Manual Chapter :
Single Sign-On
Applies To:
Show VersionsBIG-IQ Centralized Management
- 7.1.0
Single Sign-On
About single sign-on profiles
Access Policy Manager provides a Single Sign-On (SSO) feature that leverages the credential caching and credential proxying technology.
Credential caching and proxying
is a two-phase security approach that asks users to enter their credentials once to access their secured web applications. By leveraging this technology, users request access to the secured back-end web server. After that occurs, Access Policy Manager creates a user session and collects the user identity based on the access policy. When the access policy completes successfully, the user identity is saved (cached) in a session database. Access Policy Manager subsequently reuses the cached identity to seamlessly log the user into the secured web applications, thus providing the user with a single sign-on experience.The Single Sign-On (SSO) feature provides the following benefits:
- Eliminates the need to administer and maintain multiple user logins
- Eliminates the need for users to enter their credentials multiple times.
What are the supported SSO methods?
BIG-IQ Centralized Management supports the following Single Sign-On (SSO) authentication methods.
SSO method | Description |
---|---|
HTTP Basic | BIG-IQ uses the cached user identity and sends the request with the authorization header. This header contains the token Basic and the base64-encoded for the user name, colon, and the password. |
HTTP Forms | Upon detection of the start URL match, BIG-IQ uses the cached user identity to construct and send the HTTP form-based post request on behalf of the user. |
HTTP Forms - Client Initiated | Upon detection of the request for logon page (URI, header, or cookie that is configured for matching the request), BIG-IQ generates JavaScript code, inserts it into the logon page and returns the logon page to the client, where it is automatically submitted by inserted JavaScript. BIG-IQ processes the submission and uses the cached user identity to construct and send the HTTP form-based post request on behalf of the user. |
HTTP NTLM Auth v1 | NTLM employs a challenge-response mechanism for authentication, where the users can prove their identities without sending a password to the server. |
HTTP NTLM Auth v2 | NTLM employs a challenge-response mechanism for authentication, where the users can prove their identities without sending a password to the server. This version of NTLM is an updated version from NTLM v1. |
Kerberos | This provides transparent authentication of users to Windows Web application servers (IIS) joined to Active Directory domain. It is used when IIS servers request Kerberos authentication; this SSO mechanism allows the user to get a Kerberos ticket and have BIG-IQ present it transparently to the IIS application. |
OAuth bearer | You can create an OAuth bearer SSO configuration to allow single-sign on using an OAuth token that BIG-IQ has received or validated from an external OAuth authorization server. |
Create an HTTP Basic SSO configuration
With the HTTP Basic method of authentication, the SSO plug-in uses the cached user identity and sends the request with the authorization header. This header contains the Basic token and the base64-encoding of the user name, colon, and the password.
- At the top of the screen, selectConfiguration, then on the left side of the screen, click .
- Click the name of an Access group.A new screen displays the group's properties.
- ExpandSINGLE SIGN-ONand clickHTTP Basic.
- This screen displays the HTTP Basic SSO configurations in the working configuration for the Access group.
- To create an SSO object, click theCreatebutton.
- To delete an SSO object, select the check box next to the object and click the Delete button.
- ClickCreate.A new SSO configuration screen will open.
- From theGeneral Propertiesdrop down list, selectBasicorAdvanced.
- Enter aNamefor this SSO configuration. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
- Enter aPartition. The default isCommon. You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in theCommonpartition, all users can access it.
- ForHeaders, in theNameandValuefields, type a header name-value pair to send with the SSO method.
- From theLog Settingsdrop down list, select the log setting created from event logs. This field is available for configuration for Access Groups running BIG-IP version 13.0 and later.
- InUsername Source, type user name you want cached for single sign-on.
- InPassword Source, type the password you want cached for single sign-on.
- ForUsername Conversion, click the check box to convert the PREWIN2k/UPN user name input format to the format you want to use for SSO.For example, convertdomain\usernameorusername@domaintousername.
