Protect enterprise applications with single sign-on (SSO) and monitor their usage using IBM Security Verify

IBM Security Verify provides identity-as-a-service for every user, including single sign-on (SSO), risk-based multi-factor authentication (MFA) and adaptive access, user lifecycle management, and identity analytics.

In this tutorial, you will learn how to:

• Add and configure a custom application on Security Verify for SSO
• Modify a Java application for SSO using Spring Security
• Monitor the usage of the application on Security Verify

Prerequisites

• IBM Security Verify account. After you sign up for an account, the account URL (https://[tenant name].verify.ibm.com/ui/admin) is sent in an email.

When you create your account, you are added with an admin account.

• Maven

• Java

• Git client

Estimated time

Completing this tutorial should take about 30 minutes.

Steps

Add a custom application on IBM Security Verify

1. Login to Security Verify. Use the URL for your admin account that was sent to you in the confirmation email: https://[tenant name].verify.ibm.com/ui/admin.

2. Select Applications from the menu on the left.

3. To add an application, click Add application.

4. Select Custom Application as the application type, then click Add application.

5. Specify a name for the application. Then, on the General tab, specify a company name.

1. Click the Sign-on tab. Configure SSO using the OpenID Connect based authentication with Authorization code scheme. Specify these values:

   • For the Sign-on method, select Open ID Connect 1.0.
   • For the Application URL, enter http://localhost:8080.
   • For the Grant types, check Authorization code.
   • Uncheck Require proof key for code exchange (PKCE) verification.

   • For Redirect URIs, enter http://localhost:8080/login.

     Click Save to save this SSO configuration.

2. Click the Entitlements tab. For the Access Type, select Automatic access for all users and groups. Click Save to save the custom application.

Note down the application settings and endpoints

To set up SSO in the Java application, you need the application settings and endpoints.

1. From the Security Verify menu, click Applications.

2. From the Applications list, select the row with the custom app you just created, and then click the Settings icon.

3. Click the Sign-on tab. Note down the client ID and the client secret.

4. In the far right information pane, note down the IBM Security Verify endpoint.

5. In a new browser window, open the IBM Security Verify endpoint. Then, note down the following endpoints: authorization_endpoint, token_endpoint, and userinfo_endpoint.

Deploy a sample Java application

1. Clone the GitHub repo that contains a sample Java application.

    git clone https://github.com/IBM/custom-javaapp-security-verify-tutorial.git
   

   Show more

2. On your local system, go to the resources directory: custom-javaapp-security-verify-tutorial/src/main/resources/.

3. Edit and configure the application.yml file. With the application settings and endpoints you noted down in the previous step, fill in the clientId, clientSecret, accessTokenUri,userAuthorizationUri and userInfoUri with the Client ID,Client secret, token_endpoint,authorization_endpoint and userinfo_endpoint information.

   Make sure that there is a space after the colon for every entry. If there is no space, the application.yml file does not load correctly.

    security:
      oauth2:
        client:
          clientId: 317xxxxxxxxxxxxxxxxx2717d
          clientSecret: LXuxxxxxZ4
          accessTokenUri: https://xxxx.verify.ibm.com/v1.0/endpoint/default/token
          userAuthorizationUri: https://xxxx.verify.ibm.com/v1.0/endpoint/default/authorize
          tokenName: access_token
          authorizedGrantTypes: authorization_code
          authenticationScheme: form
          clientAuthenticationScheme: form
          scope: openid,profile,email
        resource:
          userInfoUri: https://xxxx.verify.ibm.com/v1.0/endpoint/default/userinfo
    server:
      port : 8080
   

   Show more

4. Run the sample java application from the custom-javaapp-security-verify-tutorial folder:

mvn spring-boot:run

Add a new user to Security Verify

Add yourself as a user, to test out the SSO for the Java application. Make sure that you use a different email address than the one you used when you created your Security Verify account.

1. From the Security Verify menu, click Users & Groups.

2. Click Add user.

3. In the Add user dialog, select Cloud Directory for Identity source. Then, enter values for Given name, Surname, User name, and Work e-mail. Make sure that you use a different email address than the one you used when you created your Security Verify account. Click Save.

4. Check the email account for a confirmation mail from Security Verify. The email contains a temporary password and a link to login to Security Verify. Login to Security Verify and change your password.

Access the application using SSO

1. Open a new browser window. Clear all the browser cache.

2. Navigate to http://localhost:8080. This will re-direct you to the Security Verify authentication page. Enter your credentials and click Continue to provide access. The application page is shown.

These endpoints are also protected: http://localhost:8080/user and http://localhost:8080/userInfo. To test them, open a new private (or incognito) browser window. Access one of the above endpoints, and it will redirect to Security Verify for authentication.

Monitor application usage

To monitor how much an application is accessed, you can generate a report for it.

1. From the Security Verify menu, click Reports.

2. In the Application usage box, select the application, and then click View report.

3. View the user activity for the application.

Summary and next steps

In this tutorial, you added SSO to a custom Java application with Security Verify. You saw how the OpenID Connect client is configured using Spring Security to work with Security Verify.

Next, explore how to add SSO to Node, Android, or iOS applications.