Versions Compared

Old Version 6

changes.mady.by.user Phillip Hanegan

Saved on

compared with

New Version 7

changes.mady.by.user Phillip Hanegan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Insert excerpt
IL:External Directory Prerequisites V21
IL:External Directory Prerequisites V21
nopaneltrue

Step 1 – Create an IBM Security Verify Access account store

  1. On the navbar, expand Admin > Applications and Directories and select Account Stores and Systems.

  2. On the Account Stores page, select the Actions tab and then click Create Account Store.

     

  3. Under System Types, search for IBM Security.

  4. Click the IBM Security Verify Access record to select the type and then click Submit.


    This opens the IBM Security Verify Access Settings form, which is where you enter information that allows EmpowerID to connect to the system.

    Image RemovedImage Added

  5. On the IBM Security Verify Access Settings form, fill in the following information according to your authentication scenario:

Easy html macro
theme{"label":"solarized_dark","value":"solarized_dark"}
contentByMode{"html":"<doctype html></doctype>\n<link href=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC\" crossorigin=\"anonymous\">\n<script src=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js\" integrity=\"sha384-MrcW6ZMFYlzcLA8Nl+NtUVF0sA7MsXsP1UyJoMp4YLEuNSfAP+JcXn/tWtIaxVXM\" crossorigin=\"anonymous\"></script>\n<div class =\"bd-example\">\n<div class=\"accordion\" id=\"accordionExample\">\n <div class=\"accordion-item\">\n <h2 class=\"accordion-header\" id=\"headingOne\">\n <button class=\"accordion-button\" type=\"button\" data-bs-toggle=\"collapse\" data-bs-target=\"#collapseOne\" aria-expanded=\"true\" aria-controls=\"collapseOne\">\n Using EmpowerID for Authentication\n </button>\n </h2>\n <div id=\"collapseOne\" class=\"accordion-collapse collapse show\" aria-labelledby=\"headingOne\" data-bs-parent=\"#accordionExample\">\n <div class=\"accordion-body\">\n <p>Use this option when hosting the microservice outside of Azure.</p>\n <ul>\n <li><b>Name</b> - Enter a name for your account store</li>\n <li><b>Base DN</b> - Enter the root OU of the LDAP system, such as, \n <code><mark>dc=example,dc=com</mark></code></li>\n <li><b>SCIM Base URL</b> - Enter the URL for the SCIM app service. The base URL should include the \n version and look similar to the following: <br /><code><mark>http://192.168.87.106:8080/empoweridisam/scim/v2/</mark></code></li>\n <li><b>Use EmpowerID Authentication</b> - Select this option when using EmpowerID for authentication</li>\n <li><b>OAuth Application GUID</b> - Enter the GUID of the OAuth application you created for IBM Security Verify Access in EmpowerID.</li>\n <li><b>URL For Access Token</b> - Enter the URL to your EmpowerID environment, such as <code><mark>https://sso.empoweriam.com</mark></code>, where <code><mark>sso.empoweriam.com</mark></code>\n is the FQDN of your EmpowerID front-end server.</li>\n <li><b>Is Remote (Requires Cloud Gateway)</b> - This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, \n please see <a href=\"https://dotnetworkflow.jira.com/wiki/spaces/EAGV21/pages/2276065995/Install+the+Cloud+Gateway+Client\">Installing the EmpowerID Cloud Gateway Client</a>.</li>\n <li><b>Check For Deleted Objects</b> - Select this option to sync deleted objects. If this is not set to true,\n the connector will not disable deleted objects.</li>\n <li><b>Check For Deleted Objects Interval Minutes</b> - Specify the interval in minutes that EmpowerID should check for deleted objects.</li>\n </ul>\n </div>\n </div>\n </div>\n <div class=\"accordion-item\">\n <h2 class=\"accordion-header\" id=\"headingTwo\">\n <button class=\"accordion-button collapsed\" type=\"button\" data-bs-toggle=\"collapse\" data-bs-target=\"#collapseTwo\" aria-expanded=\"false\" aria-controls=\"collapseTwo\">\n Using Azure AD for Authentication\n </button>\n </h2>\n <div id=\"collapseTwo\" class=\"accordion-collapse collapse\" aria-labelledby=\"headingTwo\" data-bs-parent=\"#accordionExample\">\n <div class=\"accordion-body\">\n <p>Use this option when hosting the microservice in Azure.</p>\n <ul>\n <li><b>Name</b> - Enter a name for your account store</li>\n <li><b>Base DN</b> - Enter the root OU of the LDAP system, such as, <code><mark>dc=example,dc=com</mark></code></li>\n <li><b>SCIM Base URL</b> - Enter the URL for the SCIM app service. The base URL should include the \n version and look similar to the following: <br /><code><mark>http://192.168.87.106:8080/empoweridisam/scim/v2/</mark></code></li>\n <li><b>Application ID</b> - Enter the Client ID of the service principal application you registered in Azure for EmpowerID.</li>\n <li><b>Tenant ID</b> - Enter the Tenant ID for your Azure tenant hosting the app service.</li>\n <li><b>Is Remote (Requires Cloud Gateway)</b> - This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, \n please see <a href=\"https://dotnetworkflow.jira.com/wiki/spaces/EAGV21/pages/2276065995/Install+the+Cloud+Gateway+Client\">Installing the EmpowerID Cloud Gateway Client</a>.</li>\n <li><b>Azure App Certificate Thumbprint</b> - Enter the thumbprint of the certificate you uploaded to Azure for the service principal application</li>\n <li><b>Check For Deleted Objects</b> - Select this option to sync deleted objects. If this is not set to true,\n the connector will not disable deleted objects.</li>\n <li><b>Check For Deleted Objects Interval Minutes</b> - Specify the interval in minutes that EmpowerID should check for deleted objects.</li>\n </ul>\n </div>\n </div>\n </div>\n </div>\n <br />\n <ol start=\"5\">\n <li>When ready, click <b>Submit</b>.</li>\n </ol>\n</div>","javascript":"","css":""}
EmpowerID creates the account store and the associated resource system. The next step is to verify the resource system parameters.
Step 2 – Verify Resource System Configuration Parameters
  1. On the navbar, expand Admin > Applications and Directories and select Account Stores and Systems.
  2. On the Find Account Store page, select the Account Stores tab and search for the IBM Security Verify Access account store you just created.
  3. Click the Account Store link for the account store.
    Image Added

