Manual Chapter: Introducing Single Sign-On
Access Policy Manager provides a Single Sign-On (SSO) feature that leverages credential caching and credential proxying technology. Credential caching and proxying is a two-phase security approach that allows your users to enter their credentials once to access their secured web applications.
With this technology, users request access to the secured back-end web server. When that occurs, Access Policy Manager creates a user session and collects the user identity based on the access policy. Upon successful completion of the access policy, the user identity is saved (cached) in a session database. Lastly, the WebSSO plugin retrieves (proxies) the cached user credentials and authenticates the user based on the configured authentication method.
Access Policy Manager supports four SSO methods. Each method contains a number of attributes that you need to configure properly to support SSO.
Note: If you misconfigure SSO objects for one of the authentication methods HTTP Basic, NTLMv1, NTLMv2, or OAM, SSO is disabled for all authentication methods when you access a resource with the misconfigured SSO object. However, the HTTP Form-based method is not affected by the misconfigured object. Additionally, SSO is disabled for the current user session only, while all other users remain unaffected.
These general object attributes apply to all SSO methods. In the navigation pane, expand Access Policy, choose SSO Configuration, and click Create.
SSO method: This defines the authentication method for your SSO configuration object. You can select from the following values: HTTP Basic, HTTP Form Based, HTTP NTLMv1, HTTP NTLMv2, or OAM.
Username Source: This defines the source session variable name of the user name for SSO authentication. By default, it is the user name session variable session.sso.token.last.username.
Password Source: This defines the source session variable name of the password for SSO authentication. By default, it is the password session variable session.sso.token.last.password.
Username Conversion: This converts PREWIN2k/UPN username input format to the format you want to use for SSO. For example, convert domain\username or username@domain to username.
For the HTTP Basic, NTLM v1, NTLM v2, and OAM authentication methods, no additional attributes are required.
These additional object attributes apply specifically to HTTP Form-Based SSO method. In the navigation pane, expand Access Policy, choose SSO Configuration, and click Create. Select Form Based from the SSO Method setting.
Start URI: Defines the start URI value. If the HTTP request URI matches the start URI value, HTTP Form-Based authentication is performed for SSO. Multiple start URI values can be specified on multiple lines for this attribute. You can specify one "*" in the value for wildcard matching.
Pass Through: Enable this check box to authenticate successfully for OAM form-based authentication. When this box is checked, the authentication request is passed through to the back-end server and WebSSO retrieves the cookies from the response. WebSSO then attaches this cookie to the POST request with credentials and completes the authentication process. This is a required field.
Form Method: Defines the method of the HTTP Form-Based authentication for SSO. The options are GET or POST. By default, the form method value is set to POST. If GET is specified, the SSO authentication is sent as an HTTP GET request instead.
Form Action: Defines the form action URL used for HTTP authentication request for SSO. For example, /access/oblix/apps/webgate/bin/webgate.dll. If you do not specify a value for this attribute, the original request URL is used for SSO authentication.
Form Parameter For User Name: Defines the parameter name of the logon user name. For example, if the HTTP server expects the user name in the form of userid=, then userid is specified as the attribute value.
Form Parameter for Password: Defines the parameter name of the logon password. For example, if the HTTP server expects the password in the form of pass=, then pass is specified as the attribute value.
Hidden Form Parameters/Values: Defines the hidden form parameters required by the authentication server logon form at your location. Hidden parameters must be entered like this:
Parameter name and value are separated by a space, not by an equal sign. Each parameter starts on a new line. For more information on hidden parameters, refer to Determining the hidden parameters.
Successful Logon Detection Match Type: Defines the success detection type that your authentication server uses. You can select one of the following:
By Resulting Redirect URL: If selected, specifies that the authentication success condition is determined by examining the redirect URL from the HTTP response. You can specify multiple values for this option.
By Presence Of Specific Cookie: If selected, specifies that the authentication success condition is determined by examining the cookie value from the response. This option uses only one defined value.
Successful Logon Detection Match Value: Defines the value used by the specific success detection type.
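The Form-Based attributes above, worked through in Python as an added example that is not part of the F5 manual: parsing the hidden parameters line format, matching a request against Start URIs with a single "*" wildcard, building the logon request sent on the user's behalf, and applying both Successful Logon Detection types. The configuration dict, function names and the sample response are constructed assumptions; only the form action path is taken from the chapter.

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample configuration mirroring the Form-Based attributes above;
# only the form action path comes from the chapter, the rest is made up.
FORM_SSO_CONFIG = {
    "start_uris": ["/app/*", "/login.jsp"],
    "form_method": "POST",
    "form_action": "/access/oblix/apps/webgate/bin/webgate.dll",
    "user_param": "userid",
    "pass_param": "pass",
    "hidden_spec": "login_type form\nsubmit Login\n",
    "success_type": "redirect_url",   # or "cookie"
    "success_values": ["/home", "/portal"],
}


def parse_hidden_parameters(spec: str) -> dict:
    """One hidden parameter per line, name and value separated by a space
    (not an equal sign), as the Hidden Form Parameters attribute requires."""
    params = {}
    for line in spec.splitlines():
        line = line.strip()
        if line:
            name, _, value = line.partition(" ")
            params[name] = value.strip()
    return params


def start_uri_matches(request_uri: str, start_uris) -> bool:
    """True when the request URI matches any Start URI; a Start URI may hold
    one '*' wildcard standing for any run of characters."""
    for pattern in start_uris:
        if pattern.count("*") > 1:
            raise ValueError("only one '*' is allowed in a Start URI")
        if "*" in pattern:
            head, tail = pattern.split("*")
            if (len(request_uri) >= len(head) + len(tail)
                    and request_uri.startswith(head)
                    and request_uri.endswith(tail)):
                return True
        elif request_uri == pattern:
            return True
    return False


def build_form_request(cfg: dict, request_uri: str, user: str, pwd: str) -> dict:
    """Construct the logon request sent on the user's behalf: hidden parameters
    plus the user name and password parameters, sent to the Form Action (or to
    the original request URI when no Form Action is configured)."""
    fields = parse_hidden_parameters(cfg["hidden_spec"])
    fields[cfg["user_param"]] = user
    fields[cfg["pass_param"]] = pwd
    action = cfg.get("form_action") or request_uri
    encoded = urlencode(fields)
    if cfg.get("form_method", "POST").upper() == "GET":
        return {"method": "GET", "target": f"{action}?{encoded}", "body": ""}
    return {"method": "POST", "target": action, "body": encoded}


def logon_succeeded(cfg: dict, response: dict) -> bool:
    """Apply Successful Logon Detection to a constructed response dict:
    {"status": int, "headers": {name: value}, "cookies": {name: value}}."""
    values = cfg["success_values"]
    if cfg["success_type"] == "redirect_url":
        # By Resulting Redirect URL: any configured value may match the
        # Location target, as a full URL or as just its path.
        if response["status"] not in (301, 302, 303, 307, 308):
            return False
        location = response["headers"].get("Location", "")
        return any(v in (location, urlsplit(location).path) for v in values)
    if cfg["success_type"] == "cookie":
        # By Presence Of Specific Cookie: only the first value is used.
        return values[0] in response["cookies"]
    raise ValueError(f"unknown success detection type: {cfg['success_type']}")
```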
Once you create an SSO object, you must apply the object to an access profile or a web application object in order to successfully deploy SSO in your configuration.
1. In the navigation pane, expand Access Policy, and click Access Profiles.
3. On the access profile's properties page, under Configurations, select your SSO object from the SSO Configuration list.
4. Click Update.
5. On the same screen, select Access Policy to associate your SSO object with your access profile.
The General Properties screen opens.
6. Click Edit Access Policy for Profile <name of your profile>.
The visual policy editor opens in a separate browser window.
7. On the access policy, click the [+] sign after your authentication server object(s) to open the Predefined Actions screen.
8. Under General Purpose, select SSO Credential Mapping, and click Add Item.
Note: Access Policy Manager supports the following formats from the username field on the logon page in order to authenticate to the back-end server: domain\username and username@domain.
HTTP Basic Auth
With this method, the SSO plugin uses the cached user identity and sends the request with an Authorization header. This header contains the token Basic followed by the base64 encoding of the user name, a colon, and the password.
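As an added illustration that is not code from the F5 manual, the following Python shows the Username Conversion from the general SSO object attributes (domain\username or username@domain reduced to username) together with the Authorization header value the HTTP Basic method sends, plus the decoding a back-end server performs on it. The function names are assumptions.

```python
import base64
import binascii


def convert_username(raw: str) -> str:
    """Username Conversion: reduce a pre-Windows 2000 (DOMAIN\\username) or
    UPN (username@domain) form to the bare username; anything else is
    returned unchanged apart from stripped whitespace."""
    name = raw.strip()
    if "\\" in name:                      # PREWIN2k: DOMAIN\username
        return name.rsplit("\\", 1)[1]
    if "@" in name:                       # UPN: username@domain
        return name.split("@", 1)[0]
    return name


def basic_authorization_header(username: str, password: str) -> str:
    """Header value the HTTP Basic SSO method sends on the user's behalf:
    the token 'Basic' plus base64(username ':' password)."""
    if ":" in username:
        # A colon in the user-id would make the decoded pair ambiguous.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_authorization(header_value: str):
    """Decode a Basic header value into (username, password) as the back-end
    server would; returns None for anything that is not well formed."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, pwd = decoded.partition(":")
    return (user, pwd) if sep else None


def sso_basic_header_for(cached_username: str, cached_password: str) -> str:
    """End to end: convert the cached user name, then build the header."""
    return basic_authorization_header(convert_username(cached_username),
                                      cached_password)
```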
HTTP Form-Based Auth
With this method, upon detection of the start URL match, the SSO plugin uses the cached user identity to construct and send the HTTP form-based post request on behalf of the user.
HTTP NTLM Auth v1
With this method, NTLM employs a challenge-response mechanism for authentication, where the users can prove their identities without sending a password to the server.
HTTP NTLM Auth v2
With this method, NTLM employs a challenge-response mechanism for authentication, where the users can prove their identities without sending a password to the server. This version of NTLM has been updated from version 1.
Oracle Access Manager (OAM)
With this method, the SSO plug-in integrates a custom Access Gate for web access. The Access Policy Manager acts as an OAM Policy Enforcement Point (PEP).
Once you create an SSO configuration object and associate it with your access policy as described in the section Assigning SSO configuration objects, you must add the SSO credential mapping agent to an access profile. This step ensures that your access policy includes the mapping agent element to authenticate and authorize your users using single sign-on.
1. In the navigation pane, click Access Policy, and select Access Profiles.
The Profile List screen opens.
4. Click Update.
6. Click Edit Access Policy for Profile <name of your profile>.
The visual policy editor screen opens in a different browser window.
7. Click the small plus sign where you want to add the new access policy action item.
A properties screen opens.
8. Under General Purpose, select SSO Credential Mapping, and click Add Item.
The Variable Assign: SSO Credential Mapping screen opens.
9. For the SSO Token Username and SSO Token Password settings, select where you want to retrieve the user name and password from, and click Save. Otherwise, select Custom to enter a different user name and password.
The SSO Credential Mapping agent is added to your access policy as part of the overall authentication process.
Access Policy Manager creates a user session and collects the user identity based on the access policy. Upon successful completion of the access policy, the user identity is cached in a session database. Then, the WebSSO plugin retrieves the cached user credentials and authenticates the user based on the configured authentication method.
With this method, the SSO plugin uses the cached user identity and sends the request with an Authorization header. This header contains the token Basic followed by the base64 encoding of the user name, a colon, and the password.
1. In the navigation pane, expand Access Policy, and select SSO Configurations.
The SSO Config list screen opens.
2. Click Create.
The General Properties screen opens.
5. Click Finished.
You are now ready to configure your access profile with the appropriate access policy.
1. In the navigation pane, expand Access Policy.
The Profile List screen opens.
2. Select an access profile by clicking Edit to launch the visual policy editor.
4. Click Apply Access Policy.
You are now ready to associate the SSO object with your access profile. Refer to Assigning SSO configuration objects for instructions.
With this method, upon detection of the start URL match, the SSO plugin uses the cached user identity to construct and send the HTTP form-based post request on behalf of the user.
1. In the navigation pane, expand Access Policy, and select SSO Configurations.
The SSO Config list screen opens.
2. Click Create.
The General Properties screen opens.
3.
4. Under Configuration, specify all your parameters. Refer to the section HTTP form-based SSO object attributes for more information on the parameters specific to HTTP Form Based.
1. Click Finished.
You are now ready to configure your access profile with the appropriate access policy.
1. In the navigation pane, expand Access Policy.
The Profile List screen opens.
2. Select an access profile by clicking Edit to launch the visual policy editor.
4. Click Apply Access Policy.
You are now ready to associate the SSO object with your access profile. Refer to Assigning SSO configuration objects for instructions.
With this method, NTLM employs a challenge-response mechanism for authentication, where the users can prove their identities without sending a password to the server.
1. In the navigation pane, expand Access Policy, and select SSO Configurations.
The SSO Config list screen opens.
2. Click Create.
The General Properties screen opens.
4. Under Configuration, specify all your parameters. Refer to the online help for specific information on each parameter.
1. Click Finished.
You are now ready to configure your access profile with the appropriate access policy.
1. In the navigation pane, expand Access Policy.
The Profile List screen opens.
2. Select an access profile by clicking Edit to launch the visual policy editor.
4. Click Apply Access Policy.
You are now ready to associate the SSO object with your access profile. Refer to Assigning SSO configuration objects for instructions.
With this method, NTLM employs a challenge-response mechanism for authentication, where the users can prove their identities without sending a password to the server. This version of NTLM has been updated from version 1.
1. In the navigation pane, expand Access Policy, and select SSO Configurations.
The SSO Config list screen opens.
2. Click Create.
The General Properties screen opens.
4. Under Configuration, specify all your parameters. Refer to the online help for specific information on each parameter.
1. Click Finished.
You are now ready to configure your access profile with the appropriate access policy.
1. In the navigation pane, expand Access Policy.
The Profile List screen opens.
2. Select an access profile by clicking Edit to launch the visual policy editor.
4. Click Apply Access Policy.
You are now ready to associate the SSO object with your access profile. Refer to Assigning SSO configuration objects for instructions.
Many enterprises already have a web access management system, such as Oracle Access Manager (OAM), that provides access management and SSO for their web applications.
Access Policy Manager provides native integration with the OAM server for authentication and authorization, which eliminates the need to deploy a WebGate proxy in front of each web application or an agent on each web application. In addition, you can achieve SSO functionality with OAM for HTTP/HTTPS requests passing through a virtual server to the web application.
This integration between Access Policy Manager and OAM simplifies deployment and improves performance for existing web application access management infrastructures.
The example in Figure 13.1 shows the integration between Access Policy Manager and the OAM server, where Access Policy Manager is deployed in front of protected web applications and integrates with the OAM Access Gate SDK. The OAM server stores and evaluates policies for users' access requests and acts as the decision point for authorization, while the Access Gate on Access Policy Manager is responsible for enforcing OAM policies for web access management.
You can achieve SSO functionality for OAM with HTTP/HTTPS requests passing through a virtual server to a back-end web application. Specifying OAM as the SSO method eliminates the need to deploy Oracle's WebGate proxies in front of application servers, which results in an increase in performance.
Note: For information on integration between Access Policy Manager and Oracle Access Manager, refer to the Deployment Guide available on AskF5.com at https://support.AskF5.com.
1. Configure the Access Server and Access Gate through the Oracle Access administrative user interface.
For detailed steps, refer to the Oracle Access Manager Access Administration Guide provided when you purchased your Oracle Access Manager.
1. In the navigation pane, expand Local Traffic, and select Nodes.
The Node List screen opens.
3. Click Finished.
The new node is now added to the Node List.
1. In the navigation pane, expand Local Traffic, and select Pools.
The Pool List screen opens.
2. Click Create.
The New Pool screen opens.
3. In the Name box, type a name for your pool, and click Finished.
The new pool is now added to the Pool List.
1. In the navigation pane, expand Access Policy, and click the [+] sign next to AAA Servers to add a new server.
The New Server General Properties screen opens.
2. Type a name for your AAA server and select Oracle Access Manager from the Type list.
The screen refreshes to provide additional settings specific to the OAM type.
3. Under Configuration, for Access Server Name, type in the access server name.
This is the name of the access server that was added to the OAM server using Oracle's administration user interface.
4. For Access Server Hostname, type in the access server machine's host name.
5. For Access Server Port, type in the port number. This is an optional field.
6. For Access Gate Name, type in the name for the Access Gate.
This is the name of the access server added to the OAM server.
7. In the Password box, type in the password for the Access Gate.
8. Click Finished.
This adds the new OAM server to the AAA Server List.
1. In the navigation pane, expand Access Policy, and select SSO Configurations.
The SSO Config list screen opens.
2. Click Create.
The General Properties screen opens.
4. Under SSO Method Configuration, specify the username and password you want cached for single sign-on.
5. Under External Access Management, select Oracle Access Management as the Access Management Method.
6. For Oracle Access Management Server, select the Oracle Access Management server you created previously.
7. Click Finished.
You are now ready to configure your access profile with the appropriate access policy.
1. In the navigation pane, expand Access Policy.
The Profile List screen opens.
2. Select an access profile by clicking Edit to launch the visual policy editor.
4. Click Apply Access Policy.
You are now ready to associate the SSO object with your access profile.
1. In the navigation pane, expand Local Traffic, and select Virtual Servers.
The Virtual Server List screen opens.
2. From Access Profile under Access Policy, select the access profile you want to associate with your virtual server.
3. Click Update.
Your access profile is now associated with your virtual server.
1. In the navigation pane, expand Local Traffic, and select Virtual Servers.
The Virtual Server List screen opens.
3. Select the Resources menu.
4. From the Default Pool box, assign the pool you created for OAM.
5. Click Update.
You have successfully configured Access Policy Manager for OAM as the SSO method.
You have the flexibility to deploy Single Sign-On in a variety of ways, depending on your needs within your networking environment. This section provides common use cases in which you can deploy Single Sign-On.
Before you proceed, you should have a virtual server already configured for Local Traffic Manager. For more information on how to set this up, refer to the Configuration Guide for BIG-IP® Local Traffic Manager available on https://support.f5.com.
1. In the navigation pane, expand Access Policy, and click Access Profiles.
The Access Profiles List screen opens.
2. Click Create.
The New Profile screen opens.
5. Click Finished.
The system adds the new access policy to the Access Profile list.
8. Click Edit Access Policy for Profile <"name">.
The visual policy editor opens.
Once you have added your SSO object to your access policy, bind your access policy to your Local Traffic Manager virtual server.
You can configure your network access to support SSO through a layered virtual server. This allows your users full network access to multiple web services without requiring them to enter their credentials multiple times.
You need one or more layered HTTP virtual servers, corresponding to the protected back-end web services that require authentication and SSO support.
Note: To ensure that traffic is handled only by the network access for each layered virtual server, you need to select the network access tunnel option from the VLANs list. For more information, refer to the steps in To configure a layered virtual server for your web service.
1. In the navigation pane, expand Access Policy, and click Network Access.
The Network Access Resource List screen opens.
2. Click Create.
The New Resource screen opens.
3. In the Name box, type a name for the network access resource.
6. Click Finished to save the network access resource.
The Network Access configuration screen opens, and you can configure the properties for the network access resource.
1. On the Main tab of the navigation pane, expand Access Policy, and click Network Access.
The Network Access Resource List screen opens.
2. Click a network access resource on the Resource List.
The Network Access editing screen opens. This screen also opens immediately after you create a new network access resource.
4. Configure the DNS and hosts for the network access resource on the DNS/Hosts tab.
See Setting DNS and hosts options for more information, or refer to the online help.
5. Configure drive mappings for the network access resource on the Drive Mappings tab.
See Mapping drives with network access for more information, or refer to the online help.
6. Configure applications to launch for the network access resource on the Launch Applications tab.
See Launching applications with network access connections for more information, or refer to the online help.
Note: If you use split tunneling for network traffic, you must properly configure the LAN address space setting so that traffic for the web services passes through the network access tunnel. For more information on how to configure the LAN address space, see To configure network access properties.
Once you configure for network access, the next step is to configure an access policy profile to manage your network access.
1. In the navigation pane, expand Access Policy, and click Access Profiles.
The Access Profiles List screen opens.
2. Click Create.
The New Profile screen opens.
4. Leave all other settings as the default. Ensure that the SSO Configuration field specifies None.
5. Click Finished.
The new access policy is now added to the Access Profile list.
8. Click Edit Access Policy for Profile <"name">.
The visual policy editor opens.
Once you have created and configured your access policy profile to manage your network access, the next step is to create a virtual server that associates your access policy with the network access.
1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
The Virtual Server List screen opens.
2. Click Create.
The New Virtual Server screen opens.
3. Specify the Name, Destination, and Service Port.
4. Specify both SSL Profile (Client) and SSL Profile (Server).
5. For SNAT Pool, change the default from None to Auto Map.
7. Click Finished.
After you have configured your network access, created an access policy profile, and created an HTTP virtual server for your network access, the user is able to log on to Access Policy Manager and has full access to all of their web services. However, to eliminate the need for users to enter credentials multiple times to access each web service, you must follow the additional steps below.
Important: Before you proceed to create a layered virtual server for your web service, make sure to create an SSO object and select a preferred SSO method for your object. For more information on how to create an SSO object, refer to General SSO object attributes, on page 13-2.
1. In the navigation pane, expand Access Policy, and click Access Profiles.
The Access Profile screen opens.
3. From the Access Profiles list screen for your access profile, make sure to select the SSO object that you created and want to associate with this access profile in SSO Configuration.
4. Click Update.
Now, you need to associate a layered HTTP virtual server for your web service with the virtual server for network access.
5. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
The Virtual Server List screen opens.
7. From VLAN and Tunnel Traffic, select the network access tunnel to ensure that the layered virtual server sends its traffic to the network access tunnel interface.
Important: Make sure that both the Address Translation and Port Translation settings remain cleared. You can find these settings by selecting the Advanced option for Configuration.
9. Click Update.
For every web service you want to add, you must follow the steps in creating an HTTP virtual server for network access, and configuring a layered virtual server for your web service.
You can configure single sign-on for users to access their web applications and eliminate the need for them to enter their credential multiple times. You can add, modify, or delete your SSO configuration object at any time.
You can assign an SSO object as part of the web application resource item. If you do not configure an SSO object at that level, you can use the SSO object at the access profile level instead.
1. In the navigation pane, expand Access Policy and click SSO Configurations.
The New SSO Configuration screen opens.
2. From the SSO Method list, select an SSO method.
Additional fields may appear depending on your selection.
4. Under Configuration, configure the settings. For detailed information about each setting, refer to the online help.
5. Click Finished.
The SSO object is now added to the SSO list. Please note that these objects come in the form of session variables.
6. In the navigation pane, expand Access Profiles, and select the access profile you want the SSO configuration object assigned to.
7. Click the Properties tab.
The General Properties screen opens.
9. Click Finished.
The SSO configuration object is now assigned to your access profile.
1. In the navigation pane, expand Access Policy and click Web Application.
The Resource List opens.
2. Click the name of your Web Application.
The Properties page opens.
3. Under Resource Item, add your web application resource item or click an existing one.
The Properties page opens.
4. Under Resource Item Properties, from the SSO Configuration list, select your SSO configuration.
5. Click Update.
To view log messages for OAM generated by the system, on the Navigation pane, expand Access Policy, select Reports, and click Current Sessions.