Next Generation Authentication with Verify Governance
IBM® Security Verify Governance (ISVG) Identity Manager (IM) and Identity Governance (IG) use an OpenID Connect authentication server. OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol, which allows clients to verify the identity of an end user based on the authentication performed by an authorization server or identity provider.
This document details the steps to configure IBM Security Verify Governance - Identity Manager (aka ISIM) 10.x (and the underlying WebSphere) for OpenID Connect Single Sign-On with IBM Security Verify SaaS, and also the IBM Security Verify Governance - Identity Manager Virtual Appliance (aka ISIM VA) and the IBM Security Verify Governance - Identity Governance Virtual Appliance (aka IGI VA).
User experience:
- The end user logs in to IBM Security Verify SaaS.
- By clicking the ISVG-IM-OPENID application, the user is logged in to the Identity Manager Service Center using OpenID Connect SSO.
NOTE: The steps below assume that the username in IBM Security Verify SaaS is identical to the associated ISVG-IM or ISVG-IG username.
Prerequisites:
- The IBM Security Verify SaaS tenant should be active.
- The IBM Security Verify Governance - Identity Manager (ISVG-IM) environment should be ready.
- The IBM Security Verify Governance - Identity Governance (ISVG-IG) environment should be ready.
Steps to create the application in IBM Security Verify SaaS:
- Log in with admin access on IBM Security Verify SaaS.
- Click on Applications on the left side and then click on Applications.
- Click on Add application, select Custom Application, then click Add application.
- Add information as per your requirement on the next screen.
- Add the owner of this application if you want to grant access to this application after an end user requests it.
- Now go to the next tab, “Sign-on”, and fill in the required data:
  - Sign-on Method: OpenID Connect 1.0
  - Application URL:
    - ISVG-IM (ISIM):
      - itim console: https://<ISVG-IM-Application-hostname>:9082/itim/console/
      - service center: https://<ISVG-IM-Application-hostname>:9082/itim/ui/
    - ISVG-IG (IGI):
      - Admin console: https://<ISVG-IG_application_hostname>:9343/ideas/?realm=ADMIN
      - Service center: https://<ISVG-IG_application_hostname>:9343/ideas/?realm=IDEAS
  - Grant Types: select as per your business requirement.
  - User Consent: select as per your business requirement.
  - Redirect URIs:
    - ISVG-IM (ISIM): https://<ISVG-IM-Application-hostname>:9082/oidcclient/<provider-name>
    - ISVG-IG (IGI): https://<ISVG-IG_application_hostname>:9343/oidcclient/redirect/<provider-name>
The screenshot below shows the details for the ISVG-IM Service Center:
- Signature Algorithm: HS256
- Attribute Mappings: select as per your business requirement.
- Access Policies: select the identity source(s) that you want to allow for SSO.
Go back to the Sign-on tab and copy the Client ID and Client Secret; the same values are used on the ISVG-IM side.
After completing the steps on IBM Security Verify SaaS, we need to add the details in the IBM Security Verify Governance product.
NOTE: The provider name should be the same as the name you used in the redirect URI in Verify SaaS. For example, with the redirect URI below the provider name is isimsso.
Redirect URI: https://<ISVG-IM-Application-hostname>:9082/oidcclient/isimsso
We can fill in the OpenID details (Authorization URL, Token URL, etc.) manually, or we can use the discovery URL from IBM Security Verify SaaS to fill in the details automatically.
Discovery URL: it can be found in the OpenID Connect Single Sign-on Configuration help section (right side panel). The discovery URL is useful in the case of the Virtual Appliance.
https://<Verify-SaaS-Tenant>/oidc/endpoint/default/.well-known/openid-configuration
Configuration on IBM Security Verify Governance – Identity Manager (S/W Stack):
Steps:
- Install the OpenID Connect ACS application by using the installOIDCRP.py script (included with WebSphere).
  Navigate to $WAS_HOME/bin and execute either:
  Single Server:
    wsadmin.sh -user <wasadminid> -password <wasadminpwd> -f installOIDCRP.py install <nodeName> <serverName>
  OR
  Cluster:
    wsadmin.sh -user <wasadminid> -password <wasadminpwd> -f installOIDCRP.py install <clusterName>
  Where:
    <wasadminid> = WebSphere Admin ID
    <wasadminpwd> = WebSphere Admin Password
    <nodeName> = WebSphere Node name
    <serverName> = Name of the Application Server instance
    <clusterName> = Name of the Application Cluster in WebSphere
- Enable the OpenID Connect TAI using the WebSphere Administration Console:
  - Log in to the WAS Admin Console.
  - Navigate to Security > Security Domains.
  - Click on “ISIMSecurityDomain”.
  - Expand the “Trust Association” section under “Security Attributes”.
  - “Customize for this domain” should already be selected (select this option if it is not).
  - Check the “Enable trust association” box.
  - Click the “Interceptors” link.
  - Click the New button.
  - For the Interceptor class name, enter:
    com.ibm.ws.security.oidc.client.RelyingParty
  - Click New to create the following properties:

  | Name | Description |
  | --- | --- |
  | provider_1.identifier | The unique name that is assigned to the provider. |
  | provider_1.clientId | The client ID that is registered at the OpenID Connect provider. |
  | provider_1.clientSecret | The secret that is registered at the OpenID Connect provider. |
  | provider_1.authorizeEndpointUrl | The authorization URL of the OpenID Connect provider. |
  | provider_1.tokenEndpointUrl | The token URL of the OpenID Connect provider. |
  | provider_1.signatureAlgorithm | The signature algorithm that is supported by the OpenID Connect provider. |
  | provider_1.issuerIdentifier | The unique identifier of the OpenID Connect provider; its value is provided by the OpenID Connect provider. |
  | provider_1.scope | The scope that is supported by the OpenID Connect provider; space-separated values. |
  | provider_1.audiences | Provide the audience type as ALL_AUDIENCES. |
  | provider_1.interceptedPathFilter | Specifies a comma-separated list of regular expression patterns that are compared against the request URI to see whether the TAI will intercept the request. Example: /itim/console.*,/itim/ui.*,/itim/rest.*,/itim/restlogin.* |
  | provider_1.useRealm | Specifies the realm name to be used for each request to this provider. Example: itimCustomRealm |
  | provider_1.userIdentifier | This property is set to a claim name used by the vendor's ID Token that represents a user's unique security name. |

  - Click OK and Save.
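The discovery URL above and the provider_1.* table describe the same data from two sides: the discovery document supplies the endpoint URLs and issuer, and the Verify SaaS application registration supplies the client ID and secret. The following is an added example, not IBM's code and not part of this document, that maps a discovery document onto the TAI property names and checks a few things before the values are typed into the admin console. The discovery JSON, hostnames, client ID and secret are constructed placeholders; the default claim name preferred_username for provider_1.userIdentifier and the use of an anchored regular-expression match for the path filter are assumptions, not behaviour stated by the page.

```python
"""Added example (not from the IBM document): derive the provider_1.* interceptor
properties for the WebSphere OIDC TAI from a discovery document plus the client
registration, and validate the result offline."""
import json
import re

# Constructed sample of a discovery document such as the one served at
# https://<Verify-SaaS-Tenant>/oidc/endpoint/default/.well-known/openid-configuration
# The hostname is a placeholder, not a real tenant.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://tenant.example.verify/oidc/endpoint/default",
    "authorization_endpoint": "https://tenant.example.verify/oidc/endpoint/default/authorize",
    "token_endpoint": "https://tenant.example.verify/oidc/endpoint/default/token",
    "scopes_supported": ["openid", "profile", "email"],
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
})

# Request paths the TAI must intercept for ISIM, taken from the property table.
ISIM_PATH_FILTER = "/itim/console.*,/itim/ui.*,/itim/rest.*,/itim/restlogin.*"


def build_tai_properties(discovery_json, client_id, client_secret,
                         provider_name="isimsso", signature_algorithm="HS256",
                         scope="openid profile email", realm="itimCustomRealm",
                         user_identifier="preferred_username",  # assumed claim name
                         path_filter=ISIM_PATH_FILTER):
    """Return a dict of provider_1.* properties derived from the discovery document.

    Raises ValueError when the discovery document does not advertise what the
    relying party is about to be configured with."""
    doc = json.loads(discovery_json)
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if key not in doc:
            raise ValueError("discovery document lacks required field: " + key)
    if signature_algorithm not in doc.get("id_token_signing_alg_values_supported", []):
        raise ValueError("provider does not advertise ID token algorithm " + signature_algorithm)
    missing = [s for s in scope.split() if s not in doc.get("scopes_supported", [])]
    if missing:
        raise ValueError("scopes not advertised by provider: " + " ".join(missing))
    if not doc["issuer"].startswith("https://"):
        raise ValueError("issuer must be an https URL")
    return {
        "provider_1.identifier": provider_name,
        "provider_1.clientId": client_id,
        "provider_1.clientSecret": client_secret,
        "provider_1.authorizeEndpointUrl": doc["authorization_endpoint"],
        "provider_1.tokenEndpointUrl": doc["token_endpoint"],
        "provider_1.signatureAlgorithm": signature_algorithm,
        "provider_1.issuerIdentifier": doc["issuer"],
        "provider_1.scope": scope,
        "provider_1.audiences": "ALL_AUDIENCES",
        "provider_1.interceptedPathFilter": path_filter,
        "provider_1.useRealm": realm,
        "provider_1.userIdentifier": user_identifier,
    }


def path_is_intercepted(path_filter, request_uri):
    """Assumed reading of the TAI rule: the request is intercepted when any of
    the comma-separated regular expressions matches the request URI."""
    return any(re.match(pattern, request_uri) for pattern in path_filter.split(","))


if __name__ == "__main__":
    props = build_tai_properties(SAMPLE_DISCOVERY, "client-id-placeholder", "client-secret-placeholder")
    for name, value in props.items():
        shown = "********" if name.endswith("clientSecret") else value
        print(name + " = " + shown)
    print(path_is_intercepted(ISIM_PATH_FILTER, "/itim/ui/login"))       # True
    print(path_is_intercepted(ISIM_PATH_FILTER, "/itim/console/jsp/x"))  # True
    print(path_is_intercepted(ISIM_PATH_FILTER, "/ibm/console/"))        # False
```

The issuer check matters because provider_1.issuerIdentifier is what the TAI compares against the iss claim of every ID token; copying it by hand from a different tenant or with a trailing slash is a common reason for a silent login failure, and the discovery document is the authoritative source for it.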
- Add custom properties using the WebSphere Administration Console:
  - Click on Security Domains > ISIMSecurityDomain.
  - Click on the Custom Properties link (in the Security Attributes section).
  - Click the New button to add the following custom property:

  | Name | Value |
  | --- | --- |
  | com.ibm.websphere.security.InvokeTAIbeforeSSO | com.ibm.ws.security.oidc.client.RelyingParty |

  - Click OK, then Save.
- Import the OpenID Connect provider's SSL signer certificate into the WebSphere Application Server truststore:
  - In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates.
  - Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.
  - Click Add.
  - Complete the certificate information, then click Apply.
- Add the Identity Provider realm to the list of Inbound Trusted Realms:
  - Navigate to Security > Security Domains > ISIMSecurityDomain.
  - Expand User Realm (in the “Security Attributes” section).
  - “Customize for this domain” should be selected.
  - Click the “Configure” button.
  - Click the “Trusted authentication realms – inbound” link (in the “Related Items” section).
  - Click “Add External Realm”.
  - Enter “cloudIdentityRealm” and click OK.
  - Confirm that cloudIdentityRealm shows “Trusted” in the Inbound Trust column.
  - Click Apply and Save.
- Update property files:
  - Update the following properties in ui.properties:
    enrole.ui.disableLoginPage = true
    enrole.ui.logoffURL = /itim/console/jsp/logon/openidLogout.jsp
  - Update the following properties in UIconfig.properties:
    ui.disableLoginPage = true
    logouturl = /itim/ui/openidLogout.jsp
  Note: Also set enrole.ui.ssoEnabled=true in ui.properties for the change password function.
- Restart WebSphere.
Configuration on IBM Security Verify Governance – Identity Manager Virtual Appliance:
Steps:
- Add the IBM Security Verify certificate from the Virtual Appliance Local Management Interface (LMI): navigate to Configure -> Manage External Entities -> SSL Certificate Management.
- From the Virtual Appliance Local Management Interface (LMI) navigate to Configure -> Manage External Entities -> OpenID Connect Configuration and fill in the details:
  Certificate Alias: The label of the certificate that was uploaded to the trust store. Select the label that was added.
  User Realm / Domain: Specifies the realm name or domain name of the identity provider where the user is created. In the case of Verify SaaS the realm is cloudIdentityRealm.
  Logoff URL: The OpenID Connect provider logout URL. When a logout URL is provided, IBM Security Verify Governance clears all OpenID Connect provider tokens after the user logs out from the selected interface. If you do not provide an OpenID Connect provider logout URL, logout only clears the IBM Security Verify Governance application tokens.
  https://<Verify-SaaS-Tenant>/idaas/mtfim/sps/idaas/logout
Configuration on IBM Security Verify Governance – Identity Governance Virtual Appliance:
Steps:
- Add the IBM Security Verify Governance certificate to the IBM Security Verify Governance KeyStore signer from VA LMI > Configure > Certificate panel.
- Admin console:
- Service center:
- After saving the configuration, restart the IBM Security Verify Governance server from the VA LMI Dashboard.
Troubleshooting:
- For ISVG-IM we can use the following log levels to enable extra logging:
  com.ibm.ws.security.openid20.*
  com.ibm.ws.security.web.*
- For ISVG-IG we can use the following log levels to enable extra logging:
  com.ibm.ws.security.*=all
  com.ibm.ws.webcontainer.security.*=all
  com.ibm.oauth.*=all
  com.ibm.wsspi.security.oauth20.*=all
  org.apache.http.client.*=all
- Time difference issue: we must keep the ISVG product time and timezone the same as the Verify SaaS tenant time and timezone, otherwise ID tokens are rejected as expired or not yet valid.
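To make the time difference issue concrete, the following is an added example, not IBM's code and not part of this document, of the checks a relying party performs on an HS256-signed ID token (the Signature Algorithm chosen above). With HS256 the token is signed with the client secret, so the value in provider_1.clientSecret is also the verification key. The issuer, client ID and secret are constructed placeholders, and the exact validation order and leeway used inside the WebSphere TAI are not stated by the page; the example shows the generic OpenID Connect checks (signature, iss, aud, exp, iat) and how a relying party clock that is a few minutes off from the provider makes them fail.

```python
"""Added example (not from the IBM document): HS256 ID token validation with
an explicit relying-party clock, to reproduce the clock-skew failure offline."""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_id_token(claims, client_secret):
    """Build a compact JWT the way an HS256 provider would. Used here only to
    construct test tokens; in production Verify SaaS issues the real ones."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = (header + "." + body).encode("ascii")
    sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return header + "." + body + "." + _b64url_encode(sig)


def validate_id_token(token, client_secret, expected_issuer, expected_client_id,
                      now=None, clock_skew_seconds=0):
    """Return the claims if the token is acceptable, else raise ValueError
    naming the first failed check. `now` is the relying party's clock."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg " + str(header.get("alg")))
    expected_sig = hmac.new(client_secret.encode(), (header_b64 + "." + body_b64).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify with the client secret")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("iss does not match provider_1.issuerIdentifier")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected_client_id not in aud:
        raise ValueError("aud does not contain our client ID")
    if now > claims["exp"] + clock_skew_seconds:
        raise ValueError("token expired (exp=%d, now=%d): relying party clock is ahead" % (claims["exp"], now))
    if "nbf" in claims and now < claims["nbf"] - clock_skew_seconds:
        raise ValueError("token not yet valid")
    if "iat" in claims and now < claims["iat"] - clock_skew_seconds:
        raise ValueError("token issued in the future: relying party clock is behind the provider")
    return claims


# Constructed placeholder values, not a real tenant or registration.
ISSUER = "https://tenant.example.verify/oidc/endpoint/default"
CLIENT_ID = "client-id-placeholder"
CLIENT_SECRET = "client-secret-placeholder"


def skew_demo(provider_clock, rp_clock_offset, leeway):
    """Mint a token at provider_clock (valid 60 s) and validate it on a relying
    party whose clock is rp_clock_offset seconds off. Returns 'ok' or the error."""
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "jdoe",
              "iat": provider_clock, "exp": provider_clock + 60}
    token = make_hs256_id_token(claims, CLIENT_SECRET)
    try:
        validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID,
                          now=provider_clock + rp_clock_offset, clock_skew_seconds=leeway)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    t = 1700000000
    print(skew_demo(t, 0, 0))      # ok
    print(skew_demo(t, 300, 0))    # expired: relying party clock 5 minutes ahead
    print(skew_demo(t, -300, 0))   # issued in the future: relying party clock 5 minutes behind
    print(skew_demo(t, -30, 60))   # ok: 30 s behind, within a 60 s leeway
```

The two failing calls are what a misaligned appliance clock looks like in the TAI trace: an exp or iat check failing on a token whose signature, iss and aud are all correct. Synchronising time and timezone with the tenant, as the troubleshooting note says, is the fix; widening the leeway only hides the drift.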
Conclusion:
With the above end-to-end steps, IBM Security Verify Governance customers can use the Next Generation Authentication technique with Verify Governance using OpenID Connect.