    This directs you to the Account Store and Resource System page for the account store. This page contains several tabs related to the account store that you can access to view and manage the account store and resource system.
    Image Added
  4. Select the Resource System tab and then expand the Configuration Parameters accordion on the page.
    Image Added
  5. Verify the following parameters are correct for your system:
     Insert excerpt
    IL:Resource System Config Parameters
    IL:Resource System Config Parameters
    nameTAM
    nopaneltrue
  6. To edit the value of a parameter, click the Edit button for the parameter you want edit.
    Image Added
  7. Enter the new value in the Value field and click Save.
  8. Repeat as needed.
The next step is to configure attribute flow.
Step 3 – Configure Attribute Flow
 Insert excerpt
IL:Configure Attribute Flow Rules-V21
IL:Configure Attribute Flow Rules-V21
nopaneltrue
Now that the attribute flow has been set, you can configure the mapping between the SCIM microservice attribute and the EmpowerID account/group/OU table attribute if needed. Please follow the steps below if this is the case. the next steps include configuring the account store and enabling EmpowerID to inventory it.
Step 4 – Schema Mapping (Optional)
  1. On the navbar, expand Admin > Applications and Directories and select Manage Schema.
  2. Select the Security Boundary Object Attributes tab and search for user as Object Type ID and IBMTAMScim as Security Boundary Type.
    Image Added
  3. Click the Edit button beside the Security Boundary Object Attribute you want to modify.
    Image Added
  4. Change the RBACObject Attribute you want to use in the mapping and save your change.
    Image Added
  5. Repeat for each mapping you want to change.
Step 4 – Configure account store settings
  1. On the Account Store and Resource System page, select the Account Store tab and then click the pencil icon to put the account store in edit mode.
    Image Added

    This opens the edit page for the account store. This page allows you to specify the account proxy used to connect EmpowerID to your IBM Security Verify Access system as well as how you want EmpowerID to handle the user information it discovers during inventory. Settings that can be edited are described in the table below the image.
    Image Added
     Insert excerpt
    IL:AD Account Store Settings V21
    IL:AD Account Store Settings V21
    nameTAM
    nopaneltrue
  2. Edit the account store as needed and then click Save to save your changes.
 Div
stylefloat: left; position: fixed; 
IN THIS ARTICLE
 Table of Contents
maxLevel4
minLevel2
stylenone
 Insert excerpt
IL:External Stylesheet
IL:External Stylesheet
nopaneltrue
 Insert excerpt
IL:External Stylesheet
IL:External Stylesheet
nopaneltrue