Manual: BIG-IP Access Policy Manager: Authentication and Single Sign-On
Applies To:
BIG-IP APM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2
Original Publication Date: 03/11/2019
Authentication Concepts
- About AAA server support
- About AAA high availability support
- About AAA and load balancing
- About AAA traffic and route domains
- About APM support for multiple authentication types
- About APM certificate authentication support
- About SSL certificates on the BIG-IP system
- About local user database support
- About guest access (one-time password) support
- About authentication for Microsoft Exchange clients
- Documentation for Access Policy Manager authentication
Active Directory Authentication
- About Active Directory authentication
- About Active Directory password management
- About AAA high availability
- About how APM handles binary values in Active Directory attributes
- Task summary for Active Directory authentication
- Testing AAA high availability for supported authentication servers
- Example access policy using Active Directory authentication and query
- Active Directory authentication session variables
- Active Directory cross-domain support rules
- Active Directory authentication and query troubleshooting tips
- Overview: Using Active Directory Trusted Domains
Active Directory Query
- About Active Directory queries
- About nested groups in Active Directory and LDAP queries
- About Active Directory password management
- About how APM handles binary values in Active Directory attributes
- Adding an Active Directory query to an access policy
- Using AD query with IPv6
- Active Directory query session variables
- Active Directory authentication and query troubleshooting tips
LDAP and LDAPS Authentication
- About LDAP and LDAPS authentication
- About how APM handles binary values in LDAP attributes
- About AAA high availability
- Task summary for configuring for LDAPS authentication
- Testing AAA high availability for supported authentication servers
- Example of LDAP auth and query default rules
- LDAP authentication session variables
- UserDN settings in LDAP
- LDAP authentication and query troubleshooting tips
LDAP Query
- About LDAP queries
- About nested groups in Active Directory and LDAP queries
- About how APM handles binary values in LDAP attributes
- Adding an LDAP query to an access policy
- Example of LDAP auth and query default rules
- Session variables in LDAP query properties
- LDAP query session variables
- LDAP authentication and query troubleshooting tips
RSA SecurID Authentication
- About RSA SecurID configuration requirements for APM AAA
- About RSA SecurID authentication
- About BIG-IP Edge Client RSA SecurID authentication
- RSA SecurID session variables for access policy rules
- RSA SecurID on Windows using RADIUS configuration troubleshooting tips
RADIUS Authentication
- About RADIUS authentication
- About AAA high availability
- Guidelines for setting up RADIUS authentication for AAA high availability
- About how APM handles binary values in RADIUS attributes
- Task summary for RADIUS authentication
- Testing AAA high availability for supported authentication servers
- RADIUS attributes
- RADIUS session variables for access policy rules
- RADIUS authentication and accounting troubleshooting tips
- RADIUS Accounting
- Kerberos Authentication with End-User Logons
- NTLM Authentication for Microsoft Exchange Clients
- HTTP Basic Authentication for Microsoft Exchange Clients
- HTTP and HTTPS Authentication
- Local User Database
- OCSP Authentication
- CRLDP Authentication
- On-Demand Certificate Authentication
- Client Certificate Inspection
- One-Time Password Authentication
TACACS+ Authentication and Accounting
- About TACACS+ authentication and accounting
- About AAA high availability
- Task summary for TACACS+ authentication and accounting
- Testing AAA high availability for supported authentication servers
- Example access policy for TACACS+ authentication and accounting
- TACACS+ session variables for access policy rules
- TACACS+ authentication troubleshooting tips
- AAA High Availability and Upgrade
- Configuring Single Sign-On with Access Policy Manager
- Single Sign-On Methods
Form-Based Client-Initiated Single Sign-On Method
- About form-based client-initiated SSO authentication
- Configuring form-based client-initiated SSO
Form-based client-initiated SSO configuration examples
- DWA form-based client-initiated SSO example
- Bugzilla form-based client-initiated SSO example
- Ceridian form-based client-initiated SSO example
- Citrix 4.5 and 5 form-based client-initiated SSO example
- Devcentral form-based client-initiated SSO example
- Google form-based client-initiated SSO example
- Oracle Application Server form-based client-initiated SSO example
- OWA 2010 and 2007 form-based client-initiated SSO example
- OWA 2003 form-based client-initiated SSO example
- Perforce form-based client-initiated SSO example
- Reviewboard form-based client-initiated SSO example
- SAP form-based client-initiated SSO example
- Salesforce form-based client-initiated SSO example
- Sharepoint 2010 form-based client-initiated SSO example
- Weblogin form-based client-initiated SSO example
- Yahoo form-based client-initiated SSO example
- Kerberos Single Sign-On Method
- Single Sign-On and Multi-Domain Support
Common Deployment Examples for Single Sign-On
- Common use cases for Single Sign-On deployment
Task summary for configuring web application over network access tunnel for SSO
- Configuring network access for SSO with web applications
- Configuring network access properties
- Configuring and managing the access profile using SSO
- Configuring an HTTP virtual server for the network access
- Configuring a layered virtual server for your web service
- Configuring portal access resources for SSO
- Introducing Access Policy Manager SAML Support
Using APM as a SAML IdP (SSO portal)
- Overview: Configuring a BIG-IP system as IdP with an SSO portal
Task summary
- Flowchart: Configuration to support a SAML SSO portal
- Creating a virtual server for a BIG-IP (as SAML IdP) system
- Configuring SAML SP connectors
- Configuring a full webtop
- Configuring an access policy for a SAML SSO portal
- Adding the access profile to the virtual server
- Adding IdP metadata from APM to external SAML SPs
Using APM as a SAML IdP (no SSO portal)
- Overview: Configuring a BIG-IP system as IdP for SP-initiated connections only
Task summary
- Flowchart: Configuration to support SP-initiated connections only
- Creating a virtual server for a BIG-IP (as SAML IdP) system
- Configuring SAML SP connectors
- Configuring a SAML IdP service
- Binding a SAML IdP service to multiple SP connectors
- Exporting SAML IdP metadata from APM
- Creating an access profile associated with the SAML IdP service
- Configuring an access policy to provide authentication from the local IdP
- Adding the access profile to the virtual server
- Adding IdP metadata from APM to external SAML SPs
Using APM as a SAML Service Provider
- About configuration requirements for APM as a SAML service provider
Task summary
- Flowchart: BIG-IP system as a SAML service provider configuration
- Configuring a custom SAML IdP connector
- Creating a virtual server for a BIG-IP (as SAML SP) system
- Configuring a SAML SP service
- Binding a SAML SP service to SAML IdP connectors
- Exporting SAML SP metadata from APM
- Configuring an access policy to authenticate with an external SAML IdP
- Adding the access profile to the virtual server
- Adding SAML SP metadata from APM to an external SAML IdP
- Using BIG-IP IdP Automation
- BIG-IP System Federation for SP-Initiated Connections
- BIG-IP System Federation for SP- and IdP-Initiated Connections