Enabling ISAM
IBM Security Access Manager
Merative Social Program Management (SPM) can be integrated with IBM Security Access Manager (ISAM) to enable single sign-on (SSO) authentication. SSO authentication enables users to access multiple secure applications by authenticating once with a single user name and password.
If a user authenticates to an SSO system, they are no longer prompted for credentials when they access any of the other applications that are configured to work with the SSO system.
SSO systems usually maintain the user accounts on a Lightweight Directory Access Protocol (LDAP) server. If user accounts are stored in one location, it is easier for system administrators to safeguard the accounts. It is also easier for users to reset one account password for multiple applications.
For an overview of ISAM as well as procurement options, please visit IBM Marketplace.
The following guide provides the steps required to configure SPM on a Kubernetes environment for integration with ISAM.
For steps covering the configuration of ISAM itself, please review the Federation Cookbook.
Note: The version of ISAM used for the following examples is 9.0.7.
ISAM integration with SPM
To integrate with SPM, we will need to:

1. Retrieve the federation metadata XML file from the ISAM server, either via the management console or via a RESTful call to the API.

   For steps on using the console, please review the Federation Cookbook. For steps on using the API, please review the RESTful Web service documentation. This document will use the latter.

   The RESTful Web service documentation provides a library of the available Web services that can be used to interact with your ISAM server with tools such as curl. The information provided in the request section of each Web service can be used to construct a curl command. To export the metadata for a specific federation, the documentation (located under Secure: Federation -> Manage: -> Federations: -> Export a federation) gives an example of:

   GET https://{appliance_hostname}/iam/access/v8/federations/{federation_id}/metadata

   and lists the accepted headers as:

   Accept: application/json
   Authorization: Basic

   The corresponding curl command would be formatted as follows:

   ```
   curl --location --request GET 'https://{appliance_hostname}/iam/access/v8/federations/{federation_id}/metadata' \
     --header 'Authorization: Basic {token}'
   ```

   The curl command will return the federation metadata XML file in the response body.

2. Install the federation metadata file as a configmap into the namespace:

   ```
   kubectl --namespace ${NAMESPACE} create configmap $releaseName-federated-metadata-cm --from-file=${federationMetadataFile}
   ```

3. Enable ISAM by toggling the following properties in the override values file injected through Helm during deployment:

   apps-values.yaml
   ```yaml
   ---
   global:
     isam:
       enabled: true
   ```

4. Return to Preparing Helm Charts and continue the installation of SPM.
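The SPM-side steps above (export the metadata with curl, create the configmap, write the Helm override) as one script. This is an added example, not the documentation's or the product's own code; ISAM_HOST, FEDERATION_ID, ISAM_BASIC_TOKEN, NAMESPACE and RELEASE_NAME are assumed placeholder variables. It also verifies that the response body really is SAML metadata before creating the configmap, a check the steps themselves do not include.

```shell
#!/bin/sh
# Added example, not from the SPM documentation: fetch the ISAM federation
# metadata, verify it really is SAML metadata, and install it as the configmap
# the Helm chart expects. ISAM_HOST, FEDERATION_ID, ISAM_BASIC_TOKEN, NAMESPACE
# and RELEASE_NAME are assumed environment variables (placeholders).

# Export URL from the RESTful Web service documentation (Export a federation).
metadata_url() {
    printf 'https://%s/iam/access/v8/federations/%s/metadata\n' "$1" "$2"
}

# A rejected or mistyped request may return an error body instead of metadata.
# Refuse to install anything that is not a SAML EntityDescriptor carrying an
# entityID, so a broken configmap never reaches the SPM deployment.
check_metadata_file() {
    f="$1"
    [ -s "$f" ] || { echo "empty or missing: $f" >&2; return 1; }
    grep -Eq '<(md:)?EntityDescriptor' "$f" || {
        echo "not SAML metadata (no EntityDescriptor): $f" >&2; return 1; }
    grep -q 'entityID=' "$f" || { echo "no entityID in $f" >&2; return 1; }
}

# Helm override that toggles ISAM on (global.isam.enabled), written to $1.
write_isam_override() {
    cat > "$1" <<'EOF'
global:
  isam:
    enabled: true
EOF
}

# End-to-end: curl --fail turns HTTP errors into a non-zero exit, the check
# above guards the body, and only then is the configmap created.
fetch_and_install() {
    out="${1:-federation-metadata.xml}"
    curl --fail --silent --show-error --location --request GET \
        "$(metadata_url "$ISAM_HOST" "$FEDERATION_ID")" \
        --header "Authorization: Basic ${ISAM_BASIC_TOKEN}" \
        --output "$out" || return 1
    check_metadata_file "$out" || return 1
    kubectl --namespace "$NAMESPACE" create configmap \
        "${RELEASE_NAME}-federated-metadata-cm" --from-file="$out"
}

# Run the real workflow only when invoked as: sh isam-metadata.sh install
if [ "${1:-}" = "install" ]; then
    fetch_and_install "${2:-federation-metadata.xml}"
fi
```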
After the completion of the helm install, complete the federation steps. Detailed instructions for the following steps can be found in the Federation Cookbook.
First, add the Service Provider Signer Certificate to the ISAM server’s trust store.
Next, import the Service Provider XML into the ISAM server. This XML can be obtained from https://<hostname>/ibm/saml20/defaultSP/samlmetadata.
Finally, reload the appliances on the ISAM server.