IBM Security Verify

  • 1.  OAuth SSO for Spring Boot app on Azure

    Posted Fri February 12, 2021 08:53 AM
    Hello,
    We have a custom application running in an Azure environment, and I was wondering if there is any documentation or steps to set up OAuth/OIDC SSO. I saw the IBM Security Learning Academy has steps to set up SSO using SAML with Salesforce, but I don't see anything for OAuth.
    Please let me know the best practice, as well as whether any documentation is available.

    ------------------------------
    Bhumi Acharya
    ------------------------------


  • 2.  RE: OAuth SSO for Spring Boot app on Azure

    Posted Fri February 12, 2021 01:09 PM
    Hi Bhumi,

    I was able to get a Spring Boot application working with IBM Security Verify using the spring-boot-starter-oauth2-client package (and security package).

    I'm going to assume you know Spring (I do not) and so I'm not detailing the UserController and OAuth2SecurityConfig classes I used to trigger the OIDC login and extract data from claims - I think they would be the same for any OIDC provider.

    The configuration for OIDC on the Spring side looked like this:

    spring:
      security:
        oauth2:
          client:
            registration:
              idsvr:
                client-name: Login with IBM Security Verify
                client-id: d9047136-1234-1234-97bf-a3f9355d7fc9
                client-secret: t1234LZmM0
                authorization-grant-type: authorization_code
                redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
                scope: openid, profile
            provider:
              idsvr:
                issuer-uri: https://yourtenant.verify.ibm.com/oidc/endpoint/default

    (I was only able to complete client-id and client-secret after I created the application definition in Verify.)

    The Spring Server was running on my local machine at https://localhost:9443.

    In IBM Security Verify, I created a custom application and selected OIDC 1.0 as the SSO type.
    I enabled (only) Authorization Code grant flow.
    I disabled PKCE.
    The redirect URI was set to: https://localhost:9443/login/oauth2/code/idsvr

    I hope this helps.  Is it enough information?

    Jon.



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
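As an added example (not Jon's code, and not part of Spring or IBM Security Verify): an offline check of the two things this setup depends on. It expands Spring's `redirect-uri` template into the exact value that must be registered in Verify, and validates a constructed stand-in for the issuer's `/.well-known/openid-configuration` document against the registration (exact issuer match, authorization_code grant and `code` response type supported, requested scopes advertised). The tenant name and the discovery document are constructed placeholders.

```python
import json

# Values from the Spring registration in the post (tenant name is a placeholder).
ISSUER_URI = "https://yourtenant.verify.ibm.com/oidc/endpoint/default"
REGISTRATION_ID = "idsvr"
BASE_URL = "https://localhost:9443"
REDIRECT_TEMPLATE = "{baseUrl}/login/oauth2/code/{registrationId}"
SCOPES = ["openid", "profile"]

# Constructed stand-in for what the issuer's discovery endpoint would return.
DISCOVERY_JSON = json.dumps({
    "issuer": ISSUER_URI,
    "authorization_endpoint": ISSUER_URI + "/authorize",
    "token_endpoint": ISSUER_URI + "/token",
    "jwks_uri": ISSUER_URI + "/jwks",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code"],
    "scopes_supported": ["openid", "profile", "email"],
})


def expand_redirect_uri(template, base_url, registration_id):
    """Expand Spring's redirect-uri template into the concrete callback URL."""
    return template.replace("{baseUrl}", base_url).replace("{registrationId}", registration_id)


def redirect_uri_matches(registered, template, base_url, registration_id):
    """Providers compare redirect URIs exactly: no prefix, case or trailing-slash leniency."""
    return registered == expand_redirect_uri(template, base_url, registration_id)


def discovery_url(issuer_uri):
    """OIDC Discovery: metadata lives at issuer + /.well-known/openid-configuration."""
    return issuer_uri.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(discovery_json, issuer_uri, scopes):
    """Return a list of problems; an empty list means the registration fits the provider."""
    meta = json.loads(discovery_json)
    problems = []
    # The advertised issuer must equal the configured issuer-uri byte for byte;
    # a trailing-slash difference is the classic startup failure.
    if meta.get("issuer") != issuer_uri:
        problems.append(f"issuer mismatch: {meta.get('issuer')!r} != {issuer_uri!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not meta.get(key, "").startswith("https://"):
            problems.append(f"{key} missing or not https")
    # Per the spec, grant_types_supported defaults to authorization_code and implicit when absent.
    if "authorization_code" not in meta.get("grant_types_supported", ["authorization_code", "implicit"]):
        problems.append("authorization_code grant not supported")
    if "code" not in meta.get("response_types_supported", []):
        problems.append("response_type=code not supported")
    missing = [s for s in scopes if s not in meta.get("scopes_supported", scopes)]
    if missing:
        problems.append(f"scopes not advertised: {missing}")
    return problems
```

Running `check_discovery` with `ISSUER_URI + "/"` reproduces the issuer-mismatch error that Spring reports when the configured `issuer-uri` and the provider's advertised issuer differ only by a slash.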



  • 3.  RE: OAuth SSO for Spring Boot app on Azure

    Posted Wed March 03, 2021 11:47 AM

    Thanks Jon for your quick response. I have one more question regarding SAML: I see Amazon Web Services SAML 2.0 single sign-on (SSO) configuration templates for SAML partners, however I don't see one for Azure. Is there any help on what is supported there? We are still trying to find out what would be the better way to integrate an Azure app with ISAM: SAML or OAuth.

    ------------------------------
    Bhumi Acharya
    ------------------------------



  • 4.  RE: OAuth SSO for Spring Boot app on Azure

    Posted Wed March 03, 2021 12:47 PM
    Hi Bhumi,

    When I responded to your first message, I thought you were using our IBM Security Verify (SaaS) service.  Now I think you are actually using our Verify Access software (previously known as Access Manager).  Both of these support SAML 2.0 and OIDC, so not a big deal in terms of capability, but the configuration for Verify Access is usually more involved (it also provides more flexibility and customization capability).

    You're asking about SAML vs OAuth which is a bit confusing.  SAML is a web SSO protocol but OAuth is (really) an API Authorization protocol.  Perhaps you really mean "OpenID Connect"?  This is a web SSO protocol which is built on top of OAuth.

    If you need help configuring OpenID Connect in Verify Access, check out this lab on the Security Learning Academy:
    https://www.securitylearningacademy.com/course/view.php?id=4555

    Verify Access can certainly support SSO to Azure using SAML 2.0.  I'm not sure we have a template for it specifically but we do have a template for Office365 (which is secured by Azure).

    I don't have any specific opinion on whether SAML 2.0 or OAuth/OIDC are best for integration of a generic Azure app; they would both likely give you similar capabilities from a single sign-on point-of-view.  I suppose you could argue that OIDC is newer and more aligned with modern architectures (where you have SSO and then downstream REST API calls) so perhaps that is the best bet if it's supported.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------