Manual Chapter :
HTTP and HTTPS Authentication
Applies To:
Show VersionsBIG-IP APM
- 17.1.0
HTTP and HTTPS Authentication
About HTTP AAA server
authentication
An HTTP AAA server directs users to an external web-based server to validate
credentials. Access Policy Manager (APM) supports these HTTP authentication types:
- HTTP basic authentication - Directs users to a URI
- HTTP NTLM authentication - Directs users to a URI
- HTTP form-based authentication - Directs users to a form action URL and provides the specified form parameters
- HTTP custom post - Directs users to a POST URL, a submit URL, or a relative URL and provides the specified content
Use HTTPS
instead of HTTP authentication for improved security, because HTTP authentication passes user
credentials as clear text.
Task summary for HTTP authentication
To set up this configuration, you must first configure one HTTP AAA server that supports the
type of authentication that you want: HTTP Basic/NTLM, form-based, or custom post. After you
configure an HTTP AAA server, you must add an HTTP Auth action to an access policy and specify
the HTTP AAA server that supports the authentication type that you want to use.
Configuring an AAA
server for HTTP Basic/NTLM authentication
You
configure an HTTP AAA server when you want to use Basic/NTLM authentication.
- On the Main tab, click.The HTTP servers screen opens.
- ClickCreate.The New Server properties screen opens.
- In theNamefield, type a unique name for the authentication server.
- ForAuthentication Type, selectBasic/NTLM.
- In theStart URIfield, type the complete URI that returns the logon form.The URI resource must respond with a challenge to a non-authenticated request.
- ClickFinished.The new server displays on the list.
Configuring an HTTP
AAA server for form-based authentication
You
create a form-based HTTP AAA configuration to use HTTP form-based authentication from an access
policy.
- On the Main tab, click.The HTTP servers screen opens.
- ClickCreate.The New Profile screen displays.
- In theNamefield, type a unique name for the authentication server.
- ForAuthentication Type, selectForm Based.
- In theStart URIfield, type a URI, for example,http://plum.tree.lab2.sp.companynet.com/.This resource must respond with a challenge to a non-authenticated request.This field is optional. If you type a URI in this field and you type a relative URL in theForm Actionfield, Access Policy Manager (APM) uses the value of theStart URIas the base URL; APM uses the base URL to resolve the relative URL and produce the final URL for HTTP POST.
- From theForm Methodlist, select eitherGETorPOST.If you specifyGET, the authentication request converts as HTTP GET.
- In theForm Actionfield, type a URL that specifies where to process the form and perform form-based authentication. If you specified aStart URI, you can type a relative URL, otherwise you must type an absolute URL:
- relative URL - When specified, form-based authentication is performed after the URL is resolved using the base URL that is specified in theStart URIfield.
- absolute URL -When specified, form-based authentication is performed at this URL.
- In theForm Parameter For User NameandForm Parameter For Passwordfields, type the parameter name and password used by the form to which you are sending the POST request.
- In theHidden Form Parameters/Valuesfield, type the hidden form parameters required by the authentication server logon form at your location.You must provide hidden form parameters and values if there are any. When present, these values are required by the authentication server logon form at your location.Specify a parameter name, a space, and the parameter value, if any. Start each parameter on a new line. If you use a session variable as a value, format it as shown in this example: %{session.client.platform}.
- In theNumber Of Redirects To Followfield, type how far from the landing page, in pages, the request should travel before failing.
- For theSuccessful Logon Detection Match Typesetting, select the method your authenticating server uses, and type the option definition in theSuccessful Logon Detection Match Valuefield.
- ClickFinished.The new server displays on the list.
Configuring an HTTP
AAA server for custom post authentication
You create a custom post configuration when there is no form and when body encoding is
different from form encoding. (This can happen when POST is generated by JavaScript or
ActiveX.) Using a custom post, you can specify the entire post body and any non-default HTTP
headers.
- On the Main tab, click.The HTTP servers screen opens.
- ClickCreate.The New Profile screen displays.
- In theNamefield, type a unique name for the authentication server.
- For theAuthentication Typesetting, selectCustom Post.
- In theStart URIfield, type in a URL resource, for example,http://plum.tree.lab2.sp.companynet.com/.If you do not specify a Start URI, Access Policy Manager will likely detect that the absolute URI based on the Form Action parameter should be used for HTTP POST. If you specify a Start URI, Access Policy Manager uses both the Start URI and the Form Action parameters as the final URL for HTTP POST.
- In theForm Actionfield, type the POST URL, the submit URL, or a relative URL.
