IBM Security Access Manager (ISAM)

Verify Access (formerly ISAM) is IBM’s self-hosted access management and federation product. It front-ends applications with a reverse proxy (WebSEAL), issues OIDC/OAuth and SAML tokens, and enforces fine-grained web access policies and junctions to back-end apps. IBM rebranded ISAM to Verify Access starting with the 10.0 release.

Key Capabilities

  • Web reverse proxy & junctions: WebSEAL publishes apps behind the proxy, with standard/virtual junctions, health monitoring, and per-request access control.

  • Federation (IdP/SP roles): SAML 2.0/1.1 federations and OpenID Connect/OAuth 2.0 provider for SSO to SaaS and custom apps; step-by-step SAML and OIDC guides are provided.

  • Advanced OAuth security profiles: Built-in support for Pushed Authorization Requests (PAR), DPoP sender-constrained tokens, and mutual-TLS (certificate-bound tokens).

  • Containerized OIDC provider option: A lightweight, containerized OIDC Provider for modern deployment pipelines (Kubernetes/Helm) is available.

Limitations

  • Lifecycle / rename: ISAM → IBM Security Verify Access with release 10.0; verify product names, artifacts, and docs during upgrades.

  • IGA/provisioning scope: Verify Access is access management and federation—not full IGA. IBM references SCIM mainly via adjacent components (e.g., Verify SaaS or Security Verify Directory Integrator with SCIM 1.1).

  • Self-hosted operations: Customers manage appliances/VMs, HA, upgrades, certificates, and reverse-proxy policy design; this differs from the SaaS IBM Security Verify service.

Customer Identity, Simplified.

No Complexity. No Limits.
Thousands of businesses trust LoginRadius for reliable customer identity. Easy to integrate, effortless to scale.

See how simple identity management can be. Start today!
Free Trial
Contact Sales