- You can view theEphemeral Authenticationfield for Access Groups managing devices running BIG-IP version 15.1 and later. Select the drop down menu to view theAuthentication Configurationassociated with this HTTP Basic SSO configuration. Please configure Privileged User Access with Ephemeral Authentication (temporary passwords) on a source BIG-IP device, then re-import the changes to BIG-IQ to deploy them to your target devices. Refer to the BIG-IP documentation on support.f5.com to learn more about creating Ephemeral Authentication configurations.
- ClickSave & Close.
The HTTP basic SSO object will display in the HTTP Basic SSO list.
Create an NTLMV1 SSO configuration
You configure NTLM authentication to employ a challenge-response mechanism for authentication, where the users can prove their identities without sending a password to a server.
- At the top of the screen, selectConfiguration, then on the left side of the screen, click .
- Click the name of an Access group.A new screen displays the group's properties.
- ExpandSINGLE SIGN-ONand clickNTLMV1.
- This screen displays the NTLMV1 SSO configurations in the working configuration for the Access group.
- To create an SSO object, click theCreatebutton.
- To delete an SSO object, select the check box next to the object and click the Delete button.
- ClickCreate.A new SSO configuration screen will open.
- From theGeneral Settingslist, selectBasicorAdvanced.
- Enter aNamefor this SSO configuration. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
- Enter aPartition. The default isCommon. You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in theCommonpartition, all users can access it.
- ForHeaders, type a header name-value pair to send with the SSO method.
- ForLog Settings, select the log setting created from event logs.
- ForUsername Source, type the user name you want cached for single sign-on.
- ForPassword Source, type the password you want cached for single sign-on.
- To convert the PREWIN2k/UPN user name input format to the format you want to use for SSO, select theUsername Conversioncheck box.
- Type the location of theNTLM Domainwhere all users and groups are authenticated.
- To save your changes, click theSave & Closebutton at the bottom of the screen.
The NTLMV1 SSO object is created, and displays in the NTLMV1 list.
Create an NTLMV2 SSO configuration
The NTLM authentication method employs a challenge-response mechanism for authentication, where the users can prove their identities without sending a password to a server.
- At the top of the screen, selectConfiguration, then on the left side of the screen, click .
- Click the name of an Access group.A new screen displays the group's properties.
- ExpandSINGLE SIGN-ONand clickNTLMV2.
- This screen displays the NTLMV2 SSO configurations in the working configuration for the Access group.
- To create an SSO object, click theCreatebutton.
- To delete an SSO object, select the check box next to the object and click the Delete button.
- ClickCreate.A new SSO configuration screen will open.
- From theGeneral Settingslist, selectBasicorAdvanced.
- Enter aNamefor this SSO configuration. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
- Enter aPartition. The default isCommon. You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in theCommonpartition, all users can access it.
- ForHeaders, type a header name-value pair to send with the SSO method.
- ForLog Settings, select the log setting created from event logs.
- ForUsername Source, type the user name you want cached for single sign-on.
- ForPassword Source, type the password you want cached for single sign-on.
- To convert the PREWIN2k/UPN user name input format to the format you want to use for SSO, select theUsername Conversioncheck box.
- ForNTLM Domain, type the location of the domain where all users and groups are authenticated.
- To save your changes, click theSave & Closebutton at the bottom of the screen.
The NTLMV2 SSO object displays in the NTLMV2 list.
Create a Kerberos SSO configuration
Create a Kerberos single-sign to allow the end-user to obtain a Kerberos ticket and have Access Policy Manager present it transparently to Microsoft's IIS application.
- At the top of the screen, selectConfiguration, then on the left side of the screen, click .
- Click the name of an Access group.A new screen displays the group's properties.
- ExpandSINGLE SIGN-ONand clickKerberos.
- From theGeneral Settingsdrop down list, selectBasicorAdvanced.
- This screen displays the Kerberos SSO configurations in the working configuration for the Access group.
- To create an SSO object, click theCreatebutton.
- To delete an SSO object, select the check box next to the object and click the Delete button.
- ClickCreate. A new Kerberos SSO Configuration screen will open.
- Enter aNamefor this SSO configuration. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
- Enter aPartition. The default isCommon. You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in theCommonpartition, all users can access it.
