Example Verify Identity Access Configurations (Getting Started)
First Steps (container deployment)
Container deployment
The container deployment used for this demo can be found in the Verify Identity Access docker-compose sample deployment code.
The first steps configuration file defines some initial configuration that is required for all Verify Identity Access deployments. These steps include:
Accepting the software license agreement and initial management configuration.
Configuring service accounts for publishing snapshots to Runtime Containers.
Importing PKI for the LDAP Runtime Server and High-Volume Runtime Database.
Applying module licenses for the WebSEAL, Advanced Access Control and Federation modules.
Configuring the WebSEAL Runtime Policy Server / User Registry.
Appliance deployment
The first steps configuration file defines some initial configuration that is required for all Verify Identity Access deployments. These steps include:
Accepting the software license agreement and initial management configuration.
Setting network configuration (routes, ip addresses, dns).
Applying module licenses for the WebSEAL, Advanced Access Control and Federation modules. If you do not have product activation codes, you can request a trial license from the trial site.
Configuring the WebSEAL Runtime Policy Server / User Registry.
WebSEAL Reverse Proxy using Advanced Access Control authentication
The WebSEAL / AAC deployment defines a Verify Identity Access deployment with a single WebSEAL reverse proxy. This proxy is configured to perform authentication using the AAC authentication capabilities. The configuration steps performed include:
Creating a WebSEAL Reverse Proxy instance
Integrating the AAC/Federation runtime to provide authentication to WebSEAL
Enabling the Username/Password authentication mechanism
Creating a demo user in the WebSEAL User Registry
Updating the default WebSEAL login page to use AAC
You can run this configuration script on a deployment which has already been activated / licensed, e.g. by running First Steps (container deployment).
The deployment can be tested with the testuser IVIA user account. The user is created in the reverse proxy user registry, and can have password control and other account management capabilities applied.
Once you have this scenario working you should try the “Identifier First Authentication” scenario for advanced login user experiences, including MMFA, passkey and password authentication.
Container image pipeline
This configuration example will demonstrate how administrators can set up a “pipeline” of configuration steps to build out a deployment. This is especially useful in staged (development/production) environments where a Verify Identity Access deployment might be tested in several different sandboxed environments before it is pushed to a production environment.
This workflow builds on a configuration snapshot (golden image), which can be used to scale out a Verify Identity Access deployment. The first steps involve completing steps which are required for all environments, such as accepting EULA, activating Verify Identity Access modules, or importing static resources such as JavaScript mapping rules/HTML template files. Once this configuration has been completed, the generated snapshot file can be reused to bootstrap Verify Identity Access deployments in downstream environments.
In the dev configuration step, connections to external services (database, user registry, etc.) are modified to connect to temporary services, so the deployment can be incrementally tested before being deployed.
Note
To make managing and promoting configuration snapshots simple, you should make use of the SNAPSHOT_ID environment property when running configuration containers, e.g. base for the base snapshot, dev for the test environment, and published for production.
Base Snapshot
This configuration will accept the EULA, activate the modules of Verify Identity Access and enable OIDC authentication to the management interface. Giving federated users access to the management interface can be useful for compliance reasons (e.g. the ability to require multi-factor authentication), however it can present some challenges.
If contact with the identity provider is lost, there is no mechanism to regain access to the management interface (or corresponding snapshot). Container deployments also often make use of the management authorization feature to manage access for the cfgsvc account, which is responsible for pulling images from the configuration service. Admins must ensure that federated admin users are in the appropriate groups and that group-to-feature management authorization mapping is performed for external users (adminGroup and adminWrite groups in this example).
Code example for base image snapshot configuration
Set the following properties as environment variables for the process running the configuration tool:
export IVIA_CONFIG_YAML=base_image.yaml
export IVIA_MGMT_BASE_URL="https://isam.myidp.ibm.com"
export IVIA_BASE_CODE="webseal activation code"
export IVIA_AAC_CODE="access control activation code"
export IVIA_FED_CODE="federations activation code"
export OIDC_API_TOKEN=TODO
export OIDC_CLIENT_ID=clientId
export OIDC_CLIENT_SECRET=clientSecret
export OIDC_WELL_KNOWN=https://www.myidp.ibm.com/.well-known/openid-configuration
export LDAP_PKI_DIR="$HOME/dockershare/openldap"
export HVDB_PKI_DIR="$HOME/dockershare/postgres"
Note
This deployment makes use of the PKI files created for the docker-compose example deployment. You may need to update the ssl_certificates files for your environment.
Note
This deployment uses isam.myidp.ibm.com as the domain name for the management interface. You might need to set a hosts file entry for your Operating System.
base_image.yaml should be a file that exists in the working directory of the user running the configuration tool. The content of this file is expected to be:
mgmt_user: admin
mgmt_pwd: admin
mgmt_ext_pwd: !environment OIDC_API_TOKEN
container:
  management_authorization:
    authorization_enforcement: True
    roles:
      - operation: "update"
        name: "Configuration Service"
        groups:
          - name: "cfgsvc"
            type: "local"
        features:
          - name: "shared_volume"
            access: "w"
      - operation: "update"
        name: "HVDB Admin"
        groups:
          - name: "dbadmin"
            type: "local"
        features:
          - name: "manage_database"
            access: "w"
      - operation: "update"
        name: "Full Write"
        groups:
          - name: "adminWrite"
            type: "local"
      - operation: "update"
        name: "Full Read"
        groups:
          - name: "adminGroup"
            type: "local"
  management_authentication:
    auth_type: "federation"
    oidc:
      client_id: !environment OIDC_CLIENT_ID
      client_secret: !environment OIDC_CLIENT_SECRET
      discovery_endpoint: !environment OIDC_WELL_KNOWN
      enable_pkce: true
ssl_certificates:
  - name: "lmi_trust_store"
    signer_certificates:
      - !environment LDAP_PKI_DIR
      - !environment HVDB_PKI_DIR
  - name: "rt_profile_keys"
    signer_certificates:
      - !environment HVDB_PKI_DIR
cluster:
  runtime_database:
    host: "postgresql"
    port: 5432
    type: "postgresql"
    user: "postgres"
    password: "Passw0rd"
    ssl: True
    db_name: "isva"
activation: # Activation codes
  webseal: !environment IVIA_BASE_CODE
  access_control: !environment IVIA_AAC_CODE
  federation: !environment IVIA_FED_CODE
Run the configuration tool in a shell using Python:
python -m ibmvia_autoconf
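Before switching the management interface to federated authentication, it is worth checking the management_authorization roles above against the group claims your identity provider will actually send. The following pre-flight check is an added example, not code from ibmvia_autoconf or the product; it mirrors the roles from base_image.yaml as Python data, and the all_features field on the predefined "Full Write"/"Full Read" roles is an assumption about what those roles grant.

```python
"""Pre-flight check for the management_authorization roles in base_image.yaml.

Added illustration, not part of ibmvia_autoconf or the product. It mirrors the
roles from the base snapshot above as plain Python data and asks, before the
management interface is switched to federated (OIDC) authentication:
  1. which federated admins would end up with no management role at all,
  2. whether any federated admin keeps write access, and
  3. whether the local cfgsvc account keeps write access to shared_volume.
"""
from typing import Dict, Iterable, List, Set

# Roles copied from base_image.yaml. "Full Write"/"Full Read" carry no features
# list there; the all_features field is our assumption of what those predefined
# roles mean (whole interface, write or read).
ROLES: List[dict] = [
    {"name": "Configuration Service",
     "groups": [{"name": "cfgsvc", "type": "local"}],
     "features": [{"name": "shared_volume", "access": "w"}]},
    {"name": "HVDB Admin",
     "groups": [{"name": "dbadmin", "type": "local"}],
     "features": [{"name": "manage_database", "access": "w"}]},
    {"name": "Full Write",
     "groups": [{"name": "adminWrite", "type": "local"}], "all_features": "w"},
    {"name": "Full Read",
     "groups": [{"name": "adminGroup", "type": "local"}], "all_features": "r"},
]


def _role_groups(role: dict) -> Set[str]:
    return {g["name"] for g in role.get("groups", [])}


def unmapped_admins(roles: Iterable[dict], admins: Dict[str, Set[str]]) -> List[str]:
    """Federated admins (user -> group claims from the IdP) matching no role.

    Such a user can still authenticate at the IdP but management authorization
    then denies every feature: with federation as the only auth_type this is
    the lockout the text above warns about.
    """
    mapped = set().union(*(_role_groups(r) for r in roles))
    return sorted(u for u, groups in admins.items() if not groups & mapped)


def feature_access(roles: Iterable[dict], group: str, feature: str) -> str:
    """Strongest access ('', 'r' or 'w') that one group has on one feature."""
    best = ""
    for role in roles:
        if group not in _role_groups(role):
            continue
        best = max(best, role.get("all_features", ""))
        for f in role.get("features", []):
            if f["name"] == feature:
                best = max(best, f["access"])
    return best


def has_write(roles: Iterable[dict], groups: Set[str]) -> bool:
    """True if any of the groups reaches a role that can change something."""
    for role in roles:
        if not groups & _role_groups(role):
            continue
        if role.get("all_features") == "w" or any(
                f["access"] == "w" for f in role.get("features", [])):
            return True
    return False


def preflight(roles: Iterable[dict], admins: Dict[str, Set[str]]) -> List[str]:
    """Human-readable findings; an empty list means the cutover looks safe."""
    roles = list(roles)
    findings = [f"{u}: no management role for groups {sorted(admins[u])}"
                for u in unmapped_admins(roles, admins)]
    if not any(has_write(roles, g) for g in admins.values()):
        findings.append("no federated admin has write access; nobody could "
                        "fix the configuration after cutover")
    if feature_access(roles, "cfgsvc", "shared_volume") != "w":
        findings.append("cfgsvc: no write access to shared_volume; runtime "
                        "containers could not fetch snapshots")
    return findings


if __name__ == "__main__":
    # Constructed sample: group claims three federated admins would present.
    sample = {"alice@example.com": {"adminWrite"},
              "bob@example.com": {"adminGroup", "helpdesk"},
              "carol@example.com": {"helpdesk"}}        # never added to a group
    for line in preflight(ROLES, sample):
        print("WARNING:", line)
```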
Development Environment
This configuration step will set up the WebSEAL Reverse Proxy runtime environment and create a reverse proxy instance to test with. This configuration will also re-import the required PKI for the dev environment’s LDAP and HVDB connections.
Code example for dev image snapshot configuration
Set the following properties as environment variables for the process running the configuration tool:
export IVIA_CONFIG_YAML=dev_image.yaml
export IVIA_MGMT_BASE_URL="https://isam.myidp.ibm.com"
export LDAP_PWD="Passw0rd"
export RUNTIME_USER="easuser"
export RUNTIME_PWD="passw0rd"
python -m ibmvia_autoconf
dev_image.yaml:
container:
  deployments:
    - "isvawrp"
    - "isvaruntime"
  snapshot: "snapshots/isva_10.0.8.0.base.snapshot"
ssl_certificates:
  - name: "lmi_trust_store"
    signer_certificates:
      - "pki/dev/postgresql/postgres.crt"
      - "pki/dev/openldap/ca.crt"
  - name: "rt_profile_keys"
    signer_certificates:
      - "pki/dev/postgresql/postgres.crt"
template_pages:
  - "template_pages.zip"
mapping_rules:
  - "mapping_rules.zip"
webseal:
  runtime:
    policy_server: "ldap"
    user_registry: "ldap"
    ldap:
      host: "openldap"
      port: 636
      dn: "cn=root,secAuthority=Default"
      dn_password: !environment LDAP_PWD
      key_file: "lmi_trust_store"
    clean_ldap: True
    domain: "Default"
    admin_user: "sec_master"
    admin_password: !environment LDAP_PWD
    admin_cert_lifetime: 1460
    ssl_compliance: "fips"
  reverse_proxy:
    - name: "wrp_instance"
      host: "isvawrp"
      junction_point: "/app"
      junction_type: "tpc"
      server_hostname: "my.backend.app"
      server_port: "9080"
      aac_configuration:
        hostname: "isvaruntime"
        port: 9443
        runtime:
          user: !environment RUNTIME_USER
          password: !environment RUNTIME_PWD
        junction: "/mga"
        reuse_acls: True
        reuse_certs: True
Production Environment
This configuration step will deploy the development snapshot image to a production environment, updating the required PKI for connections to the HVDB and LDAP services.
Code example for prod image snapshot configuration
To run this configuration you should define the following properties:
export IVIA_CONFIG_YAML=prod_image.yaml
export IVIA_MGMT_BASE_URL="https://isam.myidp.ibm.com"
export IVIA_MGMT_PWD="apiKeyGoesHere"
python -m ibmvia_autoconf
prod_image.yaml:
container:
  deployments:
    - "isvawrp"
    - "isvaruntime"
  snapshot: "snapshots/isva_10.0.8.0.dev.snapshot"
ssl_certificates:
  - name: "lmi_trust_store"
    signer_certificates:
      - "pki/prod/postgresql/postgres.crt"
      - "pki/prod/openldap/ca.crt"
  - name: "rt_profile_keys"
    signer_certificates:
      - "pki/prod/postgresql/postgres.crt"
Installation of the Instana monitoring agent
The Instana monitoring example defines a Verify Identity Access deployment where a third party infrastructure monitoring tool (Instana) is installed onto a Verify Identity Access appliance using a Verify Identity Access Extension. This extension allows administrators to collect detailed system information (CPU, RAM, Disk, Networking) during runtime. This example assumes that you have a valid Instana tenant and have downloaded the latest Agent RPM for JDK 11. The configuration steps performed include:
Applying the module licenses; a temporary IBM Verify Identity Access license can be obtained from the trial site (requires a W3ID).
Setting static networking properties: static IPv4 addresses, gateway (default route) settings and DNS properties.
Installing the Instana extension.
Configuring the WebSEAL RTE (Policy Server/User Registry).
Mobile Multi-Factor Authentication Cookbook
The mobile multi-factor authentication example follows the previously released cookbook deployment guide and adds passkey and identifier-first authentication scenarios. This guide will configure Verify Identity Access to demonstrate the transaction signing, context-based access and risk-based access capabilities of the product.
It will also add an “advanced” login scenario to the WebSEAL HTML login template page which will permit username-only login.
Before you start
To successfully run this demo there are some prerequisites which your environment must meet.
Deploy the user registry (ISDS/LDAP) and runtime database (HVDB).
Temporary services can be deployed using the Verify Access demo containers; an example deployment is available here.
[Optional] Deploy the Verify Identity Access Operator to manage runtime containers and configuration snapshots.
Deploy the configuration, web reverse proxy, and runtime Verify Identity Access containers.
An example deployment of configuration, reverse proxy and runtime containers with the Operator on OpenShift can be found here.
Generate any additional PKI for reverse proxy instances, etc.
This demo assumes you will generate a key/certificate for the reverse proxy that is signed by an external Certificate Authority.
Update the ssl_certificates.zip archive with any keys and certificates that are required.
Note
Many services now have requirements related to domain names and “CN” or “SubjectAltName” X.509 attributes when establishing trust via TLS connections. These requirements are not met by the default self-signed certificates generated by Verify Identity Access during first installation.
Obtain a copy of the template files and mapping rules used by this demo. The latest version of these files is available here.
Create the Kubernetes ConfigMaps and Secrets required for this demo.
Update your local environment to resolve the domain mmfa.myidp.ibm.com to the web reverse proxy interface and port.
Note
This is often as simple as updating your hosts file to map this domain to your wrp container or ingress route.
Download the Glowroot agent and extension files from IBM AppXchange.
Obtain a trial license for Verify Identity Access.
More detailed steps to create the required keys, certificates and kubernetes objects can be found in the MMFA demo readme.
Mobile Multi-Factor Authentication scenario configuration:
Testing it out
This demo scenario makes use of the mmfa.myidp.ibm.com domain. This can be set via a hosts file entry in your Operating System.
Mobile demo sample app https://mmfa.myidp.ibm.com/app/mobile-demo/
Scim user self care demo https://mmfa.myidp.ibm.com/scim/demo.html
Federation Cookbook
The federation example follows the previously released cookbook deployment guide for Verify Identity Access (and ISVA, ISAM). For this demo, both the IDP and SP roles are performed by Verify Identity Access; either can be substituted with a different identity provider or service, as long as it is compliant with the relevant identity standard.
Before you start
To successfully run this demo there are some prerequisites which your environment must meet:
Create the PKI for the IDP and SP deployments.
The demo assumes self-signed certificates.
Required keys and certificates: IDP wrp, SP wrp, IDP LDAP, SP LDAP, IDP runtime database, SP runtime database.
Obtain a copy of the required JavaScript mapping rules for this demo. The latest version of these files is available here.
Create the Kubernetes ConfigMaps and Secrets required for this demo.
Create the configuration, web reverse proxy, and runtime Verify Identity Access containers.
This demo requires the IDP and SP to both have wrp and runtime containers deployed.
Update your local environment to resolve the domain www.myidp.ibm.com to the IDP web reverse proxy interface and port, and www.mysp.ibm.com to the SP reverse proxy interface and port.
Note
This is often as simple as updating your hosts file to map these domains to your wrp containers or ingress routes.
More detailed steps to create the required keys, certificates and kubernetes objects can be found in the Federation demo readme.
You can use the previous MMFA example for Kubernetes Job deployments to run the configuration tool for pods running in a given namespace. Alternatively you can use the Readme.md for a sample configurator deployment.
IdP Configuration
mgmt_user: admin
mgmt_pwd: !secret default/ivia-fed-autoconf-env:ISVA_MGMT_PWD
mgmt_old_pwd: !secret default/ivia-fed-autoconf-env:ISVA_MGMT_OLD_PWD
container:
  admin_cfg:
    session_timeout: 720
ssl_certificates:
  - name: "myidpkeys"
    personal_certificates:
      - p12_file: "idpkeys.p12"
        name: myidpkey
        secret: !secret default/ivia-fed-autoconf-env:IDPKEYSP12_SECRET
    signer_certificates:
      - "sp.pem"
  - name: "lmi_trust_store"
    signer_certificates:
      - "postgresql.pem"
      - "ldap.pem"
  - name: "rt_profile_keys"
    signer_certificates:
      - "postgresql.pem"
      - "ldap.pem"
  - name: "pdsrv"
    personal_certificates:
      - p12_file: "idpkeys.p12"
        name: myidpkey
        secret: !secret default/ivia-fed-autoconf-env:IDPKEYSP12_SECRET
      - p12_file: "spkeys.p12"
        name: myspkey
        secret: !secret default/ivia-fed-autoconf-env:SPKEYSP12_SECRET
    signer_certificates:
      - "ssl_certificates"
cluster:
  runtime_database:
    host: !secret default/ivia-fed-autoconf-env:IDP_HVDB_HOST
    port: !secret default/ivia-fed-autoconf-env:HVDB_PORT
    type: "postgresql"
    user: !secret default/ivia-fed-autoconf-env:HVDB_USER
    password: !secret default/ivia-fed-autoconf-env:HVDB_PW
    ssl: True
    db_name: !secret default/ivia-fed-autoconf-env:HVDB_DB
activation: # Activation codes
  trial_license: "ISAM-Trial-IBM.cer"
mapping_rules:
  - type: "saml2"
    files:
      - "mapping_rules/idp/ip_post_ldap.js"
      - "mapping_rules/idp/ip_pre_ldap.js"
      - "mapping_rules/idp/ip_saml20_httpclient.js"
      - "mapping_rules/idp/ip_saml20_httpclient_wstrust.js"
      - "mapping_rules/idp/ip_saml20.js"
      - "mapping_rules/idp/ivc_to_ltpa.js"
      - "mapping_rules/idp/ivc_to_passticket.js"
      - "mapping_rules/idp/ivc_to_saml20.js"
      - "mapping_rules/idp/saml20_ivc_to_saml20.js"
      - "mapping_rules/idp/saml20_to_saml20.js"
      - "mapping_rules/idp/stsuutostsuu.js"
      - "mapping_rules/idp/ut_to_saml20.js"
server_connections:
  - name: "idp-ldap"
    type: "ldap"
    description: "A connection to IDP LDAP."
    locked: false
    properties:
      hostname: !secret default/ivia-fed-autoconf-env:IDP_LDAP_HOST
      port: !secret default/ivia-fed-autoconf-env:LDAP_PORT
      bind_dn: !secret default/ivia-fed-autoconf-env:LDAP_BIND_DN
      bind_password: !secret default/ivia-fed-autoconf-env:LDAP_BIND_PW
      ssl: true
      key_file: "lmi_trust_store"
attribute_sources:
  - name: "PhoneNumber"
    type: "ldap"
    value: "homePhone"
    properties:
      - key: "serverConnection"
        value: "idp-ldap"
      - key: "scope"
        value: "subtree"
      - key: "selector"
        value: "displayName"
      - key: "searchFilter"
        value: "(objectClass=*)"
      - key: "baseDN"
        value: "dc=ibm,dc=com"
  - name: "DisplayName"
    type: "ldap"
    value: "displayName"
    properties:
      - key: "serverConnection"
        value: "idp-ldap"
      - key: "scope"
        value: "Subtree"
      - key: "selector"
        value: "homePhone"
      - key: "searchFilter"
        value: "(objectClass=*)"
      - key: "baseDN"
        value: "dc=ibm,dc=com"
access_policies:
  - name: "AccessPolicyForPrompt"
    type: "JavaScript"
    category: "OIDC"
    policy_file: "mapping_rules/idp/accesspolicy_prompt.js"
advanced_configuration:
  - name: "live.demos.enabled"
    value: "true"
  - name: "live.demos.settings"
    value: !secret default/ivia-fed-autoconf-env:IDP_LIVE_DEMO_CONFIG
  - name: "sps.authService.policyKickoffMethod"
    value: "both"
  - name: "sps.authsvcTargetURLAllowList"
    value: "https://www.myidp.ibm.com/mga/.*"
  - name: "sps.targetURLWhitelist"
    value: "https://www.myidp.ibm.com/.*,https://www.mysp.ibm.com/.*"
webseal:
  runtime:
    policy_server: "ldap"
    user_registry: "ldap"
    ldap:
      host: !secret default/ivia-fed-autoconf-env:IDP_LDAP_HOST
      port: !secret default/ivia-fed-autoconf-env:LDAP_PORT
      dn: !secret default/ivia-fed-autoconf-env:LDAP_BIND_DN
      dn_password: !secret default/ivia-fed-autoconf-env:LDAP_BIND_PW
      key_file: "lmi_trust_store"
    clean_ldap: True
    domain: "Default"
    admin_user: "sec_master"
    admin_password: !secret default/ivia-fed-autoconf-env:LDAP_SEC_PW
    admin_cert_lifetime: 1460
    ssl_compliance: "fips"
  pdadmin:
    acls:
      - name: "sts-unauth"
        groups:
          - name: "iv-admin"
            permissions: "TcmdbsvaBRrxl"
          - name: "webseal-servers"
            permissions: "Tgmdbsrxl"
        users:
          - name: "sec_master"
            permissions: "TcmdbsvaBRrxl"
        any_other: "Tr"
        unauthenticated: "Tr"
      - name: "unauth-oidc"
        groups:
          - name: "iv-admin"
            permissions: "TcmdbsvaBRrxl"
          - name: "webseal-servers"
            permissions: "Tgmdbsrxl"
        users:
          - name: "sec_master"
            permissions: "TcmdbsvaBRrxl"
        any_other: "Tr"
        unauthenticated: "Tr"
    users:
      - username: "testuser"
        dn: "cn=testuser,dc=ibm,dc=com"
        password: !secret default/ivia-fed-autoconf-env:TEST_PASSWORD
      - username: "admin"
        dn: "cn=admin,dc=ibm,dc=com"
        password: !secret default/ivia-fed-autoconf-env:TEST_PASSWORD
      - username: "cfgsvc"
        dn: "cn=cfgsvc,dc=ibm,dc=com"
        password: !secret default/ivia-fed-autoconf-env:TEST_PASSWORD
      - username: "adminuser"
        dn: "cn=adminuser,dc=ibm,dc=com"
        password: !secret default/ivia-fed-autoconf-env:TEST_PASSWORD
      - username: "dbadmin"
        dn: "cn=dbadmin,dc=ibm,dc=com"
        password: !secret default/ivia-fed-autoconf-env:TEST_PASSWORD
    reverse_proxies:
      - host: "www.myidp.ibm.com"
        instance: "default"
        acls:
          - name: "unauth-oidc"
            junctions:
              - "/mga/sps/auth"
              - "/isam/mobile-demo/theme"
              - "/isam/mobile-demo/oauth/oauth2Client.jsp"
          - name: "sts-unauth"
            junctions:
              - "/isam/TrustServer/SecurityTokenService"
              - "/isam/TrustServerWST13/services/RequestSecurityToken"
          - name: "default-webseal"
            junctions:
              - "/isam/mobile-demo"
    objects:
      - hostname: "www.myidp.ibm.com"
        instance: "default"
        junction: "/isam/mobile-demo"
        attributes:
          - key: "HTTP-Tag-Value"
            value: "AUTHENTICATION_LEVEL=authentication_level"
  reverse_proxy:
    - name: "default"
      host: "www.myidp.ibm.com"
      http:
        enabled: "no"
      https:
        enabled: "yes"
      domain: "Default"
      ldap:
        ssl: "yes"
        port: !secret default/ivia-fed-autoconf-env:LDAP_PORT
        key_file: "lmi_trust_store"
      aac_configuration:
        runtime:
          hostname: !secret default/ivia-fed-autoconf-env:IDP_RT_HOST
          port: "9443"
          username: !secret default/ivia-fed-autoconf-env:RUNTIME_USER
          password: !secret default/ivia-fed-autoconf-env:RUNTIME_PASSWORD
        junction: "/mga"
        reuse_acls: True
        reuse_certs: True
      api_protection_configuration:
        junction: "/mga"
        runtime:
          hostname: !secret default/ivia-fed-autoconf-env:IDP_RT_HOST
          port: "9443"
          username: !secret default/ivia-fed-autoconf-env:RUNTIME_USER
          password: !secret default/ivia-fed-autoconf-env:RUNTIME_PASSWORD
        api: True
        browser: True
      federation_configuration:
        - name: "saml20idp"
          runtime:
            username: !secret default/ivia-fed-autoconf-env:RUNTIME_USER
            password: !secret default/ivia-fed-autoconf-env:RUNTIME_PASSWORD
            hostname: !secret default/ivia-fed-autoconf-env:IDP_RT_HOST
            port: 9443
            type: "remote"
          reuse_acls: true
          reuse_certs: true
      junctions:
        - junction_point: "/samljct"
          junction_type: "ssl"
          server_hostname: !secret default/ivia-fed-autoconf-env:IDP_RT_HOST
          server_port: "9443"
          tfim_sso: "yes"
      stanza_configuration:
        - stanza: "ssl"
          entry_id: "webseal-cert-keyfile-label"
          value: "CN=www.myidp.ibm.com,OU=Security,O=IBM,C=AU"
          operation: "update"
        - stanza: "server"
          entry_id: "web-host-name"
          value: "CN=www.myidp.ibm.com,OU=Security,O=IBM,C=AU"
          operation: "update"
        - stanza: "step-up"
          entry_id: "verify-step-up-user"
          value: "no"
          operation: "update"
        - stanza: "session"
          entry_id: "user-session-ids"
          value: "yes"
          operation: "update"
        - stanza: "session"
          entry_id: "inactive-timeout"
          value: "1800"
          operation: "update"
        - stanza: "session"
          entry_id: "create-unauth-sessions"
          value: "yes"
          operation: "update"
        - stanza: "junction:/isam"
          operation: "add"
        - stanza: "junction:/isam"
          operation: "add"
          entry_id: "reset-cookies-list"
          value: "*ac.uuid,*JSESSIONID"
        - stanza: "TAM_CRED_ATTRS_SVC"
          operation: "add"
          entry_id: "eperson"
          value: "azn_cred_registry_id"
        - stanza: "TAM_CRED_ATTRS_SVC:eperson"
          operation: "add"
        - stanza: "TAM_CRED_ATTRS_SVC:eperson"
          entry_id: "emailAddress"
          value: "mail"
          operation: "add"
        - stanza: "TAM_CRED_ATTRS_SVC:eperson"
          operation: "add"
          entry_id: "firstName"
          value: "cn"
        - stanza: "TAM_CRED_ATTRS_SVC:eperson"
          operation: "add"
          entry_id: "lastName"
          value: "sn"
        - stanza: "tfim-cluster:samljct"
          operation: "add"
        - stanza: "tfim-cluster:samljct"
          operation: "add"
          entry_id: "server"
          value: "9,https://ivia-fed-idp-rt:9443/TrustServerWST13/services/RequestSecurityToken"
        - stanza: "tfim-cluster:samljct"
          operation: "add"
          entry_id: "ssl-keyfile"
          value: "pdsrv.p12"
        - stanza: "tfim-cluster:samljct"
          operation: "add"
          entry_id: "ssl-keyfile-stash"
          value: "pdsrv.sth"
        - stanza: "tfim-cluster:samljct"
          operation: "add"
          entry_id: "handle-pool-size"
          value: "10"
        - stanza: "tfim-cluster:samljct"
          operation: "add"
          entry_id: "handle-idle-timeout"
          value: "240"
        - stanza: "tfim-cluster:samljct"
          operation: "add"
          entry_id: "timeout"
          value: "240"
        - stanza: "tfim-cluster:samljct"
          operation: "add"
          entry_id: "basic-auth-user"
          value: !secret default/ivia-fed-autoconf-env:RUNTIME_USER
        - stanza: "tfim-cluster:samljct"
          operation: "add"
          entry_id: "basic-auth-passwd"
          value: !secret default/ivia-fed-autoconf-env:RUNTIME_PASSWORD
        - stanza: "tfimsso:/samljct"
          operation: "add"
        - stanza: "tfimsso:/samljct"
          operation: "add"
          entry_id: "token-type"
          value: "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
        - stanza: "tfimsso:/samljct"
          operation: "add"
          entry_id: "applies-to"
          value: "http://appliesto/saml20"
        - stanza: "tfimsso:/samljct"
          operation: "add"
          entry_id: "renewal-window"
          value: "15"
        - stanza: "tfimsso:/samljct"
          operation: "add"
          entry_id: "preserve-xml-token"
          value: "false"
        - stanza: "tfimsso:/samljct"
          operation: "add"
          entry_id: "tfim-cluster-name"
          value: "samljct"
        - stanza: "tfimsso:/samljct"
          operation: "add"
          entry_id: "token-transmit-type"
          value: "header"
        - stanza: "tfimsso:/samljct"
          operation: "add"
          entry_id: "token-transmit-name"
          value: "SAMLAssertion"
        - stanza: "tfimsso:/samljct"
          operation: "add"
          entry_id: "one-time-token"
          value: "true"
        - stanza: "tfimsso:/samljct"
          operation: "add"
          entry_id: "token-collection-size"
          value: "1"
        - stanza: "tfimsso:/samljct"
          operation: "add"
          entry_id: "always-send-tokens"
          value: "true"
access_control:
  authentication:
    policies:
      - name: "Username Password"
        description: "Username and password authentication policy."
        enabled: true
        uri: "urn:ibm:security:authentication:asf:password"
        policy: "<Policy xmlns=\"urn:ibm:security:authentication:policy:1.0:schema\" PolicyId=\"urn:ibm:security:authentication:asf:password\"><Description>Username and password authentication policy.</Description><Step type=\"Authenticator\"><Authenticator AuthenticatorId=\"urn:ibm:security:authentication:asf:mechanism:password\"/></Step><Actions><Action On=\"null\" type=\"null\"><AttributeAssignments/></Action></Actions></Policy>"
    mechanisms:
      - name: "Username Password"
        type: "Username Password"
        description: "Username password authentication"
        uri: "urn:ibm:security:authentication:asf:mechanism:password"
        properties:
          usernamePasswordAuthentication.enableLastLogin: "false"
          usernamePasswordAuthentication.loginFailuresPersistent: "false"
          usernamePasswordAuthentication.maxServerConnections: "16"
          usernamePasswordAuthentication.mgmtDomain: "Default"
          usernamePasswordAuthentication.sslServerStartTLS: "false"
          usernamePasswordAuthentication.useFederatedDirectoriesConfig: "false"
          usernamePasswordAuthentication.userSearchFilter: "(|(objectclass=ePerson)(objectclass=Person))"
          usernamePasswordAuthentication.ldapBindDN: !secret default/ivia-fed-autoconf-env:LDAP_BIND_DN
          usernamePasswordAuthentication.ldapHostName: !secret default/ivia-fed-autoconf-env:IDP_LDAP_HOST
          usernamePasswordAuthentication.ldapBindPwd: !secret default/ivia-fed-autoconf-env:LDAP_BIND_PW
          usernamePasswordAuthentication.ldapPort: !secret default/ivia-fed-autoconf-env:LDAP_PORT
          usernamePasswordAuthentication.sslEnabled: "true"
          usernamePasswordAuthentication.sslTrustStore: "lmi_trust_store"
        attributes:
          - selector: "mobile"
            name: "mobileNumber"
            namespace: "urn:ibm:security:authentication:asf:mechanism:password"
          - selector: "mail"
            name: "emailAddress"
            namespace: "urn:ibm:security:authentication:asf:mechanism:password"
  api_protection:
    definitions:
      - name: "OIDCDefinition"
        access_policy: "AccessPolicyForPrompt"
        oidc:
          enabled: True
          alg: "RS256"
          iss: "https://www.myidp.ibm.com"
          poc: "https://www.myidp.ibm.com/mga"
          dynamic_clients: true
          issue_secret: True
          lifetime: 3600
          db: myidpkeys
          cert: "CN=www.myidp.ibm.com,OU=Security,O=IBM,C=AU"
          oidc_Complaint: True
          attribute_sources:
            - name: "displayName"
              source: "DisplayName"
            - name: "phoneNumber"
              source: "PhoneNumber"
        tcm_behavior: "ALWAYS_PROMPT"
        grant_types:
          - "AUTHORIZATION_CODE"
          - "CLIENT_CREDENTIALS"
          - "RESOURCE_OWNER_PASSWORD_CREDENTIALS"
          - "IMPLICIT_GRANT"
          - "SAML_BEARER"
          - "JWT_BEARER"
          - "DEVICE"
    clients:
      - name: "IVIA Client"
        client_id: !secret default/ivia-fed-autoconf-env:OIDC_CLIENT_ID
        definition: "OIDCDefinition"
        introspect_with_secret: True
        client_secret: !secret default/ivia-fed-autoconf-env:OIDC_CLIENT_SECRET
        redirect_uri:
          - "https://www.mysp.ibm.com/isam/sps/oidc/rp/isvarp/redirect/isva_op_partner"
          - "https://www.mysp.ibm.com/isam/sps/oidc/rp/isvarp_implicit/redirect/isva_op_partner"
          - "https://www.mysp.ibm.com/isam/sps/oidc/rp/isvarp_code/redirect/isva_op_partner"
        company_name: "IBM"
        contact_person: "Administrative"
      - name: "WebSEAL Native RP Client"
        definition: "OIDCDefinition"
        client_id: !secret default/ivia-fed-autoconf-env:WEBSEAL_OIDC_CLIENT_ID
        client_secret: !secret default/ivia-fed-autoconf-env:WEBSEAL_OIDC_CLIENT_SECRET
        redirect_uri:
          - "https://www.mysp.ibm.com/pkmsoidc"
        company_name: "IBM"
        contact_person: "Administrative"
federation:
  federations:
    - name: "saml20idp"
      protocol: "SAML2_0"
      role: "ip"
      export_metadata: "idpmetadata.xml"
      configuration:
        company_name: "IdP Company"
        point_of_contact_url: "https://www.myidp.ibm.com/isam/sps"
        assertion_settings:
          valid_before: 300
          valid_after: 300
        need_consent_to_federate: false
        signature_settings:
          validation_options:
            validate_authn_request: true
          signing_options:
            sign_authn_response: true
            sign_logout_request: true
            sign_logout_response: true
          signing_key_identifier:
            store: "myidpkeys"
            label: "CN=www.myidp.ibm.com,OU=Security,O=IBM,C=AU"
          validation_key_identifier:
            store: "myidpkeys"
            label: "CN=www.myidp.ibm.com,OU=Security,O=IBM,C=AU"
          key_info_elements:
            include_x509_certificate_data: true
            include_x509_subject_name: false
            include_x509_subject_key_identifier: false
            include_x509_issuer_details: false
            include_public_key: false
        identity_mapping:
          active_delegate_id: "default-map"
          properties:
            mapping_rule: "ip_saml20"
        extension_mapping:
          active_delegate_id: "skip-extension-map"
        name_id_format:
          default: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        single_sign_on_service:
          - binding: "post"
          - binding: "redirect"
        exclude_session_index_in_single_logout_request: false
        single_logout_service:
          - binding: "post"
          - binding: "redirect"
        encryption_settings:
          decryption_key_identifier:
            store: "myidpkeys"
            label: "CN=www.myidp.ibm.com,OU=Security,O=IBM,C=AU"
        message_valid_time: 300
        session_timeout: 7200
  sts:
    chain_templates:
      - name: "UsernameTokentoSAML20"
        description: "Maps from UsernameToken to SAML20"
        modules:
          - id: "Default UserNameToken"
            mode: "validate"
          - id: "Default Map Module"
            mode: "map"
          - id: "Default SAML 2.0 Token"
            mode: "issue"
      - name: "STSUUtoSTSUU"
        description: "STSUU to STSUU"
        modules:
          - id: "Default STSUU"
            mode: "validate"
          - id: "Default Map Module"
            mode: "map"
          - id: "Default STSUU"
            mode: "issue"
      - name: "IVCredsToSAML20JunctionExample"
        description: "IVCredsToSAML20JunctionExample"
        modules:
          - id: "Default IVCred Token"
            mode: "validate"
          - id: "Default Map Module"
            mode: "map"
          - id: "Default SAML 2.0 Token"
            mode: "issue"
      - name: "STSUULDAPAttributeMapper"
        description: "Maps STSUU to another STSUU reading in LDAP attributes"
        modules:
          - id: "Default STSUU"
            mode: "validate"
          - id: "Default Map Module"
            mode: "map"
          - id: "Default Attribute Mapping Module"
            mode: "map"
          - id: "Default Map Module"
            mode: "map"
          - id: "Default STSUU"
            mode: "issue"
      - name: "SAML20toSAML20"
        description: "Maps from SAML20 to SAML20"
        modules:
          - id: "Default SAML 2.0 Token"
            mode: "validate"
          - id: "Default Map Module"
            mode: "map"
          - id: "Default SAML 2.0 Token"
            mode: "issue"
    chains:
      - name: "SAML20ToSAML20Chain"
        description: "Chain for saml20 to saml20"
        chain_template: "SAML20toSAML20"
        request_type: "validate"
        applies_to:
          address: "http://appliesto/saml20"
        issuer:
          address: "http://issuer/saml20"
        sign_responses: false
        validate_requests: false
        properties:
          myself:
            - name: "com.tivoli.am.fim.sts.saml.2.0.assertion.replay.validation"
              index: 0
              value:
                - "false"
            - name: "map.rule.reference.name"
              index: 1
              value:
                - "saml20_to_saml20"
            - name: "map.rule.type"
              index: 1
              value:
                - "JAVASCRIPT"
            - name: "com.tivoli.am.fim.sts.saml.2.0.assertion.issuer"
              index: 2
              value:
                - "https://www.myidp.ibm.com/newissuer"
            - name: "com.tivoli.am.fim.sts.saml.2.0.assertion.pretime.valid"
              index: 2
              value:
                - "60"
            - name: "com.tivoli.am.fim.sts.saml.2.0.assertion.posttime.valid"
              index: 2
              value:
                - "60"
          partner:
            - name: "com.tivoli.am.fim.sts.saml.2.0.assertion.verify.signatures"
              index: 0
              value:
                - "true"
            - name: "com.tivoli.am.fim.sts.saml.2.0.assertion.keystore.alias"
              index: 0
              value:
                - "true"
            - name: "com.tivoli.am.fim.sts.saml.2.0.WantMultipleAttributeStatements"
              index: 0
              value:
                - "false"
            - name: "com.tivoli.am.fim.sts.saml.2.0.assertion.default.nameidformat"
              index: 0
              value:
                - "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            - name: "com.tivoli.am.fim.sts.saml.2.0.DecryptionKeyIdentifier.db"
              index: 0
              value:
                - "myidpkeys"
            - name: "com.tivoli.am.fim.sts.saml.2.0.DecryptionKeyIdentifier.cert"
              index: 0
              value:
                - "CN=www.myidp.ibm.com,OU=Security,O=IBM,C=AU"
            - name: "com.tivoli.am.fim.sts.saml.2.0.map.unknown.alias"
              index: 0
              value:
                - "false"
            - name: "com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier.db"
              index: 0
              value:
                - "myidpkeys"
            - name: "com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier.cert"
              index: 0
              value:
                - "CN=www.myidp.ibm.com,OU=Security,O=IBM,C=AU"
            - name: "com.tivoli.am.fim.sts.saml.2.0.assertion.attribute.types"
              index: 2
              value:
                - "*"
            - name: "com.tivoli.am.fim.sts.saml.2.0.assertion.sign"
              index: 2
              value:
                - "true"
            - name: "com.tivoli.am.fim.sts.saml.2.0.SigningKeyIdentifier.db"
              index: 2
              value:
                - "myidpkeys"
            - name: "com.tivoli.am.fim.sts.saml.2.0.SigningKeyIdentifier.cert"
              index: 2
              value:
                - "CN=www.myidp.ibm.com,OU=Security,O=IBM,C=AU"
            - name: "com.tivoli.am.fim.sts.saml.2.0.WantMultipleAttributeStatements"
              index: 2
              value:
                - "false"
            - name: "com.tivoli.am.fim.sts.saml.2.0.SignatureAlgorithm"
              index: 2
              value:
                - "RSA-SHA256"
            - name: "com.tivoli.am.fim.sts.saml.2.0.DigestAlgorithm"
              index: 2
              value:
                - "SHA256"
            - name: "com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.cert.data"
              index: 2
              value:
                - "true"
            - name: "com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.public.key"
              index: 2
              value:
                - "false"
            - name: "com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.subject.name"
              index: 2
              value:
                - "false"
            - name: "com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.subject.keyid"
              index: 2
              value:
                - "false"
            - name: "com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.issuer.details"
              index: 2
              value:
                - "false"
      - name: "UsernameTokentoSAML2.0Chain"
        description: "Chain for UsernameToken to SAML20"
chain_template: "UsernameTokentoSAML20"
request_type: "http://schemas.xmlsoap.org/ws/2005/02/trust/Validate"
applies_to:
address: "http://appliesto/saml20"
issuer:
address: "http://issuer/username"
sign_responses: false
validate_requests: false
properties:
myself:
- name: "username.skip.password.validation"
index: 0
value:
- "false"
- name: "username.password.validator"
index: 0
value:
- "TAMRD"
- name: "username.server.connection.id"
index: 0
value:
- "idp-ldap"
- name: "username.tamrd.management.domain"
index: 0
value:
- "Default"
- name: "username.tamrd.login.failures.persistent"
index: 0
value:
- "false"
- name: "username.tamrd.maximum.server.connections"
index: 0
value:
- "16"
- name: "map.rule.reference.name"
index: 1
value:
- "ut_to_saml20"
- name: "map.rule.type"
index: 1
value:
- "JAVASCRIPT"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.issuer"
index: 2
value:
- "https://www.myidp.ibm.com/isam/sps/saml20idp/saml20"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.pretime.valid"
index: 2
value:
- "3600"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.posttime.valid"
index: 2
value:
- "3600"
partner:
- name: "username.validate.freshness"
index: 0
value:
- "false"
- name: "username.freshness.limit"
index: 0
value:
- "300"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.attribute.types"
index: 2
value:
- "*"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.sign"
index: 2
value:
- "true"
- name: "com.tivoli.am.fim.sts.saml.2.0.SigningKeyIdentifier.db"
index: 2
value:
- "myidpkeys"
- name: "com.tivoli.am.fim.sts.saml.2.0.SigningKeyIdentifier.cert"
index: 2
value:
- "CN=www.myidp.ibm.com,OU=Security,O=IBM,C=AU"
- name: "com.tivoli.am.fim.sts.saml.2.0.SignatureAlgorithm"
index: 2
value:
- "RSA-SHA512"
- name: "com.tivoli.am.fim.sts.saml.2.0.DigestAlgorithm"
index: 2
value:
- "SHA512"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.cert.data"
index: 2
value:
- "true"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.public.key"
index: 2
value:
- "false"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.subject.name"
index: 2
value:
- "false"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.subject.keyid"
index: 2
value:
- "false"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.issuer.details"
index: 2
value:
- "false"
- name: "com.tivoli.am.fim.sts.saml.2.0.EncryptAssertions"
index: 2
value:
- "false"
- name: "com.tivoli.am.fim.sts.saml.2.0.EncryptAllAttributes"
index: 2
value:
- "false"
- name: "com.tivoli.am.fim.sts.saml.2.0.EncryptNameIdentifiers"
index: 2
value:
- "false"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.SubjectConfirmationMethod"
index: 2
value:
- "urn:oasis:names:tc:SAML:2.0:cm:bearer"
- name: "STSUUMapper"
description: "STSUUMapper"
chain_template: "STSUULDAPAttributeMapper"
request_type: "validate"
applies_to:
address: "http://stsuu/appliesto"
issuer:
address: "http://stsuu/issuer"
properties:
myself:
- name: "map.rule.type"
index: 1
value:
- "JAVASCRIPT"
- name: "map.rule.reference.name"
index: 1
value:
- "ip_pre_ldap"
- name: "map.rule.type"
index: 3
value:
- "JAVASCRIPT"
- name: "map.rule.reference.name"
index: 3
value:
- "ip_post_ldap"
- name: "STSUUAttributeMapper"
description: "STSUUAttributeMapper"
chain_template: "STSUUtoSTSUU"
request_type: "validate"
applies_to:
address: "http://appliesto/stsuu"
issuer:
address: "http://issuer/stsuu"
properties:
attribute_mapping:
- name: "displayName"
attribute: "DisplayName"
- name: "homePhone"
attribute: "HomePhone"
myself:
- name: "map.rule.type"
index: 1
value:
- "JAVASCRIPT"
- name: "map.rule.reference.name"
index: 1
value:
- "stsuutostsuu"
- name: "IVCredToSAML20Chain"
description: "IVCredToSAML20Chain"
chain_template: "IVCredsToSAML20JunctionExample"
request_type: "issue(Oasis)"
applies_to:
address: "http://appliesto/saml20"
issuer:
address: "amwebrte-sts-client"
token_type: "SAML 2.0"
properties:
myself:
- name: "map.rule.type"
index: 1
value:
- "JAVASCRIPT"
- name: "map.rule.reference.name"
index: 1
value:
- 'saml20_ivc_to_saml20'
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.issuer"
index: 2
value:
- "https://www.myidp.ibm.com/isam/sps/saml20idp/saml20"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.pretime.valid"
index: 2
value:
- "3600"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.posttime.valid"
index: 2
value:
- "3600"
partner:
- name: "ivcred.verify.signatures"
index: 0
value:
- "false"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.attribute.types"
index: 2
value:
- "*"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.sign"
index: 2
value:
- "true"
- name: "com.tivoli.am.fim.sts.saml.2.0.SigningKeyIdentifier.db"
index: 2
value:
- "myidpkeys"
- name: "com.tivoli.am.fim.sts.saml.2.0.SigningKeyIdentifier.cert"
index: 2
value:
- "CN=www.myidp.ibm.com,OU=Security,O=IBM,C=AU"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.subject.keyid"
index: 2
value:
- "true"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.public.key"
index: 2
value:
- "true"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.issuer.details"
index: 2
value:
- "true"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.subject.name"
index: 2
value:
- "true"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.cert.data"
index: 2
value:
- "true"
- name: "com.tivoli.am.fim.sts.saml.2.0.SignatureAlgorithm"
index: 2
value:
- "RSA-SHA512"
- name: "com.tivoli.am.fim.sts.saml.2.0.DigestAlgorithm"
index: 2
value:
- "SHA256"
- name: "com.tivoli.am.fim.sts.saml.2.0.EncryptionKeyIdentifier.db"
index: 2
value:
- ""
- name: "com.tivoli.am.fim.sts.saml.2.0.EncryptionKeyIdentifier.cert"
index: 2
value:
- ""
- name: "com.tivoli.am.fim.sts.saml.2.0.EncryptAssertions"
index: 2
value:
- "false"
- name: "com.tivoli.am.fim.sts.saml.2.0.EncryptAllAttributes"
index: 2
value:
- "false"
- name: "com.tivoli.am.fim.sts.saml.2.0.EncryptNameIdentifiers"
index: 2
value:
- "false"
- name: "com.tivoli.am.fim.sts.saml.2.0.BlockEncryptionAlgorithm"
index: 2
value:
- "TRIPLEDES"
- name: "com.tivoli.am.fim.sts.saml.2.0.EncryptionKeyTransportAlgorithm"
index: 2
value:
- "RSA-OEAP"
- name: "com.tivoli.am.fim.sts.saml.2.0.assertion.SubjectConfirmationMethod"
index: 2
value:
- "urn:oasis:names:tc:SAML:2.0:cm:bearer"
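The chain definitions above are easy to misread because every security-relevant setting is a flat `{name, index, value}` triple, and the same property name (for example `assertion.sign` or `WantMultipleAttributeStatements`) can appear for more than one module index. The following Python linter is an added example; it is not part of the Verify Identity Access sample or of the verify-access-autoconf project. It merges the `myself` and `partner` entries per module index and flags what a reviewer would question in these chains: unverified incoming signatures (`ivcred.verify.signatures` is `false` in `IVCredToSAML20Chain`), replay validation switched off, skipped password or freshness checks on the UsernameToken chain, SHA-1 algorithms, the `TRIPLEDES` block cipher selected on the IVCred chain even though assertion encryption is currently disabled, and long assertion lifetimes. The lifetime threshold `MAX_VALIDITY_SECONDS` and the module-index convention (0 = validate, 2 = issue) are this example's own assumptions; the embedded sample chains are cut-down, constructed copies of the rule-relevant properties of `SAML20ToSAML20Chain` and `IVCredToSAML20Chain`.

```python
"""Lint the SAML 2.0 STS chain properties used on this page.

Added example, not part of the Verify Identity Access sample or of the
verify-access-autoconf project. A chain's ``properties.myself`` and
``properties.partner`` are lists of ``{name, index, value}`` items, where
``index`` is the module position in the chain template (assumed here to be
0 = validate, 1 = map, 2 = issue for the three-module templates above).
MAX_VALIDITY_SECONDS is this example's own threshold, not a product default.
"""

SAML = "com.tivoli.am.fim.sts.saml.2.0."
VALIDATE, MAP, ISSUE = 0, 1, 2
MAX_VALIDITY_SECONDS = 600  # assumption: longer lifetimes deserve a second look

# (module index, property name, is_bad(value), reason). A rule only fires when
# the property is present, so chain-type specific rules stay silent elsewhere.
RULES = [
    (VALIDATE, SAML + "assertion.verify.signatures", lambda v: v != "true",
     "incoming assertion signatures are not verified"),
    (VALIDATE, SAML + "assertion.replay.validation", lambda v: v != "true",
     "assertion replay validation is disabled"),
    (VALIDATE, "ivcred.verify.signatures", lambda v: v != "true",
     "IVCred signatures are not verified"),
    (VALIDATE, "username.skip.password.validation", lambda v: v == "true",
     "UsernameToken password validation is skipped"),
    (VALIDATE, "username.validate.freshness", lambda v: v != "true",
     "UsernameToken timestamp freshness is not validated"),
    (ISSUE, SAML + "assertion.sign", lambda v: v != "true",
     "issued assertions are not signed"),
    (ISSUE, SAML + "SignatureAlgorithm", lambda v: v.upper().endswith("SHA1"),
     "SHA-1 signature algorithm"),
    (ISSUE, SAML + "DigestAlgorithm", lambda v: v.upper() == "SHA1",
     "SHA-1 digest algorithm"),
    (ISSUE, SAML + "assertion.pretime.valid", lambda v: int(v) > MAX_VALIDITY_SECONDS,
     f"assertion accepted more than {MAX_VALIDITY_SECONDS}s before issue time"),
    (ISSUE, SAML + "assertion.posttime.valid", lambda v: int(v) > MAX_VALIDITY_SECONDS,
     f"assertion accepted more than {MAX_VALIDITY_SECONDS}s after issue time"),
]


def module_settings(chain: dict, index: int) -> dict:
    """Merge myself+partner entries for one module index into {name: first value}."""
    merged = {}
    for side in ("myself", "partner"):
        for entry in chain.get("properties", {}).get(side, []):
            if entry.get("index") == index:
                values = entry.get("value") or [""]
                merged[entry["name"]] = str(values[0])
    return merged


def audit_chain(chain: dict) -> list:
    """Return (property, value, reason) triples for every setting that fails a rule."""
    settings = {i: module_settings(chain, i) for i in (VALIDATE, MAP, ISSUE)}
    findings = []
    for index, name, is_bad, reason in RULES:
        value = settings[index].get(name)
        if value is not None and is_bad(value):
            findings.append((name, value, reason))
    # 3DES is a legacy block cipher; flag it whether or not encryption is on yet.
    issue = settings[ISSUE]
    if issue.get(SAML + "BlockEncryptionAlgorithm", "").upper() == "TRIPLEDES":
        enabled = issue.get(SAML + "EncryptAssertions") == "true"
        findings.append((SAML + "BlockEncryptionAlgorithm", "TRIPLEDES",
                         "3DES assertion encryption" if enabled else
                         "3DES selected; unused while EncryptAssertions is false, change it before enabling"))
    return findings


def prop(name, index, value):
    """Build one {name, index, value} entry in the page's YAML shape."""
    return {"name": name, "index": index, "value": [value]}


# Constructed samples: the rule-relevant subset of two chains defined above.
SAML20_TO_SAML20 = {"name": "SAML20ToSAML20Chain", "properties": {
    "myself": [prop(SAML + "assertion.replay.validation", 0, "false"),
               prop(SAML + "assertion.pretime.valid", 2, "60"),
               prop(SAML + "assertion.posttime.valid", 2, "60")],
    "partner": [prop(SAML + "assertion.verify.signatures", 0, "true"),
                prop(SAML + "assertion.sign", 2, "true"),
                prop(SAML + "SignatureAlgorithm", 2, "RSA-SHA256"),
                prop(SAML + "DigestAlgorithm", 2, "SHA256")]}}

IVCRED_TO_SAML20 = {"name": "IVCredToSAML20Chain", "properties": {
    "myself": [prop(SAML + "assertion.pretime.valid", 2, "3600"),
               prop(SAML + "assertion.posttime.valid", 2, "3600")],
    "partner": [prop("ivcred.verify.signatures", 0, "false"),
                prop(SAML + "assertion.sign", 2, "true"),
                prop(SAML + "SignatureAlgorithm", 2, "RSA-SHA512"),
                prop(SAML + "DigestAlgorithm", 2, "SHA256"),
                prop(SAML + "EncryptAssertions", 2, "false"),
                prop(SAML + "BlockEncryptionAlgorithm", 2, "TRIPLEDES")]}}

if __name__ == "__main__":
    for chain in (SAML20_TO_SAML20, IVCRED_TO_SAML20):
        print(chain["name"])
        for name, value, reason in audit_chain(chain):
            print(f"  {name} = {value!r}: {reason}")
```

Run as-is it reports one finding for `SAML20ToSAML20Chain` (replay validation off) and four for `IVCredToSAML20Chain` (unverified IVCred signatures, the two 3600-second validity windows, and TRIPLEDES). To lint a real autoconf file, load the YAML with a loader that registers a constructor for the `!secret` tag and pass each entry of the `chains` list to `audit_chain`.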
SP Configuration
mgmt_user: admin
mgmt_pwd: !secret default/ivia-fed-autoconf-env:ISVA_MGMT_PWD
mgmt_old_pwd: !secret default/ivia-fed-autoconf-env:ISVA_MGMT_OLD_PWD
container:
  admin_cfg:
    session_timeout: 720
  account_management:
    users:
      - name: "lgleeson@au1.ibm.com"
        operation: "add"
        password: !secret default/ivia-fed-autoconf-env:ISVA_MGMT_PWD
      - name: "cfgsvc"
        operation: "update"
        password: !secret default/ivia-fed-autoconf-env:ISVA_MGMT_PWD
      - name: "testuser"
        operation: "add"
        password: !secret default/ivia-fed-autoconf-env:ISVA_MGMT_PWD
      - name: "adminuser"
        operation: "add"
        password: !secret default/ivia-fed-autoconf-env:ISVA_MGMT_PWD
      - name: "dbadmin"
        operation: "add"
        password: !secret default/ivia-fed-autoconf-env:ISVA_MGMT_PWD
  ssl_certificates:
    - name: "lmi_trust_store"
      signer_certificates:
        - "postgresql.pem"
        - "ldap.pem"
    - name: "rt_profile_keys"
      signer_certificates:
        - "postgresql.pem"
      personal_certificates:
        - p12_file: "spkeys.p12"
          name: myspkey
          secret: !secret default/ivia-fed-autoconf-env:SPKEYSP12_SECRET
    - name: "myspkeys"
      personal_certificates:
        - p12_file: "spkeys.p12"
          name: myspkey
          secret: !secret default/ivia-fed-autoconf-env:SPKEYSP12_SECRET
    - name: "pdsrv"
      personal_certificates:
        - p12_file: "idpkeys.p12"
          name: myidpkey
          secret: !secret default/ivia-fed-autoconf-env:IDPKEYSP12_SECRET
        - p12_file: "spkeys.p12"
          name: myspkey
          secret: !secret default/ivia-fed-autoconf-env:SPKEYSP12_SECRET
      signer_certificates:
        - "ssl_certificates"
  cluster:
    runtime_database:
      host: !secret default/ivia-fed-autoconf-env:SP_HVDB_HOST
      port: !secret default/ivia-fed-autoconf-env:HVDB_PORT
      type: "postgresql"
      user: !secret default/ivia-fed-autoconf-env:HVDB_USER
      password: !secret default/ivia-fed-autoconf-env:HVDB_PW
      ssl: True
      db_name: "isva"
  activation: # Activation codes
    trial_license: "ISAM-Trial-IBM.cer"
mapping_rules:
  - type: "saml2"
    files:
      - "mapping_rules/sp/sp_saml20_dynamic_group.js"
      - "mapping_rules/sp/sp_saml20.js"
  - type: "oidc"
    files:
      - "mapping_rules/sp/oidc_adv_claims.js"
      - "mapping_rules/sp/oidc_adv.js"
advanced_configuration:
  - name: "live.demos.enabled"
    value: "true"
  - name: "live.demos.settings"
    value: !secret default/ivia-fed-autoconf-env:SP_LIVE_DEMO_CONFIG
  - name: "sps.authsvcTargetURLAllowList"
    value: "https://www.mysp.ibm.com/mga/.*"
  - name: "sps.targetURLWhitelist"
    value: "https://www.mysp.ibm.com/.*,/isam/.*"
point_of_contact:
  active_profile: "Non-Access Manager Username, Access Manager groups and extended attributes"
webseal:
  runtime:
    policy_server: "ldap"
    user_registry: "ldap"
    ldap:
      host: !secret default/ivia-fed-autoconf-env:SP_LDAP_HOST
      port: !secret default/ivia-fed-autoconf-env:LDAP_PORT
      dn: !secret default/ivia-fed-autoconf-env:LDAP_BIND_DN
      dn_password: !secret default/ivia-fed-autoconf-env:LDAP_BIND_PW
      key_file: "lmi_trust_store"
    clean_ldap: True
    domain: "Default"
    admin_user: "sec_master"
    admin_password: !secret default/ivia-fed-autoconf-env:LDAP_SEC_PW
    admin_cert_lifetime: 1460
    ssl_compliance: "fips"
  reverse_proxy:
    - name: "default"
      host: "www.mysp.ibm.com"
      http:
        enabled: "no"
      https:
        enabled: "yes"
      domain: "Default"
      ldap:
        ssl: "yes"
        port: !secret default/ivia-fed-autoconf-env:LDAP_PORT
        key_file: "lmi_trust_store"
      federation_configuration:
        - name: "saml20sp"
          runtime:
            username: !secret default/ivia-fed-autoconf-env:RUNTIME_USER
            password: !secret default/ivia-fed-autoconf-env:RUNTIME_PASSWORD
            hostname: !secret default/ivia-fed-autoconf-env:SP_RT_HOST
            port: 9443
            type: "remote"
          reuse_acls: true
          reuse_certs: true
        - name: "isvarp"
          runtime:
            username: !secret default/ivia-fed-autoconf-env:RUNTIME_USER
            password: !secret default/ivia-fed-autoconf-env:RUNTIME_PASSWORD
            hostname: !secret default/ivia-fed-autoconf-env:SP_RT_HOST
            port: 9443
            type: "remote"
          reuse_acls: true
          reuse_certs: true
        - name: "isvarp_implicit"
          runtime:
            username: !secret default/ivia-fed-autoconf-env:RUNTIME_USER
            password: !secret default/ivia-fed-autoconf-env:RUNTIME_PASSWORD
            hostname: !secret default/ivia-fed-autoconf-env:SP_RT_HOST
            port: 9443
            type: "remote"
          reuse_acls: true
          reuse_certs: true
        - name: "isvarp_code"
          runtime:
            username: !secret default/ivia-fed-autoconf-env:RUNTIME_USER
            password: !secret default/ivia-fed-autoconf-env:RUNTIME_PASSWORD
            hostname: !secret default/ivia-fed-autoconf-env:SP_RT_HOST
            port: 9443
            type: "remote"
          reuse_acls: true
          reuse_certs: true
      stanza_configuration:
        - stanza: "ssl"
          entry_id: "webseal-cert-keyfile-label"
          value: "CN=www.mysp.ibm.com,OU=Security,O=IBM,C=AU"
          operation: "update"
        - stanza: "server"
          entry_id: "web-host-name"
          value: "CN=www.mysp.ibm.com,OU=Security,O=IBM,C=AU"
          operation: "update"
        - stanza: "step-up"
          entry_id: "verify-step-up-user"
          value: "no"
          operation: "update"
        - stanza: "session"
          entry_id: "user-session-ids"
          value: "yes"
          operation: "update"
        - stanza: "session"
          entry_id: "inactive-timeout"
          value: "1800"
          operation: "update"
        - stanza: "session"
          entry_id: "create-unauth-sessions"
          value: "yes"
          operation: "update"
        - stanza: "junction:/isam"
          operation: "add"
        - stanza: "junction:/isam"
          operation: "update"
          entry_id: "reset-cookies-list"
          value: "*ac.uuid,*JSESSIONID"
        - stanza: "oidc"
          entry_id: "oidc-auth"
          value: "https"
          operation: "update"
        - stanza: "oidc:default"
          operation: "add"
        - stanza: "oidc:default"
          operation: "add"
          entry_id: "redirect-uri-host"
          value: "www.mysp.ibm.com"
        - stanza: "oidc:default"
          operation: "add"
          entry_id: "discovery-endpoint"
          value: "https://www.myidp.ibm.com/mga/sps/oauth/oauth20/metadata/OIDCDefinition"
        - stanza: "oidc:default"
          operation: "add"
          entry_id: "client-id"
          value: !secret default/ivia-fed-autoconf-env:WEBSEAL_OIDC_CLIENT_ID
        - stanza: "oidc:default"
          operation: "add"
          entry_id: "client-secret"
          value: !secret default/ivia-fed-autoconf-env:WEBSEAL_OIDC_CLIENT_SECRET
        - stanza: "oidc:default"
          operation: "add"
          entry_id: "response-type"
          value: "id_token token"
        - stanza: "oidc:default"
          operation: "add"
          entry_id: "mapped-identity"
          value: "{iss}/{sub}"
        - stanza: "oidc:default"
          operation: "update"
          entry_id: "external-user"
          value: "true"
        - stanza: "local-apps"
          entry_id: "cred-viewer"
          value: "cred"
          operation: "update"
        - stanza: "acnt-mgt"
          operation: "update"
          entry_id: "http-rsp-header"
          value: "content-security-policy:TEXT{default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; 'unsafe-inline';}"
  pdadmin:
    acls:
      - name: "default-webseal-unauth"
        groups:
          - name: "iv-admin"
            permissions: "TcmdbsvaBRrxl"
          - name: "webseal-servers"
            permissions: "Tgmdbsrxl"
        users:
          - name: "sec_master"
            permissions: "TcmdbsvaBRrxl"
        any_other: "Tr"
        unauthenticated: "Tr"
    users:
      - username: "anonymous"
        dn: "cn=anonymous,dc=ibm,dc=com"
        password: !secret default/ivia-fed-autoconf-env:FED_ANON_PASSWORD
      - username: "testuser"
        dn: "cn=testuser,dc=ibm,dc=com"
        password: !secret default/ivia-fed-autoconf-env:TEST_PASSWORD
    groups:
      - name: "testgroup"
        dn: "cn=testgroup,dc=ibm,dc=com"
      - name: "testgroup2"
        dn: "cn=testgroup2,dc=ibm,dc=com"
    reverse_proxies:
      - host: "www.mysp.ibm.com"
        instance: "default"
        acls:
          - name: "default-webseal"
            junctions:
              - "/isam/mobile-demo"
          - name: "default-webseal-unauth"
            junctions:
              - "/isam/mobile-demo/theme"
              - "/isam/mobile-demo/oauth/oauth2Client.jsp"
        objects:
          - hostname: "www.mysp.ibm.com"
            instance: "default"
            junction: "/isam/mobile-demo"
            attributes:
              - key: "HTTP-Tag-Value"
                value: "AUTHENTICATION_LEVEL=authentication_level"
federation:
  federations:
    - name: "saml20sp"
      protocol: "SAML2_0"
      role: "sp"
      import_partners:
        - name: "idp_partner"
          metadata: "idpmetadata.xml"
      export_metadata: "spmetadata.xml"
      configuration:
        company_name: "SP Company"
        point_of_contact_url: "https://www.mysp.ibm.com/isam/sps"
        assertion_settings:
          valid_before: 300
          valid_after: 300
        need_consent_to_federate: false
        signature_settings:
          validation_options:
            validate_authn_request: true
          signing_options:
            sign_authn_response: true
            sign_logout_request: true
            sign_logout_response: true
          signing_key_identifier:
            store: "myspkeys"
            label: "CN=www.mysp.ibm.com,OU=Security,O=IBM,C=AU"
          validation_key_identifier:
            store: "myspkeys"
            label: "CN=www.mysp.ibm.com,OU=Security,O=IBM,C=AU"
          key_info_elements:
            include_x509_certificate_data: true
            include_x509_subject_name: false
            include_x509_subject_key_identifier: false
            include_x509_issuer_details: false
            include_public_key: false
        identity_mapping:
          active_delegate_id: "default-map"
          properties:
            mapping_rule: "sp_saml20_dynamic_group"
        extension_mapping:
          active_delegate_id: "skip-extension-map"
        name_id_format:
          default: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        assertion_consumer_services:
          - binding: "post"
            index: "1"
            default: "false"
          - binding: "redirect"
            index: "2"
            default: "false"
        single_logout_service:
          - binding: "post"
            exclude_session_index_in_single_logout_request: false
        encryption_settings:
          decryption_key_identifier:
            store: "myspkeys"
            label: "CN=www.mysp.ibm.com,OU=Security,O=IBM,C=AU"
        message_valid_time: 300
        session_timeout: 7200
    - name: "isvarp"
      protocol: "OIDC10"
      role: "rp"
      configuration:
        redirect_uri_prefix: "https://www.mysp.ibm.com/isam"
        response_types:
          - "code"
          - "id_token"
          - "token"
        identity_mapping:
          active_delegate_id: "default-map"
          properties:
            mapping_rule: "OIDCRP"
        advanced_configuration:
          active_delegate_id: "default-map"
          mapping_rule: "oidc_adv_claims"
      partners:
        - name: "isva_op_partner"
          enabled: True
          role: "rp"
          configuration:
            client_id: !secret default/ivia-fed-autoconf-env:OIDC_CLIENT_ID
            client_secret: !secret default/ivia-fed-autoconf-env:OIDC_CLIENT_SECRET
            basic_configuration:
              active_delegate_id: "metadataEndpointUrl"
              metadata_endpoint_url: "https://www.myidp.ibm.com/mga/sps/oauth/oauth20/metadata/OIDCDefinition"
              scope:
                - "openid"
              signature_algorithm: "RS256"
              token_endpoint_auth_method: "client_secret_basic"
            advance_configuration:
              active_delegate_id: "federation-config"
    - name: "isvarp_implicit"
      protocol: "OIDC10"
      role: "rp"
      configuration:
        redirect_uri_prefix: "https://www.mysp.ibm.com/isam"
        response_types:
          - "id_token"
          - "token"
        identity_mapping:
          active_delegate_id: "default-map"
          properties:
            mapping_rule: "OIDCRP"
        advanced_configuration:
          active_delegate_id: "default-map"
          mapping_rule: "oidc_adv"
      partners:
        - name: "isva_op_partner"
          enabled: True
          role: "rp"
          configuration:
            client_id: !secret default/ivia-fed-autoconf-env:OIDC_CLIENT_ID
            client_secret: !secret default/ivia-fed-autoconf-env:OIDC_CLIENT_SECRET
            basic_configuration:
              active_delegate_id: "metadataEndpointUrl"
              metadata_endpoint_url: "https://www.myidp.ibm.com/mga/sps/oauth/oauth20/metadata/OIDCDefinition"
              scope:
                - "openid"
              signature_algorithm: "RS256"
              token_endpoint_auth_method: "client_secret_basic"
            advance_configuration:
              active_delegate_id: "federation-config"
    - name: "isvarp_code"
      protocol: "OIDC10"
      role: "rp"
      configuration:
        redirect_uri_prefix: "https://www.mysp.ibm.com/isam"
        response_types:
          - "code"
        identity_mapping:
          active_delegate_id: "default-map"
          properties:
            mapping_rule: "OIDCRP"
        advanced_configuration:
          active_delegate_id: "default-map"
          mapping_rule: "oidc_adv"
      partners:
        - name: "isva_op_partner"
          enabled: True
          role: "rp"
          configuration:
            client_id: !secret default/ivia-fed-autoconf-env:OIDC_CLIENT_ID
            client_secret: !secret default/ivia-fed-autoconf-env:OIDC_CLIENT_SECRET
            basic_configuration:
              active_delegate_id: "metadataEndpointUrl"
              metadata_endpoint_url: "https://www.myidp.ibm.com/mga/sps/oauth/oauth20/metadata/OIDCDefinition"
              scope:
                - "openid"
              signature_algorithm: "RS256"
              token_endpoint_auth_method: "client_secret_basic"
            advance_configuration:
              active_delegate_id: "federation-config"
IdP Partner Configuration
mgmt_user: admin
mgmt_pwd: !secret default/ivia-fed-autoconf-env:ISVA_MGMT_PWD
mgmt_old_pwd: !secret default/ivia-fed-autoconf-env:ISVA_MGMT_OLD_PWD
federation:
  federations:
    - name: "saml20idp"
      import_partners:
        - name: "sp_partner"
          metadata: "spmetadata.xml"
Trying it out
Test the federated authentication scenarios (this assumes the default host/domain records shown above are in place):
- IdP initiated OIDC Login
(note: this link also contains the client ID, which may vary in your environment)