IBM Security Verify


Integrating Hybrid Identities with IBM Verify SaaS

By Tushar Prasad posted Thu January 18, 2024 11:50 PM


Co-Authored By Sameer Kapadia

Integrating hybrid identities with IBM Security Verify and onboarding an on-prem LDAP into IBM Security Verify SaaS with the power of OpenShift

Challenges

In today's dynamic landscape, where organizations use a multi-cloud hybrid deployment model, managing digital identities and their security becomes paramount. The hybrid nature, with identities dispersed across sources such as private clouds, legacy systems, or anywhere in the multi-cloud environment, accentuates the need for a comprehensive approach.

In the ongoing journey of cloud modernisation, the movement of identities is inevitable. Throughout this process, critical consideration must be given to user experience, the security of the digital identities, and minimal disruption or threat to the business.

IBM Security Verify enables organisations to embark on an Identity Fabric journey, offering solutions to the challenges outlined above.

This article describes how IBM Security Verify integrates an on-prem LDAP directory (OpenDJ in this example) and then gradually migrates its identities into a modern Identity and Access Management solution, IBM Security Verify SaaS, which offers:

• Modern security methods

• Threat intelligence 

• Auditing and tracking capabilities 

Use Case 

Consider the fictional company JKE, which currently maintains its user store in an on-premises OpenDJ LDAP directory. OpenDJ listens on the LDAPS port and stores user attributes, groups, and passwords. The organization recognizes the need to transition to a modern Identity and Access Management (IAM) solution, IBM Security Verify. The objective is to let users authenticate to Verify SaaS while continuing to use the identities stored in the on-premises OpenDJ.

Throughout this transition the customer expects Just-In-Time provisioning of identities from OpenDJ into IBM Security Verify, along with a gradual migration of passwords from OpenDJ into Verify SaaS. This phased approach ensures a smooth and secure evolution over time.

Components and Flow 

IBM Security Verify SaaS is a modern IAM solution; the components used in this integration are:

  • IBM Verify SaaS - the modern Identity and Access Management service

  • IBM Verify Bridge - an agent that acts as an intermediary and lets users authenticate to Verify SaaS against the on-prem OpenDJ

  • The Verify Bridge agent runs as a container. It can be deployed on different container orchestration platforms and operating systems (there are deployment patterns for each); in this article it is deployed on OpenShift, which brings all the features of that platform.

  • OpenDJ is used as the LDAP source here. The same approach can also be used against a web service or a database.

  • All communications are over TLS

Components

 

Component diagram: LDAP, Verify Bridge, Verify SaaS.

Pre-Requisites 

  1. OpenDJ already running in an environment

  2. A Verify SaaS tenant is available

  3. An OpenShift environment

Work Flow of the Deployment 

Deployment workflow diagram: Identity Agent configuration, Identity Provider creation, Verify Bridge deployment, verification.

Deployment Steps 

Here we go through the steps from the deployment workflow in detail.

Pre-Requisites 

  • OpenDJ is deployed on the intranet

  • An OpenShift environment is available (either on the intranet or in a public cloud)

  • An IBM Security Verify SaaS tenant is available

Create Identity Agent Configuration in Verify SaaS 

When the Verify Bridge starts, it connects to Verify SaaS and fetches its configuration.

To connect to Verify SaaS, the Verify Bridge needs a Client ID and Client Secret.

The Verify Bridge receives the following information; the steps below show how to configure it:

  • LDAP connection information

  • API credentials

  • Attributes

  • Mapping

  • Optional configuration

Let's start with the steps.

 

  1. Log in to the Verify SaaS tenant admin console: https://<tenant FQDN>/ui/admin

  2. Go to Integrations -> Identity Agents

  3. Click Create Agent Configuration

  4. Make sure Authentication is selected and the Type is LDAP, then click Next

  5. Fill in the connection details of the on-prem OpenDJ LDAP that holds the organization's user identities:

     • The bind DN for OpenDJ is cn=Directory Manager. This is OpenDJ's root account; for production, prefer a dedicated service account with only the read access the Bridge needs.

     • The certificate is the signer certificate of OpenDJ, which listens on the LDAPS port 636.

     • openssl can be used to fetch the certificate. Example:

openssl s_client -showcerts -host "opendj" -port "636" < /dev/null | sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >> openDJSigner.pem

     • -showcerts prints every certificate the server sends and the sed range keeps all of them, so openDJSigner.pem may contain the server certificate as well as the signer. Open the file and keep the CA certificate (the last block when OpenDJ sends its chain). Because the certificate is fetched over the network, compare its fingerprint with the value the OpenDJ administrators publish before uploading it.

  6. Adjust Additional Settings. These are the connection-level settings between the Verify Bridge and LDAP, for example the limit on simultaneous LDAP connections from the agent to LDAP. Set the connection time limit lower than any firewall timeout between the Verify Bridge and LDAP, so that the agent, not the firewall, closes idle connections. Then click Next.

  7. User Properties are the values the agent uses to look up users and attributes in LDAP. For example, the Username attribute is the attribute used to search LDAP. Attributes are comma separated (at the time of writing a space after the comma is required; in later releases it will not be), for example: businessCategory, uid. Click Next.

  8. The Attribute Mapping page shows which attribute of the on-prem LDAP is mapped to which attribute of the Verify SaaS Cloud Directory. Note the example of how businessCategory is mapped to a custom attribute in the Cloud Directory. Click Next.

  9. Fill in the details of the configuration:

     • The Identity Provider display name is what you will see when the Identity Provider is configured later.

     • The Realm helps distinguish these identities as coming from this set of on-prem LDAP servers.

  10. Expand View Advanced Settings. Here you can add optional agent configuration that the agent reads and acts on. Two examples (see https://www.ibm.com/docs/en/security-verify?topic=installation-optional-configuration):

     • InsecureSkipVerify controls TLS certificate verification of the connection. When true, the agent accepts the LDAP server certificate without verifying it, which lets anyone on the path to OpenDJ impersonate the directory; keep it false outside a lab.

     • noGroups controls population of on-prem LDAP groups. When set to true, LDAP groups are not included in the user's credential.

     • Certificate for encryption controls the certificate used between the Bridge Agent and Verify SaaS.

  11. Click Save and continue.

  12. Click Finish and note down the API credentials, the Client ID and Client Secret. Treat the Client Secret as a password: it is what the Bridge uses to authenticate to the tenant.

  13. The Identity Agent configuration in Verify SaaS is complete at this point.
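The openssl command in step 5 appends every certificate the server sends to openDJSigner.pem. The following shell script, added here as an example and not part of the original post or of IBM's tooling, splits such a dump into its individual certificates, selects the signer (the last certificate of the chain), and, when pointed at a live server, prints the fingerprint to compare out of band. The chain text, the host name opendj, the JKE names and the environment variable OPENDJ_HOST are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from IBM: pick the
# signer (issuing CA) certificate out of an `openssl s_client -showcerts`
# dump instead of appending every certificate of the chain to
# openDJSigner.pem, and show how to check its fingerprint before trusting it.
# The host name "opendj", the JKE names and the PEM bodies below are
# constructed sample data, not a real directory.

# Constructed sample: the shape of what `openssl s_client -showcerts`
# prints for a two-certificate chain (leaf first, then its issuer).
SAMPLE_CHAIN='CONNECTED(00000003)
depth=1 CN = JKE Internal CA
verify return:1
Certificate chain
 0 s:CN = opendj
   i:CN = JKE Internal CA
-----BEGIN CERTIFICATE-----
LEAFCERTBODY
-----END CERTIFICATE-----
 1 s:CN = JKE Internal CA
   i:CN = JKE Internal CA
-----BEGIN CERTIFICATE-----
CACERTBODY
-----END CERTIFICATE-----
---
Server certificate
subject=CN = opendj'

# Number of PEM certificate blocks in a dump.
count_certs() {
  printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# The N-th (1-based) PEM block, BEGIN/END lines included.
nth_cert() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == want { print }
    /-----END CERTIFICATE-----/ && n == want { exit }
  '
}

# The signer: the last block in the chain. When the server sends only its
# own self-signed certificate this is also the leaf, which is then correct.
signer_cert() {
  nth_cert "$1" "$(count_certs "$1")"
}

# Live use (skipped unless OPENDJ_HOST is set and openssl is available):
# fetch the chain, keep only the signer, and print the SHA-256 fingerprint
# to compare with the value published by the OpenDJ administrators.
if [ -n "${OPENDJ_HOST:-}" ] && command -v openssl >/dev/null 2>&1; then
  chain=$(openssl s_client -showcerts -connect "$OPENDJ_HOST:636" </dev/null 2>/dev/null)
  signer_cert "$chain" > openDJSigner.pem
  openssl x509 -in openDJSigner.pem -noout -subject -issuer -fingerprint -sha256
fi
```

Run it as OPENDJ_HOST=opendj sh pick-signer.sh against the real directory; the fingerprint it prints is the value to confirm with whoever operates OpenDJ before the certificate goes into the agent configuration.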

Create Identity Provider in Verify Saas  

This configuration controls how users authenticate to Verify SaaS with the on-prem identities held in OpenDJ. It also controls the password policy, Just-In-Time provisioning and password migration.

  1. In the Verify SaaS tenant, go to Authentication -> Identity Providers.

  2. You will notice an entry named AuthenticateOnPrem that was already created as a result of the Identity Agent configuration in the previous steps.

  3. Review the other settings that were created:

     • When the identity provider is enabled, it is shown as an option to users during login (see Sign-in Options). There is also an example towards the end of the section on how to allow only this identity source.

     • A custom password policy can be created and attached to it (optional).

     • Whether an admin can perform a password reset.

     • The username recovery attribute is specified here.

  4. The Identity Linking section controls how the external identity is mapped to users in the Cloud Directory. In this example the givenName attribute from OpenDJ is used as the unique identifier. Whatever attribute you choose must be unique for every user in OpenDJ, otherwise two LDAP users can end up linked to one Cloud Directory account; a given name is rarely unique, so for production prefer an attribute such as uid or mail.

  5. Just-In-Time Provisioning creates the user in the Cloud Directory upon authentication. This is the basis of how user identities are migrated from the on-prem identity source (OpenDJ) into the Verify SaaS Cloud Directory, the central user repository of Verify SaaS.

  6. Password Migration is what gives users a seamless experience: they continue to use the same password they used on-prem without having to change it, and over a period of time the passwords are held in the Cloud Directory.

  7. Attribute mapping is populated from the Identity Agent configuration.

  8. Click Save Changes. This completes the Identity Provider configuration.

Deploy Verify Bridge on OpenShift 

OpenShift is a container orchestration platform. There are other options such as a Windows host, a Linux host or plain Docker; the example here uses OpenShift and with it gains all the benefits of the OpenShift orchestration platform.

The Verify Bridge is deployed via an OpenShift Template:

Create Verify Bridge OpenShift Template -> Instantiate Verify Bridge OpenShift Template instance

An OpenShift template, when instantiated, creates the following in one step:

  1. The required secrets

  2. A Persistent Volume Claim (if any)

  3. A StatefulSet

  4. All parameters required by the Verify Bridge container are passed in

Create OpenShift Template

  1. Make sure you have access to the OpenShift environment.

  2. In an OpenShift project, create a template. The template YAML file is provided at the following GitHub location.

  3. Create the template from the YAML file:

sudo oc create -f Verify-Bridge-Tempalte.yaml

  4. sudo oc get template shows that the template was created; the picture shows the name verify-bridge-stateful.

  5. Test the template by passing in the parameters (oc process only renders the objects; nothing is created yet):

sudo oc process verify-bridge-stateful \
-p APP_NAME="verifybridgeuat" -p CLIENT_ID="7c9a36ca-f4ce-47d9-9748-1e5516fbb2f7" \
-p CLIENT_SECRET="YJL4hV9Ar1" -p TENANT_URI="https://xx-us.verify.ibm.com"

  6. Instantiate the template (this creates the secret, the StatefulSet, etc.):

sudo oc process verify-bridge-stateful \
-p APP_NAME="verifybridgeuat" -p CLIENT_ID="7c9a36ca-f4ce-47d9-9748-1e5516fbb2f7" \
-p CLIENT_SECRET="YJL4hV9Ar1" -p TENANT_URI="https://xx-us.verify.ibm.com" \
| sudo oc create -f -

     The Client ID and Client Secret above are the sample values used in this post. A real client secret passed with -p ends up in the shell history and is visible in process listings while oc runs; put the parameters in a file and use oc process --param-file instead.

  7. This creates a secret and a StatefulSet (shown in the picture below). The secret holds the client ID, the client secret and the tenant details.

  8. Optionally, the secret can be updated with an obfuscated client secret instead of the plaintext value. This step can be done once the pod is running.

  9. rsh into the pod to obfuscate the secret:

sudo oc rsh verifybridgeuat-config-0 /go/src/onprem -obf "YJL4hV9Ar1"

     The output is the obfuscated password, for example:

fSOzeJVhoBQ06j4jx1ywTtyAACn1xxxVbbw4kyOFiT4=

  10. This value can be passed into the existing running deployment by changing the parameter CLIENT_SECRET to OBF_CLIENT_SECRET. It is a two-step process:

     • Convert the obfuscated client secret to base64:

echo "fSOzeJVhoBQ06j4jx1ywTtyAACn1xxxVbbw4kyOFiT4="|base64
ZlNPemVKVmhvQlEwNmo0angxeXdUdHlBQUNuMXh4eFZiYnc0a3lPRmlUND0K

     • Update the secret that was created with the obfuscated password:

sudo oc edit secret verifybridgeuat

     Note that echo appends a newline, which base64 encodes as well (that is the trailing K in the output above), so the value stored in the secret ends with a newline byte. Use printf '%s' "<value>" | base64 -w0 (GNU coreutils) to encode exactly the obfuscated string.

     Obfuscation is not encryption: the agent has to reverse it, so anyone who can read the secret and run the onprem binary can recover the client secret. Restrict who can read secrets in the project with RBAC regardless.

  11. At this point the Verify Bridge is able to run and connect. To check, rsh into the pod (sudo oc rsh verifybridgeuat-config-0); onPrem.log is under /go/src.
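The base64 step above quietly encodes a trailing newline. The following shell script, added here as an example and not code from the original post or from IBM, encodes the obfuscated value exactly, checks the round trip, and renders an oc patch command so the secret is updated in one reviewable step instead of by hand in oc edit. The obfuscated value is the one shown in the post; the secret key name client-secret is an assumption, since the post's template is not reproduced, and should be checked against oc get secret verifybridgeuat -o yaml.

```shell
#!/bin/sh
# Added example, not code from the original post or from IBM: base64-encode
# the obfuscated client secret for the OpenShift Secret without the
# trailing newline that `echo ... | base64` silently adds, and build an
# `oc patch` command for the update. The obfuscated value is the one shown
# in the post; the key name "client-secret" is an assumption (the post's
# template is not reproduced), check it against
#   oc get secret verifybridgeuat -o yaml

OBF_SECRET='fSOzeJVhoBQ06j4jx1ywTtyAACn1xxxVbbw4kyOFiT4='

# What the post does: echo appends '\n', so the stored secret is one byte
# longer than the value the agent expects.
b64_with_newline() {
  echo "$1" | base64
}

# Exact encoding: printf '%s' emits only the bytes of the value; tr removes
# the line wrapping some base64 implementations insert, so the result is a
# single line suitable for a Secret's data field.
b64_exact() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Round trip: the number of bytes the pod will read back after decoding.
decoded_length() {
  printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Render the oc command that replaces the value of one key in a Secret
# (a merge patch on .data). Arguments: secret name, key, value to store.
patch_cmd() {
  printf "oc patch secret %s -p '{\"data\":{\"%s\":\"%s\"}}'" \
    "$1" "$2" "$(b64_exact "$3")"
}

# Usage: print the command, review it, then run it with eval or copy it.
patch_cmd verifybridgeuat client-secret "$OBF_SECRET"
echo
```

decoded_length is the check worth keeping around: after any edit, oc get secret verifybridgeuat -o jsonpath='{.data.client-secret}' piped into it must print the length of the obfuscated string (44 here), not one more.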

 

Completion of All Configurations steps 

 

At this point the following configuration has been completed:

  • Identity Agent configuration (via the Verify SaaS admin UI)

  • Identity Provider creation (via the Verify SaaS admin UI)

  • Verify Bridge agent deployment into OpenShift

 

Verification by logging into Verify SaaS using OnPrem OpenDJ 

 

Start the Flow

Start the flow by opening the tenant login page (https://<tenant FQDN>) in a browser and choosing the on-prem identity provider created above as the sign-in option. Sign in with a user that exists in OpenDJ; the Verify Bridge validates the credentials against OpenDJ and the user is logged in to Verify SaaS.

This also performs a Just-In-Time provisioning of the user into the Verify Cloud Directory, so the user now appears there as well.

Summary 

The on-prem LDAP is now integrated with Verify SaaS, which achieves the purpose of migrating the on-prem identities into a modern IAM. Over a period of time all identities, along with their passwords, move into Verify SaaS. The integration is seamless and does not affect customers, employees or the business.

The same integration works for an OpenDS-based on-prem repository as well.

 



Comments

Fri January 19, 2024 12:07 AM

Excellent blog. Thorough steps from configuration to verification of flow.