Configuring SGNL for SSO with IBM Verify
Prerequisites
- A SGNL user with a Global Admin role
- User accounts created in SGNL for any user wanting to perform SSO
- An understanding of configuration for [OIDC Applications] (https://www.ibm.com/docs/en/security-verify?topic=sign-configuring-single-in-openid-connect-application) in IBM Verify
- Knowledge of the Callback URL for your SGNL Client – you can find this in SGNL, within Admin-> Security, checking the
Enable OIDC SSO, and scrolling down to the OIDC Callback URL – it will take the form of https://{{your console url}}/auth/oidcCallback, e.g. https://clientname.sgnl.cloud/auth/oidcCallback
Configuring IBM Verify
IBM Verify details the steps necessary to configure an OIDC Application for use with SGNL
- Select Applications, and ‘Add Application’
- Select ‘OpenID Connect’ as the Application type
- In General, specify the relevant name and metadata for the Application for your organization
- Select the Sign-On Tab, and in the Application URL, you’ll want to specify the Callback URL for your SGNL Client, e.g.
https://clientname.sgnl.cloud/auth/oidcCallback - Select
Authorization Code in the Grant Types, code in the Response Types and accept the default for Response Modes - Uncheck “Require proof key for code exchange (PKCE) verification”
- In the “Redirect URIs” enter your SGNL Callback URL, e.g
https://clientname.sgnl.cloud/auth/oidcCallback - While you’re in Sign-In, scroll down the help pane on the right and grab the URL for your well-known endpoint, it should look like: “https://{{your IBM Verify Tenant Name}}.verify.ibm.com/oauth2/.well-known/openid-configuration”
- Accept other Default settings and select ‘Save’
- Select the Application and in the Sign-On configuration, copy your Client ID and Client Secret
Configuring SGNL
- In SGNL, using the navigation pane, browse to Admin → Security and
Enable OIDC SSO- Issuer: The Issuer for your OIDC App, this is available from the well-known endpoint in IBM Verify and should take the form of
https://{{your IBM Verify Tenant Name}}.verify.ibm.com/oauth2, e.g. https://wsc.verify.ibm.com/oauth2 - OIDC Client ID: The Client ID from your IBM Verify Application
- Client Secret The Client Secret from your IBM Verify Application
- Test the connection to verify your configuration was successful
- Save your settings
Testing
- Once SSO is configured, that will be the only way to sign-in, so if you want to do additional testing beyond the Test Sign-In button, you can do so with a new browser window
- Browse to your SGNL Sign-On Page, e.g. https://WholesaleChips.sgnl.cloud
- Click to ‘Sign-in with your Identity Provider’, you will be redirected to your Identity Provider to authenticate
- After authentication, you should be redirected to SGNL and be signed-in, by default onto the dashboard