We Have Moved

The IBM Application Gateway has a new home -

The documentation on this site will no longer be maintained after v21.02; please update your bookmarks.


The YAML file provided below contains an example configuration for an IBM Application Gateway (IAG) container which:

  1. Configures an IBM Security Verify tenant as the identity provider using OIDC;
  2. Defines a single Web application which will be proxied by the IAG;
  3. Defines an authorization policy for the Web application which will enforce second-factor (2FA) authentication.

Example YAML File

version: "21.02"

# Configure an IAG container to proxy a single Web application, and define
# an authorization policy for the Web application. The authorization policy
# will enforce that a particular ACR is present in the token received from
# IBM Security Verify.

# Specify an IBM Security Verify tenant as the identity provider for the 
# container.  Please note that the values provided below are for illustrative
# purposes only and don't reflect a real tenant.  A free tenant can be created 
# using the instructions found at the following URL:
# The discovery endpoint has the following format:
#    https://<verify host>/oidc/endpoint/default/.well-known/openid-configuration
# The redirect URI which is used in the SSO flow is constructed from the host 
# header contained in the request, appended with '/pkmsoidc' (for example: 
#  This redirect URI should be
# specified when creating the custom application within the CI administrators
# console.

identity:
  oidc:
    discovery_endpoint: ""
    client_id: "300141b6-690b-4e4e-862d-2c96da2bb1ba"
    client_secret: "wPP8rM8N0d"

# Define a resource server which will be hosted at the '/static' path of the
# IAG container.  A single Web server, located at, 
# hosts the resource server.

resource_servers:
  - path: "/static"
    connection_type: "tcp"
    servers:
      - host: ""
        port: 1337
    transparent_path: false

# The following authorization policy will enforce that the current credential
# contains the 'acr' attribute with the value 'urn:ibm:security:policy:id:2'.
# If the 'acr' is any other value, this policy will obligate that 
# authentication should take place again and indicate to the identity provider
# that we want the 'urn:ibm:security:policy:id:2' authentication experience to
# take place.
# Note that:
#  - The field which we receive from the identity provider is 'acr', this is 
#    stored in the credential and can be used in our policy rule authoring.
#  - The parameter we send to the identity provider during authentication is
#    named 'acr_values', this is a space separated string of authentication
#    experiences that IAG as a relying party is asking to take place.


policies:
  authorization:
    - name: "enforce_2fa"
      paths:
        - "*"
      rule: 'acr != "urn:ibm:security:policy:id:2"'
      action: "obligate"
      obligation:
        oidc:
          acr_values: "urn:ibm:security:policy:id:2"

    - name: "permit_with_2fa"
      paths:
        - "*"
      rule: 'acr = "urn:ibm:security:policy:id:2"'
      action: "permit"

    - name: "deny_access"
      paths:
        - "*"
      rule: "()"
      action: "deny"
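
The relying-party decision that this policy encodes, written out as an added Python example (not IAG code and not part of the original page): it checks the returned 'acr' claim and, when it is not the required value, builds the re-authentication request that carries 'acr_values'. The endpoint, client id, host name, state values and sample claims are constructed placeholders, and the claims are assumed to come from a token that has already been validated.

```python
from urllib.parse import urlencode

REQUIRED_ACR = "urn:ibm:security:policy:id:2"  # value used in the policy above
# Constructed placeholders (assumptions): in practice the endpoint is the
# 'authorization_endpoint' field of the discovery document.
AUTHZ_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "example-client-id"


def step_up_url(host_header, acr_values, state):
    """Build the authentication request that the 'obligate' action stands for."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": CLIENT_ID,
        # Redirect URI = host header + '/pkmsoidc', as the comments above
        # describe (https scheme assumed).
        "redirect_uri": f"https://{host_header}/pkmsoidc",
        # Caller keeps 'state' and compares it when the callback arrives.
        "state": state,
        # 'acr_values' is a space-separated list, in order of preference.
        "acr_values": " ".join(acr_values),
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def decide(claims, host_header, state):
    """Return (action, redirect_url) for already-validated token claims."""
    # Exact match on the returned 'acr': asking for an experience through
    # 'acr_values' does not guarantee the identity provider performed it.
    if claims.get("acr") == REQUIRED_ACR:
        return ("permit", None)
    # Any other value, or no 'acr' at all (treated the same here, which is an
    # assumption of this sketch), leads to authentication taking place again.
    return ("obligate", step_up_url(host_header, [REQUIRED_ACR], state))


if __name__ == "__main__":
    # Constructed sample claims, not taken from a real tenant.
    samples = ({"sub": "alice", "acr": "urn:ibm:security:policy:id:1"},
               {"sub": "alice", "acr": REQUIRED_ACR},
               {"sub": "alice"})
    for claims in samples:
        action, url = decide(claims, "iag.example", "constructed-state")
        print(claims.get("acr"), "->", action, url or "")
```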