Configuring IBM Security Verify Access
Configuring IBM Security Verify Access (ISVA) Web Reverse Proxy
IBM Security Verify Access (ISVA) Web Reverse Proxy acts as the point of contact for the IBM Security Verify Access OIDC Provider (ISVAOP).
The minimum version required for the IBM Security Verify Access OIDC Provider is 10.0.6.0.
The steps below must be followed to configure ISVA:
- Navigate to Web -> Reverse Proxy and select the reverse proxy that you want to configure as the point of contact.
- Navigate to Manage -> AAC and Federation Configuration -> OAuth and OpenID Connect Provider Configuration.
- Select the ISVA OIDC container-based provider.
- Navigate to the IBM Security Verify Access OIDC Provider Runtime tab. Provide the ISVAOP runtime details (Host name, Port and Junction) and, if required, use the Load Certificate option. Click Next.
- Reuse certificates and Reuse ACLs are selected by default; uncheck them to change the default behaviour. Click Finish.
- (Recommended) Set restrictive content-security-policy and x-frame-options response headers. Navigate to Web -> Edit Configuration File and update the [rsp-header-names] stanza with the desired values for these two headers.
- Deploy the pending changes and restart the reverse proxy. In a container deployment of Verify Access, you must also publish the container configuration before restarting the Web Reverse Proxy container.
Note
To run the device flow, attach an anyauth ACL to the user_authorize endpoint as well.
- Once this is completed, update base_url in provider.yml to https://<proxy>:<port>/{junction}. This is the point-of-contact URL through which ISVAOP is reached, and it is used to populate the endpoint URLs in the OpenID Connect Discovery metadata.
```yaml
definition:
  ...
  # Other configuration
  base_url: https://isvaop.ibm.com:445/{junction} # Base url of the endpoints.
```
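Once the changes are deployed, the result of the procedure above can be checked from the outside: every URL advertised in the discovery document should sit under base_url (the WRP host and junction, not the ISVAOP runtime), and the two recommended response headers should be present and restrictive. The script below is an added example, not part of the IBM documentation or of ISVAOP; the junction name isvaop, the hostnames and the sample discovery document and headers are constructed for illustration, and it assumes the discovery document is served at <base_url>/.well-known/openid-configuration.

```python
"""Post-configuration checks for an ISVA WRP point of contact in front of ISVAOP.

Added example, not IBM code. Assumptions:
  * The OpenID Connect discovery document is served at
    <base_url>/.well-known/openid-configuration and is a JSON object whose
    "issuer", "jwks_uri" and "*_endpoint" members are absolute URLs.
  * The junction name "isvaop" and every hostname below are made up.
"""
import json
import sys
import urllib.request
from urllib.parse import urlsplit

# Constructed sample: base_url as it should appear in provider.yml, i.e. the
# WRP host and junction rather than the ISVAOP runtime container.
SAMPLE_BASE_URL = "https://isvaop.ibm.com:445/isvaop"

# Constructed discovery document. jwks_uri deliberately still points at the
# internal runtime so that the check has something to flag.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://isvaop.ibm.com:445/isvaop",
    "authorization_endpoint": "https://isvaop.ibm.com:445/isvaop/oauth2/auth",
    "token_endpoint": "https://isvaop.ibm.com:445/isvaop/oauth2/token",
    "userinfo_endpoint": "https://isvaop.ibm.com:445/isvaop/userinfo",
    "jwks_uri": "https://isvaop-runtime.internal:8436/isvaop/jwks",
})

# Constructed WRP response headers that satisfy the recommendation.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

RESTRICTIVE_XFO = {"DENY", "SAMEORIGIN"}


def _origin(url):
    """(scheme, host, port) with the default port filled in."""
    default = 443 if url.scheme == "https" else 80
    return (url.scheme, url.hostname, url.port or default)


def check_discovery(discovery_json, base_url):
    """Return the metadata keys whose URL is not under base_url.

    An endpoint that still names the ISVAOP runtime directly means base_url
    was not updated: clients would bypass the WRP session management and ACLs.
    """
    base = urlsplit(base_url.rstrip("/"))
    bad = []
    for key, value in json.loads(discovery_json).items():
        if not (key in ("issuer", "jwks_uri") or key.endswith("_endpoint")):
            continue
        url = urlsplit(str(value))
        under_junction = url.path == base.path or url.path.startswith(base.path + "/")
        if _origin(url) != _origin(base) or not under_junction:
            bad.append(key)
    return bad


def check_response_headers(headers):
    """Return findings for the two headers the configuration step recommends."""
    findings = []
    lower = {name.lower(): value for name, value in headers.items()}

    xfo = lower.get("x-frame-options")
    if xfo is None:
        findings.append("x-frame-options missing")
    elif xfo.strip().upper() not in RESTRICTIVE_XFO:
        findings.append(f"x-frame-options is permissive: {xfo!r}")

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("content-security-policy missing")
    else:
        directives = {}  # directive name -> source list
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        ancestors = directives.get("frame-ancestors")
        if ancestors is None:
            findings.append("content-security-policy lacks frame-ancestors")
        elif "*" in ancestors:
            findings.append("frame-ancestors allows any origin")
    return findings


def fetch_through_poc(base_url):
    """Fetch the discovery document via the WRP; returns (body, headers)."""
    url = base_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8"), dict(resp.headers.items())


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check against a real point of contact
        base_url = sys.argv[1]
        body, headers = fetch_through_poc(base_url)
    else:  # offline run on the constructed sample data
        base_url, body, headers = SAMPLE_BASE_URL, SAMPLE_DISCOVERY, SAMPLE_HEADERS
    for key in check_discovery(body, base_url):
        print(f"endpoint not behind the WRP junction: {key}")
    for finding in check_response_headers(headers):
        print(f"header finding: {finding}")
```

Run it with the point-of-contact URL as the only argument to check a live deployment; with no argument it runs against the constructed sample and reports jwks_uri, the one URL that still names the internal runtime. The origin comparison fills in the default port so that a base_url written without an explicit port still matches.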
Authentication
IBM Security Verify Access OIDC Provider does not embed an authentication service. It relies on the Web Reverse Proxy (WRP) as the point of contact for authentication, or uses Verify Access Advanced Access Control directly. In both cases the Verify Access WRP acts as the session manager and is configured to forward the session credentials (as a JSON Web Token) to ISVAOP. Because the WRP, not ISVAOP, enforces authentication, the ISVAOP runtime should be reachable only through the junction; a client that can reach the runtime host directly would not pass the WRP's ACLs.
The recommended approach is to use the Web Reverse Proxy to mediate and manage authentication.
By default, the ISVA Web Reverse Proxy acts as the point of contact for IBM Security Verify Access OIDC Provider. The point-of-contact wizard attaches an anyauth ACL to the /{junction}/oauth2/auth endpoint. When a flow that requires user authentication, such as the authorization code grant, reaches ISVAOP, it redirects to this endpoint so that the WRP authenticates the user before the request proceeds.
No additional configuration is required for this.