- For theSuccessful Logon Detection Match Typesetting, select the method that the authenticating server uses.
- For theSuccessful Logon Detection Match Value, type a value depending on theSuccessful Logon Detection Match Typethat you selected:
- By Resulting Redirect URL- Specify a URL if you selected this type.
- By Presence of Specific String in Cookie- Specify a single string if you selected this type.With this option, when APM receives a duplicate cookie, it adds it to the existing cookie list. As a result, multiple cookies with the same name, domain, and path can exist and can be searched.
- By Presence of Cookie That Exactly Matches- Specify the exact key fields (name, path, and domain) that are present in the HTTP response cookie if you select this type. Failure to supply the exact number of keys and the exact values for the HTTP response cookie results in aNo matching cookie founderror.This option supports cookie merge functionality. When APM receives a cookie that has the same name, domain, and path as an existing cookie, it merges it into the existing cookie.
- By Specific String in Response- Specify a string if you select this option.
- In theNumber Of Redirects To Followfield, type how far from the landing page, in pages, the request should travel before failing.
- From theContent Typelist, select an encoding for the HTTP custom post.The default setting isXML UTF-8.If you selectNone, you must add a header in theCustom Headerssetting and you must apply your own encoding through an iRule.
- In theCustom Bodyfield, specify the body for the HTTP custom post.
- ForCustom Headers, specify names and values for header content to insert in the HTTP custom post.
- ClickFinished.The new server displays on the list.
This
creates an HTTP AAA server that provides a custom post for authentication.
To
put this authentication into effect, add this AAA server to an HTTP Auth action in an access
policy.
Create an access profile
You create an access profile to provide the access policy configuration for a
virtual server that establishes a secured session.
- On the Main tab, click.The Access Profiles (Per-Session Policies) screen displays.
- ClickCreate.The New Profile screen displays.
- In theNamefield, type a unique name for the access profile.
- From theProfile Typelist, select one these options:
- ALL: Select to support LTM-APM and SSL-VPN access types.
- LTM-APM: Select for a web access management configuration.
- OAuth-Resource Server: For configuring APM to act as an OAuth resource server that provides an OAuth authorization layer into an API gateway.
- RDG-RAP: Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
- SSL-VPN: Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
- SSO: Select to configure matching virtual servers for Single Sign-On (SSO).No access policy is associated with this type of access profile
- SWG - Transparent: Select to configure access using Secure Web Gateway transparent forward proxy.
- SWG - Explicit: Select to configure access using Secure Web Gateway explicit forward proxy.
- System Authentication: Select to configure administrator access to the BIG-IP system (when using APM as a pluggable authentication module).
- Identity Service: Used internally to provide identity service for a supported integration. Only APM creates this type of profile.You can edit Identity Service profile properties.
Depending on licensing, you might not see all of these profile types.Additional settings display. - From theProfile Scopelist, select one these options to define user scope:
- Profile: Access to resources behind the profile.
- Virtual Server: Access to resources behind the virtual server.
- Global: Access to resources behind any access profile with global scope.
- Named: Access for SSL Orchestrator users to resources behind any access profile with global scope.
- Public: Access to resources that are behind the same access profile when the Named scope has configured the session and is checked based on the value and string configured in the Named scope field.
- For theCustomization Type, use the default valueModern.
- In the Language Settings area, add and remove accepted languages, and set the default language.If any browser language does not match with the accepted languages list, the browser uses the default language.
- ClickFinished.
The access
profile displays in the Access Profiles List. Default-log-setting is assigned to the
access profile.
Verify log settings for the access profile
Confirm that the correct log settings are selected
for the access profile to ensure that events are logged as you intend.
Log settings are configured in the
area of the product. They enable and disable logging for access
system and URL request filtering events. Log settings also specify log publishers
that send log messages to specified destinations. - On the Main tab, click.The Access Profiles (Per-Session Policies) screen displays.
- Click the name of the access profile that you want to edit.The properties screen opens.
- On the menu bar, clickLogs.The access profile log settings display.
- Move log settings between theAvailableandSelectedlists.You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.Logging is disabled when theSelectedlist is empty.
- ClickUpdate.
An access profile is in effect when it is assigned to a virtual server.
Using HTTP authentication in an access policy
Before you can set up an access policy to use HTTP authentication, you must have at least
one HTTP AAA server configured.
You configure an access policy with an HTTP Auth action when you want users to
authenticate using one of the HTTP authentication types that Access Policy
Manager (APM) supports: Basic, NTLM, form-based, or custom.
