Achieving Financial-grade API (FAPI) conformance with IBM Security Verify Access
The Financial-grade API (FAPI) provides specific implementation guidelines for online financial services.
The FAPI security profile can be applied to online services in any market that requires a higher level of security than standard OAuth 2.0 or OpenID Connect provides.
Verify Access (formerly ISAM) supports the OpenID Connect protocol and can act both as an OpenID Provider (OP) and as a Relying Party (RP). This topic supplements the OpenID Connect Provider Conformance chapter. Most scenarios are FAPI-conformant out of the box; some, however, require changes to the mapping rules and HTTP transformation rules. To achieve FAPI conformance on an existing Verify Access deployment, follow the procedures in this chapter. They are additional to the procedures in OpenID Connect Provider Conformance, so complete those procedures first.
- OpenID Connect Discovery: Some discovery parameters that are optional in OpenID Connect Discovery must be present for FAPI conformance.
- WebSEAL Configuration: As part of FAPI conformance, the appliance supports mutual TLS client authentication (MTLS) for confidential clients.
- HTTP Transformation Rules
- Mapping Rules
- STS Chains: As part of OIDC OP conformance, an STS chain is created to handle parameters that are sent as a JWT to the authorize endpoint. That STS chain template must be updated to include a map module.
- FAPI Definition Configurations: Describes the FAPI definition configurations.
- FAPI - MTLS and Certificate Bound Tokens: The FAPI specification requires that Verify Access support either OAuth 2.0 Token Binding [OAUTB] or Mutual TLS [MTLS] as a holder-of-key mechanism.
- FAPI - Private Key JWT: When FAPI_CertEAI authenticates a client with MTLS, the client_assertion STS chain is not triggered, because the client is already authenticated.
- Configure FAPI Client: FAPI conformance with MTLS and certificate-bound tokens requires the client to present a client certificate.
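The holder-of-key check behind the "MTLS and Certificate Bound Tokens" item, shown as an added example that is not Verify Access code: per RFC 8705, the token endpoint records the SHA-256 thumbprint of the client's TLS certificate in the token's `cnf` claim (`x5t#S256`), and a resource server later accepts the token only if the certificate presented on the mutual-TLS connection has the same thumbprint. The certificate bytes below are a constructed stand-in for DER-encoded certificates, the claims are plain dicts (signature verification or introspection of the token is assumed to have happened already), and the function names are the example's own.

```python
"""Certificate-bound access token check (RFC 8705, FAPI holder-of-key).

Added example; not IBM Security Verify Access code. The thumbprint is
base64url(SHA-256(DER certificate)) without padding, which is the
x5t#S256 format used in the cnf claim.
"""
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed stand-ins for DER-encoded client certificates. Any bytes work
# here because the thumbprint is computed over the raw DER, not parsed.
CLIENT_CERT_DER = b"constructed stand-in for the legitimate client's DER certificate"
OTHER_CERT_DER = b"constructed stand-in for some other party's DER certificate"


def x5t_s256(cert_der: bytes) -> str:
    """x5t#S256 thumbprint: base64url of SHA-256 over the DER bytes, no '=' padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token(claims: dict, cert_der: bytes) -> dict:
    """Token-endpoint side: sender-constrain the token to the mTLS client certificate."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(cert_der)}
    return bound


def verify_binding(claims: dict, presented_cert_der: Optional[bytes]) -> Tuple[bool, str]:
    """Resource-server side: accept only if the presented certificate matches cnf.

    Returns (accepted, reason). A token without a cnf claim is a plain bearer
    token; FAPI requires sender-constrained tokens, so it is rejected here.
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("x5t#S256"), str):
        return False, "token is not certificate-bound (no cnf.x5t#S256)"
    if presented_cert_der is None:
        return False, "no client certificate presented on the mTLS connection"
    expected = cnf["x5t#S256"]
    actual = x5t_s256(presented_cert_der)
    # Constant-time comparison; thumbprints are fixed-length ASCII strings.
    if not hmac.compare_digest(expected.encode("ascii"), actual.encode("ascii")):
        return False, "presented certificate does not match the token's cnf thumbprint"
    return True, "ok"


if __name__ == "__main__":
    token = bind_token({"sub": "client-app", "scope": "accounts"}, CLIENT_CERT_DER)
    print("cnf:", token["cnf"])
    print("same cert      :", verify_binding(token, CLIENT_CERT_DER))
    print("different cert :", verify_binding(token, OTHER_CERT_DER))
    print("no cert        :", verify_binding(token, None))
    print("bearer token   :", verify_binding({"sub": "client-app"}, CLIENT_CERT_DER))
```

The check is deliberately independent of who authenticated the client at the token endpoint: the resource server only needs the DER certificate from its own TLS handshake and the `cnf` claim, so a token stolen from the legitimate client cannot be replayed over a connection that uses a different (or no) client certificate.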
Parent topic: Conformance