Login  
Hello there!

Need Help? We are right here!

Support Icon
miniOrange Email Support
success

Thanks for your Enquiry. Our team will soon reach out to you.

If you don't hear from us within 24 hours, please feel free to send a follow-up email to info@xecurify.com

Search Results:

×

Configure IBM Secure Verify Access (ISVA) as an Identity Provider for SSO

Configure ISVA as a Identity Provider (IdP) for Single Sign-On (SSO) into your applications, enabling users to authenticate themselves across multiple applications using their existing ISVA credentials without needing to sign in again.

In this setup, ISVA acts as the Identity Provider (IdP), miniOrange acts as a broker, and other applications act as Service Providers (SPs). This setup eliminates the need to manage different identities as all information is stored in a unified location - ISVA, simplifying the integration process and enhancing overall security.

Additionally, miniOrange's Identity Broker solution facilitates cross-protocol authentication , allowing the user to authenticate using ISVA via the SAML protocol and obtain access to the application, which supports SAML, OAuth and other protocols. This demonstrates how miniOrange Identity brokering enables users to authenticate across different protocols, improving the flexibility and interoperability of SSO solutions.

Get Free Installation Help


miniOrange offers free help through a consultation call with our System Engineers to configure SSO for different apps using ISVA as IDP in your environment with 30-day free trial.

For this, you need to just send us an email at idpsupport@xecurify.com to book a slot and we'll help you in no time.



Follow the Step-by-Step guide given below to enable SSO for your apps using ISVA

1. Configure miniOrange as SP in ISVA

  • Login to ISVA as an administrator, go to applications and click on Add Application.
    • Single Sign On with ISVA

  • Click on Custom Application button to create a Custom Application.
    • Single Sign On with ISVA

  • Give it a name and select Add Application.
  • In the company name field, give your company name.
    • Single Sign On with ISVA

  • Navigate to Sign on tab.
    • Single Sign On with ISVA

  • In the provider ID field, enter the Entity ID provided by miniorange.
  • In the ACS URL & Service provider SSO URL field, enter the ACS URL provided by miniorange.
  • Now go to the Security tab >> Certificates section.
  • Add the signing certificate provided by miniorange by clicking on the Add signer certificate button.
    • Single Sign On with ISVA

  • Now go to your application and in the Service Provider signer certificate, select the certificate which you have added.
    • Single Sign On with ISVA

  • Now go to the settings of the newly created Application. Go to the Sign in tab and scroll to the right.
    • Single Sign On with ISVA

  • Here you will find the values to be added in the miniOrange dashboard.

2. Configure ISVA as Identity Provider (IDP) in miniOrange

  • Go to miniOrange Admin Console .
  • From the left navigation bar select Identity Provider.
  • Click on Add Identity Provider button.
    • ISVA SSO

  • In the IDP entity ID field enter the Provider ID.
  • In the SAML login URL field enter the Login URL.
  • In the SAML Logout URL field enter the Logout URL.
  • And in the certificate field enter the certificate provided by ISVA.
    • ISVA SSO

  • Click Save.

3. Test Connection

  • Now to check the configurations, click on Test connection button.
    • ISVA SSO

  • Upon correct configuration you will see a test successful page.
    • ISVA SSO

4. Configure your app in miniOrange


Note:

If you have already configured your application in miniOrange you can skip the following steps.




  • Under Choose Application, select SAML/WS-FED from the All Apps dropdown.
    • Select SAML application

  • In the next step, search for your application from the list. If your application is not found, search for custom and you can set up your app via Custom SAML App. Click on Submit New App Request if you want to submit a new SSO application request.
    • Search custom application

  • Under the Basic tab, you can configure the following settings.
    Display Name (required) Enter the Display name for your app as per your preference.
    SP Entity ID or Issuer (required) Is used to identify your app against the SAML request received from SP. The SP Entity ID or Issuer can be in either URL or in String format.
    ACS URL or Assertion Consumer Service URL (required) Defines where the SAML Assertion should be sent after authentication. Make sure the ACS URL is in the format: https://www.domain-name.com/a/[domain_name]/acs
    Audience URL As the name suggests, specifies the valid audience for SAML Assertion. It is usually the same as SP Entity ID. If Audience URL is not specified separately by SP, leave it blank.
    Single Logout URL The URL where you want the logout request to be consumed and where your users should be redirected after single logout from the applications.
    Upload App Logo Upload a logo for your application.
    • Uner Basic settings, enter the details