- ForHeaders, in theNameandValuefields, type a header name-value pair to send with the SSO method.
- From theLog Settingsdrop down list, select the log setting created from event logs. This field is available for configuration for Access Groups running BIG-IP version 13.0 and later.
- InUsername Source, type user name you want cached for single sign-on.
- InPassword Source, type the password you want cached for single sign-on.
- ForUsername Conversion, click the check box to convert the PREWIN2k/UPN user name input format to the format you want to use for SSO. This field is available for configuration for Access Groups running BIG-IP version 13.1 and later.For example, convertdomain\usernameorusername@domaintousername.
- ForKDC, IP Address or host name of the Kerberos Key Distribution Center (KDC) for the server's realm.This is normally an Active Directory domain controller. If you leave this empty, the KDC must be discoverable through DNS.
- ForUPN Support, click the check box to enable the UPN suffix support for Kerberos SSO when integrating into Microsoft Active Directory infrastructure.
- ForAccount Name, type the name of the Active Directory account configured for delegation.This account must be configured in the server's Kerberos realm (AD Domain).
- ForAccount Password, type the password for the delegation account specified in the previous field.
- ForConfirm Account Password, re-type the password for the delegation account specified in the previous field.
- ForSPN Pattern, you can use this optional field to modify how the Service Principal Name (SPN) for the servers is constructed. Leave this field empty unless you need a non-standard SPN format. To make modifications, you can create entries from the choices below.
- HTTP/%h@REALMwithREALMreplaced by the actual realm name as specified in the Kerberos Realm field. The%hoption takes the hostname from the HTTP request Host header.
- HTTP/%s@REALMwithREALMreplaced by the actual realm name as specified in the Kerberos Realm field. The%soption takes the hostname discovered through reverse DNS lookup using the server IP address.
- ForTicket Lifetime, type in minutes (for example, 600 minutes equates to 10 hours), the lifetime of Kerberos tickets obtained for the user.The value represents the maximum ticket lifetime, and the actual lifetime may be less by up to 1 hour.
- From theTicket Lifetimedrop down list, select when specify when to submit a Kerberos ticket to the application server. Choose from the following options.
- Always. The Authorization header with a Kerberos ticket is inserted into every HTTP request whether it requires authentication or not.
- On 401 Status Code. The system first forwards the user's HTTP request to the web server without inserting a new Authorization header (but any browser's Authorization header will be deleted).
- ClickSave & Close.
Create an HTTP form-based SSO configuration
With the HTTP forms method of authentication, upon detection of the start URL match, the SSO plug-in uses the cached user identity to construct and send the HTTP form-based POST request on behalf of the user.
- At the top of the screen, selectConfiguration, then on the left side of the screen, click .
- Click the name of an Access group.A new screen displays the group's properties.
- ExpandSINGLE SIGN-ONand clickForm Based.
- This screen displays the HTTP Form Based SSO configurations in the working configuration for the Access group.
- To create an SSO object, click theCreatebutton.
- To delete an SSO object, select the check box next to the object and click the Delete button.
- ClickCreate.A new HTTP form-based SSO configuration will open.
- From theGeneral Settingslist, selectAdvanced.
- Enter aNamefor this SSO configuration. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
- Enter aPartition. The default isCommon. You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in theCommonpartition, all users can access it.
- From theUse SSO Templatelist, select from the available templates, or selectNoneto create a configuration without relying on a template.After selectingNoneor another template, fill in the SSO Method configuration form.
- In theNameandValuefields forHeaders, type a header name-value pair to send with the SSO method.Select+to add additional header name-value pair fields.
- ForLog Settings, select the log setting you want to use. This field is available for configuration for Access Groups running BIG-IP version 13.0 and later.
- In theUsername SourceandPassword Sourcefields, type the user name you want cached for single sign-on.
- ForPassword Source, type the password you want cached for single sign-on.
- ForDestination (IP or Hostname), type the IP address or fully qualified domain name for the OWA server.Displays when you select an OWA SSO template.
- ForStart URI, type a URL resource.For example, for OWA, it would be/owa/auth/logon.aspx*. For Citrix,it would be/Citrix/XenApp/auth/logon.aspx. This resource must respond with a challenge to a non-authenticated request.
