Configuring IGI VA as OIDC Provider

By Sachin Patil posted Wed October 30, 2019 10:18 AM


Authors: Sachin A. Patil, Rahul Relan 

OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol that allows clients to verify the identity of an end user based on the authentication performed by an authorization server or identity provider. Here the IGI VA acts as the OIDC provider. IGI VA supports this feature from release 5.2.4.1, in 5.2.5, and in later releases.

  1. Server-side configuration:

  1.1 VA Deployment:

Deploy an OIDC-supported version of IGI VA. Refer to the following document for the deployment steps:

https://www-03preprod.ibm.com/support/knowledgecenter/en/SSGHJR_5.2.5/com.ibm.igi.doc/installing/cpt/cpt_ic_va_installation.html 

  1.2 Enabling the internal OIDC Provider:

By default, the VA is deployed with the internal OIDC provider enabled. To verify that the internal OIDC provider is enabled, log in to the VA and navigate to Configure -> Manage Server Settings -> OpenID Connect Provider Configuration.


If it is not enabled, enable the internal OIDC provider.

  1.3 Registering the OIDC Client:

On the OpenID Connect Provider Configuration page, go to Manage -> External client configuration. Here you can either use the default client's configuration or create a new external client configuration.

If you choose Admin console as the provider, the Admin console's user registry is used; if you choose Service center, the Service center's user registry is used.


Name: the name of this OIDC provider configuration

Provider: Admin console or Service center (whichever you choose, its user registry is used for authentication)

Client ID: either provide it manually or generate it

Client Secret: either provide it manually or generate it

Redirect URL: https://<endpoint_host:port>/oidcclient/redirect/<provider_name>

Note that:

  1. <provider_name> is the OIDC provider name that you use when configuring the client/endpoint.
  2. If you want to register multiple clients, use comma-separated redirect URLs.

e.g. https://va8111.in.ibm.com:9343/oidcclient/redirect/endpoint1, https://va8112.in.ibm.com:9343/oidcclient/redirect/endpoint2

Save the configuration and go to the VA home page. Observe the notifications; they ask you to restart:

  • Restart the IBM Security Identity Governance and Intelligence server 

From the VA Dashboard, under the Server Control widget, restart the "IBM Security Identity Governance and Intelligence server".

  • Restart the local Management Server 

Go to Manage -> System Settings -> Restart or Shut down and click the "Restart LMI" button.

Now the VA is ready to authenticate the registered clients using the internal OIDC provider.

  1.4 Endpoint configuration information:

To configure an endpoint, you need the OIDC provider information: the Issuer Identifier, authorization URL, token URL, JWK URL, scope, etc. This is available on the IGI VA's OpenID Connect Provider Configuration page:

Go to Configure -> Manage Server Settings -> OpenID Connect Provider Configuration 

Note that the clients can be configured with the JWK URL and the signature algorithm RS256.

Also note that the endpoint requires the provider's certificate in order to communicate with it. It can be downloaded as follows:

Go to Configure -> Manage Server Settings -> Certificates -> select "IBM Security Identity Governance and Intelligence" and click Edit -> select the "Signer" tab -> export the "rootca" certificate.


  1.5 Configuring the Endpoint:

Using the provider configuration above, any OIDC endpoint can be configured. To add a new client, register it by adding its redirect URL to the provider's redirect URL list. As an example use case, another VA is used as the endpoint; its configuration is shown below.

Go to Configure -> Manage External Entities -> OpenID Connect Configuration -> New. A sample configuration looks like the following:


Provider name: the provider name taken from the redirect URL

Configuration: Manual

Authorization URL: see the "Endpoint configuration information" section

Token URL: see the "Endpoint configuration information" section

JWK URL: see the "Endpoint configuration information" section

Scope: openid

Issuer Identifier: see the "Endpoint configuration information" section

Signature Algorithm: RS256

Client ID: the client ID from the "Registering the OIDC Client" section

Client Secret: the client secret from the "Registering the OIDC Client" section

Domains: select the Service center checkbox

Verification:

  1. Log in to the OIDC provider VA, launch the Admin console, and create a new user "user1".
  2. Log in to the OIDC endpoint VA, launch the Admin console, and create a new user "user1".
  3. From the endpoint, launch the Service center and log in as "user1".
  4. Observe that the user is authenticated through the OIDC provider.
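What the endpoint does with the values entered above (Issuer Identifier, JWK URL, Signature Algorithm RS256, Client ID) when the ID token comes back from the provider, shown as an added example that is not code from the post or from IBM: the key is picked by kid from the JWKS document, the RS256 signature is checked, and then iss, aud and exp are checked. The issuer, client ID, kid and in-memory JWKS are assumptions, and the provider-side signing is a constructed stand-in for IGI VA.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// Hypothetical Issuer Identifier and Client ID; in practice both are read off the provider VA's OIDC page.
const issuer, clientID = "https://provider-va.example:9343/oidc/endpoint/OP", "endpoint1-client"
// Helpers: JWT segments are base64url without padding; a corrupt segment decodes to bytes that cannot verify.
var b64 = base64.RawURLEncoding
func dec(s string) []byte      { b, _ := b64.DecodeString(s); return b }
func sha256Of(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
func newProviderKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // stand-in signing key
// jwksFor models the document served at the JWK URL: kid -> (base64url n, base64url e).
func jwksFor(kid string, pub *rsa.PublicKey) map[string][2]string {
	return map[string][2]string{kid: {b64.EncodeToString(pub.N.Bytes()), b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}
}

// signIDToken mints an RS256 ID token; a constructed stand-in for the provider, not IGI VA code.
func signIDToken(kid string, priv *rsa.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sha256Of(input))
	return input + "." + b64.EncodeToString(sig)
}

// verifyIDToken is the endpoint's side: alg pinned to RS256, key picked by kid, signature checked, then iss, aud, exp.
func verifyIDToken(tok string, jwks map[string][2]string, now int64) (string, error) {
	parts, hdr := strings.Split(tok, "."), struct{ Alg, Kid string }{}
	if h, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" {
		return "", errors.New("malformed token, or alg is not RS256 (never accept none or an HMAC alg here)")
	}
	key, ok := jwks[hdr.Kid]
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(dec(key[0])), E: int(new(big.Int).SetBytes(dec(key[1])).Int64())}
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sha256Of(parts[0]+"."+parts[1]), dec(parts[2])) != nil {
		return "", errors.New("unknown kid, or signature does not verify against the JWK URL key")
	}
	var c struct{ Iss, Sub, Aud string; Exp int64 } // aud treated as single-valued for brevity
	if err := json.Unmarshal(dec(parts[1]), &c); err != nil || c.Iss != issuer || c.Aud != clientID || c.Exp <= now {
		return "", errors.New("claims unreadable, or iss/aud/exp check failed")
	}
	return c.Sub, nil
}
```

A token whose iss does not match the configured Issuer Identifier, whose aud is another client's ID, or that is signed with a key absent from the JWK URL document is rejected before any user mapping happens.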



Comments

Tue September 15, 2020 01:20 AM

Correction:
If you want to register multiple clients, then use comma-separated redirect URLs.

e.g. https://va8111.in.ibm.com:9343/oidcclient/redirect/endpoint1, https://va8112.in.ibm.com:9343/oidcclient/redirect/endpoint2