Manual Chapter:
Common Elements for authentication for Access Policy Manager
Applies To: BIG-IP APM
- 14.0.1, 14.0.0
Common Elements for authentication for Access Policy Manager
- On the Main tab, click. The Authentication screen opens.
- On the Main tab, click. The OCSP Responder servers screen opens.
- From the AAA Servers By Type menu, choose the server type you want to create. A screen that lists existing servers of that type opens.
- Click Create. The New Server properties screen opens.
- In the Name field, type a unique name for the authentication server.
- In the Timeout field, type a timeout interval (in seconds) for the AAA server. This setting is optional. If you use the Timeout setting, you can also use the Retries setting. If these settings are enabled, Access Policy Manager attempts to reach the AAA server within the specified time frame, in seconds. If the server does not respond, Access Policy Manager retries the authentication attempt up to the number of times you specify.
- In the Retries field, type the number of times the BIG-IP system should try to connect to the server after the first attempt fails. This setting is optional.
- In the Secret field, type the shared secret password of the server.
- In the Confirm Secret field, re-type the shared secret password of the server.
- In the Auth Service Port field, type the service port for the authentication server.
- Click Delete to delete the server. A confirmation screen appears asking you to confirm the deletion.
- Click Cancel to return to the previous screen without saving any changes you made on this screen.
- Click Finished. The new server appears in the list.
- Select. The LDAP servers screen displays.
- In the Service Port field, type the port number of the server. The default is 389 for LDAP and 636 for LDAPS.
- In the Admin Password field, type the administrative password for the server.
- In the Verify Admin Password field, re-type the administrative password for the server.
- In the Admin Password field, type the administrator password associated with the Domain Name.
- For the Server Connection setting, select one of these options:
- Select Use Pool to set up high availability for the AAA server.
- Select Direct to set up the AAA server for standalone functionality.
- If you selected Use Pool, type a name in the Server Pool Name field. You create a pool of servers on this screen.
- Provide the addresses required for your server connection:
- If you selected Direct, type an IP address in the Server Address field.
- If you selected Use Pool, for each pool member you want to add, type an IP address in the Server Addresses field and click Add. When you configure a pool, you have the option to type the server address in route domain format: IPAddress%RouteDomain.
- If you selected Use Pool, you have the option to select a Server Pool Monitor to track the health of the server pool.
- From the Client Certificate list, select the option that applies to the item you selected when you edited the policy.
- Select request if the Client Cert Inspection agent is used in the policy.
- Select ignore if the On-Demand Cert Auth agent is used.
- From the Trusted Certificate Authorities list, select the Certificate Authority that issues the user certificates.
- From the Advertised Certificate Authorities list, select the advertised Certificate Authority file for client certificate authentication.
- From the Advertised Certificate Authorities list, select the Certificate Authority that issues the user certificates.
- On the Main tab, click. The Local SP Services screen displays.
- On the menu bar, expand SAML Service Provider and click External IdP Connectors. The External IdP Connectors screen displays.
- On the Main tab, click. The External IdP Connectors screen displays.
- Click. The Create New SAML IdP Connector screen opens.
- Click Create. The Create New SAML SP Service screen opens.
- In the Name field, type a unique name for the SAML SP service.
- In the Entity ID field, type a unique identifier for the service provider. Typically, the entity ID is a URI that points to the BIG-IP virtual server that is going to act as the SAML SP. If the entity ID is not a valid URL, the Host field is required. For example, type https://bigip-sp, where https://bigip-sp points to the virtual server you use for the BIG-IP system as a SAML service provider.
- If the Entity ID field does not contain a valid URI, in the SP Name Settings area, from the Scheme list, select https or http, and in the Host field, type a host name. For example, type siterequest.com in the Host field.
- In the Relay State field, type a value. The value can be an absolute path, such as hr/index.html, or a URI, such as https://www.abc.com/index.html. It is where the service provider redirects users after SAML single sign-on completes.
- For this service provider to request an artifact instead of an assertion from the IdP, from the left pane select Endpoint Settings and, from the Assertion Consumer Service Binding list, select Artifact. POST is the default setting.
- Select a SAML SP service from the list.
- Click Bind/Unbind IdP Connectors. A pop-up screen displays a list of any IdP connectors that are associated with this SP service.
- To add a SAML IdP connector to the list, click Add New Row.
- To bind only one IdP connector with this SP service, complete the configuration:
- Select a connector from the SAML IdP Connectors list in the new row. When you bind only one IdP connector to an SP service, you do not need to fill in the Matching Source and Matching Value fields.
- Click the Update button. The configuration is not saved until you click OK.
- Click OK. APM saves the configuration. The screen closes.
- To bind multiple IdP connectors with this SP service, complete the configuration:
- Select a connector from the SAML IdP Connectors list in the new row.
- In the Matching Source field, select or type the name of a session variable. Use a session variable only if it is populated in the policy before the SAML Auth action. For example, select %{session.server.landinguri} or type %{session.logon.username}.
- In the Matching Value field, type a value. The value can include the asterisk (*) wildcard. For example, type *hibb* or south*.
- Click the Update button. The configuration is not saved until you click OK.
- To add other IdP connectors, start by clicking Add New Row, fill in the new row, and end by clicking Update.
- Click OK. APM saves the configuration. The screen closes.
- From the left pane, select Security Settings. The screen displays the applicable settings.
- If you want this BIG-IP system to send signed authentication requests to the SAML IdP, select Signed Authentication Request. Then select a key and a certificate from those in the BIG-IP system store from the Message Signing Private Key and Message Signing Certificate lists.
- If this BIG-IP system requires signed assertions from the SAML IdP, ensure that the Want Signed Assertion check box remains selected.
- If this BIG-IP system requires encrypted assertions from the SAML IdP, select Want Encrypted Assertion. Then select a key and a certificate from those in the BIG-IP system store from the Assertion Decryption Private Key and Assertion Decryption Certificate lists. The BIG-IP system uses the private key and certificate to decrypt the assertion.
- To configure additional service provider attributes, from the left pane click Advanced. The screen displays the applicable settings.
- To force users to authenticate again even when they have an SSO session at the identity provider, select the Force Authentication check box. This setting is for use when the external IdP supports a force authentication flag.
- To allow the external IdP, when processing requests from this BIG-IP system as SP, to create a new identifier to represent the principal, select the Allow Name-Identifier Creation check box.
- To specify the type of identifier information to use, select a URI reference from the Name-Identifier Policy Format list. For example, if a Service Provider (SP) initiates SSO by sending an AuthnRequest to the IdP with format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, then the IdP response should contain the subject identity in email format.
- To specify that the assertion subject's identifier be returned in the namespace of an SP other than the requester, or in the namespace of a SAML affiliation group of SPs, type a value in the SP Name-Identifier Qualifier field.
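The Assertion Consumer Service Binding choice and the Advanced settings above (Force Authentication, Allow Name-Identifier Creation, Name-Identifier Policy Format, SP Name-Identifier Qualifier) each correspond to an attribute of the SAML 2.0 AuthnRequest that the SP sends. The following Python is an added example, not F5 code, that builds an unsigned AuthnRequest from those settings and reads the settings back out of a captured request; the IdP URL, ACS URL, request ID and timestamp are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assertion Consumer Service Binding choices: POST (the default) or Artifact.
BINDINGS = {"POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "Artifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id, issue_instant,
                        acs_binding="POST", force_authn=False, allow_create=False,
                        nameid_format=None, sp_name_qualifier=None):
    """Unsigned AuthnRequest an SP sends for the given settings (signing is out of scope here)."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": idp_sso_url,  # the IdP single sign-on URL (assumed parameter)
        "ProtocolBinding": BINDINGS[acs_binding],
        "AssertionConsumerServiceURL": acs_url,
    })
    if force_authn:  # Force Authentication check box -> ForceAuthn="true"
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id  # the SP Entity ID
    if nameid_format or sp_name_qualifier or allow_create:
        policy = ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy")
        if nameid_format:       # Name-Identifier Policy Format
            policy.set("Format", nameid_format)
        if sp_name_qualifier:   # SP Name-Identifier Qualifier
            policy.set("SPNameQualifier", sp_name_qualifier)
        if allow_create:        # Allow Name-Identifier Creation
            policy.set("AllowCreate", "true")
    return ET.tostring(req, encoding="unicode")

def request_settings(xml_text):
    """Read the settings back from a captured AuthnRequest (use defusedxml for untrusted input)."""
    root = ET.fromstring(xml_text)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    has_policy = policy is not None
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "force_authn": root.get("ForceAuthn") == "true",
        "binding": root.get("ProtocolBinding"),
        "nameid_format": policy.get("Format") if has_policy else None,
        "allow_create": policy.get("AllowCreate") == "true" if has_policy else False,
        "sp_name_qualifier": policy.get("SPNameQualifier") if has_policy else None,
    }
```

Comparing `request_settings` output for a request captured at the IdP with the GUI settings is a quick way to confirm that the SP service is sending what was configured.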
- On the Main tab, click. A new Machine Account screen opens.
- On the Main tab, click. A list of Exchange profiles displays.
- Click Create. A Create New Exchange Profile popup screen displays general settings.
- In the Exchange Name field, type a name for the Exchange profile.
- From the Parent Profile list, select a profile. The Exchange profile inherits settings from the parent profile that you select. APM supplies a default Exchange profile named exchange.
- From the NTLM Configuration list, select the NTLM Auth configuration to associate with this Exchange profile. This field is required only if you select NTLM or Basic-NTLM as the front-end authentication in any of the service settings.
- Click OK. The screen closes.
- On the Main tab, click. The HTTP servers screen opens.
- On the Main tab, click. The RADIUS servers screen opens.
- From the Authentication tab, select either Client Cert Inspection or On-Demand Cert Auth, and click Add item. Client Cert Inspection checks the result of an SSL handshake request that occurs at the start of an SSL session. On-Demand Cert Auth performs an SSL re-handshake and checks the result. The CRLDP and OCSP Auth actions require certificate information made available by one of these policy items.