Manual Chapter : Common Deployment Examples for Single Sign-On

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Manual Chapter

Common use cases for Single Sign-On deployment

You can deploy Single Sign-On in a variety of ways, depending on the needs within your networking environment. Deployment options include the following choices.

Use case deployment type Description
For local traffic pool members Deploy SSO for local traffic with pool members. The Web Application Access Management for Local Traffic Virtual Servers wizard can be used for this deployment.
For web application access over network access Deploy SSO through a network access tunnel with matching virtual servers enabled on the connectivity interface.
For web applications Deploy SSO so users can access their web applications. You can assign an SSO object as part of the web application resource item, such as a SAML resource or a portal acess resource item, or assign the object at the access profile level instead.

Overview: Configuring SSO for web apps over network access

Without implementing single-sign on (SSO) for web applications, remote clients that try to access web services over a network access connection must supply credentials multiple times.

This implementation to support SSO includes a typical network access configuration with a secure connectivity (tunnel) interface. Additional configuration to support SSO is required for each web service.

The configuration for each web service includes a virtual server that is enabled on the tunnel and that specifies a destination address to match the web server. An SSO access profile type is required on the virtual server. An SSO access profile type specifies an SSO configuration; no access policy is associated with this profile type.

It is possible for a matching virtual server for a web application to match a resource specified in a portal access resource item. (Although not required, portal access resources can be assigned to the webtop in the network access configuration.) In this case, SSO configuration must be specified at the access profile level (in the virtual server) and not in the portal access resource item.

Task summary

Configuring a network access resource

Configure a network access resource to provide secure access to corporate applications and data using a standard web browser, or the BIG-IP Edge Client.
  1. On the Main tab, click Access Policy > Network Access > Network Access List. The Network Access List screen opens.
  2. Click the Create button. The New Resource screen opens.
  3. In the Name field, type a name for the resource.
  4. To automatically start this network access resource when a client reaches a webtop to which the resource is assigned, select the Auto launch check box.
    Note: When multiple network access resources are assigned to a webtop, Auto launch can be enabled for only one network access resource.
  5. In the Customization Settings for English area, in the Caption field, type a caption. The caption appears on the full webtop, and is required.
  6. Click the Finished button. The Network Access configuration screen opens, and you can configure the properties for the network access resource.

Configuring network access properties

Configure properties for a network access resource to specify network settings and the optimized applications, hosts, drives, and applications that a remote user can access through the network access resource.
  1. On the Main tab, click Access Policy > Network Access > Network Access List. The Network Access List screen opens.
  2. Click the name to select a network access resource on the Resource List. The Network Access editing screen opens.
  3. To configure the network settings for the network access resource, click Network Settings on the menu bar.
  4. To configure DNS and hosts settings for the network access resource, click DNS/Hosts on the menu bar.
  5. To configure the drive mappings for the network access resource, click Drive Mappings on the menu bar.
  6. To configure applications to start for clients that establish a network access connection with this resource, click Launch Applications on the menu bar.

Creating a connectivity profile

You create a connectivity profile to configure client connections.
  1. On the Main tab, click Access Policy > Secure Connectivity. A list of connectivity profiles displays.
  2. Click Add. The Create New Connectivity Profile popup screen opens and displays General Settings.
  3. Type a Profile Name for the connectivity profile.
  4. Select a Parent Profile from the list. APM provides a default profile, connectivity.
  5. Click OK. The popup screen closes, and the Connectivity Profile List displays.
The connectivity profile appears in the list.
To provide functionality with a connectivity profile, you must add the connectivity profile to a virtual server.

Creating an access profile for remote access

You create an access profile to specify any access policy configuration for a virtual server that serves network access, portal access, or application access traffic.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile and per-request policy names.
  4. From the Profile Type list, select SSL-VPN. Selecting this profile type restricts the access policy items displayed in the visual policy editor to those that contribute to a correct remote access configuration. Additional fields display set to default values.
  5. In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished. The Access Profiles list screen displays.
This creates an access profile with a default access policy that contains a Start and a Deny ending.