  • Click Next to go to the Advanced settings. Configure the following settings.
    Signed Request Enable this to sign the saml request sent by SP. Provide the X509 certificate or upload the certificate.
    Sign Response Enable this if you want the entire SAML response to be signed.
    Sign Assertion Enable this if you want only the assertion within the SAML response should be signed.
    Signature Algorithm Select the algorithm that will be used to sign the SAML request/response.
    Encrypt Assertion Select this if you want to encrypt the assertion in SAML response and provide the algorithm and certificate for encryption.
    Relay State Enter the URL where you want the user to redirect after sign in to the application.
    Override Relay state Enable this to override the default relay state of the SP.
    Logout Response Binding A Logout Response is sent in reply to a Logout Request from SP. It could be sent by an Identity Provider or Service Provider.
    IdP initiated Logout Request Binding: A Logout Response is sent in reply to a Logout Request from the IdP dashboard. It could be sent by an Identity Provider or Service Provider.
    • HTTP Redirect - A Logout Response with its Signature
    • HTTP POST - A Logout Response with the signature embedded
    SAML Authentication Validity Period The time for which the authentication should be considered valid and the user should be able to perform SSO. After that, the user will have to sign in again.
    Enable Shared Identity This feature lets you control whether a specific application can be accessed by shared user or not.
    • Switch to Advanced settings

  • Click Next to go to the Login Options tab. Here, you can configure the following settings:
    Primary Identity Provider Select the identity source from where you want the authentication to happen. You will see the list of all configured sources.
    Force Authentication Enable this to enforce authentication on each request to access the application.
    Show On End User Dashboard Disable this if you do not want the app to be visible for all users on end user dashboard.
    • Go to Login Options and click on Next button

  • Click Next to go to the Attributes tab. Here you can add and configure the attributes to be sent to the app.
    NameID NameID is the unique identifier for the authenticated user included in the SAML assertion. It allows the Service Provider to recognize and map the user to an account. Generally, NameID is a username or Email Address.
    NameID Format Defines what type of identifier is used in the NameID (e.g., email, persistent, transient) so the SP can correctly map the user. If the SP does not request a specific format, the IdP can leave it unspecified and use a default.
    Add Name Format Name Format defines how attribute names are represented in a SAML assertion (e.g., as simple strings or URIs). It helps the SP correctly interpret attribute naming and ensures consistency between IdP and SP.
    Enable Multi-Valued Attributes

    Enabled:Commas (,) and semicolons (;) are treated as separators, so the attribute is split into a clean list. Example: roles = ['admin', 'editor', 'viewer'].

    Disabled:Commas and semicolons are not treated as separators, so the attribute stays as one combined string. Example: roles = "admin;editor;viewer".
    Attribute Mapping You can Add Attributes to be sent in SAML Assertion to SP. The attributes include user’s profile attributes such as first name, last name, full name, username, email, custom profile attributes, and user groups, etc.
    • Navigate to Attributes tab and map the attributes

  • Click Next to go to the Policies tab. You need to Save the Application first to configure the policy for the application.
    • Save the application in the Policies section

  • After the application is saved you can configure the policy for that application.
    • Go to Policies and Assign Group

  • Click on the Assign group button. A new Configure Group Assignment modal tab will open.
    • Assign Group: Select the groups you want to link with the application. You can select up to 20 groups at a time.
      • Configure group assignment

    • If you need to create new group. Click on Add New Group button.
    • Enter the Group Name and click on Create Group.
      • Create new group

    • Click on Next.
    • Assign Policies: Add the required policies to the selected groups. Enter the following details:
    • First Factor: Select the login method from the dropdown.
      • If you select Password as the login method, you can enable 2-Factor Authentication (MFA) and Adaptive Authentication, if needed.
      • If you select Password-less as login method, you can enable 2-Factor Authentication (MFA) if needed.
    • Add login policy details

  • Click on Save. Policies will be created for all the selected groups.
  • You will see the policy listed once it’s successfully added.
    • Add multiple login policies

  • In the Metadata tab, click on any of the two tabs:
    • Click on miniOrange as Idp If you want to use miniOrange as a User-Store i.e., your user identities will be stored in miniOrange.
    • Click on External source as IdP If you want to authenticate your users via any external Identity Provider like Active Directory, Okta, OneLogin, etc. or any other custom IDPs.
      • Select miniOrange as IdP

