
Configuring OAuth Introspection with IBM Security Verify

Introduction

IBM Security Verify provides identity-as-a-service for employees, including SSO, multifactor authentication, and user lifecycle management. It can be used as an Identity Provider by the IBM Application Gateway (IAG) using OAuth Introspection (as depicted below).

OAuth Introspection Flow

Prerequisites

Before attempting to configure IBM Security Verify as an identity provider for IAG:

  1. You need an IBM Security Verify tenant. If you do not already have an IBM Security Verify tenant, a free tenant can be obtained from https://www.ibm.com/account/reg/au-en/signup?formid=urx-36648.
  2. You need to create an API client in your IBM Security Verify tenant. Information on how to do this can be obtained from the Protecting Web Applications with IBM Security Verify page. When creating the API client, take special note of the created client ID and secret.

Configuration

The IBM Security Verify configuration is contained within the 'identity/oauth' node of the IAG configuration YAML:

  • A description of the configuration options is available from the oauth page within the YAML reference. A minimal configuration requires the following configuration data:

    • Name
    • Introspection Endpoint
    • Client Identity
    • Client Secret
    • Attributes
  • An example configuration file is also available in the OAuth Configuration example page.
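
The minimal configuration data listed above maps onto an RFC 7662 token introspection exchange. The following Python sketch is an added example, not IBM's code and not part of the IAG configuration: it builds the introspection request and evaluates a decoded response. The endpoint URL, credentials and sample responses are constructed placeholders, and HTTP Basic client authentication is an assumption about how the API client authenticates.

```python
import base64
import time
import urllib.parse
import urllib.request


def build_introspection_request(endpoint, client_id, client_secret, token):
    """Build (without sending) an RFC 7662 token introspection request."""
    if urllib.parse.urlsplit(endpoint).scheme != "https":
        # The client secret and the user's token both travel in this request.
        raise ValueError("introspection endpoint must use https")
    # Assumption: the API client authenticates with HTTP Basic (RFC 6749 2.3.1).
    pair = ":".join(urllib.parse.quote_plus(v) for v in (client_id, client_secret))
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    return urllib.request.Request(
        endpoint,
        data=body.encode(),
        method="POST",
        headers={
            "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def evaluate_introspection(claims, wanted_attributes, now=None):
    """Return (accepted, attributes) for a decoded introspection response."""
    now = time.time() if now is None else now
    # "active" is the only required member; anything but literal true is a reject.
    if claims.get("active") is not True:
        return False, {}
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        return False, {}
    # Keep only the attributes the caller asked for, if the response has them.
    return True, {k: claims[k] for k in wanted_attributes if k in claims}


if __name__ == "__main__":
    # Constructed values: placeholder endpoint, credentials and responses.
    req = build_introspection_request(
        "https://tenant.example/introspect", "CLIENT_ID", "CLIENT_SECRET", "abc.def")
    print(req.get_method(), req.full_url, req.data)
    sample = {"active": True, "sub": "user-1", "scope": "openid", "exp": 2000}
    print(evaluate_introspection(sample, ["sub", "scope"], now=1000))
    print(evaluate_introspection({"active": "true"}, ["sub"], now=1000))
```

Sending the built request with the real tenant endpoint and API client credentials is a quick way to confirm the client ID and secret work before placing them in the IAG YAML.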