Configuring IBM Security Verify Access

Configuring IBM Security Verify Access (ISVA) Web Reverse Proxy

IBM Security Verify Access (ISVA) Web Reverse Proxy acts as the point of contact for the IBM Security Verify Access OIDC Provider (ISVAOP).

The minimum version required for the IBM Security Verify Access OIDC Provider is 10.0.6.0.

The steps below must be followed to configure ISVA:

  • Configure the OAuth and OpenID Connect Provider Configuration: navigate to Web -> Reverse Proxy and select the reverse proxy that you want to configure as the point of contact.

  • Navigate to Manage -> AAC and Federation Configuration -> OAuth and OpenID Connect Provider Configuration.

  • Select ISVA OIDC container based provider.

  • Navigate to the IBM Security Verify Access OIDC Provider Runtime tab. Provide the ISVAOP runtime details such as Host name, Port, Junction and the option to Load Certificate. Click on Next.

  • Reuse certificates and Reuse ACLs are selected by default; uncheck them to change the default behavior. Click on Finish.

  • (Recommended) Set the content-security-policy and x-frame-options headers to restrictive values. Navigate to Web -> Edit Configuration File and update the [rsp-header-names] stanza to the desired values.

  • Deploy pending changes and restart reverse proxy. In the case of a container deployment of Verify Access, you will also need to publish the container configuration before restarting the Web Reverse Proxy container.

  • Once this is completed, update the base_url in the provider.yml to https://<proxy>:<port>/{junction}. This is the point-of-contact URL to access ISVAOP and is used to update the OpenID Connect Discovery Metadata endpoints.

definition:
  ...
  # Other configuration
  base_url: https://isvaop.ibm.com:445/{junction}                      # Base url of the endpoints.

Authentication

IBM Security Verify Access OIDC Provider does not embed an authentication service. It relies on the Web Reverse Proxy (WRP) as a point-of-contact for authentication or directly uses Verify Access Advanced Access Control. In both cases, Verify Access WRP acts as the session manager and is configured to forward session credentials (as a JSON Web Token) to ISVAOP.

The recommended approach is to use the Web Reverse Proxy to mediate and manage authentication.

ISVA Web Reverse Proxy acts as the point of contact for the IBM Security Verify Access OIDC Provider by default. The POC wizard configures an anyauth ACL on the /{junction}/oauth2/auth endpoint. When a specific flow, such as the authorization code grant flow, requires authentication, ISVAOP redirects to this endpoint to initiate user authentication.

No additional configuration is required for this.
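The base_url step and the anyauth ACL on /{junction}/oauth2/auth, as an added example that is not part of the IBM documentation: a Python check that reads base_url from a provider.yml fragment, fills in the junction name, and verifies that the discovery metadata published through the point of contact stays behind that URL and that the authorization endpoint is the path the ACL protects. The hostname, ports, junction name and discovery document are constructed.

```python
"""Consistency check for an ISVAOP point-of-contact configuration.

Added example, not IBM's code: verifies that every endpoint in a discovery
document sits behind the configured base_url and that the authorization
endpoint is the /{junction}/oauth2/auth path the POC wizard protects."""
import json
import re
from urllib.parse import urlsplit

# Constructed provider.yml fragment mirroring the page's example.
PROVIDER_YML = """
definition:
  # Other configuration
  base_url: https://isvaop.ibm.com:445/{junction}   # Base url of the endpoints.
"""

# Constructed discovery metadata; jwks_uri deliberately exposes an internal port.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://isvaop.ibm.com:445/isvaop",
    "authorization_endpoint": "https://isvaop.ibm.com:445/isvaop/oauth2/auth",
    "token_endpoint": "https://isvaop.ibm.com:445/isvaop/oauth2/token",
    "jwks_uri": "https://isvaop.ibm.com:9443/isvaop/jwks",
    "response_types_supported": ["code"],
})

def read_base_url(yml_text, junction):
    """Return base_url from provider.yml with {junction} filled in (regex, no PyYAML)."""
    m = re.search(r"^\s*base_url:\s*(\S+)", yml_text, re.MULTILINE)
    if not m:
        raise ValueError("base_url not found in provider.yml")
    return m.group(1).replace("{junction}", junction.strip("/"))

def check_discovery(base_url, discovery_json):
    """Return names of URL-valued metadata entries that are not under base_url."""
    base = urlsplit(base_url)
    prefix = base.path.rstrip("/") + "/"
    bad = []
    for name, value in json.loads(discovery_json).items():
        if not isinstance(value, str) or not value.startswith("http"):
            continue  # lists such as response_types_supported are not URLs
        u = urlsplit(value)
        same_origin = (u.scheme, u.netloc) == (base.scheme, base.netloc)
        under_junction = u.path == base.path or u.path.startswith(prefix)
        if not (same_origin and under_junction):
            bad.append(name)
    return bad

def auth_endpoint_ok(base_url, discovery_json):
    """True if authorization_endpoint is exactly base_url + /oauth2/auth."""
    return json.loads(discovery_json).get("authorization_endpoint") == base_url.rstrip("/") + "/oauth2/auth"
```

Run it against the discovery document served at https://<proxy>:<port>/{junction}/.well-known/openid-configuration after deploying; any entry it reports points somewhere other than the Web Reverse Proxy point of contact.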