Introduction
This article provides step-by-step instructions to configure OpenID Connect (OIDC) Single Sign-On (SSO) between IBM Security Verify and HashiCorp Cloud Platform (HCP) Boundary. IBM Security Verify acts as the Identity Provider (IdP) and HCP Boundary as the Relying Party (the OIDC term for the service provider).
Prerequisites
Before starting, ensure the following:
You have Administrator access to IBM Security Verify.
You have Administrator access to your HCP Boundary cluster.
You have your HCP Boundary cluster URL:
https://<your-cluster-id>.boundary.hashicorp.cloud
Configure OIDC Application in IBM Security Verify
Log in to the IBM Security Verify Admin Console.
Navigate to:
Applications > Applications
Click Add application.
Select OpenID Connect.
Provide a name for the application (Example: IBM Verify – HCP Boundary). Click Save.
Configure Sign-On Settings in IBM Security Verify
Open the created application.
Navigate to the Sign-on tab.
Configure the following settings:
Application URL: Enter https://<your-cluster-id>.boundary.hashicorp.cloud
Grant Types: Enable Authorization code.
Response Types: Enable code.
Response Mode: Select all the options. (Boundary's authorization code flow uses the default query mode; the other modes are not used by this integration.)
Redirect URI: Add
https://<your-cluster-id>.boundary.hashicorp.cloud/v1/auth-methods/oidc:authenticate:callback
This must be identical to the Callback URL that Boundary generates. OIDC redirect URIs are compared as exact strings, so a trailing slash, a different case in the host name, or http instead of https counts as a mismatch and the IdP will refuse the request.
Client Authentication: Leave as Default.
Signing Algorithm: Keep RS256.
Access Policies: Select specific supported identity providers.
Under Others, enable:
- Cloud Directory
- IBMid (optional, if required)
Save the configuration.
You can set the policy as per your business requirement.
Configure Entitlements
Navigate to the Entitlements tab of the application.
Under Access Type, select:
Select users and groups, and assign individual accesses
Click Add users and groups.
Add:
- Individual users
OR
- A group (Recommended approach)
Save the changes.
Note:
Users must be assigned here; otherwise authentication fails even if the user exists in the IBM Security Verify directory.
Configure OIDC in HCP Boundary
After saving the application, collect the following values from the IBM Security Verify application you created. They are used in the HCP Boundary configuration.
Client ID
Client Secret
Issuer URL (example format):
https://<tenant>.verify.ibm.com/oauth2
To confirm the issuer, open <issuer>/.well-known/openid-configuration in a browser: the issuer value in that document must match what you enter in Boundary character for character, because OIDC discovery validation rejects any difference, including a trailing slash.
Once you have noted the above information, log in to your HCP Boundary cluster as an Administrator.
Navigate to the scope on which you want to enable the OIDC auth method:
Auth Methods > Create Auth Method
Select Type: OIDC
Configure the following:
Name: IBM Verify
Issuer: https://<tenant>.verify.ibm.com/oauth2
Client ID: Enter the Client ID from IBM Security Verify
Client Secret: Enter the Client Secret from IBM Security Verify
Signing Algorithms: RS256 (select it and click Add so that it appears in the list; see Troubleshooting)
API URL Prefix: https://<your-cluster-id>.boundary.hashicorp.cloud
Copy the Callback URL that Boundary generates (the API URL Prefix followed by /v1/auth-methods/oidc:authenticate:callback) and make sure the identical string is registered in IBM Security Verify as the Redirect URI.
Save the configuration. A newly created OIDC auth method starts in the inactive state; change its state to active-private or active-public before users can authenticate with it.
Troubleshooting
If authentication fails, verify the following:
Redirect URI matches exactly in both systems (no trailing slash, same scheme, same host).
Issuer URL is correct, reachable from Boundary, and identical to the issuer value in the IdP's discovery document.
Client ID and Client Secret are correct.
User is assigned in Entitlements.
Authorization Code grant type is enabled.
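The first three items in the checklist above can be verified before clicking Save. The script below is an added example written for this article, not IBM or HashiCorp tooling: it compares the IdP's discovery document with the values entered in Boundary, derives the Callback URL from the API URL Prefix, and checks the Redirect URI with the exact-string semantics OIDC requires. The tenant and cluster names are placeholders, SAMPLE_DISCOVERY is a constructed document rather than a captured IBM Security Verify response, and fetch_discovery is provided for a live run against your own tenant.

```python
"""Pre-flight checks for the IBM Security Verify -> HCP Boundary OIDC auth method.

Added example, not code from the article, IBM or HashiCorp. The tenant and
cluster names are placeholders and SAMPLE_DISCOVERY is a constructed
discovery document, not a captured IBM Security Verify response.
"""
import json
import urllib.request

# Fixed path Boundary appends to the API URL Prefix to form the Callback URL.
BOUNDARY_CALLBACK_PATH = "/v1/auth-methods/oidc:authenticate:callback"


def boundary_callback_url(api_url_prefix: str) -> str:
    """Callback URL Boundary derives from the auth method's API URL Prefix."""
    # A trailing slash on the prefix would yield '//v1/...', which the IdP
    # would reject as a non-matching redirect URI, so strip it first.
    return api_url_prefix.rstrip("/") + BOUNDARY_CALLBACK_PATH


def fetch_discovery(issuer: str, timeout: float = 10.0) -> dict:
    """Fetch <issuer>/.well-known/openid-configuration (needs network access)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_config(discovery: dict, issuer: str, api_url_prefix: str,
                 idp_redirect_uris: list, signing_alg: str = "RS256") -> list:
    """Compare the IdP's discovery document with the values entered in Boundary.

    Returns a list of human-readable problems; an empty list means the
    issuer, algorithm, grant/response types and redirect URI all line up.
    """
    problems = []

    # 1. OIDC discovery validation requires the 'issuer' in the document to
    #    equal the configured issuer as an exact string (trailing slash and
    #    scheme included); Boundary rejects the auth method otherwise.
    found = discovery.get("issuer")
    if found != issuer:
        problems.append(f"issuer mismatch: configured {issuer!r}, discovered {found!r}")

    # 2. The IdP must advertise the ID-token signing algorithm Boundary expects.
    if signing_alg not in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append(f"{signing_alg} not in id_token_signing_alg_values_supported")

    # 3. Boundary uses the authorization code flow: response_type 'code' and
    #    the authorization_code grant (grant_types_supported is optional in
    #    discovery; the spec default is authorization_code and implicit).
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("response_type 'code' not in response_types_supported")
    grants = discovery.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code not in grant_types_supported")

    # 4. Redirect URIs are matched as exact strings by the IdP, so look for
    #    the derived callback verbatim and flag near misses separately.
    expected = boundary_callback_url(api_url_prefix)
    if expected not in idp_redirect_uris:
        near = [u for u in idp_redirect_uris
                if u.rstrip("/").lower() == expected.lower()]
        hint = f" (near miss, differs only in slash/case: {near[0]!r})" if near else ""
        problems.append(f"redirect URI {expected!r} not registered on the IdP{hint}")

    return problems


# Constructed sample discovery document with a placeholder tenant (not real data).
SAMPLE_DISCOVERY = {
    "issuer": "https://tenant.verify.ibm.com/oauth2",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


if __name__ == "__main__":
    # Offline demo against the constructed document, with two deliberate
    # mistakes: a trailing slash on the issuer and on the registered redirect URI.
    prefix = "https://cluster-id.boundary.hashicorp.cloud"
    for p in check_config(SAMPLE_DISCOVERY, SAMPLE_DISCOVERY["issuer"] + "/",
                          prefix, [boundary_callback_url(prefix) + "/"]):
        print(p)
```

For a live check, replace SAMPLE_DISCOVERY with fetch_discovery("https://<tenant>.verify.ibm.com/oauth2") and pass the Redirect URIs exactly as they appear in the IBM Security Verify Sign-on tab; every reported problem maps to one line of the checklist above.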
If you receive the following error when saving the OIDC settings in the Boundary UI, the signing algorithm was selected but never added: you must explicitly click Add next to the Signing Algorithms field so that RS256 appears in the list.
Unable to update auth method: authmethods.(Service).updateInRepo: unable to update auth method: oidc.(Repository).UpdateAuthMethod: update would result in an incomplete auth method: oidc.(AuthMethod).isComplete: missing signing algorithms: parameter violation: error #100.
Configuration is now complete.