Using IBM Security Verify as an OIDC provider

Before RQA version 3.1.0, RQA primary administrators and administrators used Jazz® Authorization Server (JAS) single sign-on (SSO) authentication to log in to the RQA administrator dashboard. From RQA version 3.1.0 onward, in addition to JAS authentication, other OIDC providers, such as Liberty and IBM® Security Verify, can also be used for SSO to log in to the IBM RQA administrator dashboard.

Procedure

From RQA version 3.1.0 onward, existing users that use DOORS® Next and use JAS authentication to log in to the RQA administrator dashboard can continue as is. For users that will use RQA for DOORS, the administrator configuration will be done either through JAS or by an IBM Security Verify OIDC provider.
Note: You can also use OpenID Connect Provider as an identity provider. For more information, see Configuring WebSphere liberty from the existing JTS with OIDC.

The administrator needs to complete the following steps to use IBM Security Verify as an OIDC provider for IBM RQA customer-managed:

  1. Open the IBM Security Verify link in the browser to start a free trial.
  2. Click Try Verify Now.
  3. Fill in the new account information to create an account, and click Get the free edition. If you already have an IBM account, click the Log in link.
    IBM Security Verify account information form
    After you are successfully logged in, you can set up the IBM Security Verify client registration.
  4. Enter the suitable domain name, for example, ibmrqa in the Hostname field on the Set up your tenant page, and click Create Tenant.
    IBM Security Verify create tenant
    A tenant is created for you.
  5. Click the View IBM's Terms and Conditions link to view the terms and conditions, select the I agree to IBM's Terms and Conditions checkbox, and click Continue.
  6. Select the role that best aligns with you. If you don't want to select a role, click Other, and Maybe later.
  7. On the IBM Security Verify dashboard, click the Add application link.
  8. On the Applications page, click Add application.
  9. In the Select Application Type window, click Custom Application, and click Add application.
  10. Enter the following details in the Custom Application page:
    1. Enter the custom application name in the Custom Application field. Example: IBM RQA Client.
    2. Enter the name of your company in the Company name field.
    3. Click Add owner only if you want to add more IBM Security Verify application owners.
      Important: By default, the creator of this application is the application owner and can be assigned as an RQA primary administrator.
    Custom application page
  11. Click the Sign-on tab, and enter the following details:
    1. Select Open ID Connect 1.0 from the Sign-on method field.
    2. Enter the IBM RQA administrator dashboard route URL in the Application URL field.
    3. Select Authorization code and Implicit Grant types.
    4. Clear the Require proof key for code exchange (PKCE) checkbox.
    5. Select Do not ask for consent from the User consent field.
    6. Enter your <IBM RQA Admin dashboard route>/auth/sso/callback URI in the Redirect URIs field.
    7. Click the Generate refresh token checkbox.
    8. Select server from the Signing certificate list.
    9. Click Allow all identity sources that are enabled for end users (2 sources) from the Access policies section.
      Note: You can also change it to cloud Identity. To do so, you need to create users by using the Users and groups menu.
    10. Clear the Restrict custom scopes checkbox, and click Save.
    The Entitlements tab is shown.
  12. Click Automatic Access to all users and groups, which enables IBMid and cloud directory users to access the RQA administrator dashboard.
  13. Click the Sign-on tab to get the Client ID and the Client secret that is generated.
    Important: As shown in the screen capture, the OpenID Connect single sign-on (SSO) configuration steps are shown on the right side of the page. Copy the OpenID configuration URL from step 5. You need the URL when you create an IBM RQA instance.
    Custom application page
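
The OpenID configuration URL copied in step 13 returns a JSON discovery document. The following added example (not part of the IBM documentation) checks such a document before it is used for an RQA instance and derives the Redirect URIs value from step 11. The host names and the sample document are constructed placeholders, and the same-host check is an assumption that suits a single-tenant provider.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of an OpenID Connect discovery document (not real tenant output).
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://ibmrqa.idp.example.com/oidc/endpoint/default",
  "authorization_endpoint": "https://ibmrqa.idp.example.com/oidc/endpoint/default/authorize",
  "token_endpoint": "https://ibmrqa.idp.example.com/oidc/endpoint/default/token",
  "jwks_uri": "https://ibmrqa.idp.example.com/oidc/endpoint/default/jwks",
  "response_types_supported": ["code", "id_token", "token id_token"],
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
  "id_token_signing_alg_values_supported": ["RS256"]
}
""")

def redirect_uri(dashboard_route):
    """Build the value for the Redirect URIs field: <route>/auth/sso/callback."""
    parts = urlsplit(dashboard_route)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError("dashboard route must be a plain https:// URL")
    return f"https://{parts.netloc}{parts.path.rstrip('/')}/auth/sso/callback"

def check_discovery(doc):
    """Return a list of problems found in the discovery document (empty = OK)."""
    problems = []
    issuer = urlsplit(doc.get("issuer", ""))
    if issuer.scheme != "https" or not issuer.netloc:
        problems.append("issuer is not an https URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = urlsplit(doc.get(key, ""))
        if url.scheme != "https":
            problems.append(f"{key} is missing or not https")
        elif url.netloc != issuer.netloc:  # assumption: endpoints live on the issuer host
            problems.append(f"{key} host differs from issuer host")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not offered")
    # grant_types_supported is optional in OIDC Discovery; its default is used if absent.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not offered")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if not algs or set(algs) <= {"none"}:
        problems.append("no signed ID token algorithm offered")
    return problems

if __name__ == "__main__":
    print(redirect_uri("https://rqa-admin.apps.example.com/"))
    print(check_discovery(SAMPLE_DISCOVERY) or "discovery document looks consistent")
```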

What to do next

Create users and add them as RQA administrators from the RQA administrator dashboard.