Protect enterprise applications with single sign-on (SSO) and monitor their usage using IBM Security Verify

IBM Security Verify provides identity-as-a-service for every user, including single sign-on (SSO), risk-based multi-factor authentication (MFA) and adaptive access, user lifecycle management, and identity analytics.

In this tutorial, you will learn how to:

  • Add and configure a custom application on Security Verify for SSO
  • Modify a Java application for SSO using Spring Security
  • Monitor the usage of the application on Security Verify

Prerequisites

  • IBM Security Verify account. After you sign up for an account, the account URL (https://[tenant name].verify.ibm.com/ui/admin) is sent in an email.

When you create your account, you are added to it with an admin account.

Estimated time

Completing this tutorial should take about 30 minutes.

Steps

Add a custom application on IBM Security Verify

  1. Log in to Security Verify. Use the URL for your admin account that was sent to you in the confirmation email: https://[tenant name].verify.ibm.com/ui/admin.

  2. Select Applications from the menu on the left.

  3. To add an application, click Add application.

  4. Select Custom Application as the application type, then click Add application.

    Adding an application dialog in IBM Security Verify

  5. Specify a name for the application. Then, on the General tab, specify a company name.

    Security Verify dialog for adding a custom application

  6. Click the Sign-on tab. Configure SSO using OpenID Connect authentication with the Authorization code grant. Specify these values:

    • For the Sign-on method, select Open ID Connect 1.0.
    • For the Application URL, enter http://localhost:8080.
    • For the Grant types, check Authorization code.
    • Uncheck Require proof key for code exchange (PKCE) verification.
    • For Redirect URIs, enter http://localhost:8080/login.

    Security Verify dialog for configuring SSO settings

    Click Save to save this SSO configuration.

  7. Click the Entitlements tab. For the Access Type, select Automatic access for all users and groups. Click Save to save the custom application.

Note down the application settings and endpoints

To set up SSO in the Java application, you need the application settings and endpoints.

  1. From the Security Verify menu, click Applications.

  2. From the Applications list, select the row with the custom app you just created, and then click the Settings icon.

    Security Verify dialog for application settings

  3. Click the Sign-on tab. Note down the client ID and the client secret.

    Security Verify dialog for application credentials

  4. In the far right information pane, note down the IBM Security Verify endpoint.

    Security Verify dialog for Security Verify endpoints

  5. In a new browser window, open the IBM Security Verify endpoint. Then, note down the following endpoints: authorization_endpoint, token_endpoint, and userinfo_endpoint.

    Security Verify dialog for other endpoints

Deploy a sample Java application

  1. Clone the GitHub repo that contains a sample Java application.

     git clone https://github.com/IBM/custom-javaapp-security-verify-tutorial.git
    
  2. On your local system, go to the resources directory: custom-javaapp-security-verify-tutorial/src/main/resources/.

  3. Edit the application.yml file. Using the application settings and endpoints you noted down in the previous step, set clientId, clientSecret, accessTokenUri, userAuthorizationUri, and userInfoUri to the Client ID, Client secret, token_endpoint, authorization_endpoint, and userinfo_endpoint values, respectively.

    Make sure that there is a space after the colon for every entry. If there is no space, the application.yml file does not load correctly.

     security:
       oauth2:
         client:
           # Client ID and Client secret from the Sign-on tab
           clientId: 317xxxxxxxxxxxxxxxxx2717d
           clientSecret: LXuxxxxxZ4
           # token_endpoint
           accessTokenUri: https://xxxx.verify.ibm.com/v1.0/endpoint/default/token
           # authorization_endpoint
           userAuthorizationUri: https://xxxx.verify.ibm.com/v1.0/endpoint/default/authorize
           tokenName: access_token
           authorizedGrantTypes: authorization_code
           authenticationScheme: form
           clientAuthenticationScheme: form
           scope: openid,profile,email
         resource:
           # userinfo_endpoint
           userInfoUri: https://xxxx.verify.ibm.com/v1.0/endpoint/default/userinfo
     server:
       port: 8080
    
  4. Run the sample Java application from the custom-javaapp-security-verify-tutorial folder:

     mvn spring-boot:run
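
A check for the filled-in application.yml from step 3, as an added example that is not part of the tutorial's repository: it flags entries with no space after the colon, and any of the three URIs that is not HTTPS, is not on your tenant host, or differs from the endpoint document you noted down earlier. The tenant name, credentials and YAML text are constructed placeholders, and requiring HTTPS on the tenant host is this example's assumption.

```python
import json
import re
from urllib.parse import urlparse

# application.yml key -> key in the JSON served at the Security Verify endpoint
URI_KEYS = {
    "accessTokenUri": "token_endpoint",
    "userAuthorizationUri": "authorization_endpoint",
    "userInfoUri": "userinfo_endpoint",
}

def check_application_yml(yml_text, discovery_json, tenant_host):
    """Return a list of problems found in a filled-in application.yml."""
    discovery = json.loads(discovery_json)
    problems, seen = [], {}
    for n, line in enumerate(yml_text.splitlines(), 1):
        m = re.match(r"\s*(\w+)\s*:(.*)$", line)  # simple "key: value" lines only
        if m:
            key, rest = m.groups()
            if rest and not rest[0].isspace():
                problems.append(f"line {n}: no space after the colon in '{key}'")
            seen[key] = rest.strip()
    for key, doc_key in URI_KEYS.items():
        parts = urlparse(seen.get(key, ""))  # a missing key fails the https check
        if parts.scheme != "https":
            problems.append(f"{key}: must be an https URL")
        elif parts.hostname != tenant_host:
            problems.append(f"{key}: host is not {tenant_host}")
        elif seen.get(key) != discovery.get(doc_key):
            problems.append(f"{key}: differs from {doc_key}")
    return problems

# Constructed sample data: placeholder tenant and credentials, three seeded mistakes.
BASE = "https://example-tenant.verify.ibm.com/v1.0/endpoint/default"
SAMPLE_DISCOVERY = json.dumps({"authorization_endpoint": BASE + "/authorize",
                               "token_endpoint": BASE + "/token",
                               "userinfo_endpoint": BASE + "/userinfo"})
SAMPLE_YML = f"""security:
  oauth2:
    client:
      clientId: constructed-client-id
      clientSecret:constructed-secret
      accessTokenUri: https://other-tenant.verify.ibm.com/v1.0/endpoint/default/token
      userAuthorizationUri: {BASE}/authorize
    resource:
      userInfoUri: http://example-tenant.verify.ibm.com/v1.0/endpoint/default/userinfo
"""

print("\n".join(check_application_yml(SAMPLE_YML, SAMPLE_DISCOVERY, "example-tenant.verify.ibm.com")))
```
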

Add a new user to Security Verify

Add yourself as a user, to test out the SSO for the Java application. Make sure that you use a different email address than the one you used when you created your Security Verify account.

  1. From the Security Verify menu, click Users & Groups.

  2. Click Add user.

  3. In the Add user dialog, select Cloud Directory for Identity source. Then, enter values for Given name, Surname, User name, and Work e-mail. Make sure that you use a different email address than the one you used when you created your Security Verify account. Click Save.

    Security Verify dialog for adding users

  4. Check the email account for a confirmation mail from Security Verify. The email contains a temporary password and a link to log in to Security Verify. Log in to Security Verify and change your password.

    Security Verify dialog for confirming email

Access the application using SSO

  1. Open a new browser window. Clear the browser cache.

  2. Navigate to http://localhost:8080. This will redirect you to the Security Verify authentication page. Enter your credentials and click Continue to provide access. The application page is shown.

    Animated GIF showing the custom app using SSO for login

These endpoints are also protected: http://localhost:8080/user and http://localhost:8080/userInfo. To test them, open a new private (or incognito) browser window. Access one of the above endpoints, and it will redirect to Security Verify for authentication.

Monitor application usage

To monitor how much an application is accessed, you can generate a report for it.

  1. From the Security Verify menu, click Reports.

  2. In the Application usage box, select the application, and then click View report.

  3. View the user activity for the application.

    Security Verify dialog for the application report

Summary and next steps

In this tutorial, you added SSO to a custom Java application with Security Verify. You saw how the OpenID Connect client is configured using Spring Security to work with Security Verify.

Next, explore how to add SSO to Node, Android, or iOS applications.