IBM Security Verify provides identity-as-a-service for every user, including single sign-on (SSO), risk-based multi-factor authentication (MFA) and adaptive access, user lifecycle management, and identity analytics.
In this tutorial, you will learn how to:
- Add and configure a custom application on Security Verify for SSO
- Modify a Java application for SSO using Spring Security
- Monitor the usage of the application on Security Verify
Prerequisites
- IBM Security Verify account. After you sign up for an account, the account URL (https://[tenant name].verify.ibm.com/ui/admin) is sent in an email.
When you create your account, you are added with an admin account.
Estimated time
Completing this tutorial should take about 30 minutes.
Steps
Add a custom application on IBM Security Verify
Log in to Security Verify. Use the URL for your admin account that was sent to you in the confirmation email: https://[tenant name].verify.ibm.com/ui/admin.
Select Applications from the menu on the left.
To add an application, click Add application.
Select Custom Application as the application type, then click Add application.
Specify a name for the application. Then, on the General tab, specify a company name.
Click the Sign-on tab. Configure SSO using the OpenID Connect based authentication with Authorization code scheme. Specify these values:
- For the Sign-on method, select Open ID Connect 1.0.
- For the Application URL, enter http://localhost:8080.
- For the Grant types, check Authorization code.
- Uncheck Require proof key for code exchange (PKCE) verification.
- For Redirect URIs, enter http://localhost:8080/login.
Click Save to save this SSO configuration.
Click the Entitlements tab. For the Access Type, select Automatic access for all users and groups. Click Save to save the custom application.
Note down the application settings and endpoints
To set up SSO in the Java application, you need the application settings and endpoints.
From the Security Verify menu, click Applications.
From the Applications list, select the row with the custom app you just created, and then click the Settings icon.
Click the Sign-on tab. Note down the client ID and the client secret.
In the far right information pane, note down the IBM Security Verify endpoint.
In a new browser window, open the IBM Security Verify endpoint. Then, note down the following endpoints: authorization_endpoint, token_endpoint, and userinfo_endpoint.
Deploy a sample Java application
Clone the GitHub repo that contains a sample Java application.
git clone https://github.com/IBM/custom-javaapp-security-verify-tutorial.git
On your local system, go to the resources directory: custom-javaapp-security-verify-tutorial/src/main/resources/.
Edit and configure the application.yml file. With the application settings and endpoints you noted down in the previous step, fill in the clientId, clientSecret, accessTokenUri, userAuthorizationUri and userInfoUri with the Client ID, Client secret, token_endpoint, authorization_endpoint and userinfo_endpoint information.
Make sure that there is a space after the colon for every entry. If there is no space, the application.yml file does not load correctly.
security:
  oauth2:
    client:
      clientId: 317xxxxxxxxxxxxxxxxx2717d
      clientSecret: LXuxxxxxZ4
      accessTokenUri: https://xxxx.verify.ibm.com/v1.0/endpoint/default/token
      userAuthorizationUri: https://xxxx.verify.ibm.com/v1.0/endpoint/default/authorize
      tokenName: access_token
      authorizedGrantTypes: authorization_code
      authenticationScheme: form
      clientAuthenticationScheme: form
      scope: openid,profile,email
    resource:
      userInfoUri: https://xxxx.verify.ibm.com/v1.0/endpoint/default/userinfo
server:
  port: 8080
Run the sample Java application from the custom-javaapp-security-verify-tutorial folder:
mvn spring-boot:run
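The endpoint-to-key mapping used for application.yml above can be scripted so that a mistyped or off-tenant endpoint is caught before the client secret is ever sent to it. The following is an added example, not code from the tutorial's repository; the tenant name, client ID, and discovery JSON are constructed placeholders, and the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Discovery field -> application.yml key, following the tutorial's mapping.
ENDPOINT_KEYS = {
    "token_endpoint": "accessTokenUri",
    "authorization_endpoint": "userAuthorizationUri",
    "userinfo_endpoint": "userInfoUri",
}

# Constructed sample of the JSON served at the IBM Security Verify endpoint.
SAMPLE_HOST = "example-tenant.verify.ibm.com"  # placeholder tenant
BASE = f"https://{SAMPLE_HOST}/v1.0/endpoint/default"
SAMPLE_DISCOVERY = json.dumps({
    "authorization_endpoint": f"{BASE}/authorize",
    "token_endpoint": f"{BASE}/token",
    "userinfo_endpoint": f"{BASE}/userinfo",
})


def endpoints_for_yaml(discovery_json, tenant_host):
    """Map the three endpoints to YAML keys; reject non-HTTPS or off-tenant URLs."""
    doc = json.loads(discovery_json)
    mapped = {}
    for field, key in ENDPOINT_KEYS.items():
        parts = urlsplit(doc.get(field) or "")
        if parts.scheme != "https" or parts.hostname != tenant_host.lower():
            raise ValueError(f"{field} must be an https URL on {tenant_host}")
        mapped[key] = doc[field]
    return mapped


def render_application_yml(discovery_json, tenant_host, client_id, client_secret):
    """Build application.yml text; json.dumps quotes values so YAML reads them as strings."""
    ep = endpoints_for_yaml(discovery_json, tenant_host)
    q = json.dumps
    return "\n".join([
        "security:", "  oauth2:", "    client:",
        f"      clientId: {q(client_id)}",
        f"      clientSecret: {q(client_secret)}",
        f"      accessTokenUri: {q(ep['accessTokenUri'])}",
        f"      userAuthorizationUri: {q(ep['userAuthorizationUri'])}",
        "      tokenName: access_token",
        "      authorizedGrantTypes: authorization_code",
        "      authenticationScheme: form",
        "      clientAuthenticationScheme: form",
        "      scope: openid,profile,email",
        "    resource:",
        f"      userInfoUri: {q(ep['userInfoUri'])}",
        "server:", "  port: 8080",
    ]) + "\n"
```

Quoting the values also keeps a client secret that contains `:` or `#` from being misread by the YAML parser.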
Add a new user to Security Verify
Add yourself as a user, to test out the SSO for the Java application. Make sure that you use a different email address than the one you used when you created your Security Verify account.
From the Security Verify menu, click Users & Groups.
Click Add user.
In the Add user dialog, select Cloud Directory for Identity source. Then, enter values for Given name, Surname, User name, and Work e-mail. Make sure that you use a different email address than the one you used when you created your Security Verify account. Click Save.
Check the email account for a confirmation mail from Security Verify. The email contains a temporary password and a link to log in to Security Verify. Log in to Security Verify and change your password.
Access the application using SSO
Open a new browser window. Clear the browser cache.
Navigate to http://localhost:8080. This redirects you to the Security Verify authentication page. Enter your credentials and click Continue to provide access. The application page is shown.
These endpoints are also protected: http://localhost:8080/user and http://localhost:8080/userInfo. To test them, open a new private (or incognito) browser window. Access one of the above endpoints, and it will redirect to Security Verify for authentication.
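When testing the redirect, it is worth confirming that the authorization request carries exactly what was registered on the Sign-on tab. The following check is an added example, not part of the tutorial or its sample application; the tenant, client ID, state value, and Location URL are constructed placeholders, and the function name is hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Value registered under Redirect URIs on the Sign-on tab in this tutorial.
REGISTERED_REDIRECT_URI = "http://localhost:8080/login"

# Constructed sample: authorization_endpoint, client ID and the Location header
# of the redirect that reaches Security Verify (placeholder tenant and values).
SAMPLE_AUTHORIZE = "https://example-tenant.verify.ibm.com/v1.0/endpoint/default/authorize"
SAMPLE_CLIENT_ID = "client-id-placeholder"
SAMPLE_LOCATION = (
    SAMPLE_AUTHORIZE
    + "?client_id=client-id-placeholder"
    + "&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin"
    + "&response_type=code&scope=openid%20profile%20email&state=Xy7Qp2"
)


def check_authorization_redirect(location, authorize_endpoint, client_id):
    """Return the list of problems in an authorization request URL (empty if none)."""
    parts = urlsplit(location)
    params = parse_qs(parts.query)

    def first(name):
        return params.get(name, [""])[0]

    problems = []
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != authorize_endpoint:
        problems.append("target is not the configured authorization_endpoint")
    if first("client_id") != client_id:
        problems.append("client_id differs from the registered client ID")
    if first("response_type") != "code":
        problems.append("response_type is not 'code' (Authorization code grant)")
    if first("redirect_uri") != REGISTERED_REDIRECT_URI:
        problems.append("redirect_uri is not the registered http://localhost:8080/login")
    if "openid" not in first("scope").split():
        problems.append("scope does not include openid")
    if not first("state"):
        problems.append("state is missing, so the callback is not bound to this session")
    return problems
```

The URL to check can be copied from the browser's network tab: it is the request that leaves localhost for the Security Verify authorization_endpoint.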
Monitor application usage
To monitor how much an application is accessed, you can generate a report for it.
From the Security Verify menu, click Reports.
In the Application usage box, select the application, and then click View report.
View the user activity for the application.
Summary and next steps
In this tutorial, you added SSO to a custom Java application with Security Verify. You saw how the OpenID Connect client is configured using Spring Security to work with Security Verify.
Next, explore how to add SSO to Node, Android, or iOS applications.