IBM Security Verify

 View Only

Next Generation Authentication with Verify Governance

By Shirish Agale posted Tue February 20, 2024 12:28 PM

  

Next Generation Authentication with Verify Governance

IBM® Security Verify Governance  (ISVG) Identity Manager (IM) and Identity Governance (IG) uses OpenID connect authentication server. OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol, which allows clients to verify the identity of an end user based on the authentication performed by an authorization server or identity provider.

This document details the steps to configure IBM Security Verify Governance - Identity Manager (aka ISIM) 10.x (and the underlying WebSphere) for OpenID Connect Single Sign-On with IBM Security Verify SaaS also with IBM Security Verify Governance - Identity Manager Virtual appliance (aka ISIM VA) and IBM Security Verify Governance - Identity Governance Virtual appliance (aka IGI VA). 

User experience:

Login to IBM Security Verify SaaS by end user.



By clicking ISVG-IM-OPENID applications, you will login to Identity Manager Service Center using OpenID connect SSO. 

NOTE: The steps below assume the username in IBM Security Verify SaaS are identical to the associated ISVG-IM or ISVG-IG username.

Prerequisites: 

  • IBM Security Verify SaaS tenant should be active.

  • IBM Security Verify Governance - Identity Manager (ISVG-IM) environment should be ready.

  • IBM Security Verify Governance - Identity Governance (ISVG-IG) environment should be ready.

Steps to create application in IBM Security Verify SaaS:

  1. Login using admin access on IBM Security Verify SaaS.

  2. Click on Applications on the left side and then click on Applications.

  3. Click on Add application and Select Custom Application then click Add application.

  4. Add information as per your requirement on the next screen

  1. Add the owner of this application if you want to provide access to this application after requesting by end user.

  2. Now go to the next tab “Sign-on” and feel required data.

    1. Sign-on Method - Open ID Connect 1.0

    2. Application URL -

      1. ISVG-IM (ISIM) -

        1. itim console: https://<ISVG-IM-Application-hostname>:9082/itim/console/ 

        2. service center: https://<ISVG-IM-Application-hostname>:9082/itim/ui/

      2. ISVG-IG (IGI) -

        1. Admin console: https://<ISVG-IG_application_hostname>:9343/ideas/?realm=ADMIN

        2. Service center: https://<ISVG-IG_application_hostname>:9343/ideas/?realm= IDEAS

    1. Grant Types – Select this as per your business requirement.

    2. User Consent – Select this as per your business requirement.

    3. Redirect URIs -

      1. ISVG-IM (ISIM) -
        https://<ISVG-IM-Application-hostname>:9082/oidcclient/<provider-name>

      2. ISVG-IG (IGI) -
        https://<ISVG-IG_application_hostname>:9343/oidcclient/redirect/<provider-name>

Below screen shot shows details for ISVG-IM Service center:



    1. Signature Algorithm – HS256

    2. Attribute Mappings - Select this as per your business requirement.

    3. Access Policies – Select Identity Source which you wanted to allow to use for SSO.



Go back to Sing-on tab and copy Client ID and Client Secret to use the same with ISVG-IM.

After Completing Steps on IBM Security Verify SaaS, we need to add details in IBM Security Verify Governance product.

NOTE:  Provider name should be the same as the name you have used in redirect URI in Verify SaaS.

Redirect URIs:   https://<ISVG-IM-Application-hostname>:9082/oidcclient/isimsso

We can use manual method to fill the OpenID details like Authorization URL, Token URL etc. Also, we can use discovery URL from IBM Security Verify SaaS to fill the details automatically.

Discovery URL : We can get it from OpenID connect Single Sign-on Configuration help section (right side panel). Discovery URL is useful in the case of Virtual Appliance.

https://<Verify-SaaS-Tenant>/oidc/endpoint/default/.well-known/openid-configuration



Configuration on IBM Security Verify Governance – Identity Manager (S/W Stack):

Steps:

  1. Install the OpenID Connect ACS application by using the installOIDCRP.py script (included with WebSphere).

    Navigate to $WAS_HOME/bin and execute either:
    Single Sever:
    wsadmin.sh -user <wasadminid> -password <wasadminpwd> -f installOIDCRP.py install <nodeName> <serverName>

    OR

    Cluster:
    wsadmin.sh -user <wasadminid> -password <wasadminpwd> -f installOIDCRP.py install <clusterName>

    Where:
    <wasadminid> = WebSphere Admin ID
    <wasadminpwd> = WebSphere Admin Password
    <nodeName> = WebSphere Node name
    <serverName> = Name of the Application Server instance
    <clusterName> = Name of the Application Cluster in WebSphere


  2. Enable OpenID Connect TAI using the WebSphere Administration Console:

    1. Login to the WAS Admin Console

    2. Navigate to Security > Security Domains

    3. Click on “ISIMSecurityDomain”

    4. Expand the “Trust Association” section under “Security Attributes”

    5. Customize for this domain” should already be selected (select this option if it is not already)

    6. Click the “Enable trust association” box.

    7. Click the “Interceptors” link

    8. Click the New button

    9. For the Interceptor class name, enter:
      com.ibm.ws.security.oidc.client.RelyingParty

    10. Click New to create the following properties:



Name

Description

provider_1.identifier

The unique name that is assigned to the Provider.

