IBM Security Verify

Persistent SAML Name ID Format Support in IBM Security Verify

By Rajeev Kumar posted 24 days ago



IBM Security Verify now supports the “Persistent” Name ID format. The Name ID formats it supported previously are Unspecified, Transient, and Email. These identifier formats are set under SAML subject in the SAML SSO configuration.

Persistent Name ID Format - A privacy-preserving name identifier assigned by an identity provider or service provider to identify a Principal to a given relying party for an extended period that spans multiple sessions; can be used to represent an identity federation. It is used to permanently link identities. IBM Security Verify lets you configure the service provider to persistently link identities, based on an attribute value from the identity provider. When you know the user accounts on both the identity provider and the service provider share a common attribute value, such as an email address or another unique user identifier, you can use this method to link accounts without user interaction.

When the Name identifier is selected as Not Specified, the subject Name ID is a randomly generated unique identifier that retains the same value for that application federation.


To configure this in IBM Security Verify, the admin should follow these steps:

  1. In the Custom Application, select SAML 2.0 as the Sign-on method.
  2. Provide the Provider ID and the Assertion consumer service URL (HTTP-POST).
  3. In SAML subject, select Persistent as the NameID format and (Not Specified) as the Name identifier.
  4. In User consent, select Ask for consent or Don’t Ask for consent.

IBM Security Verify also supports the user consent feature. User consent requires that the Identity Provider asks the user to grant permission before it sends an assertion to a service provider. This feature is supported only when the Name ID format is Persistent and the Name identifier is Not Specified. If you enable user consent at the Identity Provider, the IBM Security Verify Sign-On page prompts the user for consent. The Identity Provider passes the consent value in an assertion.

  5. Name Identifier Management URL (Optional) – This endpoint receives and processes the SAML Manage Name ID Request and SAML Manage Name ID Response. This option is available only when the NameID format is Persistent and the Name identifier is (Not Specified). Provide this value from the Service Provider.

Manage Name ID provides a way to initiate name identifier changes or terminations. For example, after establishing a name identifier for use when referring to a principal, the identity provider may want to change its value and/or format. Additionally, an identity provider might want to indicate that a name identifier will no longer be used to refer to the principal. The identity provider will notify service providers of the change by sending them a Manage Name ID Request. A service provider also uses this message type to register or change the SP Provided ID value (included when the underlying name identifier is used to communicate with it) or to terminate the use of a name identifier between itself and the identity provider.
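The service provider side of the behaviour described above, as an added example that is not IBM Security Verify code: it accepts only a Persistent NameID, links it to a local account, and applies an identity-provider-sent Manage Name ID Request (change or terminate) to that link. The sample messages, alias values, issuer URL, and the `links` map are constructed for illustration, and signature and issuer verification is assumed to have been done before these functions run.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample Subject; the alias value is made up.
SUBJECT = (f'<saml:Subject xmlns:saml="{NS["saml"]}">'
           f'<saml:NameID Format="{PERSISTENT}">alias-0001</saml:NameID>'
           '</saml:Subject>')

def manage_request(alias, action):
    """Build a constructed ManageNameIDRequest carrying NewID or Terminate."""
    return (f'<samlp:ManageNameIDRequest xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" ID="_req1" Version="2.0">'
            '<saml:Issuer>https://idp.example.test</saml:Issuer>'
            f'<saml:NameID Format="{PERSISTENT}">{alias}</saml:NameID>'
            f'{action}</samlp:ManageNameIDRequest>')

def persistent_name_id(root):
    """Return the NameID value; reject any format other than Persistent."""
    name_id = root.find(".//saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not value or name_id.get("Format") != PERSISTENT:
        raise ValueError("expected a non-empty Persistent NameID")
    return value

def handle_manage_name_id(xml_text, links):
    """Apply an IdP-sent request to the SP's alias -> local account map.

    Assumes the signature and issuer were verified before this point.
    """
    root = ET.fromstring(xml_text)
    current = persistent_name_id(root)
    if current not in links:
        raise KeyError("no account linked to this name identifier")
    if root.find("samlp:Terminate", NS) is not None:
        del links[current]            # identifier no longer refers to the user
        return "terminated"
    new_id = root.find("samlp:NewID", NS)
    if new_id is None or not (new_id.text or "").strip():
        raise ValueError("request has neither NewID nor Terminate")
    links[new_id.text.strip()] = links.pop(current)   # same account, new alias
    return "changed"

if __name__ == "__main__":
    links = {persistent_name_id(ET.fromstring(SUBJECT)): "local-user-42"}
    change = manage_request("alias-0001", "<samlp:NewID>alias-0002</samlp:NewID>")
    print(handle_manage_name_id(change, links), links)
```

After a change request the old alias is unknown to the service provider, so a later message that still uses it is rejected instead of being matched to the account.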


Validation:

Test this as per your configuration by using the URL from the instruction given in the Custom Application.

  1. User consent testing


A consent page appears that asks the user to give consent.


A unique ID is generated for the user, which can be seen under Profile & settings -> SAML aliases on the IBM Security Verify page.

  2. Manage Name ID testing




Rahul Kumar

Rahul is an enthusiastic engineer with a strong interest in understanding access and identity use cases.

Rajeev Kumar

Rajeev is an engineer who is passionate about exploring solutions based on integrating the product's capabilities.