Manual Chapter : Creating a per-session policy for the SAML step-up authentication example

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.0.1, 15.0.0
Manual Chapter

Creating a per-session policy for the SAML step-up authentication example

Here you create the per-session policy that is used for the SAML step-up authentication example. The per-session policy presents a logon page and uses Active Directory to authenticate users attempting to access resources behind a virtual server.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
  2. Click
    Create
    to create a per-session policy:
    1. Call it
      example_com
      .
    2. Set
      Profile Type
      to
      LTM-APM
      .
    3. Set
      Profile Scope
      to
      Profile
      .
    4. Select the accepted languages.
    5. Click
      Finished
      .
    The policy is listed in the Access Profiles (Per-Session Policies) list.
  3. In the Per-Session Policy column of the example.com policy, click
    Edit
    .
    The visual policy editor opens the per-session policy in a separate screen.
  4. In the policy, click
    (+)
    to add an item.
  5. From the Logon tab, select
    Logon Page
    then
    Add Item
    .
  6. Use default values for the Logon Page or customize it, then click
    Save
    .
    Click
    Help
    for details on the fields.
  7. On the right of the Logon Page, click
    (+)
    and from the Authentication tab, select
    AD Auth
    then
    Add Item
    .
  8. In the popup, for
    Server
    , select the previously configured Active Directory server, use the default values for the rest of the fields, and click
    Save
    .
  9. In the policy, click one of the Deny endings and change it to
    Allow
    .
You created a per-session policy that authenticates users at the edge of the network with a login page and active directory authentication. The per-session policy you created looks like this:
Next, create the per-request policy where the system performs additional, SAML step-up authentication on requests for sensitive information.