Manual Chapter: Common Elements for Single Sign-On for Access Policy Manager
Applies To: BIG-IP APM
- 15.0.1, 15.0.0
Service Providers (SPs) that make artifact
resolution requests to a SAML Identity Provider (IdP) need the host name and port
number for the artifact resolution service (ARS). If you plan to support artifacts
and have not yet configured an ARS and specified it in the IdP service, do so now.
Otherwise, the exported metadata will not contain the necessary information.
- On the Main tab, select. The Single Sign-On screen opens.
- From the SSO Configurations by Type menu, choose an SSO type. A screen appears, displaying SSO configurations of the type you specified.
- On the Main tab, click. The HTTP Basic screen opens.
- On the Main tab, click. The NTLMV1 screen opens.
- On the Main tab, click. The NTLMV2 screen opens.
- On the Main tab, select. The Form Based screen opens.
- On the Main tab, click. The Forms - Client Initiated screen opens.
- On the Main tab, click. The Kerberos screen opens.
- In the Available Forms-Client Initiated Configurations area, select a configuration from the list. The Edit and Delete buttons become available.
- Click Edit. The Edit Forms-Client Initiated Configuration popup screen opens.
- Click Create. The New SSO Configuration screen opens.
- In the Name field, type a name for the SSO configuration. The maximum length of a single sign-on configuration name is 225 characters, including the partition name.
- In the Credentials Source area, specify the credentials that you want cached for Single Sign-On.
- In the SSO Method Configuration area, specify the relevant settings.
- In the Kerberos Realm field, type the name of the realm in uppercase. For example, MY.HOST.LAB.MYNET.COM.
- In the Account Name field, type the name of the Active Directory account configured for delegation. Type the account name in SPN format. In this example, HTTP/apm4.my.host.lab.mynet.com@MY.HOST.LAB.MYNET.COM, apm4 is the delegation account, apm4.my.host.lab.mynet.com is its fully qualified domain name, and MY.HOST.LAB.MYNET.COM is the realm.
- In the Account Password and Confirm Account Password fields, type the delegation account password.
- On the Access Profiles properties screen in the Configurations area, for the Logout URI Include setting, type a URI, and click Add for each URI you want included in the Logout URI Include list. This list specifies URIs to include in the access profile for initiating session logout.
- On the menu bar, click SSO / Auth Domains and select the applicable SSO configuration from the list.
- On the menu bar, click SSO / Auth Domains. The screen displays the SSO Across Authentication Domains settings for the access profile you selected.
- Click Update.
- On the menu bar, click Access to associate the SSO object with the access profile. The General Properties screen opens.
- From the Assignment tab, select SSO Credential Mapping and click Add Item. A properties screen opens.
- Click Finished.
- Configure the access profile with the appropriate access policy, for example, SSO Credential Mapping.
- Specify all relevant parameters.
- From the SSO Configuration list, select the configuration that you created for the web application.
- On the Main tab, click. The SAML Resources list screen opens.
- Click Create. The Create New IdP Service popup screen displays.
- In the IdP Service Name field, type a unique name for the SAML IdP service. The maximum length of a single sign-on configuration name, such as the SAML IdP service name, is 225 characters, including the partition name.
- In the IdP Entity ID field, type a unique identifier for the IdP (this BIG-IP system). Typically, the ID is a URI that points to the BIG-IP virtual server that is going to act as a SAML IdP. If the entity ID is not a valid URL, the Host field is required. For example, type https://siterequest.com/idp, where the path points to the virtual server you use for the BIG-IP system as a SAML IdP.
- If the IdP Entity ID field does not contain a valid URI, you must provide one in the IdP Name Settings area:
- From the Scheme list, select https or http.
- In the Host field, type a host name. For example, type siterequest.com in the Host field.
- If you select SAML Profiles on the left pane, the Web Browser SSO check box is selected by default. At least one profile must be selected.
- To specify an artifact resolution service for this IdP, on the left pane select Endpoint Settings and select, or create and select, a service from the Artifact Resolution Service list.
- On the left pane, select Assertion Settings and complete the settings that display:
- From the Assertion Subject Type list, select the type of subject for the IdP to authenticate.
- From the Assertion Subject Value list, select the name of a session variable. This variable, %{session.logon.last.username}, is generally applicable. Some session variables are applicable depending on the type of authentication that you use for your site.
- In the Authentication Context Class Reference field, select a URI reference. The URI reference identifies an authentication context class that describes an authentication context declaration.
- In the Assertion Validity (in seconds) field, type the number of seconds for which the assertion is valid.
- To encrypt the subject, select the Enable encryption of Subject check box. The Encryption Strength list becomes available.
- From the Encryption Strength list, select a value. Supported values are AES128, AES192, and AES256.
- On the left pane, select SAML Attributes, and for each attribute that you want to include in the attribute statement, repeat these substeps.
- Click Add. A Create New SAML Attribute popup screen displays.
- In the Name field, type a unique name for the attribute. Usually, the name is a fixed string, but it can be a session variable.
- To add a value to the attribute, click Add, type a value in the Value(s) field, and click Update to complete the addition. You can use a session variable for the value. This example shows using a fixed string for the name and a session variable for the value. Name: user_telephonenumber and value: %{session.ad.last.attr.telephoneNumber}. You can repeat this step to add multiple values for an attribute.
- To encrypt the values, select the Encrypt check box and select a value from the Type list. Supported values for type are AES128, AES192, and AES256.
- Click OK. The Create New SAML Attribute popup screen closes.
- On the left pane, select Security Settings.
- From the Signing Key list, select the key from the BIG-IP system store. None is selected by default.
- From the Signing Certificate list, select the certificate from the BIG-IP system store. When selected, the IdP (the BIG-IP system) publishes this certificate to the service provider so that the service provider can verify the assertion. None is selected by default.
- Click Add. An entry field displays in the Values table.
- From the Assertion Subject Type list, select Persistent Identifier.
- Click OK. The popup screen closes. The new IdP service appears on the list.
- Select a SAML IdP service from the table and click Export Metadata. A popup screen opens, with No selected on the Sign Metadata list.
- Select a SAML IdP service from the list. A SAML IdP service provides authentication service.
- Select a SAML IdP service from the list. Select an IdP service that you configured for use with one particular SP connector only.
- For APM to sign the metadata, perform these steps:
- From the Sign Metadata list, select Yes.
- From the Signing Key list, select a key. APM uses the key to sign the metadata.
- From the Signature Verification Certificate list, select a certificate. APM exports the certificate to the metadata file. The system on which you import the metadata file can use the certificate to verify the metadata signature.
- Select OK. APM downloads an XML file.
- On the Main tab, click. The Local IdP Services screen opens.
- On the menu bar, expand SAML Identity Provider and click External SP Connectors. A list of SAML SP connectors displays.
- On the Main tab, click. A list of SAML SP connectors displays.
- On the menu bar, expand SAML Identity Provider and click Local IdP Services. A list of SAML IdP services displays.
- Click Bind/Unbind SP Connectors. The screen displays a list of available SAML SP connectors.
- To add a new SAML SP connector to the list, click the Create SP Connector list and select the way you want to create the connector.
- Custom: Select this option if you do not have a metadata file, or if a template is not available for the service provider. It requires that you obtain data from the service provider and type it in. If the service provider signs authentication requests, you must obtain and import the certificate into the store on the BIG-IP system.
- From Metadata: Select this option if you obtained a metadata file from the service provider.
- From Template: Select this option if you do not have a metadata file for the service provider but the list of templates includes one for the service provider. This method requires that you obtain a small amount of data (detailed in the template) and type it, with the template providing the remainder except for a certificate. If the service provider signs authentication requests, you must obtain the certificate and import it into the BIG-IP system.
After you select an option, a popup screen displays where you can complete the configuration. The SAML SP connector appears on the list.
- Click Create. The Create New SAML SP Connector screen opens.
- Click OK. The popup screen closes.
- Click OK. The screen closes.
- To specify that this IdP use an artifact resolution service, click Endpoint Settings on the left pane and select a service from the Artifact Resolution Service list.
- From the Log Setting list, select one of the following options:
- Select an existing APM log setting.
- Click Create to create a new log setting.
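The note at the top of this chapter warns that an IdP service exported before its artifact resolution service is configured produces metadata that SPs cannot use for artifact resolution, and the Export Metadata steps describe the signing certificate APM places in the file. As an added example (not F5 code), this Python script parses a constructed sample of exported IdP metadata and reports whether the ArtifactResolutionService endpoint, a published signing certificate and a metadata signature are present; the entity ID follows the page's siterequest.com example, while the endpoint paths and certificate value are placeholders.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces (standard URIs).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of an exported IdP metadata file. The entity ID is the
# page's example; the ARS/SSO paths and the certificate value are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://siterequest.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER_CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://siterequest.com:443/saml/idp/ars"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://siterequest.com/saml/idp/profile/post/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> dict:
    """Summarise what an SP operator needs from exported IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Host name and port for artifact resolution live in the Location attribute.
    ars = [e.get("Location") for e in idp.findall("md:ArtifactResolutionService", NS)]
    # Certificate published under a signing KeyDescriptor is what the SP uses
    # to verify assertions (the Signing Certificate setting on the page).
    signing_certs = idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "artifact_resolution": ars,  # empty means SPs cannot resolve artifacts
        "publishes_signing_cert": len(signing_certs) > 0,
        # Present only when the export was done with Sign Metadata set to Yes.
        "metadata_is_signed": root.find("ds:Signature", NS) is not None,
    }


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA))
```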