Manual Chapter : Common Deployment Examples for Single Sign-On

Applies To:

BIG-IP APM

  • 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

Common use cases for Single Sign-On deployment

You can deploy Single Sign-On in a variety of ways, depending on the needs within your networking environment. Deployment options include the following choices.
Use case deployment type and description:
  • For local traffic pool members: Deploy SSO for local traffic with pool members. The Web Application Access Management for Local Traffic Virtual Servers wizard can be used for this deployment.
  • For web application access over network access: Deploy SSO through a network access tunnel with matching virtual servers enabled on the connectivity interface.
  • For web applications: Deploy SSO so users can access their web applications. You can assign an SSO object as part of the web application resource item, such as a SAML resource or a portal access resource item, or assign the object at the access profile level instead.

Overview: Configuring SSO for web apps over network access

Without single sign-on (SSO) for web applications, remote clients that try to access web services over a network access connection must supply credentials multiple times.
This implementation to support SSO includes a typical network access configuration with a secure connectivity (tunnel) interface. Additional configuration to support SSO is required for each web service.
The configuration for each web service includes a virtual server that is enabled on the tunnel and that specifies a destination address to match the web server. An SSO access profile type is required on the virtual server. An SSO access profile type specifies an SSO configuration; no access policy is associated with this profile type.
It is possible for a matching virtual server for a web application to match a resource specified in a portal access resource item. (Although not required, portal access resources can be assigned to the webtop in the network access configuration.) In this case, SSO configuration must be specified at the access profile level (in the virtual server) and not in the portal access resource item.

Task summary

Configuring a network access resource

Configure a network access resource to provide secure access to corporate applications and data using a standard web browser, or the BIG-IP Edge Client.
  1. On the Main tab, click Access > Connectivity / VPN > Network Access (VPN) > Network Access Lists.
    The Network Access Lists screen opens.
  2. Click the Create button.
    The New Resource screen opens.
  3. In the Name field, type a name for the resource.
  4. To automatically start this network access resource when a client reaches a webtop to which the resource is assigned, select the Auto launch check box.
    When multiple network access resources are assigned to a webtop, Auto launch can be enabled for only one network access resource.
  5. In the Customization Settings for English area, in the Caption field, type a caption.
    The caption appears on the full webtop, and is required.
  6. Click the Finished button.
    The Network Access configuration screen opens, and you can configure the properties for the network access resource.

Configuring network access properties

Configure properties for a network access resource to specify network settings and the optimized applications, hosts, drives, and applications that a remote user can access through the network access resource.
  1. On the Main tab, click Access > Connectivity / VPN > Network Access (VPN) > Network Access Lists.
    The Network Access Lists screen opens.
  2. Click the name to select a network access resource on the Resource List.
    The Network Access editing screen opens.
  3. To configure the network settings for the network access resource, click Network Settings on the menu bar.
  4. To configure DNS and hosts settings for the network access resource, click DNS/Hosts on the menu bar.
  5. To configure the drive mappings for the network access resource, click Drive Mappings on the menu bar.
  6. To configure applications to start for clients that establish a Network Access connection with this resource, click Launch Applications on the menu bar.

Creating a connectivity profile

You create a connectivity profile to configure client connections.
  1. On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.
    A list of connectivity profiles displays.
  2. Click Add.
    The Create New Connectivity Profile popup screen opens and displays General Settings.
  3. Type a Profile Name for the connectivity profile.
  4. Select a Parent Profile from the list.
    APM provides a default profile, connectivity.
  5. Click OK.
    The popup screen closes, and the Connectivity Profile List displays.
The connectivity profile displays in the list.
To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.

Creating an access profile for remote access

You create an access profile to specify any access policy configuration for a virtual server that serves network access, portal access, or application access traffic.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    An access profile name must be unique among all per-session profile and per-request policy names.
  4. From the Profile Type list, select SSL-VPN.
    Selecting this profile type restricts the access policy items displayed in the visual policy editor to those that contribute to a correct remote access configuration.
    Additional fields display set to default values.
  5. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
    This creates an access profile with a default access policy.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Verifying log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Log settings are configured in the Access > Overview > Event Log > Settings area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click Logs.
    The access profile log settings display.
  4. Move log settings between the Available and Selected lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URL request logging only.
    Logging is disabled when the Selected list is empty.
  5. Click Update.
An access profile is in effect when it is assigned to a virtual server.

Adding network access to an access policy

Before you assign a network access resource to an access policy, you must:
  • Create a network access resource.
  • Create an access profile.
  • Define a network access webtop or a full webtop.
When you assign a network access resource to an access policy branch, a user who successfully completed the branch rule (which includes that access policy item) starts a network access tunnel.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile for which you want to edit the access policy.
    The properties screen opens for the profile you want to edit.
  3. On the menu bar, click Access Policy.
  4. In the General Properties area, click the Edit Access Policy for Profile profile_name link.
    The visual policy editor opens the access policy in a separate screen.
  5. Click the (+) icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  6. Select one of the following resource assignment actions and click Add.
    • Resource Assign: Select the Resource Assign action to add a network access resource only. Resource Assign does not allow you to add a webtop or ACLs. If you want to add ACLs, a webtop, or webtop links after you add a Resource Assign action, you can add them with the individual actions ACL Assign and Webtop, Links and Sections Assign. Webtop sections are for use with a full webtop only.
    • Advanced Resource Assign: Select the Advanced Resource Assign action to add network access resources, and optionally add a webtop, webtop links, webtop sections, and one or more ACLs.
  7. Select the resource or resources to add.
    • If you added an Advanced Resource Assign action, on the Resource Assignment screen, click Add New Entry, then click Add/Delete, and select and add resources from the tabs, then click Update.
    • If you added a Resource Assign action, next to Network Access Resources, click Add/Delete.
    If you add a full webtop and multiple network access resources, Auto launch can be enabled for only one network access resource. (With Auto launch enabled, a network access resource starts automatically when the user reaches the webtop.)
  8. Click Save.
  9. Click Apply Access Policy to save your configuration.
A network access tunnel is assigned to the access policy. You may also assign a network access or full webtop. On the full webtop, users can click the link for a network access resource to start the network access tunnel, or a network access tunnel (that is configured with Auto launch enabled) can start automatically.
After you complete the access policy, you must define a connectivity profile. In the virtual server definition, you must select the access policy and connectivity profile.

Configuring a virtual server for network access

Create a virtual server to which the network access associates your access policy.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    The IP address you type must be available and not in the loopback network.
  5. In the Service Port field:
    • If you want to specify a single service port or all ports, confirm that the Port button is selected, and type or select a service port.
    • If you want to specify multiple ports other than all ports, select the Port List button, and confirm that the port list that you previously created appears in the box.
  6. From the Configuration list, select Advanced.
  7. From the HTTP Profile (Client) list, select a previously-created HTTP/2 profile for client-side traffic.
  8. In the Configuration area, specify both SSL Profile (Client) and SSL Profile (Server).
  9. From the Source Address Translation list, select Auto Map.
  10. In the Access Policy area, select the Access Profile you created for remote access.
  11. From the Connectivity Profile list, select the connectivity profile.
  12. Click Finished.

Creating an SSO configuration

Creating an SSO configuration is a necessary first step for supporting single sign-on.
Access Policy Manager (APM) supports several types of SSO configuration. Refer to BIG-IP Access Policy Manager: Single Sign-On Concepts and Configuration in the AskF5 Knowledge Base at http://support.f5.com/kb/en-us.html.
  1. On the Main tab, select Access > Single Sign-On.
    The Single Sign-On screen opens.
  2. Click Create.
    The New SSO Configuration screen opens.
  3. From the SSO Configurations by Type menu, choose an SSO type.
    A screen appears, displaying SSO configurations of the type you specified.
  4. In the Name field, type a name for the SSO configuration.
    The maximum length of a single sign-on configuration is 225 characters, including the partition name.
  5. Specify all relevant parameters.
  6. Click Finished.

Creating an access profile for web app SSO

Before you start, you must create an SSO configuration for the web application for which you want to support single sign-on.
Configure an access profile of type SSO to provide single sign-on over a network access tunnel for a web application.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    An access profile name must be unique among all access profile and any per-request policy names.
  4. From the Profile Type list, select SSO.
  5. From the SSO Configuration list, select the configuration that you created for the web application.
  6. Click Finished.
This creates an access profile for which there is no access policy.

Configuring a virtual server for web app SSO

For each web application, you must have previously created a virtual server with a destination address that matches that of the web server.
Configure settings on the virtual server for each web service that clients access over the network tunnel to eliminate the need for clients to enter credentials multiple times.
The name of the secure connectivity interface on which this virtual server must be enabled is the name of the connectivity profile specified for the virtual server for network access.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Select the virtual server that was previously created for the web service.
    The General Properties screen opens.
  3. Scroll down to the VLAN and Tunnel Traffic setting and select Enabled on.
  4. For the VLANs and Tunnels setting, move the secure connectivity interface to the Selected list.
  5. From the Configuration list, select Advanced, scroll down, and make sure that the Address Translation and Port Translation check boxes are cleared.
  6. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  7. Click Update.
    The users are now able to access this web service without entering credentials multiple times.

About SSO for portal access resources

An SSO configuration can be specified in a portal access resource item or in the access profile through which the portal access resource is assigned in the access policy.
If a portal access resource item and a virtual server that matches the resource populate the same session, an SSO configuration must be specified only once and at the access profile level. The SSO configuration must be specified in the access profile for the matching virtual server and not in the portal access resource item.
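
An added example, not part of the F5 manual: a small audit that checks each web-app virtual server against the settings required in "Configuring a virtual server for web app SSO" and flags portal access resource items that set SSO while a virtual server matches them. The inventory layout, object names, and addresses are constructed for illustration (this is not a BIG-IP export format), and matching is assumed to be by destination address only.

```python
import ipaddress

# Constructed inventory (hypothetical data model, not a BIG-IP export format).
NETWORK_ACCESS_VS = {"name": "vs_vpn", "connectivity_profile": "cp_remote"}
WEB_APP_VS = [
    {"name": "vs_wiki", "destination": "10.20.0.15/32", "enabled_on": ["cp_remote"],
     "address_translation": False, "port_translation": False,
     "access_profile_type": "SSO", "sso_config": "sso_wiki"},
    {"name": "vs_hr", "destination": "10.20.0.30", "enabled_on": ["internal"],
     "address_translation": True, "port_translation": False,
     "access_profile_type": "SSL-VPN", "sso_config": None},
]
PORTAL_ITEMS = [  # hosts assumed already resolved to IP addresses
    {"name": "wiki_item", "host": "10.20.0.15", "sso_config": "sso_wiki_forms"},
    {"name": "mail_item", "host": "10.20.0.99", "sso_config": "sso_mail"},
]

def audit_web_app_vs(vs, tunnel):
    """Check one web-app virtual server against the settings the steps require."""
    findings = []
    if tunnel not in vs["enabled_on"]:
        findings.append("not enabled on secure connectivity interface " + tunnel)
    if vs["address_translation"] or vs["port_translation"]:
        findings.append("Address Translation and Port Translation must be cleared")
    if vs["access_profile_type"] != "SSO" or not vs["sso_config"]:
        findings.append("needs an access profile of type SSO with an SSO configuration")
    return findings

def audit_portal_items(items, servers):
    """Flag resource items that set SSO although a virtual server matches them."""
    conflicts = []
    for item in items:
        addr = ipaddress.ip_address(item["host"])
        for vs in servers:
            # A destination without a prefix parses as /32, as on the BIG-IP system.
            net = ipaddress.ip_network(vs["destination"], strict=False)
            if addr in net and item["sso_config"]:
                conflicts.append((item["name"], vs["name"]))
    return conflicts

def run_audit():
    # The tunnel name is the connectivity profile of the network access virtual server.
    tunnel = NETWORK_ACCESS_VS["connectivity_profile"]
    report = {vs["name"]: audit_web_app_vs(vs, tunnel) for vs in WEB_APP_VS}
    report["portal_conflicts"] = audit_portal_items(PORTAL_ITEMS, WEB_APP_VS)
    return report

if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, findings)
```

In the constructed data, vs_hr fails all three checks and wiki_item is reported because it carries its own SSO configuration while vs_wiki matches the same address.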

Configuring SSO for a portal access resource item

You must have created a portal access resource and added one or more resource items to it. You must have created an SSO configuration.
Add an SSO configuration to a portal access resource item to support SSO at the resource level instead of supporting SSO at the access profile level.
  1. On the Main tab, click Access > Connectivity / VPN > Portal Access > Portal Access Lists.
    The Portal Access List screen opens.
  2. In the Resource Items column, click the link for a resource item.
    A Properties screen for that resource item opens.
  3. In the Resource Item Properties area, from the SSO Configuration list, select an SSO configuration.
    The default value is None.
  4. Click Update.
    The Properties screen refreshes.
To add SSO configurations to additional portal access resource items, repeat these steps.