Configuring SGNL for SSO with IBM Verify

Prerequisites

  • A SGNL user with a Global Admin role
  • User accounts created in SGNL for any user wanting to perform SSO
  • An understanding of configuration for [OIDC Applications] (https://www.ibm.com/docs/en/security-verify?topic=sign-configuring-single-in-openid-connect-application) in IBM Verify
  • Knowledge of the Callback URL for your SGNL Client – you can find this in SGNL, within Admin-> Security, checking the Enable OIDC SSO, and scrolling down to the OIDC Callback URL – it will take the form of https://{{your console url}}/auth/oidcCallback, e.g. https://clientname.sgnl.cloud/auth/oidcCallback

Configuring IBM Verify

IBM Verify details the steps necessary to configure an OIDC Application for use with SGNL

  1. Select Applications, and ‘Add Application’
  2. Select ‘OpenID Connect’ as the Application type
  3. In General, specify the relevant name and metadata for the Application for your organization
  4. Select the Sign-On Tab, and in the Application URL, you’ll want to specify the Callback URL for your SGNL Client, e.g. https://clientname.sgnl.cloud/auth/oidcCallback
  5. Select Authorization Code in the Grant Types, code in the Response Types and accept the default for Response Modes
  6. Uncheck “Require proof key for code exchange (PKCE) verification”
  7. In the “Redirect URIs” enter your SGNL Callback URL, e.g https://clientname.sgnl.cloud/auth/oidcCallback
  8. While you’re in Sign-In, scroll down the help pane on the right and grab the URL for your well-known endpoint, it should look like: “https://{{your IBM Verify Tenant Name}}.verify.ibm.com/oauth2/.well-known/openid-configuration”
  9. Accept other Default settings and select ‘Save’
  10. Select the Application and in the Sign-On configuration, copy your Client ID and Client Secret

Configuring SGNL

  1. In SGNL, using the navigation pane, browse to Admin → Security and Enable OIDC SSO
    • Issuer: The Issuer for your OIDC App, this is available from the well-known endpoint in IBM Verify and should take the form of https://{{your IBM Verify Tenant Name}}.verify.ibm.com/oauth2, e.g. https://wsc.verify.ibm.com/oauth2
    • OIDC Client ID: The Client ID from your IBM Verify Application
    • Client Secret The Client Secret from your IBM Verify Application
  2. Test the connection to verify your configuration was successful
  3. Save your settings

Testing

  1. Once SSO is configured, that will be the only way to sign-in, so if you want to do additional testing beyond the Test Sign-In button, you can do so with a new browser window
  2. Browse to your SGNL Sign-On Page, e.g. https://WholesaleChips.sgnl.cloud
  3. Click to ‘Sign-in with your Identity Provider’, you will be redirected to your Identity Provider to authenticate
  4. After authentication, you should be redirected to SGNL and be signed-in, by default onto the dashboard