Applies To:
Show VersionsBIG-IP APM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
What are the supported SSO methods?
Access Policy Manager supports the following SSO authentication methods.
SSO method | Description |
---|---|
HTTP Basic | Access Policy Manager uses the cached user identity and sends the request with the authorization header. This header contains the token Basic and the base64-encoded for the user name, colon, and the password. |
HTTP Forms | Upon detection of the start URL match, Access Policy Manager uses the cached user identity to construct and send the HTTP form-based post request on behalf of the user. |
HTTP Forms - Client Initiated | Upon detection of the request for logon page (URI, header, or cookie that is configured for matching the request), Access Policy Manager generates JavaScript code, inserts it into the logon page and returns the logon page to the client, where it is automatically submitted by inserted JavaScript. APM processes the submission and uses the cached user identity to construct and send the HTTP form-based post request on behalf of the user. |
HTTP NTLM Auth v1 | NTLM employs a challenge-response mechanism for authentication, where the users can prove their identities without sending a password to the server. |
HTTP NTLM Auth v2 | NTLM employs a challenge-response mechanism for authentication, where the users can prove their identities without sending a password to the server. This version of NTLM is an updated version from NTLM v1. |
Kerberos | This provides transparent authentication of users to Windows Web application servers (IIS) joined to Active Directory domain. It is used when IIS servers request Kerberos authentication; this SSO mechanism allows the user to get a Kerberos ticket and have Access Policy Manager present it transparently to the IIS application. |
SAML | A SAML IdP service is a type of single sign-on (SSO) authentication service in Access Policy Manager that provides SSO authentication for external SAML service providers (SPs). You configure a SAML IdP service when you use a BIG-IP system as a SAML identity provider (IdP). |
About the Single Sign-On configuration object
Access Policy Manager supports various SSO methods. Each method contains a number of attributes that you need to configure properly to support SSO.
Mis-configuring SSO objects for any of these authentication methods (HTTP Basic, NTLM v1 and v2, and Kerberos) could disable SSO for all authentication methods for a user's session when the user accesses a resource with the mis-configured object. The exceptions are Forms and Forms - Client Initiated, which are the only SSO methods that are not disabled when any other method fails due to a mis-configured SSO object.
Creating an HTTP Basic SSO configuration
HTTP Basic SSO configuration settings
These settings are available when you create an HTTP Basic SSO configuration.
General Properties settings for HTTP Basic SSO configuration
Setting | Value | Additional Information |
---|---|---|
General Properties | Basic or Advanced. Defaults to Basic. | Additional settings are available when you select Advanced. |
Name | Name of the SSO configuration. | The name must begin with a letter, or underscore, and contain only letters, numbers, underscores, dashes, and periods. Avoid using global reserved words in the name, such as all, delete, disable, enable, help, list, none, show, or None. |
Headers | Header name-value pairs to send with the SSO method. | Available when you select Advanced from the General Properties list. |
Credentials Source settings for HTTP Basic SSO configuration
Setting | Value | Additional Information |
---|---|---|
Username Source | Specifies the user name to cache for single sign-on. Defaults to a session variable. | Supported session variable: session.sso.token.last.username |
Password Source | Specifies the password to cache for single sign-on. Defaults to a session variable. | Supported session variable: session.sso.token.last.password |
SSO configuration settings for HTTP Basic SSO configuration
Setting | Value | Additional Information |
---|---|---|
Username Conversion | This check box is clear by default. | Select the check box to convert the PREWIN2k/UPN user name input format to the format you want to use for SSO. For example, convert domain\username or username@domain to username. |
Creating an HTTP forms-based SSO configuration
HTTP Form SSO configuration settings
These settings are available when you create an HTTP form-based SSO configuration.
General Properties settings for HTTP form-based SSO configuration
Setting | Value | Additional Information |
---|---|---|
General Properties | Basic or Advanced. Defaults to Basic. | Additional settings are available when you select Advanced. |
Name | Name of the SSO configuration. | The name must begin with a letter, or underscore, and contain only letters, numbers, underscores, dashes, and periods. Avoid using global reserved words in the name, such as all, delete, disable, enable, help, list, none, show, or None. |
Use SSO Template | If you select None, you must fill in the SSO Method Configuration area. Otherwise, the SSO Method Configuration area is not available; settings are configured with data supplied by the template you select. | |
Headers | Header name-value pairs to send with the SSO method. | Available when you select Advanced from the General Properties list. |
Credentials Source settings for HTTP form-based SSO configuration
Setting | Value | Additional Information |
---|---|---|
Username Source | Specifies the user name to cache for single sign-on. Defaults to a session variable. | Supported session variable: session.sso.token.last.username |
Password Source | Specifies the password to cache for single sign-on. Defaults to a session variable. | Supported session variable: session.sso.token.last.password |
SSO configuration settings for HTTP form-based SSO configuration
Setting | Value | Additional Information |
---|---|---|
Start URI | Defines the start URI value. HTTP form-based authentication executes for SSO if the HTTP request URI matches the start URI value. | Multiple start URI values in multiple lines can be entered for this attribute.