- On the Main tab, click.The Access Profiles (Per-Session Policies) screen displays.
- In the Per-Session Policy column, click theEditlink for the access profile you want to configure.The visual policy editor opens the access policy in a separate screen.
- Click the(+)icon anywhere in the access policy to add a new item.Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- On the Logon tab, selectLogon Pageand click theAdd Itembutton.The Logon Page Agent properties screen opens.
- Make any changes that you require to the logon page properties and clickSave.The properties screen closes and the policy displays.
- Click the(+)icon anywhere in the access policy to add a new item.Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- On the Authentication tab, selectHTTP Authand clickAdd item.A properties popup screen opens.
- From theAAA Serverlist, select the AAA HTTP server you want to use for authentication.
- Add any other branches and actions that you need to complete the policy.
- ClickSave.The properties screen closes and the policy displays.
- ClickApply Access Policyto save your configuration.
This adds an HTTP AAA authentication server to the access policy.
To
apply this access policy to network traffic, add the access profile to a virtual
server.
To ensure
that logging is configured to meet your requirements, verify the log settings for
the access profile.
Creating a virtual
server for an access policy
When creating a virtual server for an access policy, specify an IP address for a single
host as the destination address.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- For theDestination Address/Masksetting, confirm that theHostbutton is selected, and type the IP address in CIDR format.The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is10.0.0.1or10.0.0.0/24, and an IPv6 address/prefix isffe1::0020/64or2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a/32prefix.The IP address you type must be available and not in the loopback network.
- In theService Portfield:
- If you want to specify a single service port or all ports, confirm that thePortbutton is selected, and type or select a service port.
- If you want to specify multiple ports other than all ports, select thePort Listbutton, and confirm that the port list that you previously created appears in the box.
- From theHTTP Profile (Client)list, select a previously-created HTTP/2 profile for client-side traffic.
- If you use server SSL for this connection, from theSSL Profile (Server)list, select a server SSL profile.
- If you use client SSL for this profile, from theSSL Profile (Client)list, select a client SSL profile.
- In the Access Policy area, from theAccess Profilelist, select the access profile that you configured earlier.
- From theConnectivity Profilelist, select a connectivity profile.You can select the default connectivity profile,connectivityif you have not defined a specific profile for the traffic that is directed to this virtual server.
- ClickFinished.
Overview: Configuring HTTPS authentication
You can configure HTTP AAA authentication to use server-side SSL (HTTPS). To set up this
configuration, you must first configure one HTTP AAA server that supports the type of
authentication that you want to use: HTTP Basic/NTLM, form-based, or custom post.
HTTP AAA server configuration notes
Configure the HTTP AAA server so that
in the Start URI
or Form Action
field you use: - The http scheme (not https)
- The host name of the external HTTP server (rather than the IP address)
http://plumtree.lab2.sp.companynet.com
. Virtual server configuration notes
Configure the virtual server to use
the host name of the external HTTP server; this is the same host name as used in the HTTP AAA
server configuration.
Set the
Destination
field to use the host name of the external HTTP server. For example:
companynet.com
(and set the Service Port
to
HTTP). DNS configuration notes
The DNS configuration on the BIG-IP system must send traffic to the
virtual server instead of the external HTTP server.
This implementation does not explain how to
configure DNS.
Task summary
Before you start these tasks, configure an HTTP AAA server.
Creating a pool for HTTPS authentication
You create a pool (HTTPS) so that you can assign it to a virtual server (HTTP) that
accepts HTTP traffic and provides server-side SSL using this pool.
- On the Main tab, click.The Pool List screen opens.
- ClickCreate.The New Pool screen opens.
- In theNamefield, type a unique name for the pool.
- Scroll down to the Resources area.
- In theNew Members Addressfield, type an IP address.
- From theService Portlist, selectHTTPS.
- ClickAdd.
- ClickFinished.
Creating a virtual server for HTTPS authentication
You create a virtual server that accepts HTTP traffic, encrypts it (using a server
SSL profile), and passes it to an HTTPS server to provide secure communication between
the BIG-IP system and an external HTTP authentication server.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- In theDestination Addressfield, type the IP address of the external HTTP server.
- From theService Portlist, selectHTTP.
- From theSSL Profile (Server)list, select a profile.This ensures that there is an SSL connection between the HTTP virtual server and the external HTTPS server.
- From theVLAN and Tunnel Trafficlist, selectEnabled on...
- From theSource Address Translationlist, selectAuto Map.
