Manual Chapter : Common Elements for authentication for Access Policy Manager

Applies To:

BIG-IP APM

  • 14.0.1, 14.0.0

  1. On the Main tab, click Access > Authentication. The Authentication screen opens.
  2. On the Main tab, click Access > Authentication > OCSP Responder. The OCSP Responder servers screen opens.
  3. From the AAA Servers By Type menu, choose the server type you want to create. A screen that lists existing servers of that type opens.
  4. Click Create. The New Server properties screen opens.
  5. In the Name field, type a unique name for the authentication server.
  6. In the Timeout field, type a timeout interval (in seconds) for the AAA server. This setting is optional. If you use the Timeout setting, you can also use the Retries setting. If these settings are enabled, the Access Policy Manager attempts to reach the AAA server within the specified time frame, in seconds. If the server does not respond, the Access Policy Manager retries the authentication attempt as many times as you specify.
  7. In the Retries field, type the number of times the BIG-IP system should try to make a connection to the server after the first attempt fails. This setting is optional.
  8. In the Secret field, type the shared secret password of the server.
  9. In the Confirm Secret field, re-type the shared secret password of the server.
  10. In the Auth Service Port field, type the service port for the authentication server.
  11. Click Delete to delete the server. A confirmation screen appears asking you to confirm the deletion.
  12. Click Cancel to return to the previous screen without saving any changes you may have made on this screen.
  13. Click Finished. The new server displays in the list.
  14. Select Access > Authentication > LDAP. The LDAP servers screen displays.
  15. In the Service Port field, type the port number of the server. The default is 389 for LDAP and 636 for LDAPS.
  16. In the Admin Password field, type the administrative password for the server.
  17. In the Verify Admin Password field, re-type the administrative password for the server.
  18. In the Admin Password field, type the administrator password associated with the Domain Name.
  19. For the Server Connection setting, select one of these options:
     • Select Use Pool to set up high availability for the AAA server.
     • Select Direct to set up the AAA server for standalone functionality.
  20. If you selected Use Pool, type a name in the Server Pool Name field. You create a pool of servers on this screen.
  21. Provide the addresses required for your server connection:
     • If you selected Direct, type an IP address in the Server Address field.
     • If you selected Use Pool, for each pool member you want to add, type an IP address in the Server Addresses field and click Add. When you configure a pool, you have the option to type the server address in route domain format: IPAddress%RouteDomain.
  22. If you selected Use Pool, you have the option to select a Server Pool Monitor to track the health of the server pool.
  23. From the Client Certificate list, select the option that is applicable to the item you selected when you edited the policy:
     • Select request if the Client Cert Inspection agent is used in the policy.
     • Select ignore if the On-Demand Cert Auth agent is used.
  24. From the Trusted Certificate Authorities list, select the Certificate Authority that issues the user certificates.
  25. From the Advertised Certificate Authorities list, select the advertised Certificate Authority file for client certificate authentication.
  26. From the Advertised Certificate Authorities list, select the Certificate Authority that issues the user certificates.
  27. On the Main tab, click Access > Federation > SAML Service Provider. The Local SP Services screen displays.
  28. On the menu bar, expand SAML Service Provider and click External IdP Connectors. The External IdP Connectors screen displays.
  29. On the Main tab, click Access > Federation > SAML Service Provider > External IdP Connectors. The External IdP Connectors screen displays.
  30. Click Create > Custom. The Create New SAML IdP Connector screen opens.
  31. Click Create. The Create New SAML SP Service screen opens.
  32. In the Name field, type a unique name for the SAML SP service.
  33. In the Entity ID field, type a unique identifier for the service provider. Typically, the entity ID is a URI that points to the BIG-IP virtual server that is going to act as the SAML SP. If the entity ID is not a valid URL, the Host field is required. For example, type https://bigip-sp, where https://bigip-sp points to the virtual server you use for the BIG-IP system as a SAML service provider.
  34. If the Entity ID field does not contain a valid URI, in the SP Name Settings area, from the Scheme list, select https or http, and in the Host field, type a host name. For example, type siterequest.com in the Host field.
  35. In the Relay State field, type a value. The value can be an absolute path, such as hr/index.html, or a URI, such as https://www.abc.com/index.html. It is where the service provider redirects users after SAML single sign-on completes.
