> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pads4.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Ibm security

<Warning>
  From PADS4 2025.2 onward, this feature is part of PADS4 CTRL Center. For more information, see CTRL Center > Administration > Identity.
</Warning>

This guide walks you through setting up **SAML 2.0 Single Sign-On (SSO)** using **IBM Security Verify** as the Identity Provider (IdP) for **PADS4 Workspace**.

***

## Prerequisites

Ensure the following items are ready:

* Access to [IBM Security Verify Console](https://www.ibm.com/security/identity-access-management/verify)
* Signing Certificate (.pem or .cer) from IBM Verify
* PFX Certificate with Private Key for PADS4 (.pfx)
* Federation Metadata URL (optional if importing manually)
* PADS4 server URL (e.g., `https://pads4serverurl/crystal/domainone`)

***

## Step 1: IBM Security Verify – Application Configuration

### Navigate to:

**Directory > Applications > Add Application > Custom Application**

### Under the **Sign-on** tab:

| Field                              | Value                                                 |
| ---------------------------------- | ----------------------------------------------------- |
| **Sign-on method**                 | `SAML 2.0`                                            |
| **Provider ID**                    | `https://pads4serverurl/crystal/domainone/Saml2`      |
| **Assertion Consumer Service URL** | `https://dpads4serverurl/crystal/domainone/Saml2/ACS` |
| **Service Provider SSO URL**       | `https://pads4serverurl/crystal/domainone/Saml2/ACS`  |
| **SessionNotOnOrAfter**            | `7200` (2 hours)                                      |

<Warning>
  Do NOT select “Use Identity provider-initiated single sign-on
</Warning>

***

### Signature Settings

| Field                                  | Value                               |
| -------------------------------------- | ----------------------------------- |
| **Sign authentication response**       | Enabled                             |
| **Signature Algorithm**                | RSA-SHA256                          |
| **Signing Certificate**                | Choose Default personal certificate |
| **Validate SAML request signature**    | Enabled                             |
| **Validate logout request signature**  | Enabled                             |
| **Validate logout response signature** | Enabled                             |

Leave **Service Provider Certificate** and **Encryption Options** blank unless encryption is required by your org.

***

### SAML Subject

| Field               | Value                |
| ------------------- | -------------------- |
| **NameID Format**   | `Unspecified`        |
| **Name Identifier** | `preferred_username` |

***

### Attribute Mapping

Enable: ☑ **Send all known user attributes in the SAML assertion**

| **Attribute name**                                                                                                                        | **Attribute Name format (URN)**                            | **Format** | **Attribute source** |
| :---------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------- | :--------- | :------------------- |
| [**http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress**](http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email)     | `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified`  | email      | `email`              |
| [**http://schemas.xmlsoap.org/ws/2005/05/identity/claims/**](http://schemas.xmlsoap.org/ws/2005/05/identity/claims/familyname)**surname** | `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified ` | text       | `family_name`        |
| [**http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname**](http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname)    | `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified ` | text       | `given_name`         |
| [**http://schemas.microsoft.com/identity/claims/**](http://schemas.microsoft.com/identity/claims/uid)**objectidentifier**                 | `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified ` | text       | `uid`                |
| [**http://schemas.xmlsoap.org/claims/group**](http://schemas.xmlsoap.org/claims/group)                                                    | `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified ` | text       | `groupIDs`           |

> These attributes will be mapped in PADS4 to assign roles/groups.

***

### Access Policy

* Set to: ☑ **Use default policy**
* Allow from: `All devices`

***

## Step 2: PADS4 Workspace – SSO Configuration

In the **PADS4 Administration Portal**, configure the SSO Plugin as follows:

| Field                                        | Value                                                         |
| -------------------------------------------- | ------------------------------------------------------------- |
| **Type**                                     | `Azure AD` (or `Custom` / `SAML` as applicable)               |
| **Federation Service Identifier**            | `https://pads4.verify.ibm.com/saml/sps/saml20ip/saml20`       |
| **SAML SSO URL**                             | `https://pads4.verify.ibm.com/saml/sps/saml20ip/saml20/login` |
| **Federation Metadata URL** (optional)       | `https://pads4.verify.ibm.com/v1.0/saml/federations/saml2`    |
| **Certificate of Federation Server**         | Upload the **IBM Verify signing certificate (.cer)**          |
| **URL of Relying Party**                     | `https://pads4serverurl/crystal/domainone`                    |
| **Relying Party Signing Certificate (.pfx)** | Upload your `.pfx` file with private key                      |
| **Private Key Password**                     | Enter password for `.pfx`                                     |

***

## Step 3: Mapping Groups in PADS4

Go to the **Relation Table** section of the SSO plugin and map incoming `groupIDs` from IBM to PADS4 profiles:

| Active Directory Group ID | Profile        |
| ------------------------- | -------------- |
| `admin`                   | Administration |
| `admin`                   | Default        |
| `developer`               | Default        |

***

## Final Checks

* Test login via PADS4 using an IBM-verified user.
* Ensure claims are successfully received and parsed in PADS4.
* Adjust attribute mapping or claim rules if users are not being assigned correctly.
