Achieving OpenID Connect Provider conformance with IBM Security Verify Access

ISAM supports the OpenID Connect protocol. IBM Security Verify Access acts as both the OpenID Provider and the Relying Party.

This topic provides the information required to be performed on IBM Security Verify Access for it to be conformant as an OpenID Connect Provider.

Most of the scenarios are conformant Out-of-the-box. However there are some scenarios where access policies and mapping rule can be used.

These artifacts required to achieve conformance with IBM Security Verify Access are placed in a compressed file under System > File Downloads > Federation > examples. In the examples folder, download oidc_op_conformance.zip and extract its contents. The oidc_op_conformance.zip contains the following files:

• pre_token.js
• post_token.js
• authsvc_credential.js
• access_policy.js
• metadata.json
• httptransform.xsl
• stschains.json

There are comments specified in the files listed above that explains in detail about the scenario that is achieved for OIDC Conformance.

The files also contain “OIDC Conformance-Example" which indicates a snippet of code to be added to achieve a certain scenario for conformance.

To achieve conformance on an existing IBM Security Verify Access setup, copy the snippets of AccessPolicy, Mapping Rule, and create the necessary STS chains.

• OpenID Connect Provider Access Policies
  We can use access policies to perform step-up and re-authentication during a single sign-on flow based on contextual information.
• Mapping Rules
  
• STS Chains
  Three STS chains are required to achieve conformance. The STS chain JSON is included in the compressed file.
• OpenID Connect Discovery
  ISAM provides an endpoint for discovery which is the metadeta endpoint. However, the specification strictly states the discovery endpoint is /.well-known/openid-configuration appended to the issuer endpoint.

Parent topic: Conformance