Supported session variable: start_uri |
Pass Through | If you select the Enable check box, cookies presented in the form propagate to the client browser. Defaults to cleared. | |
Form Method | Defines the SSO authentication method : GET or POST. Defaults to POST. | If you specify GET, the SSO authentication method is an HTTP GET request. |
Form Action | Defines the form action URL used for HTTP authentication request for SSO. | For example,
/access/oblix/apps/webgate/bin/webgate.dll. If left
blank, the original request URL is used for SSO authentication. Supported session variable: form_action |
Form Parameter For User Name | Defines the parameter name of the logon user name. | For example, the user ID is specified as the attribute value if the HTTP server
expects the user name in the form of userid=. Supported session variable: form_parameter |
Form Parameter for Password | Defines the name of the logon password. | For example, Pass is specified as the attribute value if the HTTP server expects the password in the form of Pass. |
Hidden Form Parameters/Values | Defines the hidden form parameters required by the authentication server logon form at your location. | Hidden parameters must be formatted as shown in this example:
param1 value1
|
Successful Logon Detection Match Type | Defines how Access Policy Manager detects whether the user was successfully authenticated by the server. Defaults to None. You can select one option. |
|
Successful Logon Detection Match Value | Defines the value for the specific success detection type: the redirect URL or cookie name. |
Creating an NTLMV1 SSO configuration
NTLMV1 SSO configuration settings
These configuration settings are available when you configure an NTLMV1 SSO method.
General Properties settings for NTLMV1 SSO configuration
Setting | Value | Additional Information |
---|---|---|
General Properties | Basic or Advanced. Defaults to Basic. | Additional settings are available when you select Advanced. |
Name | Name of the SSO configuration. | The name must begin with a letter, or underscore, and contain only letters, numbers, underscores, dashes, and periods. Avoid using global reserved words in the name, such as all, delete, disable, enable, help, list, none, show, or None. |
Headers | Header name-value pairs to send with the SSO method. | Displayed when you select Advanced from the General Properties list. |
Credentials Source settings for NTLMV1 SSO configuration
Setting | Value | Additional Information |
---|---|---|
Username Source | Specifies the user name to cache for single sign-on. Defaults to a session variable. | Supported session variable: session.sso.token.last.username |
Password Source | Specifies the password to cache for single sign-on. Defaults to a session variable. | Supported session variable: session.sso.token.last.password |
Domain Source | Specifies the domain to cache for single sign-on. Defaults to a session variable. | Supported session variable: session.logon.last.domain |
SSO configuration settings for NTLMV1 SSO configuration
Setting | Value | Additional Information |
---|---|---|
Username Conversion | Check box is cleared by default. | Select the check box to convert the PREWIN2k/UPN user name input format to the format you want to use for SSO. For example, convert domain\username or username@domain to username. |
NTLM Domain | Specifies the location of the domain where all users and groups are authenticated. Defaults to a session variable. | Supported session variable: session.logon.last.domain |
Creating an NTLMV2 SSO configuration
NTLMV2 SSO configuration settings
These configuration settings are available when you configure an NTLMV2 SSO method.
General Properties settings for NTLMV2 SSO configuration
Setting | Value | Additional Information |
---|---|---|
General Properties | Basic or Advanced. Defaults to Basic. | Additional settings are available when you select Advanced. |
Name | Name of the SSO configuration. | The name must begin with a letter, or underscore, and contain only letters, numbers, underscores, dashes, and periods. Avoid using global reserved words in the name, such as all, delete, disable, enable, help, list, none, show, or None. |
Headers | Header name-value pairs to send with the SSO method. | Displayed when you select Advanced from the General Properties list. |
Credentials Source settings for NTLMV2 SSO configuration
Setting | Value | Additional Information |
---|---|---|
Username Source | Specifies the user name to cache for single sign-on. Defaults to a session variable. | Supported session variable: session.sso.token.last.username |
Password Source | Specifies the password to cache for single sign-on. Defaults to a session variable. | Supported session variable: session.sso.token.last.password |
Domain Source | Specifies the domain to cache for single sign-on. Defaults to a session variable. | Supported session variable: session.logon.last.domain |
SSO configuration settings for NTLMV2 SSO configuration
Setting | Value | Additional Information |
---|---|---|
Username Conversion | Check box is cleared by default. | Select the check box to convert the PREWIN2k/UPN user name input format to the format you want to use for SSO. For example, convert domain\username or username@domain to username. |
NTLM Domain | Specifies the location of the domain where all users and groups are authenticated. Defaults to a session variable. | Supported session variable: session.logon.last.domain |