      Select External source as IdP

    • You can Download Metadata, Download Certficate, copy Metadata URL or copy Certificate based on your requirements.
    • Similarly, you can get the values of SAML Login URL, SAML Logout URL, IDP Entity ID or issuer, IDP Logout URL, Metadata URL from here according to your metadata requirements.
  • Under Choose Application, select OAuth/OpenID from the All Apps dropdown.
    • Select OAuth/OpenID as Apps Type

  • Search for your application from the list. If your application is not found, search for oauth and you can set up your app via OAuth2/OpenID Connect.
    • Search for OAuth custom app

  • In the Basic tab, enter the following details:
    Display Name Enter the Display Name (i.e., the name for this application).
    Redirect URL Enter the Redirect URL. Make sure it follows this format: https://<mycompany.domain-name.com>
    Client ID Auto-generated. Click the copy icon to use it in your application.
    Client Secret Client Secret is hidden by default. Click the eye icon to reveal it and use the clipboard icon to copy it.
    Subject (Optional) Select an attribute from the dropdown list.
    Description (Optional) Add a description if required.
    Upload App Logo (Optional) Upload an app logo (Optional). The app will be shown in the end-user dashboard with the logo that you configure here.
  • Click on Save.
    • Enter the OAuth app details and click on Save button

  • You will be redirected to the Policies section.
    • Go to Policies and Add Policy

  • Click on the Assign group button. A new Configure Group Assignment modal tab will open.
    • Assign Group: Select the groups you want to link with the application. You can select up to 20 groups at a time.
      • Configure group assignment

    • If you need to create new group. Click on Add New Group button.
    • Enter the Group Name and click on Create Group.
      • Create new group

    • Click on Next.
    • Assign Policies: Add the required policies to the selected groups. Enter the following details:
    • First Factor: Select the login method from the dropdown.
      • If you select Password as the login method, you can enable 2-Factor Authentication (MFA) and Adaptive Authentication, if needed.
      • If you select Password-less as login method, you can enable 2-Factor Authentication (MFA) if needed.
    Add login policy details

  • Click on Save. Policies will be created for all the selected groups.
  • You will see the policy listed once it's successfully added.
    • Policy successfully added

  • You can go to the Advanced tab to change other settings, such as the expiry time for Access, JWT, and Refresh tokens.
    • Access Token Expiry: For how long the provided access token should be valid from creation. [In Hours] A new access token has to be generated after the expiry.
    • JWT Token Expiry: For how long the generated JWT token should be valid. [ In Hours ]
    • Refresh Token Expiry: For how long the generated refresh token should be valid. [In Days] You will have to generate a new refresh token after the mentioned no. of days.
    • Enable Shared Identity: This feature lets you control whether a specific application can be accessed by shared user or not.
    Advanced tab token expiry settings

  • Switch to the Login options tab.
    Primary Identity Provider Select the default ID source from the dropdown for the application. If not selected, users will see the default login screen and can choose their own IDP. [Choose miniOrange in this case.]
    SSO FLows Select the desired SSO flow from the dropdown, such as miniOrange as IDP, miniOrange as Broker, or miniOrange as Broker with Discovery Flow.
    Show on Enduser Dashboard Enable this option if you want to show this app in the end-user dashboard.
    Force Authentication If you enable this option, users will have to log in every time, even if their session already exists.
    Allowed Logout URIs Click the Allowed Logout URIs link to add a list of post-logout redirect URIs. Users will be redirected to one of these URIs after a successful logout from miniOrange.
    Single Logout Enabled Enable this option to send logout requests to other applications when logging out from this app.
    Sign in URL

    You can include user attributes in the sign-in URL using placeholders like {{username}}, {{primaryEmail}}, {{customAttribute1}}, etc. These placeholders will be dynamically replaced with the actual user values during the IdP-initiated SSO flow.

    You can generate url using following attributes: username, primaryEmail, alternateEmail, fname, lname, primaryPhone and customAttribute1.

