In 12.6.3 it is protected out of the box. In the Configuration Guide of 12.6.3 you can read page 258.
I believe this was started in 12.6 GA.
Three options are:
1. Use SiteMinder
2. Configure J2EE security in your application server
or
3. Upgrade IDM to a version that supports this out of the box and configure this post upgrade. Automatic configuration for this is only done during the install.
Please reply to this thread with whichever you choose.
Thanks,
Scott Owens