The global configuration section documents configuration which is shared between the Access Control and Federation modules of Verify Identity Access. This includes Advanced Configuration Properties, HTTP template pages, JavaScript mapping rules, Point of Contact profiles, Access Policies and Server Connections.

Access Policies

Access policies can be applied to the following deployment types:

  • SAML 2.0 identity provider federation

  • SAML 2.0 service provider partner to an identity provider federation

  • OpenID Connect and API Protection Definition

class src.ibmvia_autoconf.federation.FED_Configurator.Access_Policies

Example:

access_policies:
- name: "MyNewAccessPolicy"
  type: "JavaScript"
  policy_file: "path/to/policy.file"
  category: "OTP"

category: str | None

A grouping of related access policies. For example, category “OAUTH” identifies all the rules associated with the OAUTH flow. Maximum 256 bytes. Valid values are “InfoMap”, “AuthSVC”, “OAUTH”, “OTP”, “OIDC” and “SAML2_0”.

name: str

A unique name for the access policy. Maximum of 256 bytes.

policy_file: str

A file with the JavaScript content of the access policy.

type: str | None

System default type for each access policy. For example, “JavaScript”.

Attribute Sources

Identity attribute sources for federated identities.

class src.ibmvia_autoconf.federation.FED_Configurator.Attribute_Sources

Example:

attribute_sources:
- name: "username"
  type: "credential"
  value: "PrincipalName"
  properties:
  - key: "searchFilter"
    value: "(&(ObjectClass=inetOrgPerson)(memberOf=dc=ibm,dc=com))"

class Attribute_Source
class Property
key: str

The property key. Valid fields for LDAP include “serverConnection”, “scope”, “selector”, “searchFilter”, “baseDN”.

value: str

The property value.

name: str

The friendly name of the source attribute. It must be unique.

properties: List[Property] | None

The properties associated with an attribute source.

type: str

The type of the attribute source. Valid types are:

  • “credential”: The attribute is from the authenticated context.

  • “value”: The attribute is plain text from the value parameter.

  • “ldap”: The attribute is retrieved from an LDAP server.

value: str

The value of the source attribute:

  • Credential type: the name of a credential attribute from the authenticated context which contains the value.

  • Value type: the plain text to be used as the source attribute value.

  • LDAP type: the name of the LDAP attribute to be used.

attribute_sources: List[Attribute_Source]

List of attribute sources to create or update.

Advanced Configuration Parameters

The Advanced Configuration Parameters entry is used to set module-wide properties for authentication and authorization components. The list of available properties depends on the target version of Verify Identity Access being configured. Administrators can refer to a property either by its Verify Identity Access assigned identifier or by its name.

class src.ibmvia_autoconf.access_control.AAC_Configurator.Advanced_Configuration

Example:

advanced_configuration:
- name: "attributeCollection.authenticationContextAttributes"
  value: "resource,action,ac.uuid,header:userAgent,urn:ibm:demo:transferamount"
- name: "mmfa.transactionArchival.maxPendingPerUser"
  value: "1"

id: int | None

The Verify Identity Access assigned property id. Either the property ID or name must be defined.

name: str | None

The name of the advanced configuration property. Either the property ID or name must be defined.

value: str

The updated value of the advanced configuration property.

HTTP Template Files

This configuration option can be used to upload files or directories containing HTML files which are compatible with the AAC and Federation templating engine. The directory structure of any directories to upload should follow the default top level directories. If you are specifying a directory, its path should end with a trailing /.

class src.ibmvia_autoconf.access_control.AAC_Configurator.Template_Files

Example:

template_files:
- aac/isva_template_files.zip
- login.html
- 2fa.html

template_files: List[str]

List of files or zip-files to upload as HTML template pages. Paths can be relative to the IVIA_CONFIG_BASE property or fully-qualified file paths.

JavaScript Mapping Rules

This configuration option can be used to upload different types or categories of JavaScript Mapping Rules. These rules are typically used to implement custom business logic for a particular integration requirement.

Note

Some types of mapping rules are defined elsewhere, e.g. OIDC pre/post token mapping rules must be defined with the OIDC definition they are associated with.

class src.ibmvia_autoconf.access_control.AAC_Configurator.Mapping_Rules

Examples:

mapping_rules:
- type: SAML2
  files:
  - saml20.js
  - adv_saml20.js
- type: InfoMap
  files:
  - mapping_rules/basic_user_email_otp.js
  - mapping_rules/basic_user_sms_otp.js
  - mapping_rules/ad_user_mfa.js
- type: Fido2
  files:
  - mediator.js

class Mapping_Rule
files: List[str]

List of files or directories to upload as JavaScript mapping rules. Paths can be relative to the IVIA_CONFIG_BASE property or fully-qualified file paths.

type: str

Type of JavaScript rule to create. Valid values include InfoMap, AuthSVC, FIDO2, OAUTH, OTP, OIDC and SAML2_0.

mapping_rules: List[Mapping_Rule]

List of mapping rule types/files to upload.

Point Of Contact

The point of contact profile is used to control how the runtime server communicates with the point of contact server (usually WebSEAL).

class src.ibmvia_autoconf.federation.FED_Configurator.Point_Of_Contact_Profiles

Example:

point_of_contact:
  profiles:
  - name: "MyPoCProfile"
    description: "MyPoCProfile description"
    authenticate_callbacks:
    - index: 0
      module_reference_id: "websealPocAuthenticateCallback"
      parameters:
      - name: "authentication.level"
        value: "1"
    sign_in_callbacks:
    - index: 0
      module_reference_id: "websealPocSignInCallback"
      parameters:
      - name: "fim.user.response.header.name"
        value: "am-fim-eai-user-id"
    local_id_callbacks:
    - index: 0
      module_reference_id: "websealPocLocalIdentityCallback"
      parameters:
      - name: "fim.cred.request.header.name"
        value: "iv-creds"
    sign_out_callbacks:
    - index: 0
      module_reference_id: "websealPocSignOutCallback"
      parameters:
      - name: "fim.user.session.id.request.header.name"
        value: "user_session_id"
    authn_policy_callbacks:
    - index: 0
      module_reference_id: "genericPocAuthnPolicyCallback"
      parameters:
      - name: "authentication.level"
        value: "1"

class Point_Of_Contact_Profile
class Point_Of_Contact_Callback
class Point_Of_Contact_Parameter
name: str

The name of the parameter.

value: str

The value of the parameter.

index: int

A number reflecting the position of this callback in the callbacks array.

module_reference_id: str

The module ID referenced in the callback. It must be one of the supported module IDs.

parameters: List[Point_Of_Contact_Parameter] | None

The parameters used by the callback.

authenticate_callbacks: List[Point_Of_Contact_Callback] | None

An array of callbacks for authentication.

authn_policy_callbacks: List[Point_Of_Contact_Callback] | None

An array of callbacks for authentication policy.

description: str | None

A description of the point of contact profile.

local_id_callbacks: List[Point_Of_Contact_Callback] | None

An array of callbacks for local identity.

name: str

A meaningful name to identify this point of contact profile.

sign_in_callbacks: List[Point_Of_Contact_Callback] | None

An array of callbacks for sign in.

sign_out_callbacks: List[Point_Of_Contact_Callback] | None

An array of callbacks for sign out.

active_profile: str

The name of the Point of Contact profile which should be the active profile. Only one profile can be active at a time.

profiles: List[Point_Of_Contact_Profile]

List of point of contact profiles to configure.

Server Connections

Server connections are used to connect to third party infrastructure such as LDAP registries, email servers, SMS servers, etc. These connections are used by other AAC components to provide authentication/authorization services.

class src.ibmvia_autoconf.access_control.AAC_Configurator.Server_Connections

Example:

server_connections:
- name: "intent-svc"
  type: "web_service"
  description: "A connection to the intent service."
  properties:
    url: "http://ibmsec.intent.svc:16080"
    user: ""
    password: ""
    ssl: false
- name: "Cloud Identity tenant connection"
  type: "ci"
  description: "A connection to the companion CI Tenant."
  properties:
    ci_tenant: !secret default/isva-secrets:ci_tenant
    ci_client_id: !secret default/isva-secrets:ci_client_id
    ci_client_secret: !secret default/isva-secrets:ci_client_secret
    ssl_truststore: "rt_profile_keys.kdb"
- name: "Local LDAP connection"
  type: "ldap"
  description: "A connection to this ISAMs LDAP."
  locked: false
  properties:
    hostname: ibmsec.ldap.domain
    port: 636
    bind_dn: "cn=root,secAuthority=Default"
    bind_password: !secret default/isva-secrets:ldap_bind_secret
    ssl: true
    ssl_truststore: "lmi_trust_store"
- name: "SCIM web service connection"
  type: "web_service"
  description: "A connection to this ISAMs SCIM server."
  locked: false
  properties:
    url: https://ibmsec.runtime.svc
    user: !secret default/isva-secrets:runtime_user
    password: !secret default/isva-secrets:runtime_secret
    ssl: true
    key_file: "rt_profile_keys.kdb"

class Server_Connection
class IbmsecVerifyConnection

ci

admin_host: str

The IBM Security Verify administration host to connect to.

authenticators_endpoint: str | None

The versioned endpoint for authenticator requests.

authnmethods_endpoint: str | None

The DEPRECATED versioned endpoint for authentication method requests.

authorize_endpoint: str | None

The versioned endpoint for authorization requests.

client_id: str

The client ID to authenticate to the IBM Security Verify tenant.

client_secret: str

The client secret to authenticate to the IBM Security Verify tenant.

factors_endpoint: str | None

The versioned endpoint for factors requests.

ssl: bool

Controls whether SSL is used to establish the connection.

ssl_key_label: str | None

The name of the key which should be used during mutual authentication with the web server.

ssl_truststore: str | None

The key database to be used as an SSL truststore. This field is required when ssl is true.

user_endpoint: str | None

The versioned endpoint for user requests.

class Java_Database_Connection

jdbc

age_timeout: int | None

Amount of time before a physical connection can be discarded by pool maintenance. A value of -1 disables this timeout. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. (Default value is -1)

connection_purge_policy: str | None

Specifies which connections to destroy when a stale connection is detected in a pool. Valid values are:

  • EntirePool: when a stale connection is detected, all connections in the pool are marked stale and, when no longer in use, are closed.

  • FailingConnectionOnly: when a stale connection is detected, only the connection which was found to be bad is closed.

  • ValidateAllConnections: when a stale connection is detected, connections are tested and those found to be bad are closed.

(Default value is EntirePool)

connection_reap_time: str | None

Amount of time between runs of the pool maintenance thread. A value of “-1” disables pool maintenance. Default value is 3m.

connection_timeout: int | None

Amount of time after which a connection request times out. A value of -1 disables this timeout. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. (Default value is 30s)

connections_per_thread: int | None

Caches the specified number of connections for each thread.

database_name: str | None

The name of the database to connect to. Only applicable to DB2 and PostgreSQL connections, and required for all of them.

max_connections_per_thread: int | None

Limits the number of open connections on each thread.

max_idle_time: int | None

Amount of time after which an unused or idle connection can be discarded during pool maintenance, if doing so does not reduce the pool below the minimum size. A value of -1 disables this timeout. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. (Default value is 30m)

max_pool_size: int | None

Maximum number of physical connections for a pool. A value of 0 means unlimited. (Default value is 50)

min_pool_size: int | None

Minimum number of physical connections to maintain in the pool. The pool is not pre-populated. The age timeout (age_timeout) can override the minimum.

password: str

The password used to authenticate with the database.

port: int

The port that the database is listening on.

server_name: str

The IP address or hostname of the database.

service_name: str | None

The name of the database service to connect to. Only applicable to Oracle connections, and required for all of them.

ssl: bool

Controls whether SSL is used to establish the connection.

type: str | None

The Oracle JDBC driver type. Valid types are thin and oci. Only applicable to Oracle connections, and required for all of them.

user: str

The user name used to authenticate with the database.

class LDAPConnection

ldap

class Server
connection: dict

The connection properties. This dictionary uses the properties from LDAPConnection.

order: int

The order of precedence for this server.

bind_dn: str

The distinguished name to use to bind to the LDAP server.

bind_password: str

The password for the bind DN to use when binding to the LDAP server.

hostname: str

The IP address or hostname of the LDAP server.

key_file: str

The key database to be used as an SSL truststore.

key_label: str

The name of the key which should be used during mutual authentication with the LDAP server.

port: int

The port that the LDAP server is listening on.

servers: List[Server] | None

Additional LDAP servers for this connection.

ssl: bool

Controls whether SSL is used to establish the connection.

timeout: int | None

Amount of time, in seconds, after which a connection to the LDAP server times out.

class RedisConnection

redis

class Server
hostname: str

The IP address or hostname of the Redis server.

port: str

The port that the Redis server is listening on.

connection_timeout: int | None

Amount of time, in seconds, after which a connection to the Redis server times out.

deployment_model: str

The Redis deployment model. Valid values are standalone and sentinel.

hostname: str | None

The IP address or hostname of the Redis server. This is only required if the deployment_model is set as standalone.

idle_timeout: int | None

Amount of time, in seconds, after which an established connection will be discarded as idle.

io_timeout: int | None

Amount of time, in seconds, after which the connection socket will timeout.

master_name: str

The key used in the redis sentinel node to store the master/slave configuration.

max_idle_size: int | None

The maximum number of idle connections in the pool.

max_pool_size: int | None

Number of connections which will be pooled.

min_pool_size: int | None

The minimum number of idle connections in the pool.

password: str | None

The password used to authenticate with the Redis server.

port: int

The port that the Redis server is listening on.

servers: List[Server] | None

Additional Redis servers for this connection.

ssl: bool

Controls whether SSL is used to establish the connection.

ssl_key_label: str | None

The key database to be used as an SSL keystore. Only required if ssl is set to true.

ssl_truststore: str | None

The key database to be used as an SSL truststore. Only required if ssl is set to true.

user: str | None

The user name to authenticate to the Redis server.

class SMTPConnection

smtp

hostname: str

The IP address or hostname of the SMTP server.

password: str | None

The password used to authenticate with the SMTP server.

port: int

The port that the SMTP server is listening on.

ssl: bool

Controls whether SSL is used to establish the connection.

timeout: int | None

Amount of time, in seconds, after which a connection to the SMTP server times out.

user: str | None

The user name to authenticate to the SMTP server.

class VerifyAccessRuntimeConnection

isamruntime

bind_dn: str

The distinguished name to use to bind to the Verify Identity Access Runtime LDAP server.

bind_pwd: str

The password for the bind DN to use when binding to the Verify Identity Access Runtime LDAP server.

ssl: bool

Controls whether SSL is used to establish the connection.

ssl_key_label: str | None

The name of the key which should be used during mutual authentication with the Verify Identity Access runtime LDAP server.

ssl_truststore: str | None

The key database to be used as an SSL truststore. This field is required when ssl is true.

class WebServiceConnection

ws

key_file: str | None

The key database to be used as an SSL truststore. This field is required when ssl is true.

key_label: str | None

The name of the key which should be used during mutual authentication with the web server.

password: str

The password used to authenticate with the web service.

ssl: bool

Controls whether SSL is used to establish the connection.

url: str

The fully qualified URL of the web service endpoint, including the protocol, host/IP, port and path.

user: str

The user name to authenticate to the web service.

description: str | None

A description of the connection.

locked: bool | None

Controls whether the connection is allowed to be deleted. If not present, a default of false will be assumed.

name: str

The name of the connection.

properties: IbmsecVerifyConnection | Java_Database_Connection | RedisConnection | LDAPConnection | SMTPConnection | VerifyAccessRuntimeConnection | WebServiceConnection

Connection specific properties.

type: str

The type of server connection. Valid types are ci, ldap, isamruntime, oracle, db2, soliddb, postgresql, smtp and ws.

connections: List[Server_Connection]

List of server connections to create or update. Properties of individual connections are described in the _Connection subclasses.
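The constraints documented for server connections above (valid types, the truststore property required when ssl is true, the DB2/PostgreSQL, Oracle and Redis requirements) and two defender checks that follow from them (a credential configured on a connection with ssl false, and a secret written as a literal instead of a !secret reference), as an added lint over a parsed server_connections list. This is example code, not part of ibmvia_autoconf; it takes the Python structure a YAML loader would produce, uses the hypothetical SecretRef class as a stand-in for !secret values, and adds redis to the type set because the page documents it as a connection class.

```python
from dataclasses import dataclass
from typing import Any, Dict, List

# Connection types listed under `type` above, plus redis, which the page documents
# as a properties class; and the truststore property required when ssl is true.
VALID_TYPES = {"ci", "ldap", "isamruntime", "oracle", "db2", "soliddb",
               "postgresql", "smtp", "ws", "redis"}
TRUSTSTORE_KEY = {"ci": "ssl_truststore", "isamruntime": "ssl_truststore",
                  "redis": "ssl_truststore", "ws": "key_file"}
SECRET_KEYS = ("password", "bind_password", "bind_pwd", "client_secret", "ci_client_secret")

@dataclass(frozen=True)
class SecretRef:
    ref: str  # assumed stand-in for a value written with the `!secret ns/name:key` tag

def lint_connection(conn: Dict[str, Any]) -> List[str]:
    """Return findings for one server connection; an empty list means clean."""
    name, ctype = conn.get("name", "<unnamed>"), conn.get("type")
    props = conn.get("properties") or {}
    if ctype not in VALID_TYPES:
        return [f"{name}: unknown connection type {ctype!r}"]
    findings: List[str] = []
    ssl = bool(props.get("ssl", False))
    if ssl and ctype in TRUSTSTORE_KEY and not props.get(TRUSTSTORE_KEY[ctype]):
        findings.append(f"{name}: ssl is true but {TRUSTSTORE_KEY[ctype]} is not set")
    for key in SECRET_KEYS:
        value = props.get(key)
        if value is None or value == "":
            continue
        if not ssl:  # the credential would cross the network in cleartext
            findings.append(f"{name}: {key} would be sent without SSL")
        if isinstance(value, str):  # literal in the autoconf file, not a !secret
            findings.append(f"{name}: {key} is a literal, not a !secret reference")
    if ctype in ("db2", "postgresql") and not props.get("database_name"):
        findings.append(f"{name}: database_name is required for {ctype}")
    if ctype == "oracle" and not props.get("service_name"):
        findings.append(f"{name}: service_name is required for oracle")
    if ctype == "oracle" and props.get("type") not in ("thin", "oci"):
        findings.append(f"{name}: oracle driver type must be thin or oci")
    if ctype == "redis":
        model = props.get("deployment_model")
        if model not in ("standalone", "sentinel"):
            findings.append(f"{name}: deployment_model must be standalone or sentinel")
        elif model == "standalone" and not props.get("hostname"):
            findings.append(f"{name}: hostname is required for a standalone deployment")
    return findings

def lint_connections(connections: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Lint a whole `server_connections` list, keyed by connection name."""
    return {c.get("name", "<unnamed>"): lint_connection(c) for c in connections}

# Constructed sample (placeholder hosts): one clean connection and two with findings.
SAMPLE = [
    {"name": "Local LDAP connection", "type": "ldap", "properties": {
        "hostname": "ldap.example.test", "port": 636, "bind_dn": "cn=root,secAuthority=Default",
        "bind_password": SecretRef("default/isva-secrets:ldap_bind_secret"),
        "ssl": True, "key_file": "lmi_trust_store"}},
    {"name": "intent-svc", "type": "ws", "properties": {
        "url": "http://intent.example.test:16080", "user": "svc", "password": "Passw0rd", "ssl": False}},
    {"name": "reporting-db", "type": "postgresql", "properties": {
        "server_name": "db.example.test", "port": 5432, "user": "rpt",
        "password": SecretRef("default/isva-secrets:db_secret"), "ssl": True}},
]
```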

Runtime Server Configuration

This property can be used to configure the runtime Liberty server. This includes: configuring trace; managing the endpoints/interfaces on which the runtime server responds to requests; setting server configuration parameters (such as proxy settings and SSL configuration); and defining users in the runtime user registry.

class src.ibmvia_autoconf.access_control.AAC_Configurator.Runtime_Configuration

Example:

runtime_properties:
  users:
  - name: "easuser"
    password: !secret default/isva-secrets:runtime_password
    groups:
    - "scimAdmin"
    - "fidoAdmin"
  tuning_parameters:
  - name: "https_proxy_host"
    value: "http://my.proxy"
  - name: "https_proxy_port"
    value: "3128"
  endpoints:
  - interface: "1.1"
    address: "192.168.42.102"
    port: 444
    ssl: true
  - interface: "1.2"
    dhcp4: true
    dhcp6: false
    port: 443
    ssl: true

class Endpoint
address: str | None

The static address that the runtime endpoint will listen on.

dhcp4: bool | None

Endpoint should listen on the DHCP IPv4 address for the given interface.

dhcp6: bool | None

Endpoint should listen on the DHCP IPv6 address for the given interface.

interface: str

The interface the runtime endpoint will listen on.

port: int

Port that endpoint will listen on.

ssl: bool

Endpoint should use SSL encryption for connections.

class Group
name: str

Name of the group to create or update.

users: List[str] | None

List of users to add to the group.

class Runtime_Tuning_Parameter
name: str

The tuning parameter to set.

value: str

The new value for the specified parameter.

class User
groups: List[str] | None

A list of groups the new user will belong to.

name: str

Name of the user to create or update.

password: str

The password for the new user. This can contain any ASCII characters.

endpoints: List[Endpoint] | None

List of http(s) endpoints that the AAC/Federation runtime is listening on.

groups: List[Group] | None

List of groups to add/update in the AAC/Federation runtime user registry.

trace: str | None

Set the runtime trace specification in Liberty.

tuning_parameters: List[Runtime_Tuning_Parameter] | None

List of AAC/Federation runtime JVM tuning parameters.

users: List[User] | None

List of users to add/update in the AAC/Federation runtime user registry. Users are created before groups, so if you are creating a user and a group in the same autoconf, add the user to the group's list of users rather than listing the group in the user's groups.
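The create-order caveat above, detected and repaired programmatically: a user whose groups list names a group created by the same autoconf is moved to that group's users list. This is an added example, not part of ibmvia_autoconf; it operates on the runtime_properties mapping as a YAML loader would return it, and in the constructed sample scimAdmin is assumed to already exist in the registry.

```python
import copy
from typing import Any, Dict, List, Tuple

def misplaced_memberships(runtime: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (user, group) pairs where a user's `groups` names a group that this same
    autoconf also creates. Users are created before groups, so that group does not
    exist yet when the user is created."""
    defined = {g["name"] for g in runtime.get("groups") or []}
    return [(u["name"], g) for u in runtime.get("users") or []
            for g in (u.get("groups") or []) if g in defined]

def move_memberships(runtime: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy in which each misplaced membership is expressed on the group
    (its `users` list) instead of on the user, as the note above prescribes."""
    fixed = copy.deepcopy(runtime)
    by_name = {g["name"]: g for g in fixed.get("groups") or []}
    for user in fixed.get("users") or []:
        keep: List[str] = []
        for group in user.get("groups") or []:
            if group in by_name:
                members = by_name[group].setdefault("users", [])
                if user["name"] not in members:
                    members.append(user["name"])
            else:
                keep.append(group)  # group already exists in the registry: safe to keep
        if "groups" in user:
            user["groups"] = keep
    return fixed

# Constructed sample: "scimAdmin" is assumed to already exist in the runtime registry,
# while "reportViewers" is created by this same autoconf. The password is a placeholder.
SAMPLE_RUNTIME = {
    "users": [{"name": "easuser", "password": "<placeholder>",
               "groups": ["scimAdmin", "reportViewers"]}],
    "groups": [{"name": "reportViewers"}],
}
```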