One of the key concepts to understand about the IBM Application Gateway (IAG) is that it has no direct dependency on a user registry or any other user database. This means that it cannot perform native authentication; instead it relies on trusted external identity providers, using well-known Federated Single Sign-On protocols, to prove and assert a user's identity.
The following diagram further illustrates the authentication flow:
The steps in the flow are as follows:
- The client requests a resource which is protected by the IAG.
- The IAG determines that a trusted identity is required in order to access the resource and sends a redirect to the configured identity provider.
- The client sends the request for identity information to the identity provider.
- The identity provider authenticates the user against a configured user repository/database. This step is transparent to the IAG and is dependent on the identity provider itself.
- The identity provider redirects the client back to the IAG, providing the requested identity information.
- The client passes the identity information to the IAG. At this point the IAG completes the single sign-on flow (which sometimes requires further interaction with the identity provider) and eventually produces a user session which contains the asserted identity information.
- The IAG then passes the original request on to the destination application.
The IAG currently supports identity assertion using two popular Federated Single-Sign-On protocols:
- OpenID Connect: where the IAG can act as an OIDC relying party to receive trusted identity information;
- OAuth 2.0: where the IAG can use token introspection to validate an OAuth access token.
NB: OAuth is not currently supported but support will be added in a future release.
When the identity information is provided to IAG it is passed as a token which contains various attributes of the user, otherwise known as claims. These attributes will be included in the established IAG user session, which can then be used in conjunction with authorization policies to control access to the applications which are hosted by the IAG. See the Authorization page for further details on understanding and defining authorization policies.
IBM Security Verify helps you secure user productivity with cloud-delivered Single Sign-On (SSO), multifactor authentication, and identity governance. It is a trusted identity provider for the IBM Application Gateway. See the Protecting Web Applications with IBM Security Verify page for further details on configuring IBM Security Verify as an identity provider for IAG.
IBM Security Verify Access (formerly IBM Security Access Manager) provides a user-friendly access management and multifactor authentication solution to help organizations maintain security as they adopt new technologies. It is a trusted identity provider for the IBM Application Gateway. See the Protecting Web Applications with IBM Security Verify Access page for further details on configuring Security Verify Access as an identity provider for IAG.