Skip to main contentMerative SPM on Kubernetes

Enabling ISAM

IBM Security Access Manager

Merative Social Program Management (SPM) can be integrated with IBM Security Access Manager (ISAM) to enable single sign-on (SSO) authentication. SSO authentication enables users to access multiple secure applications by authenticating once with a single user name and password.

If a user authenticates to an SSO system, they are no longer prompted for credentials when they access any of the other applications that are configured to work with the SSO system.

SSO systems usually maintain the user accounts on a lightweight directory application protocol (LDAP) server. If user accounts are stored in one location, it is easier for system administrators to safeguard the accounts. Also, it is easier for users to reset one account password for multiple applications.

For an overview of ISAM as well as procurement options, please visit IBM Marketplace. The following guide provides the steps required to configure SPM on a Kubernetes environment for integration with ISAM. For steps covering the configuration of ISAM itself, please review the Federation Cookbook.

Note: The version of ISAM used for the following examples is 9.0.7.

ISAM integration with SPM

To integrate with SPM, we will need to:

  1. Retrieve the federation metadata XML file from ISAM server, either via management console or via RESTful call to API.

    For steps on using the console please review the Federation Cookbook. For steps on using the API please review the RESTful Web service documentation. This document will use the latter.

    The RESTful Web service documentation provides a library of the available Web services that can be used to interact with your ISAM server with tools such as curl. The information provided in the request section of each Web service can be used to construct a curl command.

    To export the meta-data for a specific federation, the documentation (located under Secure: Federation -> Manage: -> Federations: -> Export a federation) gives an example of:

    GET https://{appliance_hostname}/iam/access/v8/federations/{federation_id}/metadata

    and lists the accepted headers as:

    Accept:application/json
    Authorization: Basic

    The corresponding curl command would be formatted as follows:

    curl --location --request GET 'https://{appliance_hostname}/iam/access/v8/federations/{federation_id}/metadata' \
    --header 'Authorization: Basic {token}'

    The curl command will return the federation metadata XML file in the response body.

  2. Install the federation metadata file as a configmap into namespace.

    kubectl --namespace ${NAMESPACE} create configmap $releaseName-federated-metadata-cm --from-file=${federationMetadataFile}

    Note:${NAMESPACE} refers to the namespace being used for the install and ${federationMetadataFile} refers to the XML file returned from the previous step.

  3. Enable ISAM by toggling the following properties in the override values file injected through Helm during deployment:

    apps-values.yaml
    ---
    global:
      isam:
        enabled: true

  4. Return to Preparing Helm Charts and continue the installation of SPM.

    Note: The curamAuthFilter defined within the helm-charts/apps/templates/configmaps/configmap-isam.yaml resource may need expansion to handle customisations.

    This should be reviewed by your security architect.

  5. After the completion of the helm install, complete the federation steps. Detailed instructions for the following steps can be found in the Federation Cookbook.

  6. First, add the Service Provider Signer Certificate to the ISAM server’s trust store.

  7. Next import the Service Provider XML to ISAM server.

    This XML can be obtained from https://<hostname>/ibm/saml20/defaultSP/samlmetadata.

  8. Reload the applicances on the ISAM server.

Previous
Supporting infrastructure: Persistence Storage
Next
Supporting infrastructure: LogDNA