IBM Security Verify

IBM Security Verify SaaS – L4 Technical Workshop

Sushmita Das
Suraj Kanth
IBM Ecosystem Engineering – SI Lab
Agenda

• Case study – FRs, AS-IS Arch
• Case study – TO-BE Arch, Project Scope
• User Story 1 – Walkthrough
  • App On-boarding
  • Identity Providers (Enterprise/Social)
  • Identity Linking
  • Multi Factor Authentication
Case study – FRs, AS-IS arch

Case study – AS-IS arch

[Diagram: AS-IS architecture. Workforce users log in to a custom ticketing solution (legacy app) with a username/password held in its local DB. The ticketing tool admin routes each request to the application owners, who onboard the user manually into the SaaS app (OIDC compliant) and the backend services, each with app-specific credentials.]

The customer has a custom-built ticketing solution on .NET. Any user who needs access to any of the enterprise applications must first create a ticket in the ticketing portal. The solution uses local DB authentication.
Once the request reaches the admin, they route it to the application owners, who create the user manually in the application and then share the credentials with the end user.
Case study – TO-BE arch, Project Scope

TO BE Solution Architecture

[Diagram: TO-BE solution architecture. Personas: workforce at office, workforce at remote, privileged workforce. Hosted on cloud: ServiceNow or Salesforce SaaS, IBM Security Verify SaaS, Microsoft Entra ID. Hosted on-prem: intranet micro-services (web app / APIs), IBM Application Gateway (IAG), IBM Security Verify Bridge, IBM Security Verify Access (ISAM).]
TO BE Solution Architecture Contd.

The enterprise intends to move to a SaaS-based solution that can support modern as well as legacy authentication protocols. They have decided to go ahead with IBM Security Verify SaaS as it supports SAML and OIDC natively and fronts legacy applications via IBM Application Gateway (IAG). The applications in scope are a SAML-enabled SaaS application, an OIDC application (which can also serve consumers) and an on-prem application hosted locally.

A specific group of users work remotely, and they must be able to access the applications over the internet.

In addition, partners also access the enterprise's applications. So that the enterprise never has to hold or distribute partner credentials, partners must authenticate against their own organisation's identity provider (federation) rather than being given a local identity or sharing common credentials. The partner's provider can be either Okta or Microsoft Entra ID.

Besides, the enterprise also uses Active Directory, and it must be ensured that users can be authenticated against the enterprise AD as well.
Verify SaaS – Case study Workshop Sprint Scope

User Story 1 – Workforce IAM Sprint
a) Enabling authentication of Employee Workforce using Verify SaaS
b) Enabling authentication of employees against ‘OpenLDAP’ or ‘AD’ using Verify SaaS
c) Enabling authentication of Agent Workforce against a SAML/OIDC Enterprise provider through MS Entra ID or any 3rd-party IDP using Verify SaaS
d) Multi-Factor Authentication
e) Enabling access to On-Prem application via IAG

Module – Identity Providers/Sources
a) SAML & OIDC Identity Providers
b) Target App Integration
c) Directory Servers & Identity agents
d) Cloud Directory
e) Adaptive Access
Methodology – Roles & Deliverables

Verify Project Roles and Deliverables

Roles (who is going to play what role today?): IAM Architect, Product Owner, IAM Specialist, Scrum Master, Developer / Tester

Deliverables
• Detailed Design document
• Scripts/Code repo
• Configuration document
• Deployment guide
• Test scripts and results
• Demo
Guidelines, Dos & Don’ts

Guidelines for stand-ups

✓ Provide updates along with blockers/issues voluntarily (fail early & fast)
✓ Don’t forget to update the Agile board frequently (at the end of every task or whenever an issue occurs)
✓ Collaborate, collaborate, collaborate (you are stronger as a team than as individuals)
✓ Involve the product owner whenever possible
✓ Have DevOps in place… automate repetitive tasks

Guidelines to conduct Retrospective session

✓ Discuss what was achieved in the last Sprint (in terms of Backlog)
✓ Discuss what was not achieved in the last Sprint (in terms of Backlog)
✓ Discuss what you should start doing as a team
✓ Discuss what you should stop doing as a team
✓ Discuss what you should continue doing as a team…
User Story 1 – Walkthrough

User Story 1 – From end-user perspective
As an end user, I should be able to access the applications to which I have access after authentication with my username/password. I should also have a centralised dashboard where I can view all the applications to which I have access, or request access to an additional app.

If I am logged in to the app dashboard after successful authentication, I shouldn’t be prompted to enter my credentials when I try to access another application. In short, SSO should take care of the authentication process. I should be able to use my LDAP credentials or authenticate against another IDP like Entra ID for application access. To enhance security, I should be prompted for MFA when accessing critical apps.

User Story 1 – Product features
1. Enabling authentication of Employee Workforce against ‘Workforce AD’ or 'LDAP' using Verify SaaS
2. Enabling authentication of Agent Workforce against a SAML Enterprise provider through Entra ID or any 3rd-party IDP using Verify SaaS
3. Authorize user access to applications through the IAM system
4. Passwordless sign-in using passkeys
5. Adaptive Access
User Story 1 – In-picture

[Diagram: User Story 1 in one picture. Use case 1: enabling a frictionless on-boarding experience. Use case 3: seamless, secured engagement through Adaptive Access. Use case 4: data privacy controls and consent management. Components: Users (Employee/Agent) and Devices logging in from different devices/geos; Cloud-based Consumer IAM (IBM Security Verify) providing Social Login, Single Sign-On and MFA Authentication; target applications: SaaS app on cloud, legacy app on-premise, Gallery Apps (SaaS / Hybrid Cloud / On-Prem); integrations with IBM ISAM, Microsoft Active Directory and QRadar SIEM.]
IBM Security / © 2020 IBM Corporation


Application On-boarding(SAML/OIDC)

Useful Links:
https://www.ibm.com/docs/en/security-verify?topic=applications-managing-your
https://www.ibm.com/docs/en/security-verify?topic=applications-custom-application
https://www.ibm.com/docs/en/security-verify?topic=reference-supported-application-connectors
https://github.com/ibm-security-verify/dev-portal-sample-authorization-code-flow
Developer Portal

Useful Links:
https://docs.verify.ibm.com/verify/docs/developer-portal
https://docs.verify.ibm.com/verify/docs/support-developers-add-developer-portal



SAML/OIDC Identity Providers

SAML IDP: https://www.ibm.com/docs/en/security-verify?topic=providers-adding-saml-enterprise-identity-provider
OIDC IDP: https://www.ibm.com/docs/en/security-verify?topic=providers-configuring-oidc-enterprise-identity-provider
Supported Social Providers

Useful Links:
https://docs.verify.ibm.com/verify/docs/identity-sources-1-connect-social-providers
https://www.ibm.com/docs/en/security-verify?topic=providers-adding-social-identity-provider
Identity Linking

Verify Guide: https://docs.verify.ibm.com/verify/docs/identity-sources-1-identity-linking
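The security decision in identity linking is which claim is allowed to join an external identity to a local account: the stable issuer-plus-subject pair is the only safe key for a returning user, and an email claim may be used to link a first-time federated login to an existing directory user only when the identity provider marks it as verified, because an unverified email is attacker-chosen input that would otherwise let a partner-IdP account take over an employee account with the same address. The following is an added example that illustrates that policy with a toy directory; it is not Verify's implementation of identity linking and the issuer URLs, user IDs and e-mail addresses are constructed.

```python
from dataclasses import dataclass, field

# Assumed issuers the tenant has been configured to trust (illustrative values).
TRUSTED_ISSUERS = {"https://login.microsoftonline.com/contoso/v2.0", "https://partner.okta.com"}


class LinkingRefused(Exception):
    pass


@dataclass
class User:
    user_id: str
    email: str
    links: set = field(default_factory=set)   # {(issuer, subject)} federated identities


class Directory:
    """Toy stand-in for a cloud directory with federated identity links (not Verify's implementation)."""

    def __init__(self):
        self.users = {}        # user_id -> User
        self.by_link = {}      # (issuer, subject) -> user_id
        self.by_email = {}     # lower-cased email -> user_id
        self.audit = []        # (action, user_id, issuer, subject)

    def add_user(self, user):
        self.users[user.user_id] = user
        self.by_email[user.email.lower()] = user.user_id
        return user

    def login_federated(self, iss, sub, email, email_verified, jit_provision=True):
        """Resolve a federated assertion to a local user, linking or provisioning as policy allows."""
        if iss not in TRUSTED_ISSUERS:
            raise LinkingRefused(f"untrusted issuer {iss}")
        key = (iss, sub)
        # 1. Returning federated user: match only on the stable (iss, sub) pair, never on email,
        #    which the user (or an attacker) may have changed at the IdP since the link was made.
        if key in self.by_link:
            return self.users[self.by_link[key]]
        existing_id = self.by_email.get(email.lower()) if email else None
        if existing_id is not None:
            # 2. First federated login for a user we already know by email. Link only when the
            #    IdP vouches for the address; an unverified email is attacker-controlled input.
            if not email_verified:
                raise LinkingRefused("refusing to link on unverified email: possible account takeover")
            user = self.users[existing_id]
            user.links.add(key)
            self.by_link[key] = user.user_id
            self.audit.append(("linked", user.user_id, iss, sub))
            return user
        # 3. Unknown user: just-in-time provision a new, separate account if policy allows it.
        if not jit_provision:
            raise LinkingRefused("no matching account and JIT provisioning is disabled")
        user = User(user_id=f"jit-{len(self.users) + 1}", email=email or "", links={key})
        self.add_user(user)
        self.by_link[key] = user.user_id
        self.audit.append(("provisioned", user.user_id, iss, sub))
        return user


def demo():
    """Constructed scenario: one existing employee, then three federated assertions."""
    d = Directory()
    d.add_user(User("u-100", "alice@example.com"))
    entra = "https://login.microsoftonline.com/contoso/v2.0"
    # First login from Entra with a verified address: links to the existing employee record.
    first = d.login_federated(entra, "sub-alice", "Alice@Example.com", True).user_id
    # Same subject again, now with a different and unverified email: still resolves by (iss, sub).
    again = d.login_federated(entra, "sub-alice", "someone-else@example.com", False).user_id
    # A partner-IdP account claiming alice's address without verification must not be linked.
    try:
        d.login_federated("https://partner.okta.com", "sub-mallory", "alice@example.com", False)
        hijacked = True
    except LinkingRefused:
        hijacked = False
    return first, again, hijacked


if __name__ == "__main__":
    print(demo())
```

Whether step 3 (just-in-time provisioning) is enabled at all is a policy choice; for partner access in the case study a separate, provisioned identity with no link to a workforce account is the expected outcome, so the example keeps it switchable.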



Adaptive Access & MFA

Useful Links:
https://www.ibm.com/docs/en/security-verify?topic=access-overview
https://www.ibm.com/docs/en/security-verify?topic=users-managing-user-multi-factor-authentication-mfa-enrollments
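The user story asks for MFA on critical apps, and the in-picture slide lists logins from a different device or geo as the signals adaptive access reacts to. The following is an added example of how such a step-up policy is evaluated over constructed login events; it is not Verify's adaptive access engine, and the app names, device IDs, coordinates and the 900 km/h travel-speed threshold are assumptions. It returns ALLOW, MFA (step-up) or DENY, treating an impossible-travel login (distance from the previous login that could not be covered in the elapsed time) as a likely stolen session rather than a case for another MFA prompt.

```python
import math
from datetime import datetime, timedelta, timezone

# Assumed policy parameters (illustrative, not Verify configuration).
CRITICAL_APPS = {"ticketing-admin", "hr-payroll"}
MAX_PLAUSIBLE_KMH = 900.0   # faster than a commercial flight between two logins => impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlambda / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def evaluate(event, last_login, known_devices):
    """Return (decision, reasons) for a login event: 'ALLOW', 'MFA' (step-up) or 'DENY'."""
    reasons = []
    if event["app"] in CRITICAL_APPS:
        reasons.append("critical application")
    if event["device_id"] not in known_devices:
        reasons.append("unknown device")
    if last_login is not None:
        km = haversine_km(last_login["lat"], last_login["lon"], event["lat"], event["lon"])
        hours = (event["ts"] - last_login["ts"]).total_seconds() / 3600.0
        if hours > 0:
            speed = km / hours
        else:
            speed = float("inf") if km > 0 else 0.0   # two places at once
        if speed > MAX_PLAUSIBLE_KMH:
            # Velocity says the same credential is in two places: block and let IR look at it.
            return "DENY", [f"impossible travel: {km:.0f} km in {hours:.1f} h"]
        if last_login["country"] != event["country"]:
            reasons.append("new country")
    return ("MFA", reasons) if reasons else ("ALLOW", reasons)


def demo():
    """Constructed events: previous login from London, then three candidate logins."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    london = {"lat": 51.5074, "lon": -0.1278, "country": "GB"}
    manchester = {"lat": 53.4808, "lon": -2.2426, "country": "GB"}
    sydney = {"lat": -33.8688, "lon": 151.2093, "country": "AU"}
    known_devices = {"dev-laptop-1"}
    last = {"ts": t0, **london}
    events = [
        # known device, ordinary app, 262 km in 2 h, same country -> ALLOW
        {"ts": t0 + timedelta(hours=2), "app": "ticketing", "device_id": "dev-laptop-1", **manchester},
        # same, but a critical app -> step-up MFA
        {"ts": t0 + timedelta(hours=2), "app": "ticketing-admin", "device_id": "dev-laptop-1", **manchester},
        # unknown device in Sydney one hour after London -> impossible travel -> DENY
        {"ts": t0 + timedelta(hours=1), "app": "ticketing", "device_id": "dev-phone-9", **sydney},
    ]
    return [evaluate(e, last, known_devices)[0] for e in events]


if __name__ == "__main__":
    print(demo())
```

The order of the rules matters: the velocity check runs before the per-app and per-device rules because a stolen session should not be offered a second factor it may already have phished; the softer signals (new device, new country, critical app) accumulate into a single step-up decision with all reasons attached for the audit log.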
