Configuring single sign-on (SSO) through SAML authentication
Use the Security Assertion Markup Language (SAML) protocol to configure the single sign-on (SSO) authentication method between IBM Security QRadar® Suite Software and your IBM® Security Verify enterprise identity provider.
About this task
For more information about how Verify uses SAML for SSO, see Single Sign-on.
SAML authentication and Red Hat OpenShift authentication are not supported in installation. Non-admin users are unable to configure Red Hat OpenShift or SAML authentication.
Support for SSO is provided through the IBM Cloud Pak® foundational services component, which is installed with QRadar Suite Software. You must have administration permission in Verify and foundational services to complete the procedure.
Onboarding users to a Verify instance
The QRadar Suite Software initial user, and all other users that you are planning to add to QRadar Suite Software, must exist with an email address in your Verify identity provider instance. If you add a user with no email address, they might experience issues when they try to access QRadar Suite Software applications.
Before you begin
For more information on how to set up IBMid as a valid identity provider in your Verify instance, see Managing Identity Providers.
- Configure IBMid as a valid identity provider in your Verify instance.
- The email address of users should be added in lowercase and must have an associated IBMid account.
- Although the Verify instance might show it as an optional parameter, you must specify the name attribute, because QRadar Suite Software requires it.
- Do not add a user with the username admin to your identity provider, as that might cause issues with other services on your cluster.
- Any user ID value that is used in QRadar Suite Software must be uniquely defined in only one of the connected identity providers. This restriction applies to the initial administrator and to any other user ID that is added to accounts later. If a duplicate user ID is encountered, QRadar Suite Software does not start correctly, and no users can access the system.
- Make sure that you add the user name and email address in lowercase, as recommended, so that you can later configure the emaillowercase attribute of the SAML login assertion.
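The onboarding rules above (required name attribute, lowercase email, no admin user, user IDs unique across identity providers) can be checked before the connection is enabled. The following is an added example, not IBM's code; the SAML attribute names name and email, the sample assertion and the user lists are constructed assumptions, and user IDs are compared case-insensitively as a conservative choice.

```python
"""Pre-flight checks for the Verify onboarding rules listed in "Before you begin"."""
import xml.etree.ElementTree as ET
from collections import Counter

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment; attribute names are assumed, not taken from Verify.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="name"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>J.Doe@Example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(xml_text):
    """Return {attribute name: first value} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    return attrs


def check_assertion(attrs):
    """Apply the page's rules: name present, email lowercase, no 'admin' user."""
    problems = []
    if not attrs.get("name"):
        problems.append("missing required 'name' attribute")
    email = attrs.get("email")
    if email is None:
        problems.append("missing email attribute")
    elif email != email.lower():
        problems.append(f"email '{email}' is not lowercase; fix the IdP entry or map emaillowercase")
    if attrs.get("name") == "admin":
        problems.append("username 'admin' must not be onboarded")
    return problems


def duplicate_user_ids(idp_users):
    """idp_users: {identity provider: [user ids]}. Return ids defined in more than one IdP."""
    seen = Counter()
    for users in idp_users.values():
        for uid in set(users):
            seen[uid.lower()] += 1  # assumption: case-insensitive comparison
    return sorted(uid for uid, n in seen.items() if n > 1)


if __name__ == "__main__":
    print(check_assertion(assertion_attributes(SAMPLE_ASSERTION)))
    print(duplicate_user_ids({"verify": ["jdoe", "asmith"], "openshift": ["JDoe"]}))
```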
Procedure
Configuring the SAML SSO connection in foundational services
Before you configure your connection, you need the credentials for IBM Cloud Pak foundational services, so that you can enable SAML as an identity provider in QRadar Suite Software and export its metadata.
Before you begin
Install Red Hat OpenShift CLI 4.12 or later
The Red Hat OpenShift CLI client helps you develop, build, deploy, and run your applications on any Red Hat OpenShift or Kubernetes cluster. It also includes the administrative commands for managing a cluster under the adm subcommand.
Procedure
Install Cloud Pak CLI 3.23.1 or later
Procedure
Retrieve login credentials for foundational services
Procedure
Enable your SAML SSO connection
Procedure
Providing Verify with data from foundational services
In this task, you create an application in Verify, provide that application with the certificate metadata retrieved directly from foundational services, and then obtain the Verify unique ID metadata that is required to complete the SAML SSO configuration in foundational services.
Before you begin
- Ensure you have the authorization to log in to the Verify administration console.
- In Verify, you must use the Custom Application template. For more information, see Custom application.
Procedure
Providing foundational services with data from Verify
To complete the SAML SSO configuration in foundational services, register the Verify instance so that it can connect with foundational services.
Before you begin
- Switch back to your QRadar Suite Software cluster.
- Make sure that all ibm-common-services and cp4s namespace pods are in the 1/1 Running state by running oc get pods -n <namespace>.
Procedure
What to do next
Verify the SSO connection as the initial identity provider by logging in to QRadar Suite Software as the initial user.