
Migrating TFIM-Salesforce integration to IBM Cloud Identity

By Sumana Narasipur posted Tue October 22, 2019 11:56 AM


Last year, Tivoli Federated Identity Manager (TFIM) announced end of support effective September 2019. The recommended replacement offering is IBM Security Access Manager (ISAM) or IBM Cloud Identity, depending on your organization's desired deployment model (cloud, on-premises, or hybrid).


The biggest advantages of moving to IBM Cloud Identity are its ease of use, the connector templates available for most popular providers, and the use of attribute sources to retrieve attributes.


This blog post migrates a TFIM SAML 2.0 identity provider federation that integrates with the Salesforce SAML 2.0 service provider, and also shows how the integration can be combined with second-factor authentication.


Let us first gather the TFIM SAML 2.0 identity provider federation configuration information.


  • Log in to the WebSphere Integrated Solutions Console.
  • Navigate to Tivoli Federation Identity Manager. 
  • Click on Federations. 


  • Select the identity provider federation and gather the signing information. Retrieve the signing key in PKCS#12 (.p12) format.
  • Gather the partner information, such as the Salesforce domain name, the Provider ID, and the Assertion Consumer Service URL.
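Before entering the partner values into IBM Cloud Identity, it is worth confirming that the Provider ID and Assertion Consumer Service URL taken from the TFIM partner configuration match what the Salesforce service provider actually publishes in its SAML 2.0 metadata. The following is an added example, not code from this post or from IBM, TFIM or Salesforce: it parses a service-provider metadata document with the Python standard library, extracts the values the Cloud Identity Sign-on tab asks for, and flags endpoints that are not HTTPS or whose host does not match the expected Salesforce domain. The embedded metadata, the domain `example-dev-ed.my.salesforce.com` and the `so=` query value are constructed placeholders.

```python
"""Extract SAML 2.0 service-provider partner settings from metadata and
sanity-check them before copying them into a new identity provider.

Added example for this post; not IBM, TFIM or Salesforce code.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample in the shape of a Salesforce SP metadata export.
# Domain, entityID and the "so=" value are placeholders, not real values.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-dev-ed.my.salesforce.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-dev-ed.my.salesforce.com?so=00DPLACEHOLDER"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the partner values an IdP needs: Provider ID (entityID),
    ACS endpoints, NameID formats and whether signed assertions are required."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")

    acs = []
    for el in sp.findall("md:AssertionConsumerService", NS):
        acs.append({
            "binding": el.get("Binding"),
            "location": el.get("Location"),
            "index": int(el.get("index", "0")),
            "default": el.get("isDefault", "false").lower() == "true",
        })

    return {
        "provider_id": root.get("entityID"),
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "name_id_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text],
        "acs": sorted(acs, key=lambda a: a["index"]),
    }


def check_partner_settings(settings: dict, expected_host: str) -> list:
    """Return a list of findings; an empty list means the values are
    consistent with the expected Salesforce domain and safe to copy."""
    findings = []
    pid = urlparse(settings["provider_id"] or "")
    if pid.hostname != expected_host:
        findings.append("Provider ID host %r does not match expected %r" % (pid.hostname, expected_host))
    if not settings["acs"]:
        findings.append("no AssertionConsumerService endpoint in metadata")
    for a in settings["acs"]:
        u = urlparse(a["location"] or "")
        if u.scheme != "https":
            findings.append("ACS %r is not https" % a["location"])
        if u.hostname != expected_host:
            findings.append("ACS host %r does not match expected %r" % (u.hostname, expected_host))
    if not settings["want_assertions_signed"]:
        findings.append("SP does not require signed assertions; verify the signing configuration")
    return findings


if __name__ == "__main__":
    settings = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("Provider ID:", settings["provider_id"])
    for a in settings["acs"]:
        print("ACS URL:", a["location"], "(default)" if a["default"] else "")
    print("Findings:", check_partner_settings(settings, "example-dev-ed.my.salesforce.com") or "none")
```

Run it against the real metadata downloaded from the Salesforce Single Sign-On settings page, and pass the host name you intend to enter on the Cloud Identity application as `expected_host`; any finding means the TFIM partner record and the live service provider have drifted and should be reconciled before cut-over.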


Steps to be configured on IBM Cloud Identity 

  • Log in to an IBM Cloud Identity tenant using admin-privileged credentials: https://tenantname.ice.ibmcloud.com/ui/admin/
  • Navigate to Applications and click Add Application.
  • Search for the Salesforce application type, and click Add Application.
  • Update the application name to “TFIM to CI Salesforce Integration”.
  • Provide the host name of the Salesforce domain retrieved from TFIM.
  • Navigate to the Sign-on tab. The Provider ID is auto-populated from the host name provided; the Assertion Consumer Service URL can be entered from the TFIM partner information.
  • To enable second-factor authentication, navigate to Access Policies and uncheck “Use default policy”.
  • From the list of access policies, select “Always require 2FA in all devices”. Click Save.
  • Entitlements need to be assigned for the application.
  • Salesforce configuration instructions are provided.
  • Uploading the signing key: navigate to Configuration > Certificates and click Add personal certificate.
  • Point to the file location, provide the password, and set it as the default certificate.