Manual Chapter: Introducing SSO with CCP
Access Policy Manager provides a single sign-on feature that leverages the credential caching and proxying technology. This feature allows your users to enter their credentials once to access their secured web applications.
Leveraging this technology, users request access to the secured back-end web server. Once that occurs, Access Policy Manager creates a user session and collects the user identity based on the access policy. Upon successful completion of the access policy, the user identity is cached in a session database. Lastly, the Websso plugin retrieves the cached user credentials and authenticates the user based on the configured authentication method.
HTTP Basic Auth
With this method, the SSO plugin uses the cached user identity and sends the request with an Authorization header. This header contains the token Basic followed by the base64 encoding of the user name, a colon, and the password.
HTTP Form-Based Auth
With this method, upon detection of the start URL match, the SSO plugin uses the cached user identity to construct and send the HTTP form-based post request on behalf of the user.
HTTP NTLM Auth v1
With this method, NTLM employs a challenge-response mechanism for authentication, where the users can prove their identities without sending a password to the server.
HTTP NTLM Auth v2
With this method, NTLM employs a challenge-response mechanism for authentication, where the users can prove their identities without sending a password to the server. This version of NTLM has been updated from version 1.
Access Policy Manager supports four SSO methods. Each method contains a number of attributes that you need to configure properly to support SSO.
Note: If you misconfigure SSO objects for one of the authentication methods HTTP Basic, NTLMv1, or NTLMv2, SSO is disabled for all authentication methods when you access a resource with the misconfigured SSO object. However, the HTTP Form-Based method is not affected by a misconfigured object. Additionally, SSO is disabled for the current user session only; all other users remain unaffected.
These general object attributes apply to all SSO methods. In the navigation pane, expand Access Policy, choose SSO Configuration, and click Create.
SSO method: This defines the authentication method for your SSO configuration object. You can select from the following values: HTTP basic, HTTP Form Based, HTTP NTLMv1, or HTTP NTLMv2.
Username source: This defines the source session variable name of the user name for SSO authentication. By default, it is the user name session variable session.sso.token.last.username.
Password source: This defines the source session variable name of the password for SSO authentication. By default, it is the password session variable session.sso.token.last.password.
These additional object attributes apply to HTTP Form-Based SSO method. In the navigation pane, expand Access Policy, choose SSO Configuration, and click Create. Select Form Based from the SSO Method setting.
Start URI: Defines the start URI value. If the HTTP request URI matches the start URI value, HTTP Form-Based authentication is performed for SSO. Multiple start URI values can be specified on multiple lines for this attribute.
You can specify one "*" in the value for wildcard matching.
Form Method: Defines the method of the HTTP Form-Based authentication for SSO. The options are GET or POST. By default, the form method value is set to POST. If GET is specified, the SSO authentication request is sent as an HTTP GET request instead.
Form Action: Defines the form action URL used for HTTP authentication request for SSO. For example, /access/oblix/apps/webgate/bin/webgate.dll. If you do not specify a value for this attribute, the original request URL is used for SSO authentication.
Form Parameter For User Name: Defines the parameter name of the logon user name. For example, if the HTTP server expects the user name in the form of userid=, then userid is specified as the attribute value.
Form Parameter for Password: Defines the parameter name of the logon password. For example, if the HTTP server expects the password in the form of pass=, then pass is specified as the attribute value.
Hidden Form Parameters/Values: Defines the hidden form parameters required by the authentication server logon form at your location. Hidden parameters must be entered like this:
Parameter names and values are separated by a space, not by an equal sign. Each parameter starts on a new line. For more information on hidden parameters, refer to Determining the hidden parameters, on page 11-44.
Successful Logon Detection Match Type: Defines the success detection type that your authentication server uses. You can select one of the following:
By Resulting Redirect URL: If selected, specifies that the authentication success condition is determined by examining the redirect URL from the HTTP response. You can specify multiple values for this option.
By Presence Of Specific Cookie: If selected, specifies that the authentication success condition is determined by examining the cookie value from the response. This option uses only one defined value.
Successful Logon Detection Match Value: Defines the value used by the specific success detection type.
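The following Python example is added here to make the HTTP Basic and HTTP Form-Based behaviour described above concrete: how the Basic Authorization header is assembled from cached credentials, how a start URI with a single "*" wildcard is matched, how hidden parameters in "name value" form are folded into the logon request alongside the user name and password parameters, how the Form Action falls back to the original request URL, and how the two Successful Logon Detection match types are evaluated. It is illustration code written for this chapter, not the SSO plugin's own code or any F5 API; the dictionary keys, the sample start URI /access/login.asp, the header and cookie names used in the sample responses, and the credentials are constructed assumptions.

```python
import base64
from urllib.parse import urlencode

# Constructed sample of a Form Based SSO object using the chapter's attribute names.
# The dictionary keys are an assumption made for this example; the form action path
# is the one quoted in the chapter, the start URI and match value are made up.
FORM_SSO = {
    "start_uris": ["/access/*"],            # each value may hold one "*" wildcard
    "form_method": "POST",                  # GET or POST (POST is the default)
    "form_action": "/access/oblix/apps/webgate/bin/webgate.dll",
    "user_param": "userid",                 # Form Parameter For User Name
    "pass_param": "pass",                   # Form Parameter for Password
    "hidden_params": "form_id 1\nsubmit Login",   # "name value", one per line
    "match_type": "redirect",               # "redirect" or "cookie"
    "match_values": ["/access/home"],       # several for redirect, one for cookie
}


def basic_authorization_header(username, password):
    """HTTP Basic Auth: the token 'Basic' plus base64(user ':' password)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def start_uri_matches(request_uri, start_uris):
    """True if the request URI matches any start URI; a value may contain one '*'."""
    for pattern in start_uris:
        if pattern.count("*") > 1:
            raise ValueError(f"only one '*' is allowed in a start URI: {pattern!r}")
        if "*" in pattern:
            head, tail = pattern.split("*")
            if (len(request_uri) >= len(head) + len(tail)
                    and request_uri.startswith(head)
                    and request_uri.endswith(tail)):
                return True
        elif request_uri == pattern:
            return True
    return False


def parse_hidden_parameters(text):
    """Hidden parameters: one per line, name and value separated by a space."""
    params = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        params.append((name, value.strip()))
    return params


def build_form_logon(sso, request_uri, username, password):
    """Return the logon request the plugin sends on the user's behalf, or None
    when the request URI is not a configured start URI."""
    if not start_uri_matches(request_uri, sso["start_uris"]):
        return None
    fields = [(sso["user_param"], username), (sso["pass_param"], password)]
    fields += parse_hidden_parameters(sso["hidden_params"])
    body = urlencode(fields)
    # An empty Form Action means the original request URL is used.
    action = sso.get("form_action") or request_uri
    if sso.get("form_method", "POST").upper() == "GET":
        return {"method": "GET", "uri": f"{action}?{body}", "headers": {}, "body": ""}
    return {"method": "POST", "uri": action,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": body}


def logon_succeeded(sso, status, headers, set_cookie_names):
    """Successful Logon Detection: by resulting redirect URL (any of several values)
    or by presence of a specific cookie (exactly one value, assumed to be the cookie name)."""
    if sso["match_type"] == "redirect":
        location = headers.get("Location", "")
        return status in (301, 302, 303, 307) and location in sso["match_values"]
    if sso["match_type"] == "cookie":
        return sso["match_values"][0] in set_cookie_names
    raise ValueError(f"unknown match type: {sso['match_type']!r}")


if __name__ == "__main__":
    print(basic_authorization_header("alice", "s3cret"))
    print(build_form_logon(FORM_SSO, "/access/login.asp", "alice", "s3cret"))
    print(logon_succeeded(FORM_SSO, 302, {"Location": "/access/home"}, set()))
```

The misconfiguration note above is the reason the matcher raises on more than one "*" rather than guessing: an SSO object that cannot be evaluated should fail visibly for the session being configured rather than silently match nothing.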
There is only one additional attribute that applies to HTTP NTLMv1 method. In the navigation pane, expand Access Policy, choose SSO Configuration, and click Create. Select NTLMV1 from the SSO Method setting.
NTLM Domain: Defines the domain name used for NTLMv1.
There is only one additional attribute that applies to HTTP NTLMv2 method. In the navigation pane, expand Access Policy, choose SSO Configuration, and click Create. Select NTLMV2 from the SSO Method setting.
NTLM Domain: Defines the domain name used for NTLMv2.
Once you create an SSO object, you must apply the object to an access profile or a web application object in order to successfully deploy SSO in your configuration.
1. In the navigation pane, expand Access Policy, and click Access Profiles.
3. On the access profile properties page, under Configurations, select your SSO object from the SSO Configuration list.
4. Click Update.
5. On the same screen, select Access Policy to associate your SSO object with your access profile.
The General Properties screen opens.
6. Click Edit Access Policy for Profile "name of your profile".
The visual policy editor opens in a separate browser window.
7. On the access policy, click the + sign after your authentication server object(s) to open the Predefined Actions screen.
8. Under General Purpose, select SSO Credential Mapping, and click Add Item.
You can configure single sign-on so that users can access their web applications without entering their credentials multiple times. You can add, modify, or delete your SSO configuration object at any time.
You can assign an SSO object as part of the web application resource item. If you do not configure an SSO object at that level, you can use the SSO object at the access profile level instead.
1. In the navigation pane, expand Access Policy and click SSO Configurations.
The New SSO Configuration screen opens.
2. From the SSO Method list, select an SSO method.
Additional fields may appear depending on your selection.
4. Under Configuration, configure the settings. For detailed information about each setting, refer to the online help.
5. Click Finished.
The SSO object is now added to the SSO list. Note that these objects come in the form of session variables.
6. In the navigation pane, expand Access Profiles, and select the access profile you want the SSO configuration object assigned to.
7. Click the Properties tab.
The General Properties screen opens.
9. Click Finished.
The SSO configuration object is now assigned to your access profile.
1. In the navigation pane, expand Access Policy and click Web Application.
The Resource List opens.
2. Click the name of your Web Application.
The Properties page opens.
3. Under Resource Item, add your web application resource item or click an existing one.
The Properties page opens.
4. Under Resource Item Properties, from the SSO Configuration list, select your SSO configuration.
5. Click Update.
Once you create an SSO configuration object and associate it with your access policy, you must add the SSO credential mapping agent to an access profile. This step ensures that your access policy includes the mapping agent element to authenticate and authorize your users using single sign-on.
1. In the navigation pane, click Access Policy, and select Access Profiles.
The Profile List screen opens.
4. Click Update.
6. Click Edit Access Policy for Profile <name of your profile>.
The visual policy editor screen opens in a different browser window.
7. Click the small plus sign where you want to add the new access policy action item.
A properties screen opens.
8. Under General Purpose, select SSO Credential Mapping, and click Add Item.
The Variable Assign: SSO Credential Mapping screen opens.
9. For the SSO Token Username and SSO Token Password settings, select where to retrieve the user name and password from, and click Save. Otherwise, select Custom to enter a different user name and password.
The SSO Credential Mapping agent is added to your access policy as part of the overall authentication process.
You can configure your network access to support SSO through a layered virtual server. This allows your users full network access to multiple web services without requiring them to enter their credentials multiple times.
One or more HTTP layered virtual servers corresponding to the back-end protected web services that require authentication and SSO support.
Note: To ensure that traffic is handled only by the network access for each layered virtual server, you need to select the network access tunnel option from the VLANs list. For more information, refer to the steps in Configuring a layered virtual server for your web service.
1. On the Main tab of the navigation pane, expand Access Policy, and click Network Access.
The Network Access Resource List screen opens.
2. Click Create.
The New Resource screen opens.
3. In the Name box, type a name for the network access resource.
6. Click Finished to save the network access resource.
The Network Access configuration screen opens, and you can configure the properties for the network access resource.
1. On the Main tab of the navigation pane, expand Access Policy, and click Network Access.
The Network Access Resource List screen opens.
2. Click a network access resource on the Resource List.
The Network Access editing screen opens. This screen also opens immediately after you create a new network access resource.
4. Configure the DNS and hosts for the network access resource on the DNS/Hosts tab.
See Setting DNS and hosts options for more information, or refer to the online help.
5. Configure drive mappings for the network access resource on the Drive Mappings tab.
See Mapping drives with network access for more information, or refer to the online help.
6. Configure applications to launch for the network access resource on the Launch Applications tab.
See Launching applications with network access connections for more information, or refer to the online help.
Note: If you use split tunneling for network traffic, you must properly configure the LAN address space setting so that traffic for the web services passes to the network access tunnel. For more information on how to configure LAN address space, see To configure network access properties.
Once you configure for network access, the next step is to configure an access policy profile to manage your network access.
1. On the Main tab of the navigation pane, expand Access Policy, and click Access Profiles.
The Access Profiles List screen opens.
2. Click Create.
The New Profile screen opens.
4. Leave all other settings as the default. Ensure that the SSO Configuration field specifies None.
5. Click Finished.
The new access policy is now added to the Access Profile list.
8. Click Edit Access Policy for Profile <"name">.
The visual policy editor opens.
Once you have created and configured your access policy profile to manage your network access, the next step is to create the virtual server that associates network access with your access policy.
1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
The Virtual Server List screen opens.
2. Click Create.
The New Virtual Server screen opens.
3. Specify the Name, Destination, and Service Port.
4. Specify both SSL Profile (Client) and SSL Profile (Server).
5. For SNAT Pool, change the default from None to Auto Map.
7. Click Finished.
After you have configured your network access, created an access policy profile, and created an HTTP virtual server for your network access, the user is able to log on to Access Policy Manager and has full access to all of their web services. However, to eliminate the need for users to enter credentials multiple times to access each web service, you must follow the additional steps below.
Important: Before you proceed to create a layered virtual server for your web service, make sure to create an SSO object and select a preferred SSO method for your object. For more information on how to create an SSO object, refer to Understanding SSO object attributes, on page 13-2.
1. In the navigation pane, expand Access Policy, and click Access Profiles.
The Access Profile screen opens.
3. On the Access Profiles list screen for your access profile, in SSO Configuration, select the SSO object that you created and want to associate with this access profile.
4. Click Update.
Now, you need to associate a layered HTTP virtual server for your web service with the virtual server for network access.
5. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
The Virtual Server List screen opens.
7. From VLAN and Tunnel Traffic, select the network access tunnel to ensure that the layered virtual server sends its traffic to the network access tunnel interface.
Important: Make sure that both the Address Translation and Port Translation settings remain cleared. You can find these settings by selecting the Advanced option for Configuration.
9. Click Update.
For every web service you want to add, you must follow the steps in creating an HTTP virtual server for network access, and configuring a layered virtual server for your web service.
Before you proceed, you should have a virtual server already configured for Local Traffic Manager. For more information on how to set this up, refer to the Configuration Guide for BIG-IP® Local Traffic Manager available on https://support.f5.com.
1. In the navigation pane, expand Access Policy, and click Access Profiles.
The Access Profiles List screen opens.
2. Click Create.
The New Profile screen opens.
5. Click Finished.
The system adds the new access policy to the Access Profile list.
8. Click Edit Access Policy for Profile <"name">.
The visual policy editor opens.
10. Once you have added your SSO object to your access policy, bind your access policy to your Local Traffic Manager virtual server.