- Scroll all the way down to the Resources area and from theDefault Poollist, select the pool you configured previously.The pool must contain a member configured for HTTPS.
- ClickFinished.
Create an access profile
You create an access profile to provide the access policy configuration for a
virtual server that establishes a secured session.
- On the Main tab, click.The Access Profiles (Per-Session Policies) screen displays.
- ClickCreate.The New Profile screen displays.
- In theNamefield, type a unique name for the access profile.
- From theProfile Typelist, select one these options:
- ALL: Select to support LTM-APM and SSL-VPN access types.
- LTM-APM: Select for a web access management configuration.
- OAuth-Resource Server: For configuring APM to act as an OAuth resource server that provides an OAuth authorization layer into an API gateway.
- RDG-RAP: Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
- SSL-VPN: Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
- SSO: Select to configure matching virtual servers for Single Sign-On (SSO).No access policy is associated with this type of access profile
- SWG - Transparent: Select to configure access using Secure Web Gateway transparent forward proxy.
- SWG - Explicit: Select to configure access using Secure Web Gateway explicit forward proxy.
- System Authentication: Select to configure administrator access to the BIG-IP system (when using APM as a pluggable authentication module).
- Identity Service: Used internally to provide identity service for a supported integration. Only APM creates this type of profile.You can edit Identity Service profile properties.
Depending on licensing, you might not see all of these profile types.Additional settings display. - From theProfile Scopelist, select one these options to define user scope:
- Profile: Access to resources behind the profile.
- Virtual Server: Access to resources behind the virtual server.
- Global: Access to resources behind any access profile with global scope.
- Named: Access for SSL Orchestrator users to resources behind any access profile with global scope.
- Public: Access to resources that are behind the same access profile when the Named scope has configured the session and is checked based on the value and string configured in the Named scope field.
- For theCustomization Type, use the default valueModern.
- In the Language Settings area, add and remove accepted languages, and set the default language.If any browser language does not match with the accepted languages list, the browser uses the default language.
- ClickFinished.
The access
profile displays in the Access Profiles List. Default-log-setting is assigned to the
access profile.
Verify log settings for the access profile
Confirm that the correct log settings are selected
for the access profile to ensure that events are logged as you intend.
Log settings are configured in the
area of the product. They enable and disable logging for access
system and URL request filtering events. Log settings also specify log publishers
that send log messages to specified destinations. - On the Main tab, click.The Access Profiles (Per-Session Policies) screen displays.
- Click the name of the access profile that you want to edit.The properties screen opens.
- On the menu bar, clickLogs.The access profile log settings display.
- Move log settings between theAvailableandSelectedlists.You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.Logging is disabled when theSelectedlist is empty.
- ClickUpdate.
An access profile is in effect when it is assigned to a virtual server.
Using HTTP authentication in an access policy
Before you can set up an access policy to use HTTP authentication, you must have at least
one HTTP AAA server configured.
You configure an access policy with an HTTP Auth action when you want users to
authenticate using one of the HTTP authentication types that Access Policy
Manager (APM) supports: Basic, NTLM, form-based, or custom.
- On the Main tab, click.The Access Profiles (Per-Session Policies) screen displays.
- In the Per-Session Policy column, click theEditlink for the access profile you want to configure.The visual policy editor opens the access policy in a separate screen.
- Click the(+)icon anywhere in the access policy to add a new item.Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- On the Logon tab, selectLogon Pageand click theAdd Itembutton.The Logon Page Agent properties screen opens.
- Make any changes that you require to the logon page properties and clickSave.The properties screen closes and the policy displays.
- Click the(+)icon anywhere in the access policy to add a new item.Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- On the Authentication tab, selectHTTP Authand clickAdd item.A properties popup screen opens.
- From theAAA Serverlist, select the AAA HTTP server you want to use for authentication.
- Add any other branches and actions that you need to complete the policy.
- ClickSave.The properties screen closes and the policy displays.
- ClickApply Access Policyto save your configuration.
This adds an HTTP AAA authentication server to the access policy.
To
apply this access policy to network traffic, add the access profile to a virtual
server.
To ensure
that logging is configured to meet your requirements, verify the log settings for
the access profile.
Adding the access
profile to the virtual server
You associate the access profile with the virtual
server so that the system can apply the profile to incoming traffic.
- On the Main tab, click.The Virtual Server List screen opens.
- Click the name of the virtual server you want to modify.
- In the Access Policy area, from theAccess Profilelist, select the access profile that you configured earlier.
- ClickUpdateto save the changes.