IBM Verify Identity Access (IVIA) Single Sign On with Google Social Identity Provider

By Siddhesh Suryawanshi posted 14 days ago

Single Sign-On (SSO) simplifies authentication by allowing users to log in once and access multiple applications without repeatedly entering credentials. IBM Verify Identity Access (IVIA) supports various authentication methods, including federated authentication with social identity providers such as Google.

In this blog, we walk through the steps to integrate IVIA with Google as a social identity provider using OpenID Connect (OIDC). This integration lets users log in to IVIA-protected applications with their Google credentials.

Prerequisites

Before you begin, ensure you have the following:

  • An active Google Cloud account with a sample project
  • IVIA activated with the base and federation modules
  • The mapping rule below added to your IVIA environment

i) Go to Federation → Mapping Rules

ii) Click the +Add button, paste the code given below and select OIDC as the type. You can name the rule as you wish; if you are following along, name it "GoogleIdentityMapping"

iii) Mapping Rule Code

// OIDC Relying Party identity mapping rule. It runs after IVIA has exchanged
// the authorization code with Google; the tokens Google returned are available
// as STSUU context attributes.
importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importClass(Packages.com.ibm.security.access.httpclient.HttpClientV2);
importClass(Packages.com.ibm.security.access.httpclient.HttpResponse);
importClass(Packages.com.ibm.security.access.httpclient.Headers);

// The access token issued by Google's token endpoint.
var accessTokenAttr = stsuu.getContextAttributes().getAttributeByName("access_token");
if (accessTokenAttr == null || accessTokenAttr.getValues().length === 0) {
    throw "No access token received from Google.";
}
var accessToken = accessTokenAttr.getValues()[0];

// Present the access token as a bearer token to Google's userinfo endpoint.
var headers = new Headers();
headers.addHeader("Authorization", "Bearer " + accessToken);

// A null trust store selects the runtime's default key database
// (rt_profile_keys), which is why Google's certificate is loaded there in step 4.
var userInfoUrl = "https://www.googleapis.com/oauth2/v3/userinfo";
var response = HttpClientV2.httpGet(userInfoUrl, headers, null, null, null, null, null);

if (response == null) {
    throw "No response from Google user info endpoint.";
}

var statusCode = response.getCode();
if (statusCode !== 200) {
    throw "Failed to retrieve Google user info. HTTP Code: " + statusCode;
}

var responseBody = response.getBody();
var userInfo = JSON.parse(responseBody);

// "sub" is Google's stable identifier for the account and is always present
// in a successful userinfo response.
if (!userInfo || !userInfo.sub) {
    throw "Google user information is incomplete.";
}

// "email" and "email_verified" are returned only when the email scope was
// granted. Refuse addresses Google has not verified: only a verified address
// proves that the Google account holder controls that mailbox.
if (!userInfo.email || !userInfo.email_verified) {
    throw "User's email is missing or not verified.";
}

// The e-mail address becomes the IVIA principal name, so it must match the
// uid of the user created in step 4. Addresses can change while "sub" does
// not, so a production deployment may prefer to key users on "sub".
stsuu.setPrincipalName(userInfo.email);

Steps to Integrate Google as an Identity Provider

1. Configure the Federation OIDC Relying Party in IVIA

i) Go to Federation → Federations

ii) Click on +Add button

Add a federation name, select "OpenID Connect Relying Party" as the protocol and click Next. If you are following along, name it "OIDCRPGoogle"

iii) Enter the point of contact as "https://<reverse-proxy-dns-name>/<federation-junction-name>", select "code" as the response type and click Next
iv) Leave the attribute mapping page at its defaults and click Next
v) In the Identity Mapping section select "Use JavaScript transformation for identity mapping" and click Next
vi) A window opens; filter the mapping rules by the name given in the prerequisites (if following along, filter on "Google")
vii) Select the mapping rule added in the prerequisites and click Next
viii) On the Advanced Configuration page click Next with the default selection
ix) Create the federation by clicking "OK"
x) The new federation now appears in the federation list

2. Configure the Google Cloud project (assuming you already have a Google Cloud account)

i) Go to https://console.cloud.google.com and navigate to "APIs and Services"

ii) Navigate to "Credentials" and click "Create credentials" → "OAuth client ID"

iii) Create the OAuth client ID

Application type: "Web application"
Name: as per your requirements
Authorised JavaScript origins: "https://<reverse-proxy-dns-name>"

