IBM® Security Verify provides a way to manage endpoints by uploading an identity adapter profile JAR file for supported Identity Adapters. It automatically creates a custom application template, which can be used to create an application. You can configure account lifecycle and account synchronization for the endpoints that are managed by identity adapters in Verify.
Before you begin
- Ensure that Security Directory Integrator (SDI) is installed for your operating system. See https://www.ibm.com/docs/en/sdi/7.2.0.
- Install and configure the SDI dispatcher for Security Directory Integrator v7.2. See https://www.ibm.com/docs/en/sia?topic=adapters-dispatcher.
- Supported Identity adapters for target endpoints:
  - IBM Security Verify Adapter for Windows AD 64-bit with optional Exchange and Lync Support - v10.0.1
  - IBM Security Verify Adapter for LDAP - v10.0.6
  - IBM Security Verify Adapter for Oracle Database - v10.0.3
  - IBM Security Verify Adapter for Linux - v10.0.4
  - IBM Security Verify Adapter for SAP Netweaver - v10.0.5
  - IBM Security Verify Adapter for IBM Security Verify Access - v10.0.6
  - IBM Security Verify Adapter for MySQL Server - v8.0.19
  - IBM Security Verify Adapter for PostgreSQL Server - v12.0
- Ensure that you have the identity adapter target profile JAR files, connectors, and third-party libraries according to the endpoint requirement. Copy them to the appropriate location. For more information, see https://www.ibm.com/support/pages/ibm-security-verify-governance-adapters-v10x and https://www.ibm.com/docs/en/sia.
- Ensure that you have a docker server to deploy the on-premises component containers that interface your target endpoint with Verify.
About this task
The adapter profile defines the attributes or the schema for the target endpoint. It must be uploaded to Verify. It is deployed to the on-premises components that are created with the identity agent.
The file that is uploaded on Verify must be a Java™ archive (JAR) file. The <Adapter>Profile.jar file includes all the files that are used to define the adapter schema. If necessary, you can extract the files from the <Adapter>Profile.jar file, modify the files, and repackage the JAR file with the updated files and upload it again on Verify.
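The extract-modify-repackage cycle described above, as an added example that is not IBM's code or tooling: a profile JAR is an ordinary ZIP archive, so Python's standard zipfile module can list its entries, swap in an edited schema file and write a new archive. The sample profile built here (entry names schema.dsml and resource.def) and the list of "expected" file suffixes are constructed assumptions for the demo, not the real layout of any adapter's profile. Because the uploaded profile is pushed to the on-premises components, listing entries that are not schema or definition files before uploading is a cheap sanity check on a JAR that was edited by hand.

```python
"""Inspect and repackage an identity adapter profile JAR.

Added example, not IBM code. Entry names and the allowed-suffix list are
assumptions constructed for the demo; the real <Adapter>Profile.jar layout
is documented by IBM for each adapter.
"""
import io
import zipfile
from typing import Dict, List, Tuple

# Suffixes this demo treats as normal schema/definition content (assumption).
EXPECTED_SUFFIXES: Tuple[str, ...] = (".dsml", ".def", ".xml", ".properties", "MANIFEST.MF")


def build_sample_profile_jar() -> bytes:
    """Constructed stand-in for <Adapter>Profile.jar: a schema file plus a
    resource-definition file. Not a real adapter profile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("schema.dsml", "<dsml><attribute-type id='erUid'/></dsml>")
        zf.writestr("resource.def", "<Resource>sample</Resource>")
    return buf.getvalue()


def list_entries(jar_bytes: bytes) -> List[str]:
    """Sorted entry names of the archive (the 'extract' half of the cycle)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(zf.namelist())


def read_entry(jar_bytes: bytes, name: str) -> str:
    """Return one entry's content as text."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.read(name).decode("utf-8")


def unexpected_entries(jar_bytes: bytes, allowed: Tuple[str, ...] = EXPECTED_SUFFIXES) -> List[str]:
    """Entries whose suffix is not in the allowed list. A profile describes
    attributes; anything executable (.class, nested .jar, scripts) in a
    hand-edited profile deserves a look before it is uploaded and deployed."""
    return [
        name for name in list_entries(jar_bytes)
        if not name.endswith("/") and not name.endswith(allowed)
    ]


def repackage(jar_bytes: bytes, replacements: Dict[str, str]) -> bytes:
    """Write a new JAR: entries named in `replacements` get the new content,
    every other entry is copied unchanged, and replacement names that did not
    exist in the source are added as new entries."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        existing = src.namelist()
        for name in existing:
            data = replacements.get(name)
            dst.writestr(name, data if data is not None else src.read(name))
        for name, data in replacements.items():
            if name not in existing:
                dst.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_profile_jar()
    print("entries:", list_entries(original))
    # Add a second attribute to the (constructed) schema and repackage.
    updated = repackage(original, {
        "schema.dsml": "<dsml><attribute-type id='erUid'/><attribute-type id='mail'/></dsml>",
    })
    print("updated schema:", read_entry(updated, "schema.dsml"))
    print("unexpected entries:", unexpected_entries(updated))
```

The check in unexpected_entries is deliberately a suffix allow-list rather than a deny-list of known-bad extensions: a profile JAR should contain only a handful of file types, so listing anything outside that set is the simpler and safer rule to keep current.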
Procedure
- Create an agent configuration for the purpose of provisioning.
- Deploy on-premises components.
  - Use the docker compose yml file that was generated in Step 1 to deploy the on-premises components. Issue the following command.
    docker-compose -f <Docker compose YML file> up -d
- Deploy the identity adapter profile to the Identity Brokerage component that was deployed in the preceding step, Step 3.
  - Download the profile JAR file from https://www.ibm.com/support/pages/ibm-security-verify-governance-adapters-v10x.
  - Log in as administrator in Verify.
  - Navigate to .
  - In the Application profiles page, click .
  - Specify the Profile name.
  - Optional: Provide a description.
  - Select the Provisioning identity agent.
  - Upload the identity adapter target profile JAR file.
  - Click Create Profile.
  - To make the profile available for use, verify the details, then click Publish draft. Select the Yes, Publish option from the pop-up window.
  After the profile is successfully published, the endpoint template is generated with the same name as the profile name. The template can be used to create other applications.
  Note: No templates are generated for LDAP and Oracle applications. Use the existing LDAP and Oracle templates.
- Edit the adapter profile.
  To update the adapter profile; to add, modify, or delete schema attributes; or to update the profile with a new JAR file on Verify, perform the following steps.
  - Log in as administrator in Verify.
  - Navigate to .
  - Select the existing application profile that you want to update and click Edit profile.
  - Optional: Update the profile name and description.
  - Upload the updated identity adapter profile JAR file and click Save changes.
  - If the profile is not yet available for use, verify the details, then click Publish draft and select the Yes, Publish option from the pop-up window.
  After the profile is successfully published, the endpoint template is updated with the changes.
- Onboard the endpoint identity adapter application.
  - Log in as administrator in Verify.
  - Navigate to .
  - In the pop-up window, search for the application type profile name that you previously created and click Add application.
  - In the Add applications page, select the General tab, and specify the required details.
  - Select the Account lifecycle tab.
  - Specify the provisioning and deprovisioning policies.
    Parameters | Description
    Provision accounts | The Provision accounts option is Disabled by default, which means that account creation is performed outside of Verify. Select the Enabled option to automatically provision an account when the entitlement is assigned to a user. Password generation and email notification features are available for accounts that are created by using Verify.
    Deprovision accounts | Deprovision accounts is Disabled by default, which means that account removal is performed outside of Verify. Select the Enabled option to automatically deprovision an account when the entitlement is removed from a user.
    Account password | Sync user's Cloud Directory password: available if password sync is enabled on the Cloud Directory and is supported by the identity adapter. It uses the Cloud Directory password when a regular user is provisioned to the application. Federated users receive a generated password when provisioned to the application. Generate password: generates a random password for the provisioned account; the password is based on the Cloud Directory password policy. None: provisions the account without a password.
    Send email notification | This option is available when you select the Generate password option. When you select the Send email notification option, an email notification with the auto-generated password is sent to your email address after the account is provisioned successfully.
    Grace period (days) | Set the grace period in days for which a deprovisioned account is kept as suspended before it is permanently deleted.
    Deprovision action | When deprovisioning is enabled, this option sets the deprovisioning action to either suspend or delete the account. If deprovisioning is disabled, the deprovisioning action is deactivated.
  - Specify the API authentication details.
  - Click Test connection to test the connection of the endpoint. The connection needs to be successful to provision or reconcile accounts on the endpoint application.
  - Map the attribute names of the target attributes to Verify attributes of the Cloud Directory. Select the Keep updated checkbox for the attributes that need to be updated on the target.
  - Select the Account sync tab.
  - In the Adoption policy section, add one or more attribute pairs that need to match for the account sync process to assign target accounts to their respective account owners on Verify.
  - In the Remediation policies section, choose a remediation policy to remediate noncompliant accounts automatically.
  - Click Save.
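The adoption policy and remediation policy from the Account sync tab, modelled as an added example that is not Verify's own matching logic: an adoption policy is a list of (target attribute, Verify attribute) pairs, a target account is assigned to the one Verify user whose attributes equal the account's on every pair, and accounts with no owner are the noncompliant ones handed to the remediation action (suspend or delete, as the Deprovision action row above lists). Two choices here are this model's own assumptions, not documented Verify behaviour: values are trimmed and case-folded before comparison, and an account that would match more than one user is treated as unassigned rather than guessed. The users, accounts and attribute names are constructed sample data.

```python
"""Illustrative model of account sync adoption and remediation.

Added example, not IBM Security Verify code. Normalisation of attribute
values, the handling of ambiguous matches and the sample data are all
assumptions constructed for this demo.
"""
from typing import Dict, List, Optional, Tuple

Account = Dict[str, str]   # target-endpoint account, keyed by target attribute
User = Dict[str, str]      # Verify user, keyed by Verify attribute
Pair = Tuple[str, str]     # (target attribute, Verify attribute)

# Constructed sample data: two Verify users and three accounts on the target.
SAMPLE_USERS: List[User] = [
    {"id": "u1", "email": "alice@example.com", "uid": "alice"},
    {"id": "u2", "email": "bob@example.com", "uid": "bob"},
]
SAMPLE_ACCOUNTS: List[Account] = [
    {"name": "alice", "mail": "Alice@Example.com"},   # same owner, different case
    {"name": "svc_backup", "mail": ""},                # no owner attribute at all
    {"name": "bob", "mail": "bob@example.com"},
]
SAMPLE_POLICY: List[Pair] = [("mail", "email")]


def normalize(value: Optional[str]) -> Optional[str]:
    """Trim and case-fold so differently cased addresses adopt the same
    owner; an empty value never matches anything (this model's rule)."""
    if value is None:
        return None
    value = value.strip().casefold()
    return value or None


def adopt(account: Account, users: List[User], pairs: List[Pair]) -> Optional[str]:
    """Return the id of the single user matching on every attribute pair.
    No match, or more than one match, yields None: an account is never
    assigned to an owner by guessing between candidates."""
    candidates = []
    for user in users:
        if all(
            normalize(account.get(target_attr)) is not None
            and normalize(account.get(target_attr)) == normalize(user.get(verify_attr))
            for target_attr, verify_attr in pairs
        ):
            candidates.append(user["id"])
    return candidates[0] if len(candidates) == 1 else None


def sync(accounts: List[Account], users: List[User], pairs: List[Pair],
         remediation: str = "suspend") -> Dict[str, object]:
    """Run the adoption policy over every target account. Adopted accounts
    are mapped to their owner; the rest are orphans that the remediation
    policy (here just recorded as `action`) would suspend or delete."""
    assigned: Dict[str, str] = {}
    orphans: List[str] = []
    for account in accounts:
        owner = adopt(account, users, pairs)
        if owner is None:
            orphans.append(account["name"])
        else:
            assigned[account["name"]] = owner
    return {"assigned": assigned, "orphans": orphans, "action": remediation}


if __name__ == "__main__":
    result = sync(SAMPLE_ACCOUNTS, SAMPLE_USERS, SAMPLE_POLICY, remediation="suspend")
    for name, owner in result["assigned"].items():
        print(f"adopted  {name:<12} -> {owner}")
    for name in result["orphans"]:
        print(f"orphan   {name:<12} -> {result['action']}")
```

Note that an empty pair list makes every user a candidate, so adopt returns an owner only when exactly one user exists; in practice a policy should always carry at least one pair, and pairing on a unique attribute such as the email address keeps ambiguous matches from occurring at all.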
What to do next
After the application is saved, specify the authorization policy on the Entitlements tab.