Configuring an identity agent for authentication by using LDAP

About this task

A social identity provider can be set up one time and it is used as a sign-in option for applications only. It cannot be used to sign in to the IBM® Security Verify Admin Console or My home page.

Procedure

  1. Select Integrations > Identity agents.
  2. Select Create agent configuration.
  3. Select Authentication as the purpose.
  4. Select the LDAP tile.
  5. Select Next.
  6. Configure the connection settings.
    Provide the following information to define the LDAP connection properties.
    External LDAP host URI
    This attribute is the connection URI of the on-premises LDAP server, for example ldap://host:port or ldaps://host:port. For a clustered LDAP failover setup, you can add multiple LDAP server URIs by selecting ADD URI.
    Base
    This attribute is the LDAP container search base for users.
    LDAP bind DN
    This attribute is the distinguished name (DN) of the service account that the agent binds as to search for users. Give this account read access only; it does not need write rights to the directory.
    LDAP bind password
    This attribute is the password of the LDAP bind DN account.
    LDAP certificate authority certificate
    This optional attribute is the certificate authority (CA) certificate that the on-premises agent uses to validate the LDAP server certificate when the connection to the LDAP server requires TLS.
    View additional settings
    You can define the following settings.
    • Whether the connection to the LDAP server requires TLS. Without TLS, the bind password and every user password that the agent verifies cross the network in the clear.
    • The maximum number of simultaneous LDAP connections for the LDAP server.
    • How long a successful password authentication is cached.
    • How long the connection is maintained.
    • The idle time before the LDAP server closes a connection.
    • The maximum time to process a request.
  7. Click Next.
  8. Provide the user properties.
    Attributes
    This attribute is a list of comma-separated LDAP user attributes that are returned from a successful password verify operation.
    Binary attributes
    This attribute is a list of comma-separated binary LDAP user attributes that are returned from a successful password verify operation.
    Username attribute
    This attribute is the naming attribute, such as uid or sAMAccountName, that is used to look up a user for password verification.
    Note: Username identifier attribute names are case-sensitive. The default attribute, sAMAccountName, applies to Windows Active Directory, including Active Directory 2016 and later.
    Object class
    This attribute is a list of comma-separated object classes that the LDAP user can have. The object classes are used with the username attribute to look up a user for password verification.
  9. Select Next.
  10. Map the identity provider attributes from the identity provider to the Verify Cloud Directory attributes.
    After you create the identity agent, you can change or update the mappings by using the edit function pencil icon on the agent's tile.
  11. Select Next.
  12. In Finalize configuration, provide the following information.
    • A unique and recognizable name for the agent
    • A description
    • A display name for the identity provider
    • A realm for the identity provider
  13. Optional: Select View advanced settings to add configuration attributes or to select a certificate for encryption.
  14. Click Save and continue.
  15. In Next steps, do the following steps.
    1. Select View API credentials and use the copy to clipboard icon to copy and store the Client ID and Client secret.
    2. If not already downloaded, download the agent from IBM X-Force App Exchange.
    3. Add your API credentials to the agent configuration.
  16. Click Finish.
    The configuration is added to Identity agents and the identity provider is listed in Authentication > Identity providers.
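The following Python is added here as an illustration and is not code from IBM's identity agent. It models how the connection settings from step 6 and the user properties from step 8 combine into the user lookup that precedes password verification, and it gives the pre-checks a practitioner would run before saving the agent: escaping the username so that it cannot rewrite the search filter, flagging a plaintext ldap:// URI, and producing an equivalent ldapsearch command to confirm the bind DN, base and attributes against the real directory. The filter shape (object classes OR-ed together, AND-ed with the username attribute), the hostnames, DNs, object classes and the check rules are all assumptions; the ldapsearch flags are the standard OpenLDAP ones.

```python
"""Added example (not IBM's identity-agent code): models how the LDAP
connection settings (step 6) and user properties (step 8) combine into the
user lookup the agent performs, plus pre-checks to run before saving.
All hostnames, DNs and object classes below are constructed sample values."""
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit


@dataclass
class LdapAgentConfig:
    uris: List[str]                       # External LDAP host URI(s)
    base: str                             # LDAP container search base for users
    bind_dn: str                          # LDAP bind DN
    bind_password: str                    # LDAP bind password
    require_tls: bool = True              # "LDAP requires TLS" setting
    ca_cert_pem: str = ""                 # LDAP certificate authority certificate
    username_attribute: str = "sAMAccountName"
    object_classes: List[str] = field(default_factory=lambda: ["user"])
    attributes: List[str] = field(default_factory=lambda: ["cn", "mail"])


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter.
    Without it a username such as '*' or 'x)(objectClass=*' rewrites the
    filter instead of being matched literally (LDAP filter injection)."""
    out = []
    for ch in value:
        if ch in '\\*()' or ord(ch) < 0x20 or ord(ch) > 0x7e:
            out.extend('\\%02x' % b for b in ch.encode('utf-8'))
        else:
            out.append(ch)
    return ''.join(out)


def user_lookup_filter(cfg: LdapAgentConfig, username: str) -> str:
    """Filter joining the object classes with the username attribute.
    Assumption: the classes are alternatives ('the LDAP user can have'),
    so they are OR-ed; the username must still match exactly."""
    classes = ''.join(f'(objectClass={oc})' for oc in cfg.object_classes)
    if len(cfg.object_classes) > 1:
        classes = f'(|{classes})'
    return f'(&{classes}({cfg.username_attribute}={escape_filter_value(username)}))'


def check_connection_settings(cfg: LdapAgentConfig) -> List[str]:
    """Return the problems a reviewer would flag before the agent is saved."""
    problems = []
    if not cfg.uris:
        problems.append('at least one LDAP URI is required')
    for uri in cfg.uris:
        parts = urlsplit(uri)
        if parts.scheme not in ('ldap', 'ldaps') or not parts.hostname:
            problems.append(f'{uri}: expected ldap://host[:port] or ldaps://host[:port]')
        elif parts.scheme == 'ldap' and not cfg.require_tls:
            problems.append(f'{uri}: plaintext ldap:// without TLS sends the bind '
                            'password and every verified user password in the clear')
    if cfg.require_tls and not cfg.ca_cert_pem:
        problems.append('TLS required but no CA certificate supplied: confirm the '
                        'agent host already trusts the LDAP server certificate issuer')
    if not cfg.bind_dn or not cfg.bind_password:
        problems.append('bind DN and bind password are both required')
    return problems


def ldapsearch_command(cfg: LdapAgentConfig, username: str) -> List[str]:
    """argv for an OpenLDAP ldapsearch that reproduces the lookup against the
    first URI, so the settings can be verified before they are entered.
    -W prompts for the bind password instead of putting it on the command line."""
    return ['ldapsearch', '-x', '-H', cfg.uris[0], '-D', cfg.bind_dn, '-W',
            '-b', cfg.base, user_lookup_filter(cfg, username), *cfg.attributes]


# Constructed sample configuration; replace every value with your own.
SAMPLE = LdapAgentConfig(
    uris=['ldaps://dc1.example.internal:636', 'ldaps://dc2.example.internal:636'],
    base='OU=Users,DC=example,DC=internal',
    bind_dn='CN=verify-agent,OU=Service Accounts,DC=example,DC=internal',
    bind_password='constructed-secret',
    ca_cert_pem='CONSTRUCTED-PEM-PLACEHOLDER',
    object_classes=['user', 'person'],
)

if __name__ == '__main__':
    print(user_lookup_filter(SAMPLE, 'jdoe'))
    print(user_lookup_filter(SAMPLE, 'x)(objectClass=*'))   # injection attempt, neutralised
    print(check_connection_settings(SAMPLE) or 'connection settings look sane')
    print(' '.join(ldapsearch_command(SAMPLE, 'jdoe')))
```

Run the printed ldapsearch command from a host that can reach the directory before you fill in step 6: a bind failure there means the bind DN or password is wrong, and an empty result for a known user means the base, object classes or username attribute do not match what the directory actually holds. Keep the bind password out of shell history by letting -W prompt for it.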