IBM Verify

Securing Access to IBM Vault (HashiCorp Vault) Using SAML Authentication via IBM Verify

By Suraj Kanth posted 7 days ago

  

Most enterprises have become diligent about who is accessing their applications and systems. Does a user really need access? Is the access temporary or permanent? What about privileged accounts such as root users and administrators? Sharing those credentials with a user or group for a time-limited activity is a risk. Identity and access management (IAM) exists to answer these questions centrally.

The same question applies to the Vault console: how do you authenticate to it? Instead of authenticating with local Vault credentials, centralize authentication through IBM Verify or any other IAM platform. Users then do not have to remember another set of credentials and can use their corporate identity to access the application, and access can be granted and revoked in one place.

What is IBM Vault (HashiCorp Vault)?

Vault provides machine identity management by encrypting sensitive data and gating access based on identity. With Vault, you can centrally define trusted identities, enforce policy, and secure access to secrets, certificates, keys and data.

What is IBM Verify?

The IBM Security Verify SaaS platform is a completely cloud-based IAM solution that offers hybrid cloud deployment options. It provides automated, cloud-based and on-premises capabilities for administering identity governance, managing workforce and consumer identity and access, and controlling privileged accounts.

Learning objectives

In this tutorial, you will set up IBM Verify SaaS as a SAML 2.0 Identity Provider (IdP) for IBM Vault, with Vault acting as the Service Provider (SP).

This use case uses IBM Verify, but the same steps work with any IAM solution that supports SAML 2.0.

Prerequisites

To follow this tutorial, you need:

    • A Verify SaaS instance (a 90-day trial instance is available from IBM)
    • Vault Enterprise 1.15 or later; the SAML auth method used below is a Vault Enterprise feature

Estimated time

It should take you approximately 30 minutes to complete the tutorial.

Step 1: Adding HashiCorp Vault as an application in IBM Verify

  1. On the Verify admin console, navigate to Applications and click Add application
  2. Select Custom Application and click Add application
  3. On the General tab, provide the basic details that identify the application
  4. Switch to the Sign-on tab and set Sign-on method to SAML 2.0
  5. Uncheck the box labeled Use metadata
  6. Set Provider ID to "https://<vault_address>/v1/auth/saml"
  7. Set Assertion consumer service URL (HTTP-POST) and Service provider SSO URL to "https://<vault_address>/v1/auth/saml/callback"
  8. Set Target URL to "https://<vault_address>/ui"
  9. Keep the rest of the configuration at its defaults and scroll down to Attribute mapping
  10. Check the box labeled "Send all known user attributes in the SAML assertion". Vault only needs the subject (NameID) and the attribute that carries group membership; the name of that attribute in the assertion must match the groups_attribute set on the Vault role in Step 2
  11. Click Save
  12. Navigate to Entitlements and select Automatic access for all users and groups. This lets every Verify user sign in to the application; which Vault policies they then receive is decided by the Vault role, so restrict the role (or this entitlement) to the intended users
  13. Click Save
  14. On the right pane you will find details such as the Metadata URL, which is required during the Vault SAML setup

Step 2: Vault SAML Setup

  1. Connect to the Vault CLI (VAULT_ADDR set, and a token permitted to manage auth methods and policies)
  2. Enable the SAML auth method
    vault auth enable saml
  3. Configure the SAML auth method with the IdP metadata URL from Verify. The acs_urls and entity_id values must match, character for character, the Assertion consumer service URL and Provider ID registered in Verify in Step 1, including the https scheme; a mismatch makes the login fail at the IdP or at Vault
    vault write auth/saml/config \
        idp_metadata_url="https://<verify_tenant>/v1.0/saml/federations/saml20ip/metadata" \
        acs_urls="https://<vault_address>/v1/auth/saml/callback" \
        entity_id="https://<vault_address>/v1/auth/saml" \
        default_role="verify"
  4. Create a role named "verify". groups_attribute names the assertion attribute whose values Vault maps to identity group aliases and must match the attribute name Verify sends. This role sets no bound_subjects or bound_attributes, so every user who can sign in through Verify receives the policies below; before production use, constrain it (for example with bound_attributes on a group value) so that only the intended users can log in
    vault write auth/saml/role/verify \
        groups_attribute="groups" \
        token_policies="verifyadmin" \
        token_ttl="1h"
  5. Create the policy "verifyadmin". Note: you can modify the policy to grant the access you require; as written it allows only read and list on the kv/ mount, despite its name
    vault policy write verifyadmin - << EOF
    path "kv/*" {
      capabilities = ["read", "list"]
    }
    EOF

  6. Make the SAML auth method visible on the UI login screen (listing is exposed to unauthenticated users, which is required for the login page to offer it)
    vault auth tune -listing-visibility=unauth saml

Step 3: Test the connection

  1. Open the Vault UI in a browser and select the SAML login method, or
  2. On the Vault CLI run the command below; the sign-in to Verify is completed in a browser, after which the CLI receives a Vault token carrying the role's policies
    vault login -method=saml role="verify"
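The script below is an added example, not code from this tutorial, from IBM Verify or from Vault. It checks offline the three things that most often go wrong across Steps 1 to 3: that the entity_id and acs_urls written to auth/saml/config are exactly what Verify was given (including the https scheme), what Vault will read from the Verify metadata URL (SSO endpoint and signing certificate), and which role constraints a given assertion would pass. The host names, the metadata document and the assertion are constructed stand-ins, and role_allows is a simplified model of the role checks rather than Vault's own code.

```python
"""Offline checks for the Vault SAML setup in Steps 1-3 (added example; not
code from this tutorial, IBM Verify or Vault). Host names, the metadata
document and the assertion below are constructed stand-ins."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def sp_urls(vault_addr):
    """entity_id and ACS URL for a Vault address, in the form Steps 1 and 2 use."""
    u = urlparse(vault_addr)
    if u.scheme != "https" or not u.netloc:
        raise ValueError(f"Vault address must be an https URL: {vault_addr}")
    base = f"https://{u.netloc}"
    return base + "/v1/auth/saml", base + "/v1/auth/saml/callback"

def sp_consistency_problems(vault_addr, entity_id, acs_url):
    """Compare the entity_id/acs_urls about to be written to auth/saml/config
    with what Verify was given in Step 1. An empty list means they agree."""
    want_entity, want_acs = sp_urls(vault_addr)
    problems = []
    for label, got, want in (("entity_id", entity_id, want_entity),
                             ("acs_urls", acs_url, want_acs)):
        if urlparse(got).scheme != "https":
            problems.append(f"{label} is not https: {got}")
        if got != want:
            problems.append(f"{label} differs from Verify's value: {got} != {want}")
    return problems

def parse_idp_metadata(xml_text):
    """IdP entityID, SSO endpoints by binding and signing certs, as Vault
    would learn them from idp_metadata_url."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = {svc.get("Binding").rsplit(":", 1)[-1]: svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))
    if not certs:
        raise ValueError("no signing certificate: Vault could not verify assertions")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}

def assertion_attributes(xml_text):
    """NameID and the attribute statement of an assertion as {name: [values]}."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs

def role_allows(attrs, groups_attribute="groups", bound_attributes=None):
    """Simplified model (an assumption, not Vault's code) of the role checks: each
    bound_attributes key must be present with at least one of the listed values.
    Returns (allowed, values Vault would take from groups_attribute)."""
    groups = list(attrs.get(groups_attribute, []))
    for name, required in (bound_attributes or {}).items():
        if not set(required) & set(attrs.get(name, [])):
            return False, groups
    return True, groups

# Constructed sample documents, not real Verify output.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://tenant.verify.ibm.com/saml/sps/saml20ip/saml20">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant.verify.ibm.com/saml/sps/saml20ip/saml20/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="constructed-1">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>vault-admins</saml:AttributeValue>
      <saml:AttributeValue>developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    vault = "https://vault.example.com:8200"
    # An http:// entity_id against an https:// registration in Verify is flagged.
    print(sp_consistency_problems(vault, "http://vault.example.com:8200/v1/auth/saml",
                                  "https://vault.example.com:8200/v1/auth/saml/callback"))
    print(parse_idp_metadata(SAMPLE_IDP_METADATA)["sso"])
    name_id, attrs = assertion_attributes(SAMPLE_ASSERTION)
    print(name_id, role_allows(attrs, "groups", {"groups": ["vault-admins"]}))
```

Run it as a script to see the checks on the constructed inputs. In practice, pass sp_consistency_problems the values you pasted into Verify and into auth/saml/config, fetch the real metadata from the Verify Metadata URL before handing it to parse_idp_metadata, and use role_allows to reason about which Verify users a role with (or without) bound_attributes would admit.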

Summary

In this tutorial, you learned how to integrate IBM Verify SaaS as a SAML Identity Provider with IBM Vault.

If you’d like to learn about more security applications, see the Security hub on IBM Developer.
