Exporting from Verify Access

Suggest Edits

IBM Security Verify Access environments using v10.0.4.0 or newer contain a capability which makes it possible to export parts of Reverse Proxy instances to IAG.

The scope of the export operation includes resources servers (known as junctions in Verify Access) and optional reverse proxy features which exist in both IAG and Verify Access' reverse proxy. To learn more about the export process, visit the IBM Security Verify Access documentation.

Next Steps

The exported bundle contains the selected resource servers and any selected features. As IAG uses a different model for authentication and authorization, these must be configured manually.

Understanding IAG Configuration

For clarity, each element of the configuration YAML has been split into separate files. IAG can be configured using a single YAML document if desired by combining the contents of each YAML document. The file names of the YAML configuration documents are not significant, IAG will load and parse all files ending with .yaml or .yml. Refer to the topic Configuration for more information about how configuration data for IAG is structured.

Configuring Authentication

To get started with authentication, review the topic Authentication and refer to the examples OIDC with Verify or (OIDC with Verify Access)[../../yaml/examples/oidc-verify-access-yaml].

For example, to configure IBM Security Verify as an identity provider, a document containing the details of an IBM Security Verify Application like the following could be specified in a new file named verify-identity-provider.yaml:

version: 23.04
identity:
  oidc:
    discovery_endpoint: "https://ibm-app-gw.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration"
    client_id: "300141b6-690b-4e4e-862d-2c96da2bb1ba"
    client_secret: "wPP8rM8N0d"

For information about creating an IBM Security Verify Application, see the Scenarios/IBM Security Verify topic.

Configuring Authorization

After authentication is configured, IAG will default to a policy which only allows access to authenticated users. Authorization is also configured differently in IAG, to get started review the topic Authorization and refer to the example Authorization Policy YAML.

For example, to add a policy which allows unauthenticated access to some resources, and only users in the "application-owners" groups access to some others, the following could be added to policies.yaml: (Note that if the export did not contain any features which reside in the policy section of the configuration, a new file could be created.)

version: 23.04
policies:
  ...


  authorization:
    - name: "unauthenticated-access"
      methods:
        - "GET"
      paths: 
        - "/landing"
        - "/landing-assets/*"
      rule: "anyuser"
      action: "permit"
    - name: "application-owners"
      methods:
        - "GET"
        - "POST"
        - "PUT"
        - "DELETE"
      paths: 
        - "/admin/*"
      rule: (any groupIds = "application owners")
      action: "permit"

Starting the IAG Container

The included export_trace.log includes an example command that can be used to start IAG using Docker on your workstation:

docker run --rm -p 8443:8443 \
    -v [config-directory]:/var/iag/config \
    icr.io/ibmappgateway/ibm-application-gateway:23.04

Once the container has started, visit https://localhost:8443 (or https://<your-container-hosts-ip>:8443, depending on your environment) to see IAG in action.

More detailed guides demonstrating how get IAG up and running in different environments are available in the Hello World section. For further information about additional environment, see the Deployments section.

Updated about 2 months ago