
Securing Access to IBM Vault (HashiCorp Vault) Using OIDC Authentication via IBM Verify

By Suraj Kanth posted 12 days ago


Most enterprises have become diligent about who is accessing their applications and systems. Do they really need access? Is the access temporary or permanent? What about privileged accounts such as root users and admins? Sharing those credentials with a user or group for a time-limited activity is a risk. Identity and access management (IAM) exists to address all of these questions.

How do you authenticate to access the console? Instead of authenticating with local credentials, why not centralize the authentication mechanism using IBM Verify or any other IAM platform? This ensures that users don't have to remember another set of credentials and can use their corporate credentials to access the application.

What is IBM Vault (Hashicorp Vault)?

Vault provides machine identity management by encrypting sensitive data and gating access based on identity. With Vault, you can centrally define trusted identities, enforce policy, and secure access to secrets, certificates, keys and data.

What is IBM Verify?

The IBM Security Verify SaaS platform is a completely cloud-based IAM solution that offers hybrid cloud deployment options. It provides automated, cloud-based and on-premises capabilities for administering identity governance, managing workforce and consumer identity and access, and controlling privileged accounts.

Learning objectives

In this tutorial, you will set up IBM Verify SaaS as an Identity Provider for IBM Vault using OIDC.

You will create two groups in Vault to segregate access between Admin and Reader roles; these groups are mapped to the department attribute in IBM Verify. The same result can be achieved by adding users to groups in Verify and mapping the group names in Vault.

This use case uses IBM Verify but can work with any IAM solution that supports OIDC authentication.

Prerequisites

To follow this tutorial, you need:

    • A Verify SaaS instance. Sign up for a 90-day trial instance here
    • IBM Vault 1.1 or later

Estimated time

It should take you approximately 30 minutes to complete the tutorial.

Steps

Step 1: Adding Hashicorp Vault as an application in IBM Verify

    1. On the Verify admin console, navigate to Application and select Add application
    2. Search for Hashicorp Vault and add application
    3. On the application page, select Sign-on tab
    4. Provide the URL of your Vault instance under Application URL
    5. Update Redirect URIs with the following entries
      1. VAULT_ADDR/ui/vault/auth/oidc/oidc/callback  - where VAULT_ADDR is the URL of your Vault instance.
      2. http://localhost:8250/oidc/callback  - for Vault CLI
    6. Scroll down and under Attribute mappings section, update Attribute name as group and Attribute source as department
    7. Click Save and on the entitlement tab select Automatic access for all users and groups
    8. Click Save
    9. Note down the value for Client ID and Client secret from Sign-on tab to be used while configuring Vault 

Step 2: Vault OIDC integration

    1. Connect to Vault CLI
    2. Enable OIDC auth method
      vault auth enable oidc
      ## You can also use "vault auth enable -path=oidctest oidc" to define the path value if you want to enable multiple OIDC providers
    3. Add IBM Verify connection details and set the default role
      vault write auth/oidc/config \
      oidc_discovery_url="<Verify_Tenant>/oidc/endpoint/default" \
      oidc_client_id="<Verify_Client_ID>" \
      oidc_client_secret="<Verify_Client_Secret>" \
      default_role="verify"
      
      ## oidc_discovery_url is the OIDC issuer's base URL, from which Vault retrieves .well-known/openid-configuration
    4. Create the default role verify
      vault write auth/oidc/role/verify \
       bound_audiences="<Verify_Client_ID>" \
       allowed_redirect_uris="<VaultAddress>/ui/vault/auth/oidc/oidc/callback" \
       allowed_redirect_uris="http://localhost:8250/oidc/callback" \
       user_claim="sub" \
       groups_claim="group" \
       token_policies="default"
      ## Repeating allowed_redirect_uris collects both values into a list; groups_claim must match the attribute name set in Step 1
    5. Create admin and reader policies
      # Admin policy gives unlimited Vault permissions
      cat > admin.hcl <<EOF
      path "*" {
          capabilities = ["sudo","read","create","update","delete","list","patch"]
      }
      EOF
      vault policy write admin admin.hcl
      
      # Reader role allows to list and read secrets under "kv/" path
      cat > reader.hcl <<EOF
      path "kv/*" {
          capabilities = ["read", "list"]
      }
      EOF
      vault policy write reader reader.hcl
    6. Create the external identity groups Verify-Admins and Verify-Readers. (These group names do not need to match the attribute value or group name in Verify; only the aliases created in the next step must match.)
      vault write -format=json identity/group name="Verify-Admins" \
           policies="admin" \
           type="external" | jq -r ".data.id" > admin_group_id.txt
      
      vault write -format=json identity/group name="Verify-Readers" \
           policies="reader" \
           type="external" | jq -r ".data.id" > reader_group_id.txt
    7. Create group aliases whose names exactly match the department attribute value (or the group names) in Verify
      vault auth list -format=json | jq -r '.["oidc/"].accessor' > accessor.txt
      
      vault write identity/group-alias name="Admin" \
           mount_accessor=$(cat accessor.txt) \
           canonical_id="$(cat admin_group_id.txt)"
      
      vault write identity/group-alias name="Reader" \
           mount_accessor=$(cat accessor.txt) \
           canonical_id="$(cat reader_group_id.txt)"
    8. Add OIDC auth method to the UI login screen
      vault auth tune -listing-visibility=unauth oidc
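To make the mapping in steps 4 to 7 concrete, the following added example (not Vault or IBM code) models how the verify role, the external groups and their aliases turn the claims of an IBM Verify ID token into Vault policies. The client ID and the claim sets are constructed; the bound-audience and user-claim checks are simplified versions of what the real OIDC auth method does after validating the token signature.

```python
from typing import Any

# Role from step 4: audience check, user identifier and groups claim.
ROLE = {
    "bound_audiences": ["<Verify_Client_ID>"],  # placeholder, as in the page
    "user_claim": "sub",
    "groups_claim": "group",  # Verify maps department -> "group" claim (Step 1)
    "token_policies": ["default"],
}

# Group aliases (step 7) mapped to the policies of their external groups (step 6).
GROUP_ALIASES = {"Admin": ["admin"], "Reader": ["reader"]}

# Constructed ID-token claims, assumed to be already signature-checked.
SAMPLE_CLAIMS = {
    "alice": {"sub": "alice@example.com", "aud": "<Verify_Client_ID>", "group": "Admin"},
    "bob": {"sub": "bob@example.com", "aud": ["<Verify_Client_ID>"], "group": ["Reader"]},
    "carol": {"sub": "carol@example.com", "aud": "<Verify_Client_ID>", "group": "Finance"},
    "other": {"sub": "dave@example.com", "aud": "some-other-client", "group": "Admin"},
}


def _as_list(value: Any) -> list[str]:
    """Accept one string or a list: Verify sends department as a single string."""
    if isinstance(value, list):
        return [str(v) for v in value]
    if isinstance(value, str):
        return [value]
    raise ValueError("claim must be a string or a list of strings")


def resolve_login(claims: dict[str, Any], role: dict = ROLE,
                  aliases: dict[str, list[str]] = GROUP_ALIASES) -> dict:
    """Return the entity name, matched group aliases and effective policies."""
    if not set(_as_list(claims.get("aud", []))) & set(role["bound_audiences"]):
        raise PermissionError("aud claim does not contain a bound audience")
    user = claims.get(role["user_claim"])
    if not isinstance(user, str) or not user:
        raise PermissionError(f"missing user claim {role['user_claim']!r}")
    groups = _as_list(claims.get(role["groups_claim"], []))
    matched = [g for g in groups if g in aliases]  # alias names must match exactly
    policies = set(role["token_policies"])
    for g in matched:
        policies.update(aliases[g])
    # A department with no alias (carol) keeps only the role's token_policies.
    return {"entity": user, "groups": matched, "policies": sorted(policies)}
```

Running `resolve_login` over each entry of `SAMPLE_CLAIMS` shows that an unmapped department falls back to the default policy and a token issued for a different client is rejected before any group lookup.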

Step 3: Test the connection

    1. Connect to the Vault Console via browser and select the OIDC login method, or
    2. On the Vault CLI, execute the following command
      vault login -method=oidc

Summary

In this tutorial, you learned how to integrate IBM Verify SaaS as an OIDC Identity Provider with IBM Vault.

If you’d like to learn about more security applications, see the Security hub on IBM Developer.

Authors: Sushmita Das, Mahesh Desai, Suraj Kanth
