Most enterprises have become diligent about who is accessing their applications and systems. Do they really need access? Is the access temporary or permanent? What about privileged accounts such as root users and admins? Sharing those credentials with a user or group for a time-limited activity is a risk. Identity and access management (IAM) exists to address all of these concerns.
How do you authenticate to access the console? Instead of authenticating with local credentials, why not centralize the authentication mechanism using Verify or any other IAM platform? This ensures that users don’t have to remember another set of credentials and can use their corporate credentials to access the vault.
What is IBM Guardium Key Lifecycle Manager?
IBM Guardium Key Lifecycle Manager is an encryption key management tool that centralizes, simplifies and automates the key management process. It offers robust and security-rich key storage, key serving, and key lifecycle management for self-encrypting applications and solutions by using interoperability protocols, including KMIP, IPP, and REST APIs.
What is IBM Security Verify SaaS?
The IBM Security Verify SaaS platform is a completely cloud-based IAM solution that offers hybrid cloud deployment options. It provides automated, cloud-based and on-premises capabilities for administering identity governance, managing workforce and consumer identity and access, and controlling privileged accounts.
Verify SaaS offers:
* Core identity base capabilities for both your workforce and consumers, including adaptive access and advanced authentication capabilities that are powered by IBM Security Trusteer's AI-enabled engine
* Single sign-on for centralized access control to cloud and on-premises resources
* Adaptive access for risk-based authentication
* Advanced authentication for frictionless access
* Embedded privacy and consent management capabilities that are prebuilt into easy-to-adopt workflows
* Full lifecycle management to connect application access with business governance workflows
New features are added to the product regularly. To keep up to date with the latest capabilities, bookmark What’s new.
Learning objectives
In this tutorial, you will set up IBM Verify as an OIDC Identity Provider (IdP) providing single sign-on authentication to GKLM.
This use case combines IBM Guardium Key Lifecycle Manager and IBM Verify; however, it can be extended to any IAM solution that supports OIDC for authentication.
OIDC
OpenID Connect is a simple identity protocol and open standard built on the OAuth 2.0 protocol. It enables client applications to rely on authentication performed by an OpenID Connect Provider to verify the identity of a user.
OpenID Connect uses OAuth 2.0 for authentication and authorization and then builds identities that uniquely identify users. Client applications can also obtain basic profile information about a user from OpenID Connect Providers in an interoperable, REST-like manner.
This tutorial uses the Authorization Code Flow grant type, with GKLM registered as a public client and PKCE enabled.
Architecture
The following figure shows the high-level architecture of the developed solution. In this scenario, you access the application (GKLM) protected with Verify policies through a trusted device. The policy ensures that untrusted devices cannot access the application despite successful authentication. Verify supports SAML, OIDC, and legacy authentication protocols.
Prerequisites
To follow this tutorial, you need:
· A Verify SaaS instance. Sign up for a 90-day trial instance here
· IBM GKLM with Admin access (Note: this tutorial is based on GKLM v5.0)
Estimated time
It should take you approximately 20 minutes to complete the tutorial.
Steps
Step 1: Configuring IBM Security Verify SaaS
- Log in to IBM Security Verify SaaS as administrator and navigate to ‘Applications’.
- Click ‘Add application’.
- Select ‘Custom application’ when prompted for ‘Type’.
- Provide the application name and company name.
- Navigate to the Sign-on tab and select OpenID Connect 1.0
- The Application URL and Redirect URIs will be shared by the GKLM team
- In token settings, specify the Audiences as ‘ALL_AUDIENCES’
- Click Save.
Step 2: Set up IBM GKLM
- On the GKLM admin console, navigate to User management > Authentication providers
- Click on the edit button corresponding to OIDC authentication
- Select the radio button corresponding to OIDC
- Select the checkbox to Enable OIDC-based authentication
- Edit Client credentials, enter the Client ID obtained from Verify and provide a dummy Client secret (GKLM is registered as a public client using PKCE, so the secret is not used)
- Click Save
- Edit Authorization server details
- Enter the Discovery URL in the format https://<YOUR_VERIFY_TENANT_FQDN>/oidc/endpoint/default/.well-known/openid-configuration
- Select introspect as the Method
- The Endpoint URL can be found by opening the Discovery URL in your browser and reading the introspect endpoint, which has the format https://<YOUR_VERIFY_TENANT_FQDN>/v1.0/endpoint/default/introspect
- Enter sub in the User identifier field
- Click Save
- Under the Provider certificate section, import the certificate file. You can download the certificates as .cer files (root and any intermediates) from your browser by accessing your IBM Security Verify tenant.
- Click Test connection
- Once the test connection is successful, click Save and the configuration will be saved
- You will get a notification that the GKLM server will be restarted
- Once the GKLM server restarts, you will find a Log in with SSO option on the login page
- Selecting Log in with SSO redirects to Verify for authentication and lands on the GKLM homepage after successful authentication
Ensure that the user who is trying to access the console through Verify already exists in GKLM. If the user does not exist, create the user identity by providing a dummy password.
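The PKCE-enabled Authorization Code Flow from the OIDC section and the discovery, introspect and sub settings from Step 2, as an added Python example that is not part of the original tutorial or of GKLM's own code. The discovery document is a constructed sample: its introspect path follows the tutorial, while the authorize and token paths and the placeholder tenant, client ID and redirect URI are assumptions.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed sample of the fields GKLM needs from a Verify tenant's discovery
# document (the tutorial's Discovery URL). The tenant name is a placeholder and
# the authorize/token paths are assumed; only the introspect path is from the page.
TENANT = "YOUR_VERIFY_TENANT_FQDN"
DISCOVERY_DOC = json.dumps({
    "authorization_endpoint": f"https://{TENANT}/oidc/endpoint/default/authorize",
    "token_endpoint": f"https://{TENANT}/oidc/endpoint/default/token",
    "introspection_endpoint": f"https://{TENANT}/v1.0/endpoint/default/introspect",
    "code_challenge_methods_supported": ["S256"],
})

def endpoints_from_discovery(doc: str) -> dict:
    """Pull the endpoints the GKLM form asks for out of a discovery document."""
    d = json.loads(doc)
    # A public client with PKCE is only safe if the provider supports S256.
    if "S256" not in d.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise S256 PKCE")
    return {k: d[k] for k in ("authorization_endpoint", "token_endpoint", "introspection_endpoint")}

def pkce_pair() -> tuple:
    """(code_verifier, code_challenge) per RFC 7636 with the S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def challenge_matches(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs before releasing tokens."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return secrets.compare_digest(
        base64.urlsafe_b64encode(digest).rstrip(b"=").decode(), challenge)

def authorize_url(authz_endpoint, client_id, redirect_uri, challenge, state):
    """Authorization request that 'Log in with SSO' redirects the browser to."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid",
              "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return authz_endpoint + "?" + urlencode(params)

def user_from_introspection(resp: dict) -> str:
    """Apply the tutorial's 'User identifier = sub' rule to an introspect reply."""
    if not resp.get("active"):
        raise PermissionError("token not active")
    return resp["sub"]  # must match an existing GKLM user
```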
Summary
In this tutorial, you learned how to integrate an IAM solution (Verify SaaS) with IBM Guardium Key Lifecycle Manager. If you’d like to learn about more security applications, see the Security hub on IBM Developer.
Authors: Sushmita Das, Monali Behera, Suraj Kanth