Configuring an on-prem LDAP provider

After you create an LDAP identity agent, you can modify some of the settings for the provider.

About this task

You cannot change the ID or the Default password policy selection. To change the Default password policy, see Managing password policies.

Procedure

  1. Select Authentication > Identity providers.
  2. From the left side menu, select your LDAP agent.
  3. Optional: Change the name of your LDAP identity provider.
  4. Optional: Change the name of the provider realm.
  5. Optional: Select or clear the checkbox to use your LDAP agent for sign-in.
  6. Optional: Change the password policy.
    To change from the default password policy, clear the field, then select a different policy from the menu or create a new password policy.
    Note: You can change the settings of the default password policy itself. See Managing password policies.
  7. Optional: Select Enable password reset.
    Select this option so that users can reset their own password. It also enables the forgotten password feature.
  8. Optional: Select Username recovery.
    Select this option so that users can recover their username by providing a different attribute. You can specify whether users must provide one or two attributes to recover their username. If the details that the user provides are valid, an email with the username is sent to the registered email address.
    Note: You need IBM Security Verify Bridge version 1.0.11 or later to support this feature. See IBM Security Verify Bridge on the App Exchange.
  9. Optional: Select Just-in-time provisioning.
    This option creates and updates the user account in the primary Identity provider realm that is associated with the SAML identity.
  10. Optional: From the Unique user identifier menu, specify the attribute that identifies users in the Identity provider user registry.
    If you select Enable identity linking for this identity provider, you must provide the UUID.
  11. Optional: Select a transformation value to transform the Unique user identifier value or leave the default value as None.
  12. Optional: Select Enable identity linking for this identity provider.
    1. Select the unique identifier that you want to use for the accounts from the Unique User Identifier link.
      Note: The UUID can be anything in the LDAP claims object that uniquely identifies the user.
    2. Set the UUID by typing the value in the External ID attribute field.
      The default value is sub.
    3. Select a transformation value to transform the External ID attribute value or leave the default value as None.
  13. Optional: On the Attribute mapping page, map more attributes from the LDAP provider to Verify attributes.
    1. Select Add attribute mapping.
    2. Select an LDAP attribute from the menu.
      If the LDAP provider supports other, non-standard attributes, you can type the attribute name in the Select an attribute field.
    3. Select a Verify attribute from the menu.
    4. Select how the attribute is used.
    5. Repeat the process for each attribute that you want to map.
  14. Optional: If you enabled public preview CI-108233, under User invitations, select whether to enable user invitations.
    Invitations are created and sent by using the POST /v1.0/usc/user/invitation API. See Inviting users. Select the Enable user invitations check box to invite others to register as new users. You can also select a user profile so that the invited user enters more data as part of accepting the invitation. See Managing user profiles.
  15. Select Save changes.