Authorised redirect URIs: https://<reverse-proxy-dns-name>/<federation-junction>/sps/oidc/rp/<Federation-Name>/redirect/<Partner-Name>

Google matches the redirect URI exactly, so <Federation-Name> and <Partner-Name> must be spelled exactly as the IVIA federation and the partner you create in step 3; any mismatch fails the authorization request with a redirect_uri_mismatch error

iv) The corresponding client_id and client_secret are generated; copy them or download the JSON. Treat the client_secret as a credential: it is what authenticates IVIA to Google's token endpoint, so store it only in the IVIA partner configuration

v) Navigate to Branding and fill in the details below

App name: an appropriate name as per your requirements
User support email: a working e-mail address
Authorized domain: the domain of your reverse proxy
Developer contact information: a working e-mail address

3. Google partner configuration in IVIA
i) Navigate back to the IVIA federation page
Federation → Federations, select the newly created federation and click Partners
Fill in the General Information by entering a name and ticking "Enabled". If you are following along, name the partner "Google"; the partner name is part of the redirect and kickoff URLs
ii) Enter the Client ID and Client Secret copied from the Google Cloud Console
iii) On the metadata endpoint page click Next with the default configuration
iv) Fill in the Basic Partner Configuration as below

Issuer Identifier: https://accounts.google.com
Response Types: code

Authorization Endpoint: https://accounts.google.com/o/oauth2/v2/auth

Token Endpoint: https://oauth2.googleapis.com/token

Userinfo Endpoint: https://openidconnect.googleapis.com/v1/userinfo

v) On the JWT Signer Verification page set

Signature Algorithm: RS256

Select "Use JWK endpoint"
JWK Endpoint: https://www.googleapis.com/oauth2/v3/certs

Google rotates its ID token signing keys, so fetching them from the JWK endpoint (rather than importing a fixed certificate) keeps signature verification working after a rotation

vi) Keep the JWT Decryption page at its defaults
vii) In the Scope settings add the scopes to request from Google. The mapping rule relies on the email and email_verified claims, which Google returns only when the email scope is granted, so request at least openid and email
viii) Keep the Attribute Mapping page at its defaults
ix) On the Identity Mapping page select "Use the identity mapping that is configured for this partner's federation"
x) Keep the Advanced Configuration page at its defaults
xi) Check the summary and click "OK" to save the partner information
4. Next, configure the reverse proxy to use this federation, and add a test user in policy administration whose uid is the same as your e-mail address
i) In IVIA, navigate to Web → Reverse Proxy
Select the reverse proxy instance that is being used
Click Manage → AAC and Federation Configuration → Federation Management

Click the +Add button, which opens a new window for a few details; enter the basic details, select the newly created federation and finish

ii) Create a user in IVIA whose user ID is the same as your Gmail address. The mapping rule sets the IVIA principal name to the e-mail address returned by Google, so the uid must match it exactly
iii) Add the TLS certificate for the Google endpoints to the runtime trust store

Navigate to System → SSL Certificate
Select rt_profile_keys → Manage → Edit SSL Certificate Database

Click Manage → Load

This opens a window to load a certificate by entering the server address or URI

Fill in the details and click Load

This adds Google's certificate to the certificate database, so the federation runtime and the mapping rule's userinfo call can establish trusted TLS connections to Google

5. Testing the flow

i) Use the URL below to kick off the Google OIDC SSO flow
https://<webseal-uri>/<federation-junction>/sps/oidc/rp/<federation-name>/kickoff/<partner-name>
If you are following along, it will be https://reverseproxy.revprox.com/isam/sps/oidc/rp/OIDCRPGoogle/kickoff/Google

This should redirect you to the Google sign-in page

ii) Enter the Gmail address of the user you added in IVIA policy administration

iii) A new window appears for the user's password; enter it and click Next

iv) If the credentials are correct, you are authenticated and redirected to the IVIA login success page

Authors:  

  • Nilesh Amrutkar - nilesh_amrutkar@in.ibm.com
  • Siddhesh Suryawanshi - SiddheshSuryawanshi@ibm.com
