAd restart
Import the Service Profile in ISIM/IVIG
- Log on to the Identity server using an account that has the authority to perform administrative tasks.
- Select Configure System > Manage Service Types.
- Click Import.
- On the Import Service Type page, perform these steps:
  - In the Service Definition File field, click Browse to locate the AzureProfile.jar file.
  - Click OK to import the file.
Create a Service and Perform Test Connection
Create a service and provide the required details:
- From the Identity server, click Manage Services.
- On the Select a Service page, click Create.
- On the Select the Type of Service page, select the service type added by importing AzureProfile.jar.
- The Adapter Details page contains multiple tabs. Only the required fields are covered here; fill in the remaining fields according to your requirements:
  - Azure Details: provide the Service Name and the Security Directory Integrator location.
  - Azure Tenant Domain Details: provide the Azure Tenant Domain name, Application Id and Application Key.
- Optional: on the Service Information or General Information page, click Test Connection to validate that the data in the fields is correct.
- Click Next and then Finish.
By following these steps, you can successfully configure the IVIG Azure AD/Office365 Adapter service in ISIM and test the connection with on-premises SDI and ISIM.
Troubleshooting Errors
If you encounter any errors, refer to the Error and Resolution section for troubleshooting steps.
We hope this step-by-step guide has helped you configure the ISVG Azure AD/Office365 Adapter service in ISIM successfully. If you have any further questions or concerns, feel free to ask in the comments below!