  36. For this service provider to request an artifact instead of an assertion from the IdP, from the left pane select Endpoint Settings and, from the Assertion Consumer Service Binding list, select Artifact. POST is the default setting.
  37. Select a SAML SP service from the list.
  38. Click Bind/Unbind IdP Connectors. A pop-up screen displays a list of any IdP connectors that are associated with this SP service.
  39. To add a SAML IdP connector to the list, click Add New Row.
  40. To bind only one IdP connector with this SP service, complete the configuration:
     1. Select a connector from the SAML IdP Connectors list in the new row. When you bind only one IdP connector to an SP service, you do not need to fill in the Matching Source and Matching Value fields.
     2. Click the Update button. The configuration is not saved until you click OK.
     3. Click OK. APM saves the configuration. The screen closes.
  41. To bind multiple IdP connectors with this SP service, complete the configuration:
     1. Select a connector from the SAML IdP Connectors list in the new row.
     2. In the Matching Source field, select or type the name of a session variable. Use a session variable only if it is populated in the policy before the SAML Auth action. For example, select %{session.server.landinguri} or type %{session.logon.username}.
     3. In the Matching Value field, type a value. The value can include the asterisk (*) wildcard. For example, type *hibb* or south*.
     4. Click the Update button. The configuration is not saved until you click OK.
     5. To add other IdP connectors, start by clicking Add New Row, fill in the new row, and end by clicking Update.
     6. Click OK. APM saves the configuration. The screen closes.
  42. From the left pane, select Security Settings. The screen displays the applicable settings.
  43. If you want this BIG-IP system to send signed authentication requests to the SAML IdP, select Signed Authentication Request. Then select a key and a certificate from those in the BIG-IP system store from the Message Signing Private Key and Message Signing Certificate lists.
  44. If this BIG-IP system requires signed assertions from the SAML IdP, ensure that the Want Signed Assertion check box remains selected.
  45. If this BIG-IP system requires encrypted assertions from the SAML IdP, select Want Encrypted Assertion. Then select a key and a certificate from those in the BIG-IP system store from the Assertion Decryption Private Key and Assertion Decryption Certificate lists. The BIG-IP system uses the private key and certificate to decrypt the assertion.
  46. To configure additional service provider attributes, from the left pane click Advanced. The screen displays the applicable settings.
  47. To force users to authenticate again even when they have an SSO session at the identity provider, select the Force Authentication check box. This setting is for use when the external IdP supports a force authentication flag.
  48. To allow the external IdP, when processing requests from this BIG-IP system as SP, to create a new identifier to represent the principal, select the Allow Name-Identifier Creation check box.
  49. To specify the type of identifier information to use, select a URI reference from the Name-Identifier Policy Format list. For example, if a Service Provider (SP) initiates SSO by sending an AuthnRequest to the IdP with the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, then the IdP response should contain the subject identity in email format.
  50. To specify that the assertion subject's identifier be returned in the namespace of an SP other than the requester, or in the namespace of a SAML affiliation group of SPs, type a value in the SP Name-Identifier Qualifier field.
  51. On the Main tab, click Access > Authentication > NTLM > Machine Account. A new Machine Account screen opens.
  52. On the Main tab, click Access > Connectivity / VPN > Microsoft Exchange. A list of Exchange profiles displays.
  53. Click Create. A Create New Exchange Profile popup screen displays general settings.
  54. In the Exchange Name field, type a name for the Exchange profile.
  55. From the Parent Profile list, select a profile. The Exchange profile inherits settings from the parent profile that you select. APM supplies a default Exchange profile named exchange.
  56. From the NTLM Configuration list, select the NTLM Auth configuration to associate with this Exchange profile. This field is required only if you select NTLM or Basic-NTLM as the front end authentication in any of the service settings.
  57. Click OK. The screen closes.
  58. Click OK. The screen closes.
  59. On the Main tab, click Access > Authentication > HTTP. The HTTP servers screen opens.
  60. On the Main tab, click Access > Authentication > RADIUS. The RADIUS servers screen opens.
  61. From the Authentication tab, select either Client Cert Inspection or On-Demand Cert Auth, and click Add item. Client Cert Inspection checks the result of the SSL handshake that occurs at the start of an SSL session. On-Demand Cert Auth performs an SSL re-handshake and checks the result. The CRLDP and OCSP Auth actions require certificate information made available by one of these policy items.