- Select thePass Throughcheck box to propagate cookies present in this form to the client browser.
- Select theForm Methodyou want to use for the form-based HTTP authentication.
- Type the complete destination URL to process the form in theForm Actionfield.This specifies the form action URL that is used for HTTP form-based authentication.
- ForForm Parameter For User Name, type the parameter name used by the form to which you are sending the POST request.
- ForForm Parameter For Password, type the parameter name used by the form to which you are sending the POST request.
- ForHidden Form Parameters/Values, type the hidden form parameters required by the authentication server logon form at your location.Each parameter must start on a new line. Type a parameter name, a space, and the parameter value, if any.
- ForTicket Lifetime, type, in minutes (for example, 600 minutes equates to 10 hours), the lifetime of Kerberos tickets obtained for the user.
- You can view theEphemeral Authenticationfield for Access Groups managing devices running BIG-IP version 15.1 and later. Select the drop down menu to view theAuthentication Configurationassociated with this form-based SSO configuration. Please configure Priviledged User Access with Ephemeral Authentication (temporary passwords) on a source BIG-IP device, then reimport the changes to BIG-IQ to deploy them to your target devices. Refer to the BIG-IP documentation on support.f5.com to learn more about creating Ephemeral Authentication configurations.
- To save your changes, click theSave & Closebutton at the bottom of the screen.
The HTTP form-based SSO object will display in the Form Based list.
Create an HTTP forms client-initiated SSO configuration
The HTTP forms client-initiated authentication method supports web applications that run JavaScript in the browser and need to maintain application state during the logon process, and supports web applications that present multiple logon screens.
- At the top of the screen, selectConfiguration, then on the left side of the screen, click .
- Click the name of an Access group.A new screen displays the group's properties.
- ExpandSINGLE SIGN-ONand clickForms - Client Initiated.
- This screen displays the HTTP forms client-initiated SSO configurations in the working configuration for the Access group.
- To create an SSO object, click theCreatebutton.
- To delete an SSO object, select the check box next to the object and click the Delete button.
- ClickCreate.A new SSO configuration screen will open.
- ClickGENERAL SETTINGS.
- Type anSSO Configuration Name. You cannot change the name of an existing profile. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None.
- Enter aPartition. The default isCommon. You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in theCommonpartition, all users can access it.
- Type an optionalSSO Configuration Description.
- Select theLog Settingyou want to use.
- ClickFORM SETTINGS.
- ForPassthrough Configuration, select whether the SSO object does not require any form configuration when passthrough is selected. If passthrough is off, configure at least one form.
- Type theForm Nameand optionalForm Description.
- ForDetect request for form by, select which element of the HTTP request headers to use to identify the application request for logon page:Cookie,Header, orURI.
- ForRequest URI, type a URI that the system identifies as the form by a successful match (default) or failed match (configurable with Advanced Properties) against one or multiple URIs.
- ForRequest Method, select whether the request method isGETorPOST.
- Select theRequest Negativecheck box to specify that the system detects the form that fails to match the criteria specified for Form Detection.
- Select theRequest Prefixcheck box to specify that the system matches on a partial string.
- ForIdentity Form by, select how to find the HTML logon form in the HTML body of the logon page.
- ForForm Parameters Settings, specify that the form parameters that have already been defined are used to find the form.
- ForDisable Auto detect submit, the default isNo.
- TheSchemeoption is available whenDisable Auto detectsubmit is set toYes. Select how to detect a submit.
- ForSubmit Request Negative, click the check box to specify that the system detects the form that fails to match the criteria specified for Form Detection.
- ForSubmit Request Prefix, click the check box to specify that the system detects the form that fails to match the criteria specified for Form Detection.
- ForDetect Login By, select whether and how to detect a successful logon.
- ForInjection Method, select whether to use the default JavaScript that the system creates.
- ClickHEADER SETTINGS.
- ForHeaders in the SSO Configuration, add a header by typing a header name and header value. Form headers are optional.
The HTTP form client-initiated object will display in the HTTP Form Client-Initiated list.
