OIDC with Verify Access

Suggest Edits

Description

The example YAML file provided below contains a basic YAML configuration for an
IBM Application Gateway (IAG) container which:

  1. Specifies a server certificate;
  2. Configures an IBM Security Verify Access or IBM Security Access Manager 9.0.7.0+ system as the identity
    provider using OIDC.

Example YAML

version: "23.04"

#
# Configure an IAG container with a very basic configuration.  This 
# configuration will simply define a server certificate, and configure an IBM 
# Security Verify Access system as the identity provider.
#

#
# Specify a server certificate to be used by the container.  The server 
# certificate was created using an openssl command:
#  openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 \
#        -out cert.pem
#
# To remove the dependency on external files a base-64 representation of the
# key.pem and cert.pem files can be embedded within this YAML, where the 
# base-64 encoded file is prefixed with 'B64:', for example: 
#   "B64:PGhy4KICAgIDxoND5...."
# 
# If no certificate is specified a self-signed certificate will be 
# automatically created and used by the container.
#

server:
  ssl:
    front_end:
      certificate: 
        - "@cert.pem"
        - "@key.pem"

#
# Specify an IBM Security Verify Access or IBM Security Access Manager 9.0.7.0+ 
# system as the identity provider for the container.  Please note that the 
# values provided below are for illustrative purposes only and don't reflect 
# a real system.
#
# The discovery endpoint is constructed from the IBM Security Verify Access
# hostname, the junction point and the OIDC definition, and is of the following
# format:
#     https://<host>/<junction>/sps/oauth/oauth20/metadata/<oidc definition>
#
# The redirect URI which is used in the SSO flow is constructed from the host 
# header contained in the request, appended with '/pkmsoidc' (for example: 
# https://ibm-app-gateway.ibm.com/pkmsoidc).  This redirect URI should be
# specified when creating the custom application within the Security Verify 
# Access administrators console.
#
# The certificate used in this example is the exported CA certificate in pem
# format of the Security Verify Access system which has been copied to the IAG 
# container in the default configuration location:
#  /var/iag/config


identity:
  oidc:
    discovery_endpoint: "https://www.myidp.ibm.com/mga/sps/oauth/oauth20/metadata/oidc_def"
    client_id: "300141b6-690b-4e4e-862d-2c96da2bb1ba"
    client_secret: "wPP8rM8N0d"
    ssl:
      certificate: 
        - "@cert.pem"

Updated about 1 month ago