Manual Chapter: Common Deployment Examples for Single Sign-On

Applies To:

BIG-IP APM

  • 11.5.1
Common use cases for Single Sign-On deployment

You can deploy Single Sign-On in a variety of ways, depending on the needs within your networking environment. Deployment options include the following choices.

| Use case deployment type | Description |
| --- | --- |
| For local traffic pool members | Deploy SSO for local traffic with pool members. |
| For web application access over network access | Deploy SSO through a network access with layered virtual servers. |
| For web applications | Deploy SSO so users can access their web applications. You can assign an SSO object as part of the web application resource item, or assign the object at the access profile level instead. |

Task summary for configuring web application over network access tunnel for SSO

Using Access Policy Manager, you can configure Single Sign-On for web application access over a network access tunnel.

To set up this configuration, follow the procedures in the task list.

Task List

Configuring network access for SSO with web applications

  1. On the Main tab, click Access Policy > Network Access > Network Access List. The Network Access List screen opens.
  2. Click the Create button. The New Resource screen opens.
  3. In the Name field, type a name for the resource.
  4. To configure the general properties for the network resource, click Properties on the menu bar.
  5. Configure your network client settings.
  6. Click the Finished button. The Network Access configuration screen opens, and you can configure the properties for the network access resource.

Configuring network access properties

  1. On the Main tab, click Access Policy > Network Access > Network Access List. The Network Access List screen opens.
  2. Click the name to select a network access resource on the Resource List. The Network Access editing screen opens.
  3. To configure the general properties for the network resource, click Properties on the menu bar.
  4. To configure DNS and hosts settings for the network access resource, click DNS/Hosts on the menu bar.
  5. To configure the drive mappings for the network access resource, click Drive Mappings on the menu bar.
  6. To configure applications to start for clients that establish a network access connection with this resource, click Launch Applications on the menu bar.

Configuring and managing the access profile using SSO

  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
  4. Ensure that the SSO Configuration setting specifies None, and leave all the other settings at their default values.
  5. Click Finished.
  6. Click the name of the access profile for which you want to edit the access policy. The properties screen opens for the profile you want to edit.
  7. On the menu bar, click Access Policy. The Access Policy screen opens.
  8. Click Edit Access Policy for Profile profile_name. The visual policy editor opens the access policy in a separate screen.
  9. Add your objects to the access policy.

Configuring an HTTP virtual server for the network access

Create a virtual server to which the network access associates your access policy.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. The IP address you type must be available and not in the loopback network.
  5. In the Service Port field, type a port number or select a service name from the Service Port list.
  6. From the Configuration list, select Advanced.
  7. From the HTTP Profile list, select http.
  8. In the Configuration area, specify both SSL Profile (Client) and SSL Profile (Server).
  9. From the Source Address Translation list, select Auto Map.
  10. In the Access Policy area, select the Access Profile you created.
  11. Click Finished.
Your users are now able to log on to Access Policy Manager and have full access to all their web services.
If you want to eliminate the need for users to enter their credentials multiple times to access each web service, you now need to configure a layered virtual server for each of your web services.

Configuring a layered virtual server for your web service

Create a layered virtual server for every web service that users access, so that they do not need to enter their credentials multiple times.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Create an access profile with a dummy default access policy.
  3. Configure the access profile with the appropriate access policy, for example, SSO Credential Mapping.
  4. Click Update.
  5. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  6. Select the layered virtual server you created for your web service. The General Properties screen opens.
  7. In the Configuration area for the VLAN and Tunnel Traffic setting, select All VLANs and Tunnels to ensure that the layered virtual server sends traffic from the network traffic to the network access tunnel interface.
  8. Associate the dummy access profile you created by selecting it from the Access Profile list.
  9. From the Configuration list, select Advanced, scroll down, and make sure that both the Address Translation and Port Translation settings remain cleared.
  10. Click Update. The users are now able to access multiple web services without having to enter their credentials multiple times.
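
To confirm that each layered virtual server matches the steps above, the following added example (not part of the F5 manual) audits virtual server stanzas for cleared address and port translation, the All VLANs and Tunnels setting, and an attached access profile. The sample stanzas are constructed in the style of tmsh "list ltm virtual" output; the names vs_layered_app1, vs_layered_app2 and sso_dummy_profile are hypothetical, and the example assumes that a vlans-enabled line is the indicator that a virtual server is limited to a listed set of VLANs.

```python
import re
# Constructed sample shaped like `tmsh list ltm virtual` output; names are hypothetical.
SAMPLE = """\
ltm virtual vs_layered_app1 {
    profiles {
        http { }
        sso_dummy_profile { }
    }
    translate-address disabled
    translate-port disabled
}
ltm virtual vs_layered_app2 {
    profiles {
        http { }
    }
    translate-address enabled
    translate-port disabled
    vlans-enabled
}
"""

def parse_virtuals(text):
    """Map each top-level 'ltm virtual' name to its stripped body lines."""
    virtuals, name, depth = {}, None, 0
    for line in text.splitlines():
        start = re.match(r"ltm virtual (\S+) \{\s*$", line)
        if depth == 0 and start:
            name, depth = start.group(1), 1
            virtuals[name] = []
        elif depth > 0:
            depth += line.count("{") - line.count("}")
            if depth > 0:
                virtuals[name].append(line.strip())
    return virtuals

def audit(text, access_profile):
    """Return {virtual: [deviations from the layered virtual server steps]}."""
    report = {}
    for name, body in parse_virtuals(text).items():
        # Assumption: vlans-enabled means the server is limited to listed VLANs.
        checks = [
            ("translate-address disabled" in body, "Address Translation not cleared"),
            ("translate-port disabled" in body, "Port Translation not cleared"),
            ("vlans-enabled" not in body, "not set to All VLANs and Tunnels"),
            (access_profile + " { }" in body, "access profile not attached"),
        ]
        report[name] = [msg for ok, msg in checks if not ok]
    return report

print(audit(SAMPLE, "sso_dummy_profile"))
```

An empty list for a virtual server means it matches all four checks; any entries name the step that still needs attention.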

Configuring portal access resources for SSO

You can assign an SSO object as part of the portal access resource item. If you do not configure an SSO object at that level, you can use the SSO object at the access profile level instead.
  1. On the Main tab, select Access Policy > SSO Configurations. The SSO Configurations list screen opens.
  2. Click Create. The New SSO Configuration screen opens.
  3. From the SSO Configurations by Type menu, choose an SSO type. A screen appears, displaying SSO configurations of the type you specified.
  4. In the Name field, type a name for the SSO configuration.
  5. Specify all relevant parameters.
  6. Click Finished.
  7. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  8. Click the name of the access profile for which you want to edit the access policy. The properties screen opens for the profile you want to edit.
  9. From the SSO Configurations list, select an SSO configuration.
  10. Click Finished.