Manual Chapter : Common Elements for Single Sign-On for Access Policy Manager

Applies To:

BIG-IP APM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

Service Providers (SPs) that make artifact resolution requests to a SAML Identity Provider (IdP) need the host name and port number for the artifact resolution service (ARS). If you plan to support artifacts and have not yet configured an ARS and specified it in the IdP service, do so now. Otherwise, the exported metadata will not contain the necessary information.
  1. On the Main tab, select Access > Single Sign-On.
    The Single Sign-On screen opens.
  2. From the SSO Configurations by Type menu, choose an SSO type.
    A screen appears, displaying SSO configurations of the type you specified.
  3. On the Main tab, click Access > Single Sign-On > HTTP Basic.
    The HTTP Basic screen opens.
  4. On the Main tab, click Access > Single Sign-On > NTLMV1.
    The NTLMV1 screen opens.
  5. On the Main tab, click Access > Single Sign-On > NTLMV2.
    The NTLMV2 screen opens.
  6. On the Main tab, select Access > Single Sign-On > Form Based.
    The Form Based screen opens.
  7. On the Main tab, click Access > Single Sign-On > Forms - Client Initiated.
    The Forms - Client Initiated screen opens.
  8. On the Main tab, click Access > Single Sign-On > Kerberos.
    The Kerberos screen opens.
  9. In the Available Forms-Client Initiated Configurations area, select a configuration from the list.
    The Edit and Delete buttons become available.
  10. Click Edit.
    The Edit Forms-Client Initiated Configuration popup screen opens.
  11. Click Create.
    The New SSO Configuration screen opens.
  12. In the Name field, type a name for the SSO configuration.
    The maximum length of a single sign-on configuration name is 225 characters, including the partition name.
  13. In the Credentials Source area, specify the credentials that you want cached for Single Sign-On.
  14. In the SSO Method Configuration area, specify the relevant settings.
  15. In the Kerberos Realm field, type the name of the realm in uppercase.
    For example, MY.HOST.LAB.MYNET.COM
  16. In the Account Name field, type the name of the Active Directory account configured for delegation.
    Type the account name in SPN format.
    In this example, HTTP/apm4.my.host.lab.mynet.com@MY.HOST.LAB.MYNET.COM, apm4 is the delegation account, apm4.my.host.lab.mynet.com is its fully qualified domain name, and MY.HOST.LAB.MYNET.COM is the realm.
  17. In the Account Password and Confirm Account Password fields, type the delegation account password.
  18. On the Access Profiles properties screen, in the Configurations area, for the Logout URI Include setting, type a URI and click Add for each URI you want included in the Logout URI Include list.
    This list specifies URIs to include in the access profile for initiating session logout.
  19. On the menu bar, click SSO / Auth Domains and select the applicable SSO configuration from the list.
  20. On the menu bar, click SSO / Auth Domains.
    The screen displays the SSO Across Authentication Domains settings for the access profile you selected.
  21. Click Update.
  22. On the menu bar, click Access to associate the SSO object with the access profile.
    The General Properties screen opens.
  23. From the Assignment tab, select SSO Credential Mapping and click Add Item.
    A properties screen opens.
  24. Click Finished.
  25. Configure the access profile with the appropriate access policy, for example, SSO Credential Mapping.
  26. Specify all relevant parameters.
  27. From the SSO Configuration list, select the configuration that you created for the web application.
  28. On the Main tab, click Access > Federation > SAML Resources.
    The SAML Resources list screen opens.
  29. Click Create.
    The Create New IdP Service popup screen displays.
  30. In the IdP Service Name field, type a unique name for the SAML IdP service.
    The maximum length of a single sign-on configuration name, such as the SAML IdP service name, is 225 characters, including the partition name.
  31. In the IdP Entity ID field, type a unique identifier for the IdP (this BIG-IP system).
    Typically, the ID is a URI that points to the BIG-IP virtual server that is going to act as a SAML IdP. If the entity ID is not a valid URL, the Host field is required.
    For example, type https://siterequest.com/idp, where the path points to the virtual server that the BIG-IP system uses as a SAML IdP.
  32. If the IdP Entity ID field does not contain a valid URI, you must provide one in the IdP Name Settings area:
    1. From the Scheme list, select https or http.
    2. In the Host field, type a host name.
      For example, type siterequest.com in the Host field.
  33. If you select SAML Profiles on the left pane, the Web Browser SSO check box is selected by default.
    At least one profile must be selected.
  34. To specify an artifact resolution service for this IdP, on the left pane select Endpoint Settings and select, or create and select, a service from the Artifact Resolution Service list.
  35. On the left pane, select Assertion Settings and complete the settings that display:
    1. From the Assertion Subject Type list, select the type of subject for the IdP to authenticate.
    2. From the Assertion Subject Value list, select the name of a session variable.
      This variable, %{session.logon.last.username}, is generally applicable. Some session variables are applicable depending on the type of authentication that you use for your site.
    3. In the Authentication Context Class Reference field, select a URI reference.
      The URI reference identifies an authentication context class that describes an authentication context declaration.
    4. In the Assertion Validity (in seconds) field, type the number of seconds for which the assertion is valid.
    5. To encrypt the subject, select the Enable encryption of Subject check box.
      The Encryption Strength list becomes available.
    6. From the Encryption Strength list, select a value.
      Supported values are AES128, AES192, and AES256.
  36. On the left pane, select SAML Attributes, and for each attribute that you want to include in the attribute statement, repeat these substeps.
    1. Click Add.
      A Create New SAML Attribute popup screen displays.
    2. In the Name field, type a unique name for the attribute.
      Usually, the name is a fixed string, but it can be a session variable.
    3. To add a value to the attribute, click Add, type a value in the Value(s) field, and click Update to complete the addition.
      You can use a session variable for the value.
      This example uses a fixed string for the name and a session variable for the value. Name: user_telephonenumber and value: %{session.ad.last.attr.telephoneNumber}.
      You can repeat this step to add multiple values for an attribute.
    4. To encrypt the values, select the Encrypt check box and select a value from the Type list.
      Supported values for type are AES128, AES192, and AES256.
    5. Click OK.
      The Create New SAML Attribute popup screen closes.
  37. On the left pane, select Security Settings.
    1. From the Signing Key list, select the key from the BIG-IP system store.
      None is selected by default.
    2. From the Signing Certificate list, select the certificate from the BIG-IP system store.
      When selected, the IdP (the BIG-IP system) publishes this certificate to the service provider so that the service provider can verify the assertion.
      None is selected by default.
  38. This is a placeholder for substeps.
    1. Click Add.
      An entry field displays in the Values table.
    2. From the Assertion Subject Type list, select Persistent Identifier.
  39. Click OK.
    The popup screen closes. The new IdP service appears on the list.
  40. Select a SAML IdP service from the table and click Export Metadata.
    A popup screen opens, with No selected on the Sign Metadata list.
  41. Select a SAML IdP service from the list.
    A SAML IdP service provides authentication service.
  42. Select a SAML IdP service from the list.
    Select an IdP service that you configured for use with one particular SP connector only.
  43. For APM to sign the metadata, perform these steps:
    1. From the Sign Metadata list, select Yes.
    2. From the Signing Key list, select a key.
      APM uses the key to sign the metadata.
    3. From the Signature Verification Certificate list, select a certificate.
      APM exports the certificate to the metadata file. The system on which you import the metadata file can use the certificate to verify the metadata signature.
  44. Select OK.
    APM downloads an XML file.
  45. On the Main tab, click Access > Federation > SAML Identity Provider.
    The Local IdP Services screen opens.
  46. On the menu bar, expand SAML Identity Provider and click External SP Connectors.
    A list of SAML SP connectors displays.
  47. On the Main tab, click Access > Federation > SAML Identity Provider > External SP Connectors.
    A list of SAML SP connectors displays.
  48. On the menu bar, expand SAML Identity Provider and click Local IdP Services.
    A list of SAML IdP services displays.
  49. Click Bind/Unbind SP Connectors.
    The screen displays a list of available SAML SP connectors.
  50. To add a new SAML SP connector to the list, click the Create SP Connector list and select the way you want to create the connector.
    • Custom: Select this option if you do not have a metadata file, or if a template is not available for the service provider. It requires that you obtain data from the service provider and type it in. If the service provider signs authentication requests, you must obtain and import the certificate into the store on the BIG-IP system.
    • From Metadata: Select this option if you obtained a metadata file from the service provider.
    • From Template: Select this option if you do not have a metadata file for the service provider but the list of templates includes one for the service provider. This method requires that you obtain a small amount of data (detailed in the template) and type it, with the template providing the remainder except for a certificate. If the service provider signs authentication requests, you must obtain the certificate and import it into the BIG-IP system.
    After you select an option, a popup screen displays where you can complete the configuration. The SAML SP connector appears on the list.
  51. Click Create.
    The Create New SAML SP Connector screen opens.
  52. Click OK.
    The popup screen closes.
  53. Click OK.
    The screen closes.
  54. To specify that this IdP use an artifact resolution service, click Endpoint Settings on the left pane and select a service from the Artifact Resolution Service list.
  55. From the Log Setting list, select one of the following options:
    • Select an existing APM log setting.
    • Click Create to create a new log setting.
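The Export Metadata steps above produce the XML file that a service provider imports. This added check (example code, not F5's) parses such an export and reports whether the pieces those steps are meant to produce are present: the entity ID, an ArtifactResolutionService endpoint when artifacts are supported, a published signing certificate, and a metadata signature. The sample metadata, its endpoint location and its certificate value are constructed placeholders.

```python
"""Review an exported SAML IdP metadata file (added example, not F5 code)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like an IdP metadata export. The entity ID reuses the
# manual's example; the SSO location and certificate value are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://siterequest.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://siterequest.com/saml/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def review_idp_metadata(xml_text, expect_artifacts=True):
    """Return a list of findings; an empty list means every checked element is present."""
    root = ET.fromstring(xml_text)
    findings = []
    if not root.get("entityID"):
        findings.append("missing entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return findings + ["no IDPSSODescriptor"]
    if idp.find("md:SingleSignOnService", NS) is None:
        findings.append("no SingleSignOnService endpoint")
    # If no ARS was configured in the IdP service before export, this endpoint is absent.
    if expect_artifacts and idp.find("md:ArtifactResolutionService", NS) is None:
        findings.append("no ArtifactResolutionService endpoint")
    # The SP verifies assertion signatures with the certificate published here.
    signing_keys = [k for k in idp.findall("md:KeyDescriptor", NS)
                    if k.get("use") in (None, "signing")]
    if not any(k.find(".//ds:X509Certificate", NS) is not None for k in signing_keys):
        findings.append("no signing certificate published")
    # Sign Metadata defaults to No; an unsigned export cannot be verified on import.
    if root.find("ds:Signature", NS) is None:
        findings.append("metadata is not signed")
    return findings
```

Against a real export, call `review_idp_metadata(open("idp_metadata.xml").read())` before handing the file to the service provider; an empty list means none of the checked elements is missing.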