Advanced Access Control Configuration
This configuration module is used to apply configuration to the runtime Liberty server. This includes configuring the runtime authorization server, Context-Based Access (CBA), SCIM, FIDO2, authentication and MMFA.
Example
access_control:
  authentication:
    policies:
      - name: "Username Password"
        description: "Username and password authentication policy."
        enabled: true
        uri: "urn:ibm:security:authentication:asf:password"
        policy: "<Policy xmlns=\"urn:ibm:security:authentication:policy:1.0:schema\" PolicyId=\"urn:ibm:security:authentication:asf:password\"><Description>Username and password authentication policy.</Description><Step type=\"Authenticator\"><Authenticator AuthenticatorId=\"urn:ibm:security:authentication:asf:mechanism:password\"/></Step><Actions><Action On=\"null\" type=\"null\"><AttributeAssignments/></Action></Actions></Policy>"
    mechanisms:
      - name: "Username Password"
        type: "Username Password"
        description: "Username password authentication"
        uri: "urn:ibm:security:authentication:asf:mechanism:password"
        properties:
          - usernamePasswordAuthentication.enableLastLogin: "false"
          - usernamePasswordAuthentication.loginFailuresPersistent: "false"
          - usernamePasswordAuthentication.maxServerConnections: "16"
          - usernamePasswordAuthentication.mgmtDomain: "Default"
          - usernamePasswordAuthentication.sslServerStartTLS: "false"
          - usernamePasswordAuthentication.useFederatedDirectoriesConfig: "false"
          - usernamePasswordAuthentication.userSearchFilter: "(|(objectclass=ePerson)(objectclass=Person))"
          - usernamePasswordAuthentication.ldapBindDN: "cn=root,secAuthority=Default"
          - usernamePasswordAuthentication.ldapHostName: "openldap"
          - usernamePasswordAuthentication.ldapBindPwd: "Passw0rd"
          - usernamePasswordAuthentication.ldapPort: "636"
          - usernamePasswordAuthentication.sslEnabled: "true"
          - usernamePasswordAuthentication.sslTrustStore: "lmi_trust_store"
        attributes:
          - selector: "mobile"
            name: "mobileNumber"
            namespace: "urn:ibm:security:authentication:asf:mechanism:password"
          - selector: "mail"
            name: "emailAddress"
            namespace: "urn:ibm:security:authentication:asf:mechanism:password"
API Protection
Configuration for OAuth 2.0 and OpenID Connect (OIDC) API protection definitions and clients.
api_protection:
  definitions:
    - name: Verify Demo - Open Banking
      description: The Open Banking Definition.
      tcm_behavior: NEVER_PROMPT
      grant_types:
        - AUTHORIZATION_CODE
      multiple_refresh_tokens: true
      access_policy: Open_Banking
      oidc:
        poc: https://my.ibmsec.idp.com
        iss: https://my.ibmsec.idp.com
        lifetime: 20
        alg: RS256
        db: rt_profile_keys
        cert: server
      pre_token_mapping_rule: Verify Demo - Open Banking_pre_token_generation.js
      post_token_mapping_rule: Verify Demo - Open Banking_post_token_generation.js
    - name: Verify Demo - Client Credentials Authorization Code Consent PSD2
      description: For Fintechs, this is Client Credentials and Authorization Code with consent.
      tcm_behavior: NEVER_PROMPT
      grant_types:
        - AUTHORIZATION_CODE
        - CLIENT_CREDENTIALS
      max_authorization_grant_lifetime: 7200
    - name: Verify Demo - Client Credentials AaaS
      description: This is for the AaaS mock server access.
      tcm_behavior: NEVER_PROMPT
      grant_types:
        - CLIENT_CREDENTIALS
      access_token_lifetime: 999999999
  clients:
    - name: J.P. Norvill
      client_id: ob_client
      client_secret: hunter2
      redirect_uri:
        - https://jpnorvill.com/auth
        - http://my.ibmsec.spa.com:19080/auth
      company_name: JPNorvill
      contact_type: TECHNICAL
      definition: Verify Demo - Open Banking
List of OIDC definitions to create.
No additional items. Each item of this array must be:
An API protection definition that defines OAuth/OIDC behavior.
A unique name for the API protection definition.
An optional description of the API protection definition.
A list of supported authorization grant types. At least one must be specified.
Must contain a minimum of 1 item
Each item of this array must be:
Must be one of:
- "AUTHORIZATION_CODE"
- "RESOURCE_OWNER_PASSWORD_CREDENTIALS"
- "CLIENT_CREDENTIALS"
- "IMPLICIT_GRANT"
- "SAML_BEARER"
- "JWT_BEARER"
- "DEVICE"
Identifies the Trusted Client Manager behavior concerning trusted clients and consent.
Must be one of:
- "ALWAYS_PROMPT"
- "NEVER_PROMPT"
- "PROMPT_ONCE_AND_REMEMBER"
Validity of the access token, in seconds.
Value must be greater than or equal to 1
Length (characters) of an access token.
Value must be greater than or equal to 1 and less than or equal to 500
True if all tokens of the authorization grant should be revoked after an access token is validated.
True if a refresh token should be issued to the client.
Length of a refresh token.
Value must be greater than or equal to 1 and less than or equal to 500
True if previously granted access tokens should be revoked after a new access token is generated.
True if multiple refresh tokens are stored.
True if the refresh token will be further protected with a PIN.
The length of a PIN.
Value must be greater than or equal to 3 and less than or equal to 12
String of characters that can be used to generate tokens.
Must be at most 200 characters long
The OIDC configuration for this API protection definition.
The issuer identifier of this definition. Should have the prefix https://.
The Point of Contact URL for this definition, must be a valid URL.
The lifetime of the id_tokens issued.
Value must be greater than or equal to 1
The signing algorithm for the JWT.
Must be one of:
- "HS256"
- "HS384"
- "HS512"
- "RS256"
- "RS384"
- "RS512"
- "ES256"
- "ES384"
- "ES512"
The database containing the signing key for RS/ES signing methods.
The certificate label of the signing key for RS/ES signing methods.
JWT encryption config.
Is encryption enabled for this definition.
The key agreement algorithm for encryption.
The encryption algorithm.
Whether or not the client registration endpoint will be enabled for this definition.
Whether or not a client secret will be issued to dynamic clients.
Whether or not the definition should be strictly OIDC Compliant.
Whether or not the definition should be strictly FAPI Compliant. Setting this to true will automatically set OIDC Compliant to true.
The name of access policy assigned to this definition.
Array of configured attribute sources to use in id_token generation and userinfo requests.
No additional items. Each item of this array must be:
An attribute source mapping for token generation.
Name the attribute should be exposed as.
Reference to the attribute source which should be used to retrieve the value.
Path to file to upload as JavaScript pre-token rule.
Path to file to upload as JavaScript post-token rule.
List of OIDC clients to create.
No additional items. Each item of this array must be:
An OAuth/OIDC client registration.
A meaningful name to identify this API protection client.
The name of the related API protection definition which owns and defines this client.
The redirect URIs to use for this client.
No additional items. Each item of this array must be:
Name of the company associated with this client.
URL for the company associated with this client.
Name of the contact person for this client.
Further describes the contact.
Must be one of:
- "TECHNICAL"
- "SUPPORT"
- "ADMINISTRATIVE"
- "BILLING"
- "OTHER"
The email address of the contact person for this client.
The telephone number of the contact person for this client. Input must be completely numeric.
Must match regular expression: ^[0-9]+$
Other information about the client contact.
A unique OAUTH client identifier to identify this client to the authorization server.
A string that identifies this client as confidential and serves as this client's secret.
Whether or not this client must perform Proof Key for Code Exchange (PKCE) when performing an authorization code flow.
The database containing the JWT encryption key.
The certificate label of the JWT encryption key.
URI of the location of the client's published JWK set.
Whether this client requires a client secret when introspecting.
Dynamic Client information. This is free form JSON.
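The constraints listed for definitions and clients above, turned into a pre-apply check. This is an added example, not code from this page or from the configuration tool it documents: it walks an api_protection block (the page's own sample, re-typed as a Python dict so no YAML parser is required) and reports enumeration, minimum and cross-reference violations, plus two hardening warnings a reviewer would raise on that sample: a redirect_uri without TLS and a client_secret stored as a literal instead of a '!secret' reference. Only keys that appear on this page are inspected; the '!secret' reference grammar is assumed from the Authentication sample further down.

```python
import re
from typing import Dict, List, Set

# Allowed values copied from the schema description above.
GRANT_TYPES = {"AUTHORIZATION_CODE", "RESOURCE_OWNER_PASSWORD_CREDENTIALS", "CLIENT_CREDENTIALS",
               "IMPLICIT_GRANT", "SAML_BEARER", "JWT_BEARER", "DEVICE"}
TCM_BEHAVIORS = {"ALWAYS_PROMPT", "NEVER_PROMPT", "PROMPT_ONCE_AND_REMEMBER"}
JWT_ALGS = {"HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"}
CONTACT_TYPES = {"TECHNICAL", "SUPPORT", "ADMINISTRATIVE", "BILLING", "OTHER"}
# Secret-reference syntax as it appears in the Authentication sample on this page
# ('!secret default/isva-secrets:ldap_bind_pwd'); the exact grammar is an assumption.
SECRET_REF = re.compile(r"^!secret \S+:\S+$")


def check_definition(d: Dict) -> List[str]:
    """Return the constraint violations found in one api_protection definition."""
    name = d.get("name", "<unnamed>")
    out: List[str] = []
    grants = d.get("grant_types") or []
    if not grants:
        out.append(f"{name}: grant_types must contain at least one item")
    out += [f"{name}: unknown grant type {g!r}" for g in grants if g not in GRANT_TYPES]
    if d.get("tcm_behavior") not in TCM_BEHAVIORS:
        out.append(f"{name}: tcm_behavior must be one of {sorted(TCM_BEHAVIORS)}")
    for key in ("access_token_lifetime", "max_authorization_grant_lifetime"):
        if key in d and int(d[key]) < 1:
            out.append(f"{name}: {key} must be greater than or equal to 1")
    oidc = d.get("oidc")
    if oidc:
        if not str(oidc.get("iss", "")).startswith("https://"):
            out.append(f"{name}: oidc.iss should have the prefix https://")
        if int(oidc.get("lifetime", 1)) < 1:
            out.append(f"{name}: oidc.lifetime must be greater than or equal to 1")
        alg = oidc.get("alg")
        if alg not in JWT_ALGS:
            out.append(f"{name}: oidc.alg must be one of {sorted(JWT_ALGS)}")
        elif alg[:2] in ("RS", "ES") and not (oidc.get("db") and oidc.get("cert")):
            out.append(f"{name}: {alg} signing needs oidc.db and oidc.cert for the signing key")
    return out


def check_client(c: Dict, definition_names: Set[str]) -> List[str]:
    """Return violations and hardening warnings for one api_protection client."""
    name = c.get("name", "<unnamed>")
    out: List[str] = []
    if c.get("definition") not in definition_names:
        out.append(f"{name}: definition {c.get('definition')!r} is not defined in this config")
    if "contact_type" in c and c["contact_type"] not in CONTACT_TYPES:
        out.append(f"{name}: contact_type must be one of {sorted(CONTACT_TYPES)}")
    for uri in c.get("redirect_uri") or []:
        if not re.match(r"^https?://", uri):
            out.append(f"{name}: redirect_uri {uri!r} is not a URL")
        elif uri.startswith("http://"):
            # Authorization codes travel over this redirect; warn when it is not TLS protected.
            out.append(f"{name}: WARNING redirect_uri {uri!r} is not TLS protected")
    secret = c.get("client_secret")
    if secret and not SECRET_REF.match(str(secret)):
        out.append(f"{name}: WARNING client_secret is a literal value; "
                   "prefer a '!secret' reference so it is not stored in the config file")
    return out


def check_api_protection(cfg: Dict) -> List[str]:
    """Run every check over an api_protection block and return all findings."""
    defs = cfg.get("definitions") or []
    names = {d.get("name") for d in defs}
    findings: List[str] = []
    for d in defs:
        findings += check_definition(d)
    for c in cfg.get("clients") or []:
        findings += check_client(c, names)
    return findings


# Constructed input mirroring the page's YAML sample (dict literal so no YAML parser is needed).
SAMPLE = {
    "definitions": [
        {"name": "Verify Demo - Open Banking", "tcm_behavior": "NEVER_PROMPT",
         "grant_types": ["AUTHORIZATION_CODE"], "multiple_refresh_tokens": True,
         "access_policy": "Open_Banking",
         "oidc": {"poc": "https://my.ibmsec.idp.com", "iss": "https://my.ibmsec.idp.com",
                  "lifetime": 20, "alg": "RS256", "db": "rt_profile_keys", "cert": "server"}},
        {"name": "Verify Demo - Client Credentials Authorization Code Consent PSD2",
         "tcm_behavior": "NEVER_PROMPT",
         "grant_types": ["AUTHORIZATION_CODE", "CLIENT_CREDENTIALS"],
         "max_authorization_grant_lifetime": 7200},
        {"name": "Verify Demo - Client Credentials AaaS", "tcm_behavior": "NEVER_PROMPT",
         "grant_types": ["CLIENT_CREDENTIALS"], "access_token_lifetime": 999999999},
    ],
    "clients": [
        {"name": "J.P. Norvill", "client_id": "ob_client", "client_secret": "hunter2",
         "redirect_uri": ["https://jpnorvill.com/auth", "http://my.ibmsec.spa.com:19080/auth"],
         "company_name": "JPNorvill", "contact_type": "TECHNICAL",
         "definition": "Verify Demo - Open Banking"},
    ],
}
```

Calling check_api_protection(SAMPLE) on the page's sample yields no constraint violations but both warnings, which is exactly what a reviewer should see before the sample is applied to a real deployment.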
Attribute Sources
To set Attribute sources, see the entry in the Appliance or Container documentation.
Authentication
Configuration for authentication mechanisms and policies used in the Authentication policy engine. Authentication policies can be used in risk-based access or context-based access policies to conditionally enforce additional authentication/authorization requirements. Authentication policies can also be attached to WebSEAL objects in the policy server.
authentication:
  mechanisms:
    - name: Verify Demo - QR Code Initiate
      uri: urn:ibm:security:authentication:asf:mechanism:qr_code_initiate
      description: InfoMap to initiate the QR login
      type: InfoMapAuthenticationName
      properties:
        mapping_rule: InfoMap_QRInitiate
        template_file: ''
    - name: Verify Demo - QR Code Response
      uri: urn:ibm:security:authentication:asf:mechanism:qr_code_response
      description: InfoMap to use the LSI for QR login
      type: InfoMapAuthenticationName
      properties:
        mapping_rule: InfoMap_QRResponse
        template_file: ''
    - name: Username Password
      uri: urn:ibm:security:authentication:asf:mechanism:password
      description: Username password authentication
      type: Username Password
      properties:
        usernamePasswordAuthentication.ldapHostName: openldap
        usernamePasswordAuthentication.loginFailuresPersistent: 'false'
        usernamePasswordAuthentication.ldapBindDN: '!secret default/isva-secrets:ldap_bind_dn'
        usernamePasswordAuthentication.maxServerConnections: '16'
        usernamePasswordAuthentication.mgmtDomain: Default
        usernamePasswordAuthentication.sslEnabled: 'true'
        usernamePasswordAuthentication.ldapPort: '636'
        usernamePasswordAuthentication.sslTrustStore: lmi_trust_store
        usernamePasswordAuthentication.userSearchFilter: usernamePasswordAuthentication.userSearchFilter
        usernamePasswordAuthentication.ldapBindPwd: '!secret default/isva-secrets:ldap_bind_pwd'
        usernamePasswordAuthentication.useFederatedDirectoriesConfig: 'false'
    - name: TOTP One-time Password
      uri: urn:ibm:security:authentication:asf:mechanism:totp
      description: Time-based one-time password authentication
      type: TOTP One-time Password
      properties:
        otp.totp.length: '6'
        otp.totp.macAlgorithm: HmacSHA1
        otp.totp.oneTimeUseEnabled: 'true'
        otp.totp.secretKeyAttributeName: otp.hmac.totp.secret.key
        otp.totp.secretKeyAttributeNamespace: urn:ibm:security:otp:hmac
        otp.totp.secretKeyUrl: otpauth://totp/Example:@USER_NAME@?secret=@SECRET_KEY@&issuer=Example
        otp.totp.secretKeyLength: '32'
        otp.totp.timeStepSize: '30'
        otp.totp.timeStepSkew: '10'
    - name: reCAPTCHA Verification
      uri: urn:ibm:security:authentication:asf:mechanism:recaptcha
      description: Human user verification using reCAPTCHA Version 2.0.
      type: ReCAPTCHAAuthenticationName
      properties:
        reCAPTCHA.HTMLPage: /authsvc/authenticator/recaptcha/standalone.html
        reCAPTCHA.apiKey: '!secret default/isva-secrets:recaptcha_key'
    - name: End-User License Agreement
      uri: urn:ibm:security:authentication:asf:mechanism:eula
      description: End-user license agreement authentication
      type: End-User License Agreement
      properties:
        eulaAuthentication.acceptIfLastAcceptedBefore: 'true'
        eulaAuthentication.alwaysShowLicense: 'false'
        eulaAuthentication.licenseFile: /authsvc/authenticator/eula/license.txt
        eulaAuthentication.licenseRenewalTerm: '0'
    - name: FIDO Universal 2nd Factor
      uri: urn:ibm:security:authentication:asf:mechanism:u2f
      description: FIDO Universal 2nd Factor Token Registration and Authentication
      type: U2FName
      properties:
        U2F.attestationSource: ''
        U2F.attestationType: None
        U2F.appId: www.myidp.ibm.com
        U2F.attestationEnforcement: Optional
  policies:
    - name: Verify Demo - Initiate Generic Message Demo Policy
      uri: urn:ibm:security:authentication:asf:verify_generic_message
      description: IBM MFA generic message policy.
      policy: <Policy xmlns="urn:ibm:security:authentication:policy:1.0:schema" PolicyId="urn:ibm:security:authentication:asf:verify_generic_message"><Description>IBM
        MFA generic message policy.</Description><Step id="id15342210896710" type="Authenticator"><Authenticator
        id="id15342210896711" AuthenticatorId="urn:ibm:security:authentication:asf:mechanism:generic_message"/></Step><Step
        id="id15342211135160" type="Authenticator"><Authenticator id="id15342211135161"
        AuthenticatorId="urn:ibm:security:authentication:asf:mechanism:mmfa"><Parameters><AttributeAssignment
        AttributeId="contextMessage"><AttributeDesignator AttributeId="message" Namespace="urn:ibm:security:asf:response:token:attributes"
        Source="urn:ibm:security:asf:scope:session" DataType="String"/></AttributeAssignment><AttributeAssignment
        AttributeId="mode"><AttributeValue DataType="String">Initiate</AttributeValue></AttributeAssignment><AttributeAssignment
        AttributeId="policyURI"><AttributeValue DataType="URI">urn:ibm:security:authentication:asf:verify_mmfa_response_fingerprint</AttributeValue></AttributeAssignment><AttributeAssignment
        AttributeId="username"><AttributeDesignator AttributeId="username" Namespace="urn:ibm:security:asf:response:token:attributes"
        Source="urn:ibm:security:asf:scope:session" DataType="String"/></AttributeAssignment></Parameters></Authenticator></Step></Policy>
    - name: Verify Demo - QR Code Initiate
      uri: urn:ibm:security:authentication:asf:qrlogin_initiate
      description: Login without a password - use your phone and scan a QR code!
      policy: <Policy xmlns="urn:ibm:security:authentication:policy:1.0:schema" PolicyId="urn:ibm:security:authentication:asf:qrlogin_initiate"><Description>Login
        without a password - use your phone and scan a QR code!</Description><Step id="id15033758674560"
        type="Authenticator"><Authenticator id="id15033758674561" AuthenticatorId="urn:ibm:security:authentication:asf:mechanism:qr_code_initiate"/></Step></Policy>
    - name: Verify Demo - QR Code Response
      uri: urn:ibm:security:authentication:asf:qrlogin_response
      description: Login without a password - use your phone and scan a QR code!
      policy: <Policy xmlns="urn:ibm:security:authentication:policy:1.0:schema" PolicyId="urn:ibm:security:authentication:asf:qrlogin_response"><Description>qrlogin_response</Description><Step
        id="id15033758436320" type="Authenticator"><Authenticator id="id15033758436321"
        AuthenticatorId="urn:ibm:security:authentication:asf:mechanism:qr_code_response"/></Step></Policy>
    - name: FIDO U2F Authenticate
      uri: urn:ibm:security:authentication:asf:u2f_authenticate
      description: FIDO Universal 2nd Factor Token Authentication
      policy: <Policy xmlns="urn:ibm:security:authentication:policy:1.0:schema" PolicyId="urn:ibm:security:authentication:asf:u2f_authenticate"><Description>FIDO
        Universal 2nd Factor Token Authentication</Description><Step id="Step_1" type="Authenticator"><Authenticator
        id="Auth_1" AuthenticatorId="urn:ibm:security:authentication:asf:mechanism:u2f"><Parameters><AttributeAssignment
        AttributeId="mode"><AttributeValue DataType="String">Authenticate</AttributeValue></AttributeAssignment><AttributeAssignment
        AttributeId="username"><AttributeDesignator AttributeId="username" Namespace="urn:ibm:security:asf:request:parameter"
        Source="urn:ibm:security:asf:scope:request" DataType="String"/></AttributeAssignment></Parameters></Authenticator></Step><Actions><Action
        On="null" type="null"><AttributeAssignments/></Action></Actions></Policy>
List of authentication mechanisms to create or update.
No additional items. Each item of this array must be:
An authentication mechanism configuration.
A unique name for the authentication mechanism.
An optional description of the authentication mechanism.
The unique resource identifier of the authentication mechanism.
Type of mechanism to create.
Must be one of:
- "HOTP One-time Password"
- "MAC One-time Password"
- "RSA One-time Password"
- "TOTP One-time Password"
- "Consent to device registration"
- "One-time Password"
- "HTTP Redirect"
- "Username Password"
- "End-User License Agreement"
- "Knowledge Questions"
- "Mobile User Approval"
- "reCAPTCHA Verification"
- "Info Map Authentication"
- "Email Message"
- "MMFA Authenticator"
- "SCIM Config"
- "FIDO Universal 2nd Factor"
- "Cloud Identity JavaScript"
- "QRCode Authenticator"
- "FIDO2 WebAuthn Authenticator"
- "Decision JavaScript"
- "RSA SecurID"
- "FIDO2 WebAuthn Registration"
- "OTP Enrollment"
List of properties to configure for mechanism. The property names are different for each of the mechanism types.
List of attributes to add from the request context.
No additional items. Each item of this array must be:
An attribute to retrieve from the authentication context.
Name of a registry attribute to obtain.
Authentication service namespace of name.
Authentication service context attribute.
List of authentication policies to create or update.
No additional items. Each item of this array must be:
An authentication policy that defines the authentication flow.
Specify a unique name for the authentication policy.
Description of the authentication policy.
Specify a unique resource identifier for the authentication policy.
Authentication policy specification used to format the authentication policy.
Must be one of:
- "urn:ibm:security:authentication:policy:1.0:schema"
Configured policy content that uses the specified authentication policy dialect (XML format).
True if the policy is enabled and invocable at runtime. Set to false to disable the policy.
Context Based Access
Configuration for the Context Based Access (CBA) policy engine of a Verify Identity Access deployment, including risk profiles, policies, and resource protection. Context Based Access policies are capable of defining conditional authentication requirements based on administrator-defined logic (such as device registration status, IP reputation, or authentication method enrollment for a user).
access_control:
  risk_profiles:
    - name: myLocation
      active: true
      attributes:
        - weight: 50
          id: '28'
        - weight: 10
          name: geoCountryCode
        - weight: 10
          name: geoRegionCode
        - weight: 10
          name: geoCity
      predefined: false
  policies:
    - name: Verify Demo - MFA Login Policy
      policy: <?xml version="1.0" encoding="UTF-8"?><!-- PolicyTag=urn:ibm:security:isam:8.0:xacml:2.0:config-policy
        --><!-- PolicyName='Verify Demo - MFA Login Policy' --><PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
        PolicySetId="urn:ibm:security:config-policy" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides"><Description>Example
        CBA Policy for the MFA Banking Demo password-less login</Description><Target/><Policy
        PolicyId="urn:ibm:security:rule-container:0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"><Target/><Rule
        RuleId="urn:ibm:security:rule:0" Effect="Permit"></Rule><Obligations><Obligation
        ObligationId="urn:ibm:security:authentication:asf:verify_mmfa_request_fingerprint"
        FulfillOn="Permit"/></Obligations></Policy></PolicySet>
    - name: Verify Demo - EULA
      policy: <?xml version="1.0" encoding="UTF-8"?><!-- PolicyTag=urn:ibm:security:isam:8.0:xacml:2.0:config-policy
        --><!-- PolicyName='Verify Demo - EULA' --><PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
        PolicySetId="urn:ibm:security:config-policy" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"><Description>GDPR
        Compliance (Acceptance of ToS)</Description><Target/><Policy PolicyId="urn:ibm:security:rule-container:0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"><Target/><Rule
        RuleId="urn:ibm:security:rule:0" Effect="Permit"><Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"><Apply
        FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"><Apply
        FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"><AttributeValue
        DataType="http://www.w3.org/2001/XMLSchema#string">urn:ibm:security:authentication:asf:mechanism:eula</AttributeValue></Apply><SubjectAttributeDesignator
        AttributeId="urn:ibm:security:subject:authenticationMechanismTypes" DataType="http://www.w3.org/2001/XMLSchema#string"
        MustBePresent="false"/></Apply></Apply></Condition></Rule></Policy><Policy PolicyId="urn:ibm:security:rule-container:1"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"><Target/><Rule
        RuleId="urn:ibm:security:rule:1" Effect="Permit"></Rule><Obligations><Obligation
        ObligationId="urn:ibm:security:authentication:asf:eula" FulfillOn="Permit"/></Obligations></Policy></PolicySet>
      description: GDPR Compliance (Acceptance of ToS)
  resources:
    - server: my.ibmsec.idp
      resource_uri: /login
      policies:
        - name: Verify Demo - MFA Login Policy
          type: policy
    - server: my.ibmsec.idp
      resource_uri: /protected/transfer
      policies:
        - name: Verify Demo - MFA Transaction Policy
          type: policy
    - server: my.ibmsec.idp
      resource_uri: /isam/sps/SP-SAML-QC/saml20/login
      policies:
        - name: Verify Demo - MFA Office 365 Login
          type: policy
List of Risk Profiles to create.
No additional items. Each item of this array must be:
A risk profile defines attributes and their weights used to calculate risk scores.
A unique name for the risk profile.
An optional brief description of the risk profile.
True indicates this risk profile is the currently active risk profile. Only one profile can be active at a time.
Array of attributes comprising this risk profile and the weight value of each attribute which is used in determining the risk score.
No additional items. Each item of this array must be:
An attribute used in risk calculation with its associated weight.
Determines the importance of this attribute within the associated risk profile. A higher weight value indicates the attribute has more importance within the risk profile. The weight values of the attributes are used in determining the risk score or the level of risk associated with permitting a request to access a resource.
Value must be greater than or equal to 0 and less than or equal to 100
Internally assigned ID value of the attribute. The attribute must have risk set to true in its type field. Either the name or the id of the attribute must be defined.
Name of the attribute. The attribute must have risk set to true in its type field. Either the name or the id of the attribute must be defined.
False to indicate this risk profile is custom defined.
List of Risk Based Access policies to create.
No additional items. Each item of this array must be:
An XACML policy for access control decisions.
The name of the policy.
An optional description of the policy.
The XACML specification used within the policy. Only valid value is XACML Version 2.
Must be one of:
- "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
The configured policy in XACML 2.0 format.
If true all the policy attributes must be present in the request for the policy to be evaluated.
List of resources to be created and corresponding policies which should be attached to each resource.
No additional items. Each item of this array must be:
A protected resource with attached policies.
The web container that contains the protected object space for a server instance.
The resource URI of the resource in the protected object space.
Must match regular expression: ^/
Array of attachments (policy, policy sets, and API protection definitions) that define the access protection for this resource.
Must contain a minimum of 1 item
Each item of this array must be:
A policy, policy set, or API protection definition attached to a resource.
Name of the policy, policy set, or API protection definition.
The type of attachment.
Must be one of:
- "policy"
- "policyset"
- "definition"
permitOverrides to allow access to the resource if any of the attachments return permit; denyOverrides to deny access to the resource if any of the attachments return deny.
Must be one of:
- "permitOverrides"
- "denyOverrides"
0 to disable the cache for this resource, -1 to cache the decision for the lifetime of the session or any number greater than 1 to set a specific timeout (in seconds) for the cached decision.
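A cross-check over the Authentication and Context Based Access blocks described above, added here as an example; it is not code from this page or from the configuration tool it documents. It parses each authentication policy in the urn:ibm:security:authentication:policy:1.0:schema dialect to confirm every Authenticator step names a mechanism uri configured in the same block, parses each CBA policy as a XACML 2.0 PolicySet to confirm every Obligation resolves to an authentication policy uri, enforces the risk profile rules (weights 0..100, a name or id per attribute, one active profile) and confirms that each resource attachment of type policy names a policy in the block. The input is a constructed, trimmed subset of the page's samples typed as a Python dict. A reference that resolves to nothing may already exist on the appliance, so the findings are items to confirm before applying, not necessarily errors.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Clark-notation namespace prefixes for the two policy dialects named on this page.
ASF_NS = "{urn:ibm:security:authentication:policy:1.0:schema}"
XACML_NS = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"
ATTACHMENT_TYPES = {"policy", "policyset", "definition"}


def authenticator_ids(policy_xml: str) -> List[str]:
    """AuthenticatorId values referenced by the Step elements of an authentication policy."""
    root = ET.fromstring(policy_xml)
    return [a.get("AuthenticatorId") for a in root.iter(ASF_NS + "Authenticator")]


def obligation_ids(xacml: str) -> List[str]:
    """ObligationId values in a XACML 2.0 PolicySet, the format CBA policies use."""
    root = ET.fromstring(xacml)
    if root.tag != XACML_NS + "PolicySet":
        raise ValueError("CBA policy root must be a PolicySet in " + XACML_NS)
    return [o.get("ObligationId") for o in root.iter(XACML_NS + "Obligation")]


def check_authentication(auth: Dict) -> List[str]:
    """Every policy step must point at a mechanism uri configured in the same block."""
    mech_uris = {m.get("uri") for m in auth.get("mechanisms") or []}
    out: List[str] = []
    for p in auth.get("policies") or []:
        for aid in authenticator_ids(p["policy"]):
            if aid not in mech_uris:
                out.append(f"policy {p['name']!r}: mechanism {aid} is not configured in this config")
    return out


def check_access_control(ac: Dict, auth: Dict) -> List[str]:
    """Risk profile bounds, XACML obligation targets and resource attachments."""
    auth_policy_uris = {p.get("uri") for p in auth.get("policies") or []}
    out: List[str] = []
    profiles = ac.get("risk_profiles") or []
    if sum(1 for p in profiles if p.get("active")) > 1:
        out.append("risk_profiles: only one profile can be active at a time")
    for p in profiles:
        for a in p.get("attributes") or []:
            if not 0 <= int(a.get("weight", -1)) <= 100:
                out.append(f"risk profile {p['name']!r}: weight must be between 0 and 100")
            if not (a.get("name") or a.get("id")):
                out.append(f"risk profile {p['name']!r}: attribute needs a name or an id")
    policies = ac.get("policies") or []
    for p in policies:
        for oid in obligation_ids(p["policy"]):
            if oid not in auth_policy_uris:
                out.append(f"policy {p['name']!r}: obligation {oid} matches no authentication policy uri in this config")
    policy_names = {p["name"] for p in policies}
    for r in ac.get("resources") or []:
        where = f"{r.get('server')}{r.get('resource_uri')}"
        if not str(r.get("resource_uri", "")).startswith("/"):
            out.append(f"{where}: resource_uri must start with /")
        for a in r.get("policies") or []:
            if a.get("type") not in ATTACHMENT_TYPES:
                out.append(f"{where}: attachment type must be one of {sorted(ATTACHMENT_TYPES)}")
            elif a["type"] == "policy" and a["name"] not in policy_names:
                out.append(f"{where}: attached policy {a['name']!r} is not defined in this config")
    return out


# Constructed input: trimmed subset of the page's samples as a dict literal (no YAML parser needed).
QR_INITIATE_POLICY = (
    '<Policy xmlns="urn:ibm:security:authentication:policy:1.0:schema" PolicyId="urn:ibm:security:authentication:asf:qrlogin_initiate">'
    '<Description>Login without a password - use your phone and scan a QR code!</Description>'
    '<Step id="id15033758674560" type="Authenticator"><Authenticator id="id15033758674561"'
    ' AuthenticatorId="urn:ibm:security:authentication:asf:mechanism:qr_code_initiate"/></Step></Policy>')
MFA_LOGIN_XACML = (  # the page's MFA Login Policy without the xsi/xacml-context attributes
    '<?xml version="1.0" encoding="UTF-8"?><!-- PolicyTag=urn:ibm:security:isam:8.0:xacml:2.0:config-policy -->'
    '<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicySetId="urn:ibm:security:config-policy"'
    ' PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">'
    '<Description>Example CBA Policy for the MFA Banking Demo password-less login</Description><Target/>'
    '<Policy PolicyId="urn:ibm:security:rule-container:0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">'
    '<Target/><Rule RuleId="urn:ibm:security:rule:0" Effect="Permit"></Rule><Obligations><Obligation'
    ' ObligationId="urn:ibm:security:authentication:asf:verify_mmfa_request_fingerprint" FulfillOn="Permit"/>'
    '</Obligations></Policy></PolicySet>')
SAMPLE = {
    "authentication": {
        "mechanisms": [
            {"name": "Username Password", "uri": "urn:ibm:security:authentication:asf:mechanism:password"},
            {"name": "TOTP One-time Password", "uri": "urn:ibm:security:authentication:asf:mechanism:totp"},
        ],
        "policies": [{"name": "Verify Demo - QR Code Initiate",
                      "uri": "urn:ibm:security:authentication:asf:qrlogin_initiate",
                      "policy": QR_INITIATE_POLICY}],
    },
    "access_control": {
        "risk_profiles": [{"name": "myLocation", "active": True, "predefined": False,
                           "attributes": [{"weight": 50, "id": "28"}, {"weight": 10, "name": "geoCountryCode"}]}],
        "policies": [{"name": "Verify Demo - MFA Login Policy", "policy": MFA_LOGIN_XACML}],
        "resources": [
            {"server": "my.ibmsec.idp", "resource_uri": "/login",
             "policies": [{"name": "Verify Demo - MFA Login Policy", "type": "policy"}]},
            {"server": "my.ibmsec.idp", "resource_uri": "/protected/transfer",
             "policies": [{"name": "Verify Demo - MFA Transaction Policy", "type": "policy"}]},
        ],
    },
}
```

Run check_authentication(SAMPLE["authentication"]) and check_access_control(SAMPLE["access_control"], SAMPLE["authentication"]); on this subset the QR mechanism, the MMFA obligation target and the transfer policy are all reported as unresolved within the config.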
Attributes
Configuration for custom attributes used in risk profiles and access control policies. Attributes allow an administrator to source information about a user from a number of different places (LDAP, Session, Static) to build up credential attributes, which can then be used by subsequent authentication and authorization flows.
No additional items. Each item of this array must be:
A custom attribute definition for use in risk-based access control.
A unique name for the attribute.
An optional description of the attribute.
The identifier of the attribute that is used in the generated XACML policy.
Type of attribute being used.
True if the attribute is used in risk profiles.
True if the attribute is used in policies.
The type of values that the attribute can accept.
Must be one of:
- "String"
- "Integer"
- "Double"
- "Boolean"
- "Time"
- "Date"
- "X500Name"
The name of the policy information point from which the value of the attribute is retrieved.
The part of the XACML request that the attribute value comes from.
Must be one of:
- "Subject"
- "Environment"
- "Action"
- "Resource"
ID of the attribute matcher that is used to compare the value of this attribute in an incoming device fingerprint with an existing device fingerprint of the user.
Define where the attribute is stored.
True if the attribute is collected in the user session. Session attributes are stored temporarily until the session times out.
True if historic data for this attribute is stored in the database and used for behavior-based attribute matching.
True if the attribute is stored when a device is registered as part of the device fingerprint.
attributes:
  - name: urn:ibm:demo:transferamount
    description: Verify Demo Transfer Amount
    uri: urn:ibm:demo:transferamount
    type:
      risk: true
      policy: false
    datatype: Double
    issuer: ''
    category: Action
    matcher: '1'
    storage:
      session: true
      behavior: false
      device: true
Obligations
Configuration for access control obligations that define actions to be performed before access is granted. For example, a user must consent to registering a device (device fingerprinting) before being permitted access.
No additional items. Each item of this array must be:
An obligation that defines actions to be performed based on policy decisions.
A unique name for the obligation.
An optional description of the obligation.
The identifier of the obligation that is used in generated XACML.
Should be set to Obligation.
Must be one of:
- "Obligation"
The obligation type id. If not provided, the value will be set to 1, which is the Enforcement Point type.
Array of parameters associated with the obligation.
No additional items. Each item of this array must be:
A parameter for an obligation.
A unique name for the parameter.
Label for the parameter. Set it to the value of the name.
Data type for the parameter.
Must be one of:
- "Boolean"
- "Date"
- "Double"
- "Integer"
- "String"
- "Time"
- "X500Name"
Array of properties associated with the obligations.
No additional items. Each item of this array must be:
A property for an obligation.
A unique key for the property.
The value for the property.
obligations:
  - name: myObligation
    description: Test obligation
    type: Obligation
    uri: urn:ibm:security:obligation:myObligation
    parameters:
      - name: userid
        label: userid
        datatype: String
Point Of Contact
To configure Point of Contact profiles, see the entry in the Appliance or Container documentation.
Policy Information Points
Policy Information Points (PIPs) allow administrators to integrate third party information sources to provide additional context to an authorization policy before making a decision to permit or deny access.
No additional items. Each item of this array must be:
A policy information point that retrieves attribute values from external sources.
A unique name for the policy information point. This name is used as the Issuer for custom attributes whose value is returned by this policy information point.
A description of the policy information point.
The policy information point type for this policy information point.
Must be one of:
- "JavaScript"
- "RESTful Web Service"
- "Database"
- "LDAP"
- "FiberLink MaaS360"
- "QRadar User Behavior Analytics"
A list of custom attributes whose values are retrieved from select portions of the response from this policy information point. Specify when the policy information point type has supportSelector true.
No additional items. Each item of this array must be:
Defines how to extract an attribute value from the PIP response.
Name of the attribute whose value will come from the selected data portion of the policy information point response. The attribute must be defined on the appliance before it can be assigned to this selector.
Identifies how to select the part of the policy information point response that will be assigned as the attribute value. The format of the selector for a RESTful Web Service policy information point is dependent on the responseFormat property value (JSON, XML, or Text).
Configurable properties defining this policy information point. These entries are specific to the policy information point type.
No additional items. Each item of this array must be:
A configurable property for the policy information point.
True if the property value cannot be updated.
Value given to the property.
Data type of the property.
Must be one of:
- "Binary"
- "Boolean"
- "Double"
- "Integer"
- "String"
- "JavaScript"
- "KeyStore"
- "Email"
- "X500"
- "URI"
- "URL"
- "Hostname"
Name of the property as used by the policy information point. A key of 'javascript.code' or 'fileContent' identifies a special property whose value can be imported and exported as a file.
Used internally to indicate properties with values private in nature, such as passwords.
pips:
  - name: myJSpip
    description: Custom JavaScript PIP.
    type: JavaScript
    attributes: []
    properties:
      - read_only: false
        value: '
          /** Import packages necessary for the script to execute. */
          importPackage(com.ibm. . .);
          /** Your code here */
          ....
          var name = getName();
          return
          '
        datatype: JavaScript
        key: javascript.code
        sensitive: false
      - read_only: false
        value: '89'
        datatype: Integer
        key: limit
        sensitive: false
HTTP Template Files
To upload HTTP template files, see the entry in the Appliance or Container documentation.
JavaScript Mapping Rules
To upload JavaScript mapping rules, see the entry in the Appliance or Container documentation.
Push Notification Service
Push notification configuration is used to integrate with a mobile push notification service. Apple APNS and Android Firebase providers are supported.
No additional items. Each item of this array must be:
A push notification provider configuration.
The application identifier associated with the registration.
The platform the registration is for.
Must be one of:
- "apple"
- "android"
The host:port address of the push notification service provider.
Must match regular expression: ^[^:]+:\d+$
The key store database containing the APNS certificate. Only valid if 'platform' is 'apple'.
The key label of the imported APNS certificate. Only valid if 'platform' is 'apple'.
The server key for access to the Firebase push notification service. Only valid if 'platform' is 'android'.
The IBM Marketing Cloud issued Oauth client ID.
The IBM Marketing Cloud issued Oauth client secret.
The IBM Marketing Cloud issued Oauth refresh token.
The app key issued by IBM Marketing Cloud for the associated application.
push_notification_providers:
  - platform: android
    app_id: com.ibm.security.verifyapp
    provider: imc
    provider_address: verifypushcreds.mybluemix.net
    imc_app_key: android_app_key
    imc_client_id: android_client_id
    imc_client_secret: android_client_secret
    imc_refresh_token: android_refresh_token
  - platform: apple
    app_id: com.ibm.security.verifyapp
    provider: imc
    provider_address: verifypushcreds.mybluemix.net
    imc_app_key: apple_app_key
    imc_client_id: apple_client_id
    imc_client_secret: apple_client_secret
    imc_refresh_token: apple_refresh_token
Mobile Multi-Factor Authentication
Configuration for IBM Verify mobile multi-factor authentication (MMFA) integration. These properties are used to discover the mobile devices that have been registered for a user, and to initiate or complete an "out of band" authentication or authorization challenge.
mmfa:
  client_id: IBMVerify
  hostname: https://www.myidp.ibm.com
  port: 444
  options: ignoreSslCerts=true
  junction: /mga
  discovery_mechanisms:
    - urn:ibm:security:authentication:asf:mechanism:totp
    - urn:ibm:security:authentication:asf:mechanism:mobile_user_approval:user_presence
    - urn:ibm:security:authentication:asf:mechanism:mobile_user_approval:fingerprint
The OAuth client ID required for the MMFA service.
The hostname of the MMFA endpoint URI. Protocol used will be https. Must be configured if 'endpoints' is not included.
The port of the MMFA endpoint URI. Must be configured if 'endpoints' is not included.
Value must be greater than or equal to 1 and less than or equal to 65535
The junction of the MMFA endpoint URI. Must be configured if 'endpoints' is not included.
Must match regular expression: ^/
A list of configurable key-value pairs to be presented in the QR code. Recommended formatting: key=value,key=value.
An object containing the endpoints returned from the registration QR code or the discovery endpoint. If configured, overwrites 'hostname', 'port', and 'junction' configuration.
The discovery endpoint included in the registration QR code.
The enrollment endpoint returned from the discovery endpoint.
The QR Code login endpoint returned from the discovery endpoint.
The OAuth token endpoint returned from the discovery endpoint.
The SCIM Transaction endpoint returned from the discovery endpoint.
The prefix of the runtime endpoint that is constructed and saved as the requestUrl of a transaction.
A list of authentication mechanism URIs to be included in the discovery endpoint response.
No additional items. Each item of this array must be:
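The push provider and MMFA entries above carry several constraints that are easy to get wrong by hand (the host:port pattern on provider_address, the platform enumeration, the port range and leading slash on the junction, and the rule that hostname, port and junction are only required when endpoints is absent). The following is an added example, not the configuration tool's own validation code, that encodes those documented rules as checks over the configuration rendered as Python dicts. Applied to the push provider example above it reports both entries, because verifypushcreds.mybluemix.net carries no port and so does not match ^[^:]+:\d+$. It also flags the ignoreSslCerts=true option shown in the MMFA example: that option instructs the IBM Verify client to skip TLS certificate validation for the MMFA endpoints, which is acceptable in a lab and not in production; that check is my addition, not a rule stated by the schema. The sample configurations are constructed from the examples above, and the discovery_endpoint key under endpoints is a hypothetical key name.

```python
import re

# Patterns and enumerations taken from the schema text above.
PROVIDER_ADDRESS_RE = re.compile(r"^[^:]+:\d+$")   # host:port
JUNCTION_RE = re.compile(r"^/")
PLATFORMS = {"apple", "android"}
IMC_KEYS = ("imc_app_key", "imc_client_id", "imc_client_secret", "imc_refresh_token")


def check_push_providers(providers):
    """Return a list of findings (strings) for a push_notification_providers list."""
    findings = []
    for i, p in enumerate(providers):
        where = f"push_notification_providers[{i}]"
        if p.get("platform") not in PLATFORMS:
            findings.append(f"{where}: platform must be one of {sorted(PLATFORMS)}")
        if not p.get("app_id"):
            findings.append(f"{where}: app_id is required")
        addr = str(p.get("provider_address", ""))
        if not PROVIDER_ADDRESS_RE.match(addr):
            findings.append(f"{where}: provider_address {addr!r} is not host:port")
        if p.get("provider") == "imc":
            for key in IMC_KEYS:               # the four IMC keys shown in the example
                if not p.get(key):
                    findings.append(f"{where}: {key} is required for provider imc")
    return findings


def parse_options(options):
    """Parse the recommended 'key=value,key=value' options string into a dict."""
    result = {}
    for pair in filter(None, (s.strip() for s in str(options).split(","))):
        key, sep, value = pair.partition("=")
        result[key.strip()] = value.strip() if sep else ""
    return result


def check_mmfa(mmfa):
    """Return a list of findings for the mmfa block."""
    findings = []
    if not mmfa.get("client_id"):
        findings.append("mmfa: client_id is required")
    if "endpoints" not in mmfa:
        # Without 'endpoints', hostname, port and junction must all be present.
        for key in ("hostname", "port", "junction"):
            if key not in mmfa:
                findings.append(f"mmfa: {key} is required when endpoints is not set")
        port = mmfa.get("port")
        if port is not None and not (isinstance(port, int) and 1 <= port <= 65535):
            findings.append(f"mmfa: port {port!r} must be an integer from 1 to 65535")
        junction = mmfa.get("junction")
        if junction is not None and not JUNCTION_RE.match(str(junction)):
            findings.append(f"mmfa: junction {junction!r} must start with '/'")
    opts = parse_options(mmfa.get("options", ""))
    # Added caveat (not a schema rule): ignoreSslCerts=true tells the IBM Verify
    # client to skip TLS certificate validation for the MMFA endpoints.
    if opts.get("ignoreSslCerts", "").lower() == "true":
        findings.append("mmfa: options sets ignoreSslCerts=true "
                        "(certificate validation disabled on the mobile client)")
    return findings


# Constructed sample input, copied from the examples above.
PAGE_PROVIDERS = [
    {"platform": "android", "app_id": "com.ibm.security.verifyapp", "provider": "imc",
     "provider_address": "verifypushcreds.mybluemix.net",
     "imc_app_key": "android_app_key", "imc_client_id": "android_client_id",
     "imc_client_secret": "android_client_secret", "imc_refresh_token": "android_refresh_token"},
    {"platform": "apple", "app_id": "com.ibm.security.verifyapp", "provider": "imc",
     "provider_address": "verifypushcreds.mybluemix.net",
     "imc_app_key": "apple_app_key", "imc_client_id": "apple_client_id",
     "imc_client_secret": "apple_client_secret", "imc_refresh_token": "apple_refresh_token"},
]
# Same entries with the port the pattern requires.
VALID_PROVIDERS = [dict(p, provider_address="verifypushcreds.mybluemix.net:443")
                   for p in PAGE_PROVIDERS]
PAGE_MMFA = {"client_id": "IBMVerify", "hostname": "https://www.myidp.ibm.com",
             "port": 444, "options": "ignoreSslCerts=true", "junction": "/mga"}
# Constructed: out-of-range port and a junction without the leading slash.
BAD_MMFA = {"client_id": "IBMVerify", "hostname": "mmfa.example.test",
            "port": 70000, "junction": "mga"}
# Constructed: 'endpoints' present, so hostname/port/junction are not required
# (discovery_endpoint is a hypothetical key name).
ENDPOINTS_MMFA = {"client_id": "IBMVerify",
                  "endpoints": {"discovery_endpoint": "https://mmfa.example.test/discovery"}}

if __name__ == "__main__":
    for finding in check_push_providers(PAGE_PROVIDERS) + check_mmfa(PAGE_MMFA):
        print(finding)
```

Run it against the real file by loading the YAML into a dict and passing the push_notification_providers list and the mmfa mapping to the two check functions; an empty list means every documented constraint held.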
Server Connections
To configure third party Server Connections, see the entry in the Appliance or Container documentation.
Advanced Configuration Parameters
To set Advanced Configuration Properties, see the entry in the Appliance or Container documentation.
SCIM
System for Cross-domain Identity Management (SCIM) configuration. SCIM can be configured with an LDAP or a Verify Identity Access User Registry (WebSEAL runtime component) server connection. SCIM allows administrators to create and manage users, as well as provide attributes to other Verify Identity Access authentication components.
scim:
  admin_group: SecurityGroup
  schemas:
    - uri: urn:ietf:params:scim:schemas:core:2.0:User
      properties:
        connection_type: ldap
        ldap_connection: Local LDAP connection
        search_suffix: dc=ibm,dc=com
        user_suffix: dc=ibm,dc=com
  attribute_modes:
    - schema: urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Transaction
      modes:
        - attribute: transactionsPending
          mode: readwrite
        - attribute: transactionsPending
          subattribute: txnStatus
          mode: readwrite
The name of the administrator group. Used to determine if the authenticated user is an administrator.
List of managed schemas to modify.
No additional items. Each item of this array must be:
SCIM schema configuration.
Name of schema properties to modify.
Must be one of:
- "urn:ietf:params:scim:schemas:core:2.0:User"
- "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
- "urn:ietf:params:scim:schemas:core:2.0:Group"
- "urn:ietf:params:scim:schemas:extension:isam:1.0:User"
Schema unique properties to apply. The structure depends on the schema URI.
Properties for urn:ietf:params:scim:schemas:core:2.0:User
The name of the ldap server connection.
The list of ldap object classes that are used to indicate a user object.
No additional items. Each item of this array must be:
LDAP object class definition.
The name of the ldap object class type that is used to indicate a user or group object.
The suffix from which searches will commence in the LDAP server.
The suffix that will house any users that are created through the SCIM interface.
The LDAP attribute that will be used to construct the user DN. Defaults to cn.
Indicates the type of LDAP server connection.
Must be one of:
- "ldap"
- "isamruntime"
The name of a federated directory used to generate the list of available ldap object classes and ldap attribute names. Only valid if the connection_type is set to isamruntime.
Set this field to true if SCIM needs to honour the backend password policy when changing a user password.
The LDAP attribute that will be used as the user ID. Defaults to uid.
The list of SCIM attribute mappings.
No additional items. Each item of this array must be:
Mapping between SCIM attributes and backend attributes.
The name of the SCIM attribute being mapped.
For a simple SCIM attribute - the mapping for this attribute. For a complex SCIM attribute this can be an array of mappings.
Single mapping for simple SCIM attribute
The type of attribute to map to the SCIM attribute.
Must be one of:
- "ldap"
- "session"
- "fixed"
The attribute to map to the SCIM attribute.
For a multivalued attribute, the second level SCIM attribute name to be mapped, e.g. work or home for the SCIM attribute email.
Array of mappings for complex SCIM attribute
No additional items. Each item of this array must be:
Individual attribute mapping definition.
Same definition as the single mapping for a simple SCIM attribute (above).
Properties for urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
The list of SCIM enterprise user attribute mappings.
No additional items. Each item of this array must be:
Mapping between SCIM attributes and backend attributes.
Same definition as the SCIM attribute mapping items of the core User schema (above).
Properties for urn:ietf:params:scim:schemas:core:2.0:Group
The list of ldap object classes that are used to indicate a group object.
No additional items. Each item of this array must be:
LDAP object class definition.
Same definition as the LDAP object class definition of the core User schema (above).
The LDAP attribute that will be used to construct the group DN.
Properties for urn:ietf:params:scim:schemas:extension:isam:1.0:User
The name of the ldap server connection to the Verify Identity Access user registry. If a connection is not specified the SCIM application will not attempt to manage Verify Identity Access users.
The name of the Verify Identity Access domain. Defaults to Default.
Enable update of Verify Identity Access specific attributes when LDAP standard attributes are updated.
Indicates the type of LDAP server connection: ldap or isamruntime.
Must be one of:
- "ldap"
- "isamruntime"
The name of a federated directory used to generate the list of available ldap object classes and ldap attribute names. Only valid if the connection_type is set to isamruntime.
Set this field to true if SCIM needs to honour the backend password policy when changing a user password.
Whether or not SCIM header authentication is enabled.
Whether or not the authorization filter is enabled.
The customized attribute modes.
No additional items. Each item of this array must be:
Customized attribute access modes for a SCIM schema.
The name of the schema.
An array of customised attribute modes for the schema.
No additional items. Each item of this array must be:
Access mode for a specific attribute.
The name of the attribute.
The mode for the attribute.
Must be one of:
- "readonly"
- "writeonly"
- "readwrite"
- "adminwrite"
- "immutable"
For a multivalued attribute - the second level SCIM attribute name.
The maximum number of entries that can be returned from a single call to the /User endpoint.
Value must be greater than or equal to 1
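The attribute_modes setting above decides which SCIM attributes a caller may read or write, and the example uses it to open the transactionsPending attribute (and its txnStatus sub-attribute) of the MMFA transaction schema for read and write. The following is an added example, not the product's own enforcement code, showing how such a mode table is resolved and applied. The five mode names are the ones listed above; their semantics are assumed here: readonly, writeonly, readwrite and immutable follow the matching RFC 7643 mutability values (immutable meaning settable on create but not afterwards, writeonly meaning never returned on read), adminwrite is taken from its name to mean writable only by a member of admin_group, and an attribute with no entry is treated as readwrite. The sample table combines the MMFA transaction modes from the example above with constructed password, userName and active entries for the core User schema.

```python
# Assumed semantics (see the lead-in): only these five names are valid.
MODES = {"readonly", "writeonly", "readwrite", "adminwrite", "immutable"}


def build_mode_index(attribute_modes):
    """Map (schema, attribute, subattribute-or-None) -> mode from the attribute_modes list."""
    index = {}
    for entry in attribute_modes:
        for m in entry["modes"]:
            if m["mode"] not in MODES:
                raise ValueError(f"unknown mode {m['mode']!r} for {m['attribute']}")
            index[(entry["schema"], m["attribute"], m.get("subattribute"))] = m["mode"]
    return index


def mode_for(index, schema, attribute, subattribute=None):
    """A sub-attribute entry wins; otherwise fall back to the attribute, then to readwrite."""
    return (index.get((schema, attribute, subattribute))
            or index.get((schema, attribute, None))
            or "readwrite")


def is_permitted(index, schema, attribute, op, is_admin=False, creating=False, subattribute=None):
    """op is 'read' or 'write'; True when the configured mode allows the operation."""
    mode = mode_for(index, schema, attribute, subattribute)
    if op == "read":
        return mode != "writeonly"          # writeonly values (e.g. password) are never returned
    if op == "write":
        if mode == "readonly":
            return False
        if mode == "adminwrite":
            return is_admin                 # only members of admin_group may change it
        if mode == "immutable":
            return creating                 # settable on create, frozen afterwards
        return True                         # readwrite and writeonly
    raise ValueError(f"unknown operation {op!r}")


def filter_for_read(index, schema, resource):
    """Drop attributes, and sub-attributes of dict-valued attributes, that must not be returned."""
    out = {}
    for attr, value in resource.items():
        if not is_permitted(index, schema, attr, "read"):
            continue
        if isinstance(value, dict):
            value = {k: v for k, v in value.items()
                     if is_permitted(index, schema, attr, "read", subattribute=k)}
        out[attr] = value
    return out


# Constructed sample table: the MMFA transaction modes from the example above plus
# assumed entries for the core User schema.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
TXN_SCHEMA = "urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Transaction"
SAMPLE_ATTRIBUTE_MODES = [
    {"schema": TXN_SCHEMA, "modes": [
        {"attribute": "transactionsPending", "mode": "readwrite"},
        {"attribute": "transactionsPending", "subattribute": "txnStatus", "mode": "readwrite"},
    ]},
    {"schema": USER_SCHEMA, "modes": [
        {"attribute": "password", "mode": "writeonly"},
        {"attribute": "userName", "mode": "immutable"},
        {"attribute": "active", "mode": "adminwrite"},
    ]},
]
SAMPLE_INDEX = build_mode_index(SAMPLE_ATTRIBUTE_MODES)

if __name__ == "__main__":
    user = {"userName": "alice", "password": "constructed-secret", "active": True}
    print(filter_for_read(SAMPLE_INDEX, USER_SCHEMA, user))   # password is withheld
```

Before a write, evaluate is_permitted with the caller's admin_group membership and whether the request is a create; before a read, pass the resource through filter_for_read so that writeonly attributes never leave the server.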
FIDO2
Configuration for FIDO2/WebAuthn authentication including relying parties, metadata, and mediator JavaScript mapping rules.
fido2:
  relying_parties:
    - name: fidointerop.securitypoc.com
      rp_id: fidointerop.securitypoc.com
      origins:
        - https://fidointerop.securitypoc.com
        - urn:ibm:security:verify:app:namespace
      use_all_metadata: true
      metadata_soft_fail: false
      metadata_services:
        - https://mds3.fidoalliance.org
      mediator: fido2_mediator_verifysecuritypoc.js
      attestation:
        statement_types:
          - basic
          - self
          - attCA
          - anonCA
          - none
        statement_formats:
          - fido-u2f
          - packed
          - self
          - android-key
          - android-safetynet
          - tpm
          - none
  metadata:
    metadata:
      - fido2/metadata
    metadata_services:
      - url: https://mds.fidoalliance.org
        timeout: 30
        truststore: rt_profile_keys
        jws_truststore: fido_mds_certs
JavaScript files to upload as FIDO2 mediators.
No additional items. Each item of this array must be:
Path to JavaScript mediator file.
Files to upload as static FIDO2 metadata documents, or URLs to use as dynamic metadata services.
List of metadata services to enable for the relying party.
No additional items. Each item of this array must be:
A FIDO2 metadata service configuration.
Address of the metadata service.
Wait interval (in seconds) before retrying the download when metadata retrieval fails.
Value must be greater than or equal to 0
The name of the JWS verification truststore.
The name of the truststore to use for HTTPS connections and JWS verification.
The basic authentication username.
The basic authentication password.
The client keystore for client certificate authentication.
The client key alias for client certificate authentication.
The SSL protocol to use for the HTTPS connection.
Must be one of:
- "TLS"
- "TLSv1"
- "TLSv1.1"
- "TLSv1.2"
The request timeout in seconds. A value of 0 will result in no timeout.
Value must be greater than or equal to 0
The URL of the proxy server used to connect to the metadata service.
A list of HTTP headers to be added to the HTTP request when retrieving the metadata from the service.
No additional items. Each item of this array must be:
An HTTP header for metadata service requests.
The name of the HTTP header.
The value of the HTTP header.
List of metadata documents to enable for the relying party.
No additional items. Each item of this array must be:
Path to metadata file.
List of relying parties to configure.
No additional items. Each item of this array must be:
A FIDO2 relying party configuration.
Name of the relying party.
URI of the relying party base domain.
List of permitted origins. These should be valid sub-domains of the rp_id.
Must contain at least 1 item.
Each item of this array must be:
List of metadata documents to enable for this relying party.
No additional items. Each item of this array must be:
List of metadata services to enable for this relying party. This can be either the Verify Identity Access assigned id of the metadata service, or the URL of the metadata service.
No additional items. Each item of this array must be:
Use all available metadata documents for this relying party.
Mediator mapping rule to configure for this relying party.
Group used to permit admin operations for this relying party.
Attestation properties permitted for this relying party.
List of attestation types to permit.
No additional items. Each item of this array must be:
Must be one of:
- "basic"
- "self"
- "attCA"
- "anonCA"
- "none"
List of attestation formats to permit.
No additional items. Each item of this array must be:
Must be one of:
- "fido-u2f"
- "packed"
- "self"
- "android-key"
- "android-safetynet"
- "tpm"
- "none"
List of COSE algorithm identifiers to permit.
No additional items. Each item of this array must be:
True if all attestation statements in a compound attestation must be valid to successfully register an authenticator.
Android attestation specific configuration.
Maximum age of attestation signature.
Value must be greater than or equal to 0
Maximum allowed clock skew in signed attestation attributes.
Value must be greater than or equal to 0
True if the Android SafetyNet CTS Profile Match flag should be enforced.
Time period a user has to complete a FIDO2/WebAuthn ceremony.
Value must be greater than or equal to 1
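The relying party origins list is the binding that stops a credential registered for one site from being exercised from another: each origin must be an https origin whose host is the rp_id or a subdomain of it, and a host that merely ends in the rp_id text (fidointerop.securitypoc.com.evil.example) must be rejected. The following is an added example, not the product's own validation, that applies that rule together with the attestation type and format enumerations above to a relying_parties entry, and runs two checks over a metadata_services entry: a timeout of 0 (no timeout, per the schema text) and a TLS protocol older than TLSv1.2. The urn:ibm:security:verify:app:namespace origin from the example above is not a web origin, so it is accepted only as an exact match from an explicit list. The key names origins, rp_id, attestation, statement_types, statement_formats, url and timeout come from the example above; ssl_protocol is a hypothetical key name for the SSL protocol setting, and the bad relying party is constructed.

```python
from urllib.parse import urlsplit

# Enumerations taken from the schema text above.
STATEMENT_TYPES = {"basic", "self", "attCA", "anonCA", "none"}
STATEMENT_FORMATS = {"fido-u2f", "packed", "self", "android-key",
                     "android-safetynet", "tpm", "none"}
SSL_PROTOCOLS = {"TLS", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Non-web origins that identify the IBM Verify app rather than a browser
# (from the example above); accepted as exact matches only.
APP_ORIGINS = {"urn:ibm:security:verify:app:namespace"}


def origin_matches_rp_id(origin, rp_id):
    """True for an https origin whose host equals rp_id or is a subdomain of it.

    The port is ignored (any port on a permitted host belongs to the same RP),
    the scheme must be https, and a host that merely ends in the rp_id text
    without a dot boundary is rejected.
    """
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    rp = rp_id.lower().rstrip(".")
    return host == rp or host.endswith("." + rp)


def check_relying_party(rp):
    """Return a list of findings for one relying_parties entry."""
    findings = []
    rp_id = str(rp.get("rp_id", ""))
    if not rp_id:
        findings.append("rp_id is required")
    origins = rp.get("origins") or []
    if not origins:
        findings.append("origins must contain at least 1 item")
    for origin in origins:
        if origin in APP_ORIGINS:
            continue
        if not origin_matches_rp_id(str(origin), rp_id):
            findings.append(f"origin {origin!r} is not an https origin under rp_id {rp_id!r}")
    attestation = rp.get("attestation") or {}
    for t in attestation.get("statement_types", []):
        if t not in STATEMENT_TYPES:
            findings.append(f"unknown attestation statement type {t!r}")
    for f in attestation.get("statement_formats", []):
        if f not in STATEMENT_FORMATS:
            findings.append(f"unknown attestation statement format {f!r}")
    return findings


def check_metadata_service(svc):
    """Return findings for one fido2.metadata.metadata_services entry."""
    findings = []
    if not svc.get("url"):
        findings.append("url is required")
    timeout = svc.get("timeout")
    if timeout is not None:
        if not isinstance(timeout, int) or timeout < 0:
            findings.append(f"timeout {timeout!r} must be an integer >= 0")
        elif timeout == 0:
            findings.append("timeout 0 disables the request timeout; a stalled download blocks metadata refresh")
    proto = svc.get("ssl_protocol")             # hypothetical key name
    if proto is not None:
        if proto not in SSL_PROTOCOLS:
            findings.append(f"ssl_protocol {proto!r} is not one of {sorted(SSL_PROTOCOLS)}")
        elif proto in {"TLSv1", "TLSv1.1"}:
            findings.append(f"ssl_protocol {proto} is deprecated; use TLSv1.2")
    return findings


# Constructed sample input: the relying party from the example above, and a bad one.
PAGE_RP = {
    "name": "fidointerop.securitypoc.com", "rp_id": "fidointerop.securitypoc.com",
    "origins": ["https://fidointerop.securitypoc.com", "urn:ibm:security:verify:app:namespace"],
    "attestation": {"statement_types": ["basic", "self", "attCA", "anonCA", "none"],
                    "statement_formats": ["fido-u2f", "packed", "self", "android-key",
                                          "android-safetynet", "tpm", "none"]},
}
BAD_RP = {
    "name": "bad", "rp_id": "fidointerop.securitypoc.com",
    "origins": ["http://fidointerop.securitypoc.com",
                "https://fidointerop.securitypoc.com.evil.example"],
    "attestation": {"statement_types": ["basic", "bogus"], "statement_formats": ["packed", "u2f"]},
}
PAGE_MDS = {"url": "https://mds.fidoalliance.org", "timeout": 30,
            "truststore": "rt_profile_keys", "jws_truststore": "fido_mds_certs"}

if __name__ == "__main__":
    for finding in check_relying_party(BAD_RP):
        print(finding)
```

Note that the checks are purely about the configuration shape: metadata_soft_fail and use_all_metadata are not inspected here, and whether the metadata service JWS actually verifies against jws_truststore can only be established by the runtime itself.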
Runtime Server Configuration
To set Runtime Server properties, see the entry in the Appliance or Container documentation.