Create an OAuth bearer SSO configuration
Create an OAuth bearer SSO configuration when you want to allow single-sign on using an OAuth token that BIG-IQ has gotten or validated from an external OAuth authorization server.
- At the top of the screen, selectConfiguration, then on the left side of the screen, click .
- Click the name of an Access group.A new screen displays the group's properties.
- ExpandSINGLE SIGN-ONand clickOAuth Bearer.
- This screen displays the OAuth Bearer SSO configurations in the working configuration for the Access group.
- To create an SSO object, click theCreatebutton.
- To delete an SSO object, select the check box next to the object and click the Delete button.
- ClickCreate.The new SSO Configuration screen will open.
- From theGeneral Settingslist, selectBasicorAdvanced.
- Enter aNamefor this SSO configuration. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
- Enter aPartition. The default isCommon. You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in theCommonpartition, all users can access it.
- ForHeaders, type a header name-value pair to send with the SSO method.
- ForLog Settings, select the log setting created from event logs.By default, BIG-IQ uses the log settings specified in the access profile. You can also create custom log settings or use thedefault-log-settingfor this SSO configuration. Click+to create custom settings.
- Send Tokenis available for configuration for Access Groups running BIG-IP version 14.1 and later. Select when to send the token:
- To always send the token, selectAlways.
- To send the token when you receive a 4xx response from the server, selectOn 4xx Responseand choose one or more 4xx responses.
- ForLog Settings, select the log settings to use for the access event logs.By default, the log settings specified in the access profile are used. You can also create custom log settings or use thedefault-log-settingfor this SSO configuration. Click+to create custom settings.
- If you selectPassthrough, select a previously createdOAuth server.
- To generate a token, selectGenerate JWTforToken Source. This option is available for configuration for Access Groups running BIG-IP version 14.1 and later.
- ForIssuer, type the URL for the JWT issuer.For example,https://jwt-issuer.com.
- InSubject, retain the default value, %{session.assigned.uuid}, or type a subject for the JWT.
- ClickEnable Token Cacheto increase performance until the cached JWT expires.
- ForAccess Token Lifetime, type the number of minutes you want the JWT access token to be considered valid.
- ForSigning Key, select the JWK key configuration previously created for signing the token.
- ForAudience, add the audience claim or claims for which the JWT access token is intended. Each value in this list can be a string, URI, or session variable.
- ForScope, type one or more space-separated scope strings (using the ASCII character set) or session variables.
- If you created claims for the token, forJWT Claims, move the previously created claims you want to use to theSelectedlist.
- ClickSave & Close.
The OAuth bearer object will display in the OAuth Bearer list.
Configure an SSO profile
Configure an SSO profile to set up the BIG-IQ system for single sign-on. A SSO profile may be attached to a virtual server, and may be assigned to an SSO configuration during creation.
- At the top of the screen, selectConfiguration, then on the left side of the screen, click .
- Click the name of an Access group.A new screen displays the group's properties.
- On the left, expandSINGLE SIGN-ONand clickSSO Profiles.
- This screen displays the SSO profiles in the working configuration for the Access group.
- To configure the properties of an SSO profile, click its name in the table.
- To locate an SSO profile, search for it by name; otherwise, look for it on theNamelist.
- Selecting an SSO profile from the list displays theRelated Itemssection. ClickShowto display related items such as lease pools, network access, or webtops.
- To create a new SSO profile, click theCreatebutton.
- To delete one or more SSO profiles, select the check box next to each profile and click theDeletebutton.
- To configure a new SSO profile, clickCreate.A new SSO profile screen will open.
- Type aNamefor this profile. (You cannot change the name of an existing profile.) Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None.
- Enter aPartition. The default isCommon. You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in theCommonpartition, all users can access it.
- From theScopelist, select the scope that is applicable for this SSO profile.
- If you want to add an SSO configuration, from theSSO Configurationlist, select an existing SSO configuration.
- For theLog Settings, move the log settings you want to use from theAvailablelist to theActivelist.
- To save your changes, clickSave & Closeat the bottom of the screen.
The new SSO profile will display in the SSO Profiles list.