Configuring OAuth Introspection for IBM Security Verify Access

Introduction

IBM Security Verify Access provides user-friendly access management and multifactor authentication to help organizations maintain security as they adopt new technologies. It can be used as an Identity Provider by the IBM Application Gateway (IAG) using OAuth Introspection (as depicted below).

OAuth Introspection Flow

Prerequisites

Before attempting to configure Security Verify Access as an identity provider for IAG:

  1. You need an IBM Security Verify Access or IBM Security Access Manager 9.0.3.0+ appliance with the Advanced Access Control offering activated.
  2. You need to create an API Protection definition. More information on how to create an API Protection definition can be found in the IBM Security Verify Access documentation: https://www.ibm.com/support/knowledgecenter/en/SSPREK_10.0.0/com.ibm.isva.doc/config/concept/OAuthConfiguring.htm#oauthconfiguring. When creating the Client for the API Protection definition, take special note of the created client ID and secret.

Configuration

The IBM Security Verify Access configuration is contained within the 'identity/oauth' node of the IAG configuration YAML:

  • A description of the configuration options is available from the oauth page within the YAML reference. A minimal configuration requires the following configuration data:

    • Name
    • Introspection Endpoint
    • Client Identity
    • Client Secret
    • Attributes
    • IBM Security Verify Access CA certificate
  • An example configuration file is also available in the IBM Security Verify Access: OAuth example page.
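
To show what the minimal configuration data is used for, the following added example (not IBM's code and not how IAG is implemented) builds a standard RFC 7662 introspection request and evaluates the response. The function names, the HTTP Basic client authentication, and the treatment of Attributes as a list of response fields to copy are assumptions, and the sample response is constructed.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request


def build_introspection_request(endpoint, client_id, client_secret, token):
    """Build the RFC 7662 POST; the client authenticates with HTTP Basic."""
    if not endpoint.lower().startswith("https://"):
        raise ValueError("introspection endpoint must use https")
    # RFC 6749 section 2.3.1: form-encode id and secret before Base64.
    creds = "%s:%s" % (urllib.parse.quote_plus(client_id),
                       urllib.parse.quote_plus(client_secret))
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": "access_token"}).encode()
    return urllib.request.Request(endpoint, data=body, method="POST", headers={
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })


def evaluate_response(raw_json, wanted_attributes):
    """Fail closed: only a literal JSON `"active": true` accepts the token."""
    try:
        claims = json.loads(raw_json)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return None
    # Copy only the configured attributes into the session.
    return {k: claims[k] for k in wanted_attributes if k in claims}


def introspect(endpoint, client_id, client_secret, token, ca_file, attributes):
    """Send the request, trusting only the CA in ca_file (PEM) for TLS."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = build_introspection_request(endpoint, client_id, client_secret, token)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return evaluate_response(resp.read().decode("utf-8"), attributes)


if __name__ == "__main__":
    # Constructed sample response; no network access is needed for this part.
    sample = '{"active": true, "username": "alice", "scope": "read", "exp": 1}'
    print(evaluate_response(sample, ["username", "scope"]))
    print(evaluate_response('{"active": false}', ["username"]))
```

Passing the CA file to `ssl.create_default_context` means the system trust store is not loaded, so only a server certificate chaining to that CA is accepted.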