Most enterprises have become diligent about who is accessing their applications/systems. Do they really need access? Is it temporary or permanent access? What about privileged accounts like root users/admins? It would be a risk to share those credentials with a user or group for an activity with a limited time period. To cater to all of these aspects is where identity and access management (IAM) comes in.
How do you authenticate to access the console? Instead of authenticating using local credentials, why not centralize the authentication mechanism using IBM Verify or any IAM platform. This ensures that the users don’t have to remember another set of credentials and are able to use their corporate credentials to access application.
What is IBM Vault (Hashicorp Vault)?
Vault provides machine identity management by encrypting sensitive data and gating access based on identity. With Vault, you can centrally define trusted identities, enforce policy and secure to secrets, certificates, keys and data.
What is IBM Verify?
The IBM Security Verify SaaS platform is a completely cloud-based IAM solution that offers hybrid cloud deployment options. It provides automated, cloud-based and on-premises capabilities for administering identity governance, managing workforce and consumer identity and access, and controlling privileged accounts.
Learning objectives
In this tutorial, you will set up the IBM Verify SaaS as a Identity Provider using SAML for IBM Vault.
This use case uses IBM Verify but can work with any IAM solution that supports SAML authentication.
Prerequisites
To follow this tutorial, you need:
-
- A Verify SaaS instance. Sign up for a 90 day trial instance here
- IBM Vault 1.1 or later
Estimated time
It should take you approximately 30 minutes to complete the tutorial.
Step 1: Adding Hashicorp Vault as an application in IBM Verify
- On the Verify admin console, navigate to Application and click on Add application
- Select Custom Application and click Add application
- Provide basic details to identity the application on the General tab
- Switch to Sign-on tab, and select Sign-on method as SAML2.0
- Uncheck the box labeled Use metadata
- Update Provide ID as "https://<vault_address>/v1/auth/saml"
- Update Assertion consumer service URL (HTTP-POST) and Service provider SSO URL as "https://<vault_address>/v1/auth/saml/callback"
- Update Target URL as "https://<vault_address>/ui"
- Keep the rest of the configuration as default and scroll down to Attribute mapping
- Check the box labeled "Send all known user attributes in the SAML assertion"
- Click Save
- Navigate to Entitlements and select Automatic access for all users and groups
- Click Save
- On the right pane you will find details such as Metadata URL which will be required during Vault SAML setup
Step 2: Vault SAML Setup
- Connect to Vault CLI
- Enable SAML auth method
vault auth enable saml
- Configure the SAML auth method by specifying the IDP metadata URL from Verify
vault write auth/saml/config \
idp_metadata_url="https://<verify_tenant>/v1.0/saml/federations/saml20ip/metadata" \
acs_urls="http://<vault_tenant>/v1/auth/saml/callback" \
entity_id="http://<vault_tenant>/v1/auth/saml" \
default_role="verify"
- Create a role named "verify"
vault write auth/saml/role/verify \
groups_attribute="groups" \
token_policies="verifyadmin" \
token_ttl="1h"
- Create the policy "verifyadmin" Note: You can modify the policy to provide access as per your requirement
vault policy write verifyadmin - << EOF
path "kv/*" {
capabilities = ["read", "list"]
}
EOF
- Add SAML auth method to the UI login screen
vault auth tune -listing-visibility=unauth saml
Step 3: Test the connection
- Connect to the Vault Console via browser and select the SAML login method, or
- On the Vault CLI execute below command
vault login -method=saml role="verify"
Summary
In this tutorial, you learned how to integrate IBM Verify SaaS as a SAML Identity Provider with IBM Vault.
If you’d like to learn about more security applications, see the Security hub on IBM Developer.