provider_1.clientId

The client ID is registered at the OpenID Connect provider.

provider_1.clientSecret

The secret that is registered at the OpenID Connect provider.

provider_1.authorizeEndpointUrl

The authorization URL of the OpenID Connect provider.

provider_1.tokenEndpointUrl

The token URL of the OpenID Connect provider.

provider_1.signatureAlgorithm

The signature algorithm that is supported by the OpenID Connect provider.

provider_1.issuerIdentifier

The unique identifier of the OpenID Connect provider, its value is provided by the OpenID Connect Provider.

provider_1.scope

The scope that is supported by the OpenID Connect provider and it has space separated values.

provider_1.audiences

Provide audience type as ALL_AUDIENCES

provider_1.interceptedPathFilter

Specifies a comma-separated list of regular expression patterns that are compared against the request URI to see whether the TAI will intercept the request. Example /itim/console.*,/itim/ui.*,/itim/rest.*,/itim/restlogin.*

provider_1.useRealm

Specifies the realm name to be used for each request to this provider, Example itimCustomRealm.

provider_1.userIdentifier

This property is set to a claim name used by the vendor's ID Token that represents a user's unique security name.


    1. Click OK and Save

  1. Add custom properties using the WebSphere Administration Console:

    1. Click on Security Domains > ISIMSecurityDomain

    2. Click on the Custom Properties link (in the Security Attributes section)

    3. Click the New button to add the following custom properties:

Name

Value

com.ibm.websphere.security.InvokeTAIbeforeSSO

com.ibm.ws.security.oidc.client.RelyingParty



    1. Click OK then Save.

  1. Import the OpenID connect provider's SSL signer certificate to the WebSphere Application Server's truststore.

    1. In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates.

    2. Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.

    3. Click Add.

    4. Complete the certificate information, then click Apply.

  2. Add the Identity Provider Realms to the list of Inbound Trusted Realms:

    1. Navigate to Security > Security Domains > ISIMSecurityDomain.

    2. Expand User Realm (in the “Security Attributes” section).

    3. Customize for this domain” should be selected.

    4. Click the “Configure” button.

    5. Click “Trusted authentication realms – inbound” link (in the “Related Items” section)

    6. Click “Add External Realm”

    7. Enter “cloudIdentityRealm” and click Ok

    8. Confirm cloudIdentityRealm shows “Trusted” in the Inbound Trust column

    9. Click Apply and Save

  3. Update property files

    1. Update properties in ui.properties

      1. enrole.ui.disableLoginPage = true

      2. enrole.ui.logoffURL = /itim/console/jsp/logon/openidLogout.jsp

    1. Update properties in UIconfig.properties

      1. ui.disableLoginPage = true

      2. logouturl = /itim/ui/openidLogout.jsp

Note: Update enrole.ui.ssoEnabled=true in ui.properties for change password

  1. Restart WebSphere



Configuration on IBM Security Verify Governance – Identity Manager Virtual Appliance:

Steps:

  1. Add IBM Security Verify certificate from Virtual Appliance Local Management Interface (LMI) navigate to Configure -> Manage External Entities -> SSL Certificate Management.

  2. From Virtual Appliance Local Management Interface (LMI) navigate to Configure -> Manage External Entities -> OpenID connect Configuration and fill the details




    Certificate Alias: The label of the certificate that was uploaded to the trust store. Select an appropriate label which is added.

    User Realm / Domain: Specifies the realm name or domain name of the identity provider where the user is created. In the case of Verify SaaS realm is cloudIdentityRealm.

    Logoff URL: The OpenID Connection provider logout URL. By providing a logout URL after logging out from the selected Interface, IBM Security Verify Governance cleans all OpenID Connect provider tokens. If you do not provide an OpenID Connect provider logout url, logout only cleans IBM Security Verify Governance application tokens.
    https://<Verify-Tenent>/idaas/mtfim/sps/idaas/logout

Configuration on IBM Security Verify Governance – Identity Governance Virtual Appliance:

Steps:

  1. Add IBM Security Verify Governance certificate into IBM Security Verify Governance KeyStore signer from VA LMI > Configure > Certificate panel.

  2. Admin console:




  3. Service center:

  4. After saving the configuration, take a restart of IBM Security Verify Governance server from VA LMI Dashboard.

Troubleshooting:

  1. For ISVG-IM we can use following log level to enable extra logs:
    com.ibm.ws.security.openid20.*
    com.ibm.ws.security.web.*

  2. For ISVG-IG we can use following log level to enable extra logs:
    com.ibm.ws.security.*=all
    com.ibm.ws.webcontainer.security.*=all
    com.ibm.oauth.*=all
    com.ibm.wsspi.security.oauth20.*=all
    org.apache.http.client.*=all

  3. Time difference issue. We must keep our ISVG product time and timezone same as the Verify SaaS tenant time and timezone.

Conclusion:

With the above end-to-end steps, the IBM Security Verify Governance customers can use the Next Generation Authentication technique with Verify Governance using OpenID.

0 comments
24 views

Permalink