Manual Chapter : Ephemeral authentication workflow

Applies To:



  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

Ephemeral authentication workflow

Here is an example of how ephemeral authentication works when the BIG-IP system is configured to authenticate users to backend resources through RADIUS and/or LDAP with WebSSH.
  1. The user logs in to the APM virtual server using a smartcard or another credential. (The APM virtual server is the one that acts as the ephemeral authentication server; the APM access profile and access policy are configured on it.)
  2. The APM access policy checks the supplied credentials, retrieves the user's AD/LDAP group membership, and returns a webtop listing the backend resources the user may access.
  3. When the user clicks a resource, APM generates a random ephemeral password and stores it together with the username. Only this ephemeral password, never the user's primary credential, is passed on to the backend.
  4. Using SSO, APM signs the user on to the WebSSH virtual server with the ephemeral credentials. (Portal Access can be used at this point instead of WebSSH.)
  5. WebSSH opens an SSH (or HTTPS) connection to the router or server, still presenting the ephemeral credentials.
  6. The router or server sends an authentication request to the RADIUS or LDAP virtual server on the BIG-IP system.
  7. The RADIUS or LDAP virtual server checks the ephemeral password against the one APM stored in step 3.
  8. The RADIUS or LDAP virtual server returns a Success or Failure response.
  9. The SSH (or HTTPS) session is established or denied accordingly.
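To make the exchange concrete, here is an added Python model of steps 3 through 9. It is illustrative code written for this page, not F5's implementation and not any BIG-IP API. It assumes that an ephemeral password is random, expires after a short TTL, and is accepted exactly once; the class names, the `ttl_seconds` parameter, and the sample user `alice` are made up for the example.

```python
# Toy model of the ephemeral authentication workflow above (added example,
# not BIG-IP code). Assumptions: the ephemeral password is random, lives only
# for a short TTL, is accepted once, and is checked on the same system that
# minted it, so the backend router never sees the user's primary credential.
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class EphemeralCredential:
    username: str
    password: str
    expires_at: float
    used: bool = False


class EphemeralStore:
    """Credential table shared by the APM side and the RADIUS/LDAP side.

    Both roles run on the same BIG-IP in the described deployment, which is
    why the verifier can look up what APM issued. `clock` is injectable so
    expiry can be tested without sleeping.
    """

    def __init__(self, ttl_seconds=60.0, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self.creds = {}  # username -> EphemeralCredential


class ApmEphemeralIssuer:
    """Steps 3-4: mint an ephemeral password when the user clicks a resource."""

    def __init__(self, store):
        self.store = store

    def issue(self, username):
        # 24 random bytes (about 190 bits); not derived from the smartcard PIN
        # or any other primary credential, so leaking it reveals nothing else.
        password = secrets.token_urlsafe(24)
        self.store.creds[username] = EphemeralCredential(
            username, password, self.store.clock() + self.store.ttl
        )
        return username, password


class EphemeralAuthVirtualServer:
    """Steps 6-8: the RADIUS/LDAP virtual server verifying the password."""

    def __init__(self, store):
        self.store = store

    def verify(self, username, password):
        cred = self.store.creds.get(username)
        if cred is None:
            return "Failure"
        if cred.used or self.store.clock() > cred.expires_at:
            # Replayed or expired: drop the record so it cannot be retried.
            del self.store.creds[username]
            return "Failure"
        if not hmac.compare_digest(cred.password.encode(), password.encode()):
            # Wrong password: keep the record so a typo does not force a
            # fresh webtop click; nothing is consumed.
            return "Failure"
        cred.used = True  # single use: a sniffed password cannot be replayed
        return "Success"


class BackendRouter:
    """Steps 5, 6 and 9: the SSH/HTTPS target that defers to the virtual server."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def connect(self, username, password):
        # The router only relays the ephemeral password to the virtual
        # server; it holds no password database of its own.
        if self.auth_server.verify(username, password) == "Success":
            return "established"
        return "denied"


def run_workflow(ttl_seconds=60.0, clock=time.monotonic):
    """Walk one user through steps 3-9 and return each outcome."""
    store = EphemeralStore(ttl_seconds, clock)
    apm = ApmEphemeralIssuer(store)
    router = BackendRouter(EphemeralAuthVirtualServer(store))
    user, pw = apm.issue("alice")      # step 3: resource clicked on the webtop
    first = router.connect(user, pw)   # steps 5-9 with the live password
    replay = router.connect(user, pw)  # the same password presented again
    return {"first": first, "replay": replay}


if __name__ == "__main__":
    print(run_workflow())  # {'first': 'established', 'replay': 'denied'}
```

The point the model makes is the one the workflow relies on: the router has nothing to verify locally, so a compromised backend yields only a short-lived, single-use string, and the smartcard credential from step 1 never leaves the BIG-IP system.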