    The url could be like this login.com/{{username}}/?primaryEmail={{primaryEmail}}

  • Query Parameter Format: https://<sso-url>>?username={{username}} https://<sso-url>>?username={{username}}&email={{primaryEmail}}
  • Path Parameter Format: https://<sso-url>>/{{customAttribute1}}/{{customAttribute2}}/?username={{username}}
    		•
    • Navigate to Login options tab

  • Switch to the Attributes tab.
    • Enable Multi-Valued Attributes Option:
      • Enable multi-valued attributes

    • When this option is enabled, both commas (,) and semicolons (;) are treated as delimiters. Any attribute containing these characters will be automatically split and converted into a multi-valued attribute based on their positioning.
    • This feature ensures that attributes with multiple values are delivered in a structured format instead of as a single concatenated string.
    • For example: when this option is enabled, Attributes will be will appear as a list like roles = ['admin', 'editor', 'viewer'] instead of a single string like roles = "admin;editor;viewer".
    • When this option is disabled, attributes stored as a single concatenated string with commas (,) and semicolons (;) are treated in the way they are stored instead of a structured list.
    • In this case, commas (,) and semicolons (;) are not treated as separators, so the values remain combined in one string.
    • Getting Required App Details / Updating App Information:
    • Go to the Apps section from the side menu. From the list of configured apps, locate the app you created. Click the three-dot icon next to the app and select the Edit option.
      • Edit application

    • You can edit any of the above-mentioned details in case you want to change them.
      • OAuth endpoints

    • OAuth Endpoints:
      • Authorization Endpoint [ https://<your-company-name>.xecurify.com/moas/idp/openidsso ]
        • This endpoint is used to authenticate the end user with their miniOrange credentials. This authenticates the users and returns a response back to the redirect_url based on the parameters passed in the request. [Mainly the authorization code]
        • This endpoint takes the following parameters:
          • Client_id: client_id of the application as configured in the previous steps
          • Redirect_uri: The callback URL where you want to return the response
          • scope: scope of authorization or level of access, you can send a single or multiple scopes separated by ‘+’. e.g “email+openid”. We support the following scopes :
            • Email: returns the email address of the user in the response
            • Profile: returns user profile information in the response
            • OpenID: returns the id_token containing user profile details.
        • This returns the authorization code and the state parameters in the response.
      • Token Endpoint [ https://<your-company-name>.xecurify.com/moas/rest/oauth/token ]
        • This endpoint returns the following:
        • Id_token ​Contains user attributes and signatures which you have to validate with provided public certificate.
          • iss https URI that indicates the issuer
          sub identifier of the user at the issuer
          aud client_id of the requesting client
          nonce the nonce parameter value received from the client
          exp expiration time of this token
          iat time when this token was issued
          auth_time time the authentication happened
          at_hash the first half of a hash of the access token
        • Access_token: Valid for 1 hour and can be used to access user info or other endpoints until it is expired.
        • This endpoint takes the following parameters in the request:
          • Client_id: client_id of the application as configured in the previous steps.
          • Client_secret: client_secret of the application as configured in the previous step.
          • Redirect_url: The callback url where the response should be posted.
          • Code: The authorization code received from the authorization endpoint.
          • Grant_type: The OAuth grant you want to use for the request.
      • User Info Endpoint [ https://<your-domain>.xecurify.com/moas/api/oauth/getuserinfo ] Required in case of OAuth Only
        • This API can be used to fetch user profile information with an access token that was assigned to the user. A GET request is sent to the user info endpoint.
        • You need to send the access token in the authorization header to receive the user details.
      • OpenID Single Logout Endpoint [ https://<your-domain>.xecurify.com/moas/idp/oidc/logout?post_logout_redirect_uri ] :
        • This endpoint removes the active user session from the miniOrange IDP and redirects the user to the URL mentioned in the post_logout_url parameter.
      View OAuth endpoints

  • Under Choose Application, select JWT from the All Apps dropdown.
    • Select JWT app from dropdown

  • Search for your application from the list. If your application is not found, search for jwt and you can set up your app via JWT App.
    • Search JWT application

  • You can configure the following details in the application:
    Display Name Enter the Display Name (i.e. the name for this application)
    Redirect URL Enter the Redirect URL (i.e. the endpoint where you want to send/post your JWT token). You can add multiple redirect URLs by separating them with a ‘;’.E.g. abc.com;xyz.com
    Client ID The Client ID is shown in the field below. Click the clipboard icon to copy it.
    Client Secret Client Secret is hidden by default. Click the eye icon to reveal it and use the clipboard icon to copy it. This is used in the HS256 signature algorithm for generating the signature.
    Description (Optional) Add a description if required.
    Upload App Logo (Optional) Upload an app logo (Optional). The app will be shown in the end-user dashboard with the logo that you configure here.
    • Enter JWT app details

  • Click Save.
  • You will be redirected to the Policies section.
    • Go to Policies and Add Policy

  • Click on the Assign group button. A new Configure Group Assignment modal tab will open.
    • Assign Group: Select the groups you want to link with the application. You can select up to 20 groups at a time.
      • Configure group assignment

