How to Configure IGI Open ID SingleSignOn with ISAM(WebSEAL)

By Nishant Singhai posted Wed January 08, 2020 11:58 AM

Pre-requisite: ISAM 9 must be configured, and a WebSEAL instance must be configured and running.

References:

https://www.ibm.com/support/knowledgecenter/en/SSGHJR_5.2.3.1/com.ibm.igi.doc/installing/tsk/t_managing_openid.html

Set up a federation in IBM Security Access Manager.

Follow the directions at https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.0/com.ibm.isam.doc/config/task/tsk_config_op_federation.html

Procedure

  1. Log in to the local management console.
  2. Select Secure Federation > Manage > Federations.
  3. Click Add.
  4. Enter a federation name.
  5. Select OpenID Connect as the protocol.
  6. Click Next.
  7. Select the OpenID Connect Provider option.
  8. Enter the provider ID. This ID must uniquely identify this federation, and must not contain URL-unsafe characters as this value will be present in runtime URLs.
  9. Select a signature algorithm. If RS256 signing is selected, select a certificate from the list.
  10. Click Next.
  11. Select the grants this OP issues. Optionally, adjust any of the timeouts or lengths.
  12. Click Next.
  13. Select the method for identity mapping.
  14. Review the Summary page.
  15. Click OK to create the federation.
Create and register the client.

Follow the instructions at https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.0/com.ibm.isam.doc/config/task/tsk_config_op_partner.html. The redirect URI points to the Identity Governance and Intelligence application. Its format is:

<igi_hostname>:<port>/oidcclient/redirect/<name of the federation created in the earlier step>
You may use the IP address for testing; if you use the hostname, ISAM must be able to resolve it.
Note: the hostname is localhost, the port is 443, the username is easuser and the password is Passw0rd by default.

These are the default settings; the easuser password may be different in your environment.
Now create the junction:

https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.0/com.ibm.isam.doc/config/task/ConfiguringSAML2POC.html

Export the certificate from IGI:
You may use either Import or Load.
Verify that the /isam junction exists:
pdadmin sec_master> s l
    IGI-webseald-nsisam.in.ibm.com
    authz1-ivacld-nsisam.in.ibm.com
    default-webseald-nsisam.in.ibm.com
    ivmgrd-master
    mobile-webseald-nsisam.in.ibm.com
pdadmin sec_master> s t IGI-webseald-nsisam.in.ibm.com list
/
/isam
pdadmin sec_master>

If it is not present, use the command below to create it:

server task IGI-webseald-nsisam.in.ibm.com create -t ssl -c all -s -b ignore -j -e utf8_uri -J inhead -r -q /sps/cgi-bin/query_contents -f -h localhost -p 443 /isam

as documented in step #2 here:

https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.0/com.ibm.isam.doc/config/task/ConfiguringSAML2POC.html

Verify all ACLs are in place:

pdadmin sec_master> acl list
isam_IGISSO_isam_unauth
default-webseal
default-management-proxy
isam_mobile_rest
isam_mobile_nobody
default-management
isam_mobile_rest_unauth
isam_mobile_unauth
default-root
isam_IGISSO_isam_anyauth
isam_mobile_anyauth
default-gso
default-policy
favicon
default-config
default-domain
isam_IGISSO_isam_nobody
default-replica

Then apply the ACLs as documented in step #5.

nsisam.in.ibm.com> isam admin
pdadmin> login
Enter User ID: sec_master
Enter Password:
pdadmin sec_master> acl attach /WebSEAL/nsisam.in.ibm.com-IGI/isam isam_IGISSO_isam_nobody
pdadmin sec_master> acl attach /WebSEAL/nsisam.in.ibm.com-IGI/isam/oidc/scripts isam_IGISSO_isam_unauth
pdadmin sec_master> acl attach /WebSEAL/nsisam.in.ibm.com-IGI/isam/oidc/endpoint/amapp-runtime-IGISSO/token isam_IGISSO_isam_unauth
pdadmin sec_master> acl attach /WebSEAL/nsisam.in.ibm.com-IGI/isam/oidc/endpoint/amapp-runtime-IGISSO/introspect isam_IGISSO_isam_unauth
pdadmin sec_master> acl attach /WebSEAL/nsisam.in.ibm.com-IGI/isam/oidc/endpoint/amapp-runtime-IGISSO/authorize isam_IGISSO_isam_unauth
pdadmin sec_master>
pdadmin sec_master> acl attach /WebSEAL/nsisam.in.ibm.com-IGI/isam/sps/auth isam_IGISSO_isam_anyauth


Verify all ACLs are attached as documented:

pdadmin sec_master> acl find isam_IGISSO_isam_nobody
/WebSEAL/nsisam.in.ibm.com-IGI/isam
pdadmin sec_master> acl find isam_IGISSO_isam_unauth
pdadmin sec_master> acl find isam_IGISSO_isam_anyauth
/WebSEAL/nsisam.in.ibm.com-IGI/isam/sps/auth

Now, as per step #6, set the HTTP-Tag-Value attribute on the junction object:

pdadmin sec_master> object modify /WebSEAL/nsisam.in.ibm.com-IGI/isam/ set attribute HTTP-Tag-Value user_session_id=USER-SESSION-ID

Now form the endpoints as described in the documentation:

https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.0/com.ibm.isam.doc/config/concept/con_oidc_endpoints.html

https://9.199.138.116/isam/oidc/endpoint/amapp-runtime-IGISSO/authorize

https://9.199.138.116/isam/oidc/endpoint/amapp-runtime-IGISSO/token
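As an added check (example code written for this article, not part of the original post or of the ISAM or IGI products), the script below compares a pasted pdadmin "acl find" transcript against the attachments step #5 requires and builds the OP endpoints and the IGI redirect URI from the hostnames, the IGISSO provider ID and the federation name. The igi.example.com host, port 443 and the https scheme on the redirect URI are assumptions; the transcript it runs on is constructed to mirror the output shown above.

```python
import re

# Assumed from the post: WebSEAL object space of the IGI instance and provider ID IGISSO
WEBSEAL_OBJ = "/WebSEAL/nsisam.in.ibm.com-IGI/isam"
OP_EP = WEBSEAL_OBJ + "/oidc/endpoint/amapp-runtime-IGISSO"
# ACL attachments step #5 of the post requires (ACL name -> object paths)
EXPECTED_ATTACHMENTS = {
    "isam_IGISSO_isam_nobody": {WEBSEAL_OBJ},
    "isam_IGISSO_isam_unauth": {WEBSEAL_OBJ + "/oidc/scripts", OP_EP + "/token",
                                OP_EP + "/introspect", OP_EP + "/authorize"},
    "isam_IGISSO_isam_anyauth": {WEBSEAL_OBJ + "/sps/auth"},
}

def parse_acl_find(transcript):
    """Map each 'acl find <acl>' in a pasted pdadmin session to the paths listed under it."""
    found, current = {}, None
    for line in transcript.splitlines():
        m = re.match(r"pdadmin \S+> acl find (\S+)", line)
        if m:
            current = m.group(1)
            found.setdefault(current, set())
        elif current and line.strip().startswith("/"):
            found[current].add(line.strip())
    return found

def missing_attachments(transcript, expected=EXPECTED_ATTACHMENTS):
    """Return {acl: [paths]} for every required attachment the transcript does not show."""
    found = parse_acl_find(transcript)
    missing = {acl: sorted(paths - found.get(acl, set())) for acl, paths in expected.items()}
    return {acl: paths for acl, paths in missing.items() if paths}

def oidc_urls(isam_host, provider_id, igi_host, igi_port, federation):
    """Build the OP endpoints and the IGI redirect URI in the formats the post gives.
    The https scheme on the redirect URI is an assumption; the post omits it."""
    base = f"https://{isam_host}/isam/oidc/endpoint/amapp-runtime-{provider_id}"
    return {"authorize": base + "/authorize", "token": base + "/token",
            "redirect_uri": f"https://{igi_host}:{igi_port}/oidcclient/redirect/{federation}"}

# Constructed transcript modelled on the "acl find" output shown in the post
SAMPLE = """pdadmin sec_master> acl find isam_IGISSO_isam_nobody
/WebSEAL/nsisam.in.ibm.com-IGI/isam
pdadmin sec_master> acl find isam_IGISSO_isam_unauth
pdadmin sec_master> acl find isam_IGISSO_isam_anyauth
/WebSEAL/nsisam.in.ibm.com-IGI/isam/sps/auth
"""

if __name__ == "__main__":
    for acl, paths in missing_attachments(SAMPLE).items():
        print(f"{acl} is not attached to: {', '.join(paths)}")
```

Run against the constructed transcript it reports the four unauth objects as unattached, which is the gap to chase before the authorize and token endpoints are expected to answer unauthenticated requests.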
Export the certificate from the ISAM application interface:

Import it into IGI.

Restart IGI.

Restart the ISAM reverse proxy instance:

Testing the configuration

  1. Create a user in ISAM.
  2. Create the same user in IGI.

Log in to the Service Center: