IBM Security Identity Governance and Intelligence, Version 5.2.4

Managing OpenID connect configuration

You can use OpenID connect to access the Service Center. The OpenID connect provider must be able to authenticate the user and provide claims to a relying party about the authentication event and the user.

Before you begin

IBM® Security Identity Governance and Intelligence supports OpenID connect providers that meet the following requirements:
  • The provider is fully OIDC-compliant.
  • The user registry is managed by IBM Security Identity Governance and Intelligence.
  • The relying party, IBM Security Identity Governance and Intelligence, is reachable from the provider.
Ensure that you configured an OpenID connect provider such as IBM Security Access Manager. You need the following information to perform OpenID operations.
Table 1. External OpenID Provider configuration parameters

Provider name
  The service that provides your OpenID connection. It is optional.
Configuration
  Select one of these two options:
  • Manual configuration: You are asked to enter all the required data.
  • Discovery configuration: The endpoints, scope, and signature algorithm are located automatically, and you must enter only part of the required data.
Discovery URL
  The URL from which the OpenID discovery configuration can be read. It is required if you selected Discovery configuration.
Authorization URL
  The initial endpoint that is contacted by the relying party to begin a flow. This parameter is entered automatically if you selected Discovery configuration.
Token URL
  The endpoint that is used to exchange an authorization code for a token. This parameter is entered automatically if you selected Discovery configuration.
JWK URL
  The JSON Web Key endpoint that is used for signature verification. It is optional. This parameter is entered automatically if you selected Discovery configuration.
Certificate Alias
  The label of the certificate that was uploaded to the trust store. This field is required when the signature algorithm is RS256 and the JWK URL is not provided. Otherwise, it is optional.
Scope
  The scopes that are associated with access tokens determine which resources are available when the tokens are used to access OpenID connect protected endpoints. The following is a non-normative example of a scope value: scope=openid profile email phone. This parameter is entered automatically if you selected Discovery configuration.
Issuer identifier
  The verifiable identifier for an issuer. An issuer identifier is a case-sensitive URL that uses the HTTP scheme. It contains scheme, host, and optionally, port number and path components. It cannot contain query or fragment components. This parameter is entered automatically if you selected Discovery configuration.
RedirectToRPHostandPort
  Specifies the OpenID relying party host and port number to redirect to. If there is a proxy in front of the relying party, you can override the host name and port with this URL. The format is https://reverseproxyhost:reverseproxyport/. This parameter must be entered manually and is required only if the relying party is behind a reverse proxy that cannot filter the redirect URL.
Signature algorithm
  The algorithm that is used to sign the ID token that is issued by the provider. The default value is HS256.
User ID to create subject
  The name of the claim in the provider's ID token that represents the user's unique identifier. The subject is created from this claim.
Client ID
  A publicly exposed string that is used by the service API to identify the application. It is also used to build the authorization request.
Client secret
  The secret is used to authenticate the identity of the application to the service API when the application requests access to a user account. It must be kept private between the application and the API.
Domains
  The domain that uses OpenID connect as the authentication mechanism. Select Service Center.

About this task

You can configure one or more OpenID providers. However, only one provider can be used to access the Service Center at any one time.

Attention: This feature is not compatible with the OpenID Connect Provider feature that uses an internal provider for authenticating users. Only one of the two features can be enabled at any time.

The OpenID Connect Provider feature is enabled by default on new installations of the current version. If you would rather use this feature, you must first disable OpenID Connect Provider.

If you upgraded from a previous version where you had this feature enabled, OpenID Connect Provider was automatically disabled. You can later decide whether you want to use an internal or an external provider.

Remember that while this feature authenticates users to the Service Center only, OpenID Connect Provider can also authenticate users to the virtual appliance local management interface and to the Administration Console.

Procedure

  1. From the top-level menu of the Appliance Dashboard, click Configure > Manage External Entities > OpenID connect Configuration. The OpenID connect Configuration page is displayed.
  2. Click the tab for the operation that you want to perform.
    Table 2. OpenID connect operations
    New: Use New to configure an OpenID provider.
      1. Click New.
      2. Provide the information based on the type of configuration that you want to perform, either Discovery configuration or Manual configuration.
      3. Select the Service Center check box.
      4. Click Save Configuration.
    Edit: Use Edit to change the provider information.
      1. Select the provider whose information you want to change.
      2. Click Edit.
      3. Change the information in the available fields.
      4. Click Save Configuration.
    Delete: Use Delete to remove an OpenID provider configuration.
      1. Select the provider configuration that you want to remove.
      2. Click Delete.
      3. Click Yes on the confirmation message.
    Refresh: Updates the values in the grid.
    Note: You must register a redirect URI at the OpenID provider. After a successful authentication at the OpenID provider, the client is redirected to this URI, which has the following format:
    https://hostname:9343/oidcclient/redirect/{Provider-Name}
    where
    • hostname is the application interface IP address or the application interface host name of the system where IBM Security Identity Governance and Intelligence is running.
    • Provider-Name is the provider name value that you enter when you register the OpenID connect configuration in the virtual appliance.
    The OpenID provider certificate must be added to the virtual appliance truststore. You can do this task from the virtual appliance certificate page by adding the certificate to the signers. See Managing certificates.

    The following example is for setting up OpenID Connect Federation between IBM Security Access Manager Version 9 and the Identity Governance and Intelligence virtual appliance.

    1. Set up a federation in IBM Security Access Manager.

      Follow the directions at https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.0/com.ibm.isam.doc/config/task/tsk_config_op_federation.html

    2. Create and register the client.
      Follow the instructions at https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.0/com.ibm.isam.doc/config/task/tsk_config_op_partner.html. The redirect URI points to the Identity Governance and Intelligence application. The format is
      https://igiapplication:9343/oidcclient/redirect/provider-name
      Make sure that the provider name is the name of the OpenID Connect provider that you register in the OpenID Connect Provider Configuration panel of the Identity Governance and Intelligence virtual appliance.
    3. Configure IBM Security Access Manager as an OpenID Connect provider. See https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.0/com.ibm.isam.doc/config/concept/con_oidc_auto_config_script.html.
    4. Go to https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.0/com.ibm.isam.doc/config/task/ConfiguringSAML2POC.html and perform steps 3, 5, and 6.
    5. Form the OpenID Connect endpoints. See https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.0/com.ibm.isam.doc/config/concept/con_oidc_endpoints.html.
    6. Ensure that the IBM Security Identity Governance and Intelligence user registry is synchronized with IBM Security Access Manager.
    7. Register the OpenID Connect provider in the IBM Security Identity Governance and Intelligence virtual appliance. Use the client ID, secret, and endpoints that were formed at IBM Security Access Manager. Make sure that the provider name is the same as the provider name in your redirect URL.
    8. Add the IBM Security Access Manager reverse proxy certificate in the application truststore. See Managing certificates.
    9. Restart the IBM Security Identity Governance and Intelligence server from the dashboard.
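As an added example that is not part of the IBM documentation, the following Python shows what Discovery configuration derives from a provider's discovery document (the Table 1 endpoints, scope, signature algorithm and issuer identifier), applies the issuer identifier rules, flags when a Certificate Alias is needed, and builds and checks the redirect URI from the Note. The discovery document is a constructed sample; host names such as idp.example.com and igiapplication are placeholders, not a real deployment.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a provider's discovery document, the JSON served at the
# Discovery URL (conventionally <issuer>/.well-known/openid-configuration).
DISCOVERY_JSON = """{
  "issuer": "https://idp.example.com/oidc",
  "authorization_endpoint": "https://idp.example.com/oidc/authorize",
  "token_endpoint": "https://idp.example.com/oidc/token",
  "jwks_uri": "https://idp.example.com/oidc/jwks",
  "scopes_supported": ["openid", "profile", "email", "phone"],
  "id_token_signing_alg_values_supported": ["RS256"]
}"""

def valid_issuer(issuer):
    """Issuer identifier rules from Table 1: scheme and host are required,
    port and path are optional, query and fragment components are forbidden."""
    u = urlsplit(issuer)
    return (u.scheme in ("http", "https") and bool(u.hostname)
            and u.query == "" and u.fragment == "")

def discovery_fields(doc_text):
    """Return the Table 1 parameters that Discovery configuration fills in
    automatically; raise ValueError when the provider metadata is unusable."""
    doc = json.loads(doc_text)
    if not valid_issuer(doc["issuer"]):
        raise ValueError("issuer identifier has a query or fragment component")
    fields = {
        "Issuer identifier": doc["issuer"],
        "Authorization URL": doc["authorization_endpoint"],
        "Token URL": doc["token_endpoint"],
        "JWK URL": doc.get("jwks_uri"),  # optional in Table 1
        "Scope": " ".join(doc.get("scopes_supported", ["openid"])),
        # HS256 is the Table 1 default when no algorithm is advertised
        "Signature algorithm": doc.get("id_token_signing_alg_values_supported", ["HS256"])[0],
    }
    # With RS256 and no JWK URL, a Certificate Alias in the truststore is required.
    fields["Certificate Alias required"] = (
        fields["Signature algorithm"] == "RS256" and not fields["JWK URL"])
    return fields

def redirect_uri(hostname, provider_name):
    """Redirect URI to register at the provider (format from the Note in Table 2)."""
    return "https://%s:9343/oidcclient/redirect/%s" % (hostname, provider_name)

def redirect_matches(registered_uri, provider_name):
    """True when the provider name in a registered redirect URI is exactly the
    name configured in the virtual appliance (the comparison is case-sensitive)."""
    return urlsplit(registered_uri).path == "/oidcclient/redirect/" + provider_name
```

Running discovery_fields against a provider that advertises RS256 but no jwks_uri reports that a Certificate Alias must be supplied, which is the combination Table 1 calls out.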