    • If you need to create new group. Click on Add New Group button.
    • Enter the Group name and click on Create Group.
      • Create new group

    • Click on Next.
    • Assign Policies: Add the required policies to the selected groups. Enter the following details:
    • First Factor: Select the login method from the dropdown.
      • If you select Password as the login method, you can enable 2-Factor Authentication (MFA) and Adaptive Authentication, if needed.
      • If you select Password-less as login method, you can enable 2-Factor Authentication (MFA) if needed.
    • Add login policy details

  • Click on Save. Policies will be created for all the selected groups.
  • You will see the policy listed once it's successfully added.
    • Policy successfully added

  • Click on Advanced tab.
  • Enter the following details as required:
    Access Token Enter the access token that will be sent to your redirect URL after a user logs in. This token helps your app know the user is allowed to access certain features.
    ID Token Expiry (In Mins) Set how long (in minutes) the ID token will be valid. After this time, the user will need to log in again to get a new token.
    Subject Choose what information, like the user’s email address, will be used to identify them in the token. This helps your app know which user is logged in.
    Signature Algorithm Select your signature algorithm from the dropdown.
    The Logout URL of your application Enter the web address where users should be sent after they log out.
    Enable Shared Identity This feature lets you control whether a specific application can be accessed by shared user or not.
    • Navigate to Advanced tab

  • Signature Algorithms for JWT

      • RSA-SHA256

      • Asymmetric, uses a set of private and public keys to generate and validate the signature which is included in the JWT token.
      • The private key is used to generate the signature on the IDP side.
      • The public key is used to verify the signature on the SP side.
      • We provide the public key for this.

      HS256

      • Symmetric, uses the same secret key to generate and validate the signature
      • The secret key in this case is configurable from the app configuration page.
  • Switch to Login options tab.
    Primary Identity Provider Select the default ID source from the dropdown for the application. If not selected, users will see the default login screen and can choose their own IDP. [Choose miniOrange in this case.]
    Force Authentication If you enable this option, users will have to log in every time, even if their session already exists.
    Enable User Mapping Enable this option, if you want the app to show which user is signed in when it responds.
    Show On End User Dashboard Enable this option if you want to show this app in the end-user dashboard.
    • Navigate to Login options tab

  • Switch to Attributes tab.
    • Enable Multi-Valued Attributes Option:
      • Enable multi-valued attributes

    • When this option is enabled, both commas (,) and semicolons (;) are treated as delimiters. Any attribute containing these characters will be automatically split and converted into a multi-valued attribute based on their positioning.
    • This feature ensures that attributes with multiple values are delivered in a structured format instead of as a single concatenated string.
    • For example: when this option is enabled, Attributes will be will appear as a list like roles = ['admin', 'editor', 'viewer'] instead of a single string like roles = "admin;editor;viewer".
    • When this option is disabled, attributes stored as a single concatenated string with commas (,) and semicolons (;) are treated in the way they are stored instead of a structured list.
    • In this case, commas (,) and semicolons (;) are not treated as separators, so the values remain combined in one string.
  • Navigate to Endpoints and copy the following details:
    • Navigate to Endpoints and copy URLs

    • Single Sign-On URL:
      • This URL is used to initiate user authentication to obtain the JWT token.
      • Take redirect_uri as one of the query parameters.
      • After successful authentication on the IDP end, an active user session is created in the IDP and the user is redirected to the redirect_uri with the JWT token.
    • Single Logout URL:
      • This URL is used to log out the user from the IDP by removing the active user session.
      • Take redirect_uri as one of the query parameters.
      • After removing the active user session, the IDP redirects the user to the redirect_uri.
    • Reply back URL for IdP initiated logout:
      • This URL is used to initiate the logout in case the JWT user login was IDP Initiated [User logged in to the dashboard
        first and then initiated the login for the app from the dashboard.]
      • After logging out the user from the IDP, the user is redirected to the IDP dashboard login page.

External References

Want To Schedule A Demo?

Request a Demo
  



Our Other Identity & Access Management Products

Single Sign-On

Seamless login for workforce and customer identity to cloud or on-premise apps

Learn more

Multi-factor Authentication

Secure access for identities with an additional layer of authentication

Learn more

Adaptive Authentication

Block or grant user access based on IP, Device, Time & Location

Learn more

Lifecycle Management

Manage & automate user provisioning and deprovisioning to apps

Learn More