Configuring multifactor authentication with IBM Security Verify

Integrate IBM Security Verify with IBM Spectrum® Control to configure multifactor authentication. This task is done by your system, network, or IBM Spectrum Control administrator.

With IBM Security Verify, you can configure IBM Spectrum Control as an application that requires two factors for users and user groups to access it. You can use multifactor authentication to protect both local users and remote users. Remote users are users who are defined on a remote LDAP server. IBM Spectrum Control communicates with IBM Security Verify through the OpenID Connect (OIDC) protocol.

Restriction:
Keep in mind the following restrictions for multifactor authentication in IBM Spectrum Control:

Before you begin

If IBM Spectrum Control runs within a private network, you must set up an HTTP proxy server for communication with IBM Security Verify in the cloud. If a proxy server is not currently set up in your network, contact your network administrator for help. If a proxy server is already set up, gather information about its hostname and port. This information is required when you enable multifactor authentication in IBM Spectrum Control.

1. Creating an account with IBM Security Verify

You must subscribe to IBM Security Verify before you can enable multifactor authentication for IBM Spectrum Control. You need an IBMid to create a subscription. A 90-day free trial subscription is also available.

For more information, see Cloud identity and access management (IAM) solutions. During subscription creation, you specify a tenant that is used to create a URL to access the IBM Security Verify dashboard.

2. Configuring IBM Security Verify

To integrate IBM Security Verify with IBM Spectrum Control and configure multifactor authentication, complete the following steps:

  1. Access the IBM Security Verify administrator dashboard by entering the following URL in a web browser:
    https://tenant.verify.ibm.com/ui/admin

    Where tenant is the name that you specified when you created your subscription. Usually this name is associated with your company or organization, such as bankxyz. For example, https://bankxyz.verify.ibm.com/ui/admin.

  2. In IBM Security Verify, select Applications > Applications and click Add an application.
  3. In Search, type IBM Spectrum Control, select the entry that is displayed for IBM Spectrum Control, and click Add application.
    Tip: If IBM Spectrum Control is not displayed in the search results as a selectable entry, type IBM Spectrum Virtualize instead. Then, select the entry for IBM Spectrum Virtualize and click Add an application.

    The following table shows the required fields and actions for the General tab in IBM Security Verify:

    Table 1. General tab

    Name
      Action: Enter a name to identify IBM Spectrum Control on IBM Security Verify. If you are adding multiple instances of IBM Spectrum Control, enter a unique name.
    Description
      Action: Enter a brief description of your IBM Spectrum Control installation.
    Company name
      Action: Enter the name of your organization or company.

    The following table shows the required fields and actions for the Sign-on tab in IBM Security Verify. Use the Sign-on tab to add IBM Spectrum Control as an application.

    Table 2. Sign-on tab

    Application URL
      Action: Enter the URL for IBM Spectrum Control.
      Details: Enter the URL that you use to access the IBM Spectrum Control GUI in your organization. The URL consists of a hostname or IP address and a port number, followed by srm/Login.jsp. For example: https://192.0.2.22:9569/srm/Login.jsp.
    Grant type
      Action: Select Authorization code and JWT bearer.
      Details: Both grant types are required to set up MFA for the system. Authorization code indicates that the client can request access to protected resources on behalf of users.
    Client ID
      Action: This value is automatically generated when you save IBM Spectrum Control as an application.
      Details: Remember this value. You must enter it when you configure multifactor authentication in IBM Spectrum Control.
    Client secret
      Action: This value is automatically generated when you save IBM Spectrum Control as an application.
      Details: Remember this value. You must enter it when you configure multifactor authentication in IBM Spectrum Control.
    User consent
      Action: Select Do not ask for consent.
    Redirect URIs
      Action: Enter the locations where the authorization server sends users after they are successfully authorized and granted an authorization code or access token.
      Details: Enter a redirect URI for each of the IBM Spectrum Control GUIs in your environment. The redirect URI consists of the IP address or hostname and port of your IBM Spectrum Control installation, followed by srm/mfa. For example: https://hostname:9569/srm/mfa, where hostname is the hostname in the URL that you use to access IBM Spectrum Control. If you have multiple hostnames or IP addresses to access IBM Spectrum Control, you must enter a redirect URI for each of them.
      Important: The hostname or IP address that you enter for a redirect URI must match the hostname or IP address that you use to access the IBM Spectrum Control GUI. If you enter an incorrect URI, or do not enter a redirect URI for each hostname or IP address that you use, you will be unable to log in to the corresponding IBM Spectrum Control GUIs after multifactor authentication is enabled.
    JWT bearer user identification
      Action: Select Username.
      Details: Indicates that the username field in the JWT bearer is used to find users in the Cloud Directory and determines which second factors IBM Security Verify presents to users when they log in to the system.
    JWT bearer default identity source
      Action: Ensure that Cloud Directory is selected.
      Details: Indicates that the IBM Security Verify Cloud Directory is used to look up the second factor for the username. After you configure multifactor authentication on the system, users and user groups must be added to the Cloud Directory.
    Generate refresh token
      Action: Ensure that this option is unchecked.
    Send all known user attributes in the ID token
      Action: Ensure that this option is checked.
    Access policies
      Action: Complete these steps:
        1. Deselect Use default policy.
        2. Click the Edit icon.
        3. Select Always require 2FA in all devices.
        4. Click OK.
      Details: This action creates an access policy that controls the authentication steps for access to IBM Spectrum Control. Access policies can specify different authentication requirements based on properties of the user or connection. In this case, all users must complete a second-factor authentication every time they access IBM Spectrum Control from any device.
    Restrict custom scopes
      Action: Ensure that this option is unchecked.
  4. Click Save. After you save the application, it reloads with the Entitlements tab selected.
  5. On the Entitlements tab, select Automatic access for all users and groups.
  6. Click Save.
  7. Select Applications and select IBM Spectrum Control.
  8. On the Sign-on tab, copy the values for Client ID and Client secret. You will need these values when you configure multifactor authentication in IBM Spectrum Control.
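The Important note on redirect URIs is where lockouts after enabling MFA usually come from, so here is an added pre-flight check (example code written for this page, not part of IBM Spectrum Control or IBM Security Verify) that derives the srm/mfa redirect URI for every GUI login URL in use and compares it with the list registered in Verify; the URLs in it are constructed samples.

```python
from urllib.parse import urlsplit, urlunsplit

# Path of the IBM Spectrum Control MFA redirect endpoint (from the procedure above).
MFA_PATH = "/srm/mfa"


def redirect_uri_for(login_url: str) -> str:
    """Derive the redirect URI to register for one IBM Spectrum Control GUI URL.

    The GUI URL ends in srm/Login.jsp; the redirect URI keeps the same scheme,
    hostname (or IP address) and port but ends in srm/mfa.
    """
    parts = urlsplit(login_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https URL with a host, got: {login_url}")
    # netloc keeps host:port exactly as users type it, which is what the
    # browser sends back in the authorization request.
    return urlunsplit((parts.scheme, parts.netloc, MFA_PATH, "", ""))


def _key(uri: str) -> tuple:
    """Comparison key: scheme and host are case-insensitive (RFC 3986), the
    port is made explicit, and the path is compared exactly."""
    p = urlsplit(uri)
    port = p.port if p.port is not None else 443
    return (p.scheme.lower(), (p.hostname or "").lower(), port, p.path)


def check_redirect_uris(login_urls: list, registered: list) -> dict:
    """Compare the GUI URLs in use with the redirect URIs registered in Verify.

    Returns {"missing": [...], "unused": [...]}: "missing" lists redirect URIs
    that still have to be registered (each one is a GUI that would be locked
    out once MFA is enabled); "unused" lists registered URIs that match no GUI.
    A hostname and its IP address, or two different ports, are separate entries.
    """
    required = {_key(redirect_uri_for(u)): redirect_uri_for(u) for u in login_urls}
    present = {_key(r): r for r in registered}
    return {
        "missing": sorted(v for k, v in required.items() if k not in present),
        "unused": sorted(v for k, v in present.items() if k not in required),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    guis = ["https://192.0.2.22:9569/srm/Login.jsp", "https://sc.example.com:9569/srm/Login.jsp"]
    registered = ["https://192.0.2.22:9569/srm/mfa", "https://sc.example.com/srm/mfa"]
    print(check_redirect_uris(guis, registered))
```

Run it against the exact URLs your users type before you enable MFA in IBM Spectrum Control; an entry in "missing" means that GUI will be unreachable once the policy is active.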

What's next

Add IBM Spectrum Control users to IBM Security Verify. For more information, see Adding IBM Spectrum Control users to IBM Security Verify.