Adding network access to an access policy

Before you assign a network access resource to an access policy, you must define a network access webtop or a full webtop.
When you assign a network access resource to an access policy branch, a client that successfully completes the branch rule, starts a network access tunnel.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click the name of the access profile for which you want to edit the access policy. The properties screen opens for the profile you want to edit.
  3. On the menu bar, click Access Policy. The Access Policy screen opens.
  4. Click Edit Access Policy for Profile profile_name. The visual policy editor opens the access policy in a separate screen.
  5. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  6. Select Advanced Resource Assign and click Add.
  7. Select the resources to add:
    1. On the Resource Assignment screen, click Add New Entry, then click Add/Delete
    2. On the Webtop tab, select one full or network access webtop.
    3. On the Network tab, select one or more network access resources.
    4. If you assigned a full webtop, select any other types of resources that you want to add.
    5. Click Update. If you add a full webtop and multiple network access resources, Auto launch can be enabled for only one network access resource. (With Auto launch enabled, a network access resource starts automatically when the user reaches the webtop.)
  8. Click Save.
  9. Click Apply Access Policy to save your configuration.
A network access tunnel and a webtop are assigned to the access policy. On a full webtop, a user can click the Network Access link to start a network access tunnel; or, if one network access tunnel is configured with Auto launch enabled, the tunnel can start automatically.

Configuring a virtual server for network access

Create a virtual server to which the network access associates your access policy.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    Note: The IP address you type must be available and not in the loopback network.
  5. In the Service Port field, type a port number or select a service name from the Service Port list.
  6. From the Configuration list, select Advanced.
  7. From the HTTP Profile list, select http.
  8. In the Configuration area, specify both SSL Profile (Client) and SSL Profile (Server).
  9. From the Source Address Translation list, select Auto Map.
  10. In the Access Policy area, select the Access Profile you created for remote access.
  11. From the Connectivity Profile list, select the connectivity profile.
  12. Click Finished.

Creating an SSO configuration

Creating an SSO configuration is a necessary first step for supporting single sign-on.
Note: Access Policy Manager (APM) supports several types of SSO configuration. Refer to BIG-IPAccess Policy Manager: Authentication and Single Sign-on in the AskF5 Knowledge Base at http://support.f5.com/kb/en-us.html.
  1. On the Main tab, select Access Policy > SSO Configurations. The SSO Configurations list screen opens.
  2. Click Create. The New SSO Configuration screen opens.
  3. From the SSO Configurations by Type menu, choose an SSO type. A screen appears, displaying SSO configurations of the type you specified.
  4. In the Name field, type a name for the SSO configuration.
  5. Specify all relevant parameters.
  6. Click Finished.

Creating an access profile for web app SSO

Before you start, you must create an SSO configuration for the web application for which you want to support single sign-on.
Configure an access profile of type SSO to provide single sign-on over a network access tunnel for a web application.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile and any per-request policy names.
  4. From the Profile Type list, select SSO.
  5. From the SSO Configuration list, select the configuration that you created for the web application.
  6. Click Finished.
This creates an access profile for which there is no access policy.

Configuring a virtual server for web app SSO

For each web application, you must have previously created a virtual server with a destination address that matches that of the web server.
Configure settings on the virtual server for each web service that clients access over the network tunnel to eliminate the need for clients to enter credentials multiple times.
Note: The name of the secure connectivity interface on which this virtual server must be enabled is the name of the connectivity profile specified for the virtual server for network access.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Select the virtual server that was previously created for the web service. The General Properties screen opens.
  3. Scroll down to the VLAN and Tunnel Traffic setting and select Enabled on.
  4. For the VLANs and Tunnels setting, move the secure connectivity interface to the Selected list.
  5. From the Configuration list, select Advanced, scroll down, and make sure that the Address Translation and Port Translation check boxes are cleared.
  6. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  7. Click Update. The users are now able to access this web service without entering credentials multiple times.

About SSO for portal access resources

An SSO configuration can be specified in a portal access resource item or in the access profile through which the portal access resource is assigned in the access policy.

If a portal access resource item and a virtual server that matches the resource populate the same session, an SSO configuration must be specified only once and at the access profile level. The SSO configuration must be specified in the access profile for the matching virtual server and not in the portal access resource item.

Configuring SSO for a portal access resource item

You must have created a portal access resource and added one or more resource items to it. You must have created an SSO configuration.
Add an SSO configuration to a portal access resource item to support SSO at the resource level instead of supporting SSO at the access profile level.
  1. On the Main tab, click Access Policy > Portal Access > Portal Access List. The Portal Access List screen opens.
  2. In the Resource Items column, click the link for a resource item. A Properties screen for that resource item opens.
  3. In the Resource Item Properties area from the SSO Configuration list, select an SSO configuration. The default value is None.
  4. Click Update. The Properties screen refreshes.
To add SSO configurations to additional portal access resource items, repeat these steps.