Introduction:
In this blog, we will walk through the configuration steps needed to achieve SSO when accessing the IBM Security Verify Access (ISVA) Local Management Interface (LMI) console. We have used Salesforce as the OIDC provider; however, you are free to use any other OIDC provider of your choice.
Roles:
ISVA LMI as the Relying Party and Salesforce as the OpenID Provider.
Prerequisites:
- ISVA Appliance with version 10.0.8 or higher
- A Salesforce Developer or Enterprise account with identity provider features enabled.
Configuration steps on Salesforce OIDC provider:
1. Log in to the Salesforce portal. Sign up if you do not have an account.
Visit https://login.Salesforce.com and log in.
2. Create the ISVA application under App Manager
Navigate to Apps --> App Manager, click New Connected App (top right), select the Create Connected App option and click Continue.

Fill Basic Information:
- Connected App Name: ISVA_LMI (choose any appropriate name)
- API Name: populated automatically
- Contact Email: the administrator's email address

Fill details into API (Enable OAuth Settings):
- Check the Enable OAuth Settings box
- Provide the LMI callback URL in the following format:
https://{ISVA_LMI_Hostname}/oidcclient/redirect/lmi
- Select these two OAuth scopes:
  - Access the identity URL service (id, profile, email, address, phone)
  - Access unique user identifiers (openid)
- Uncheck the Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows option, as PKCE is not used in this lab
- Select / check the following options:
  - Require Secret for Web Server Flow
  - Require Secret for Refresh Token Flow
  - Enable Authorization Code and Credentials Flow

- Click Save and then Continue
3. Review the configuration to retrieve the consumer key and consumer secret
- Click on Manage Consumer Details
- Complete the second-factor authentication; the verification code is sent to the Salesforce account email
- Copy and save the consumer details somewhere safe (the Consumer Key is the client ID and the Consumer Secret is the client secret)
- This completes all the required configuration on Salesforce.
Configuration steps on IBM Security Verify Access Relying Party:
1. Log in to the Local Management Interface (LMI) console and enable SSO
- Navigate to System --> System Settings --> Management Authentication
- Select Federated SSO and click Next
- Enter the Client ID, Client Secret and OIDC Discovery Endpoint obtained from the OIDC provider.
OIDC Discovery Endpoint:
https://{your_Salesforce_org_domain}.my.Salesforce.com/.well-known/openid-configuration
- Keep the default SSL certificate and Username Claim as they are
- Select "All users are admin users"
- Click Save.
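Before saving step 1, it is worth confirming that the discovery document behind the endpoint above actually advertises what this relying-party setup depends on (an https issuer that matches the discovery URL, the authorization code flow, the openid scope and client-secret authentication at the token endpoint) and that the callback registered in Salesforce has the LMI form. The Python check below is an added example, not ISVA or Salesforce code; the org domain, LMI hostname and discovery document it uses are constructed samples.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a discovery document (not a real Salesforce org);
# a real one is fetched from the /.well-known/openid-configuration URL above.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example-org.my.salesforce.com",
    "authorization_endpoint": "https://example-org.my.salesforce.com/services/oauth2/authorize",
    "token_endpoint": "https://example-org.my.salesforce.com/services/oauth2/token",
    "jwks_uri": "https://example-org.my.salesforce.com/id/keys",
    "response_types_supported": ["code", "token", "token id_token"],
    "scopes_supported": ["id", "profile", "email", "address", "phone", "openid"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
})


def check_discovery(doc_json, discovery_url, callback_url):
    """Return a list of problems; an empty list means the provider advertises
    everything the LMI relying-party configuration in this guide depends on."""
    doc = json.loads(doc_json)
    problems = []
    # OIDC Discovery requires the issuer to equal the URL the document was fetched under
    expected_issuer = discovery_url.split("/.well-known/")[0]
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} does not match {expected_issuer!r}")
    # every endpoint the LMI will talk to must be https
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key, "")
        if urlparse(url).scheme != "https":
            problems.append(f"{key} missing or not https: {url!r}")
    # the Salesforce app was configured for the authorization code flow
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the 'code' response type")
    # 'openid' is mandatory; 'profile' and 'email' are the other scopes selected above
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("provider does not advertise the 'openid' scope")
    # LMI authenticates with a client secret (client_secret_basic is the spec default)
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if not any(m.startswith("client_secret_") for m in methods):
        problems.append("token endpoint does not accept a client secret")
    # the callback registered in Salesforce must be https and end in the LMI path
    cb = urlparse(callback_url)
    if cb.scheme != "https" or cb.path != "/oidcclient/redirect/lmi":
        problems.append(f"callback URL not in expected form: {callback_url!r}")
    return problems
```

Run it against the live document by fetching your org's discovery URL and passing the JSON text together with the callback URL you registered; any non-empty result should be resolved before clicking Save.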

2. Add Advanced Tuning Parameters on the LMI appliance
- Go to System --> Advanced Tuning Parameters --> add the following tuning parameters
Key: lmi.liberty_option.httpEndpoint/SameSite.none
Value: WAS*
Key: lmi.liberty_option.httpEndpoint/SameSite.strict
Value: *
Key: lmi.liberty_option.webAppSecurity.sameSiteCookie
Value: Disabled

This completes all the required configuration on ISVA appliance.
Test the SSO between ISVA LMI & Salesforce:
- Access the LMI console
- The browser is redirected to the Salesforce IdP for authentication
- After successful authentication at the IdP, the user's browser is redirected back to the LMI console