SSO Configurations
Ibm security
This guide walks you through setting up SAML 2.0 Single Sign-On (SSO) using IBM Security Verify as the Identity Provider (IdP) for PADS4 Workspace.
Leave Service Provider Certificate and Encryption Options blank unless encryption is required by your org.
Prerequisites
Ensure the following items are ready:- Access to IBM Security Verify Console
- Signing Certificate (.pem or .cer) from IBM Verify
- PFX Certificate with Private Key for PADS4 (.pfx)
- Federation Metadata URL (optional if importing manually)
- PADS4 server URL (e.g.,
https://pads4serverurl/crystal/domainone)
Step 1: IBM Security Verify – Application Configuration
Navigate to:
Directory > Applications > Add Application > Custom ApplicationUnder the Sign-on tab:
| Field | Value |
|---|---|
| Sign-on method | SAML 2.0 |
| Provider ID | https://pads4serverurl/crystal/domainone/Saml2 |
| Assertion Consumer Service URL | https://dpads4serverurl/crystal/domainone/Saml2/ACS |
| Service Provider SSO URL | https://pads4serverurl/crystal/domainone/Saml2/ACS |
| SessionNotOnOrAfter | 7200 (2 hours) |
Do NOT select “Use Identity provider-initiated single sign-on
Signature Settings
| Field | Value |
|---|---|
| Sign authentication response | Enabled |
| Signature Algorithm | RSA-SHA256 |
| Signing Certificate | Choose Default personal certificate |
| Validate SAML request signature | Enabled |
| Validate logout request signature | Enabled |
| Validate logout response signature | Enabled |
SAML Subject
| Field | Value |
|---|---|
| NameID Format | Unspecified |
| Name Identifier | preferred_username |
Attribute Mapping
Enable: ☑ Send all known user attributes in the SAML assertion| Attribute Name (URN) | Format | Source |
|---|---|---|
urn:oasis:names:tc:SAML:2.0:attrname-format:email | email | |
urn:oasis:names:tc:SAML:2.0:attrname-format:family_name | text | family_name |
urn:oasis:names:tc:SAML:2.0:attrname-format:given_name | text | given_name |
urn:oasis:names:tc:SAML:2.0:attrname-format:uid | text | uid |
http://schemas.xmlsoap.org/claims/group | text | groupIDs |
These attributes will be mapped in PADS4 to assign roles/groups.
Access Policy
- Set to: ☑ Use default policy
- Allow from:
All devices
Step 2: PADS4 Workspace – SSO Configuration
In the PADS4 Administration Portal, configure the SSO Plugin as follows:| Field | Value |
|---|---|
| Type | Azure AD (or Custom / SAML as applicable) |
| Federation Service Identifier | https://pads4.verify.ibm.com/saml/sps/saml20ip/saml20 |
| SAML SSO URL | https://pads4.verify.ibm.com/saml/sps/saml20ip/saml20/login |
| Federation Metadata URL (optional) | https://pads4.verify.ibm.com/v1.0/saml/federations/saml2 |
| Certificate of Federation Server | Upload the IBM Verify signing certificate (.cer) |
| URL of Relying Party | https://pads4serverurl/crystal/domainone |
| Relying Party Signing Certificate (.pfx) | Upload your .pfx file with private key |
| Private Key Password | Enter password for .pfx |
Step 3: Mapping Groups in PADS4
Go to the Relation Table section of the SSO plugin and map incominggroupIDs from IBM to PADS4 profiles:
| Active Directory Group ID | Profile |
|---|---|
admin | Administration |
admin | Default |
developer | Default |
Final Checks
- Test login via PADS4 using an IBM-verified user.
- Ensure claims are successfully received and parsed in PADS4.
- Adjust attribute mapping or claim rules if users are not being assigned correctly.