Common Deployment Examples for Single Sign-On

Common use cases for Single Sign-On deployment

You can deploy Single Sign-On in a variety of ways, depending on the needs within your networking environment. Deployment options include the following choices.

Use case deployment types and descriptions:
  • For local traffic pool members: Deploy SSO for local traffic with pool members. The Web Application Access Management for Local Traffic Virtual Servers wizard can be used for this deployment.
  • For web application access over network access: Deploy SSO through a network access tunnel with matching virtual servers enabled on the connectivity interface.
  • For web applications: Deploy SSO so users can access their web applications. You can assign an SSO object as part of the web application resource item, such as a SAML resource or a portal access resource item, or assign the object at the access profile level instead.

Overview: Configuring SSO for web apps over network access

Without implementing single sign-on (SSO) for web applications, remote clients that try to access web services over a network access connection must supply credentials multiple times.

This implementation to support SSO includes a typical network access configuration with a secure connectivity (tunnel) interface. Additional configuration to support SSO is required for each web service.

The configuration for each web service includes a virtual server that is enabled on the tunnel and that specifies a destination address to match the web server. An SSO access profile type is required on the virtual server. An SSO access profile type specifies an SSO configuration; no access policy is associated with this profile type.

It is possible for a matching virtual server for a web application to match a resource specified in a portal access resource item. (Although not required, portal access resources can be assigned to the webtop in the network access configuration.) In this case, SSO configuration must be specified at the access profile level (in the virtual server) and not in the portal access resource item.

Task summary

Configuring a network access resource

Configure a network access resource to provide secure access to corporate applications and data using a standard web browser, or the BIG-IP Edge Client.
  1. On the Main tab, click Access > Connectivity / VPN > Network Access (VPN) > Network Access Lists.
    The Network Access Lists screen opens.
  2. Click the Create button.
    The New Resource screen opens.
  3. In the Name field, type a name for the resource.
  4. To automatically start this network access resource when a client reaches a webtop to which the resource is assigned, select the Auto launch check box.
    Note: When multiple network access resources are assigned to a webtop, Auto launch can be enabled for only one network access resource.
  5. In the Customization Settings for English area, in the Caption field, type a caption.
    The caption appears on the full webtop, and is required.
  6. Click the Finished button.
    The Network Access configuration screen opens, and you can configure the properties for the network access resource.

Configuring network access properties

Configure properties for a network access resource to specify network settings and the optimized applications, hosts, drives, and applications that a remote user can access through the network access resource.
  1. On the Main tab, click Access > Connectivity / VPN > Network Access (VPN) > Network Access Lists.
    The Network Access Lists screen opens.
  2. Click the name to select a network access resource on the Resource List.
    The Network Access editing screen opens.
  3. To configure the network settings for the network access resource, click Network Settings on the menu bar.
  4. To configure DNS and hosts settings for the network access resource, click DNS/Hosts on the menu bar.
  5. To configure the drive mappings for the network access resource, click Drive Mappings on the menu bar.
  6. To configure applications to start for clients that establish a Network Access connection with this resource, click Launch Applications on the menu bar.

Creating a connectivity profile

You create a connectivity profile to configure client connections.
  1. On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.
    A list of connectivity profiles displays.
  2. Click Add.
    The Create New Connectivity Profile popup screen opens and displays General Settings.
  3. Type a Profile Name for the connectivity profile.
  4. Select a Parent Profile from the list.
    APM provides a default profile, connectivity.
  5. Click OK.
    The popup screen closes, and the Connectivity Profile List displays.
The connectivity profile displays in the list.
To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.

Creating an access profile for remote access

You create an access profile to specify any access policy configuration for a virtual server that serves network access, portal access, or application access traffic.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all per-session profile and per-request policy names.
  4. From the Profile Type list, select SSL-VPN.
    Selecting this profile type restricts the access policy items displayed in the visual policy editor to those that contribute to a correct remote access configuration.
    Additional fields display set to default values.
  5. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
    This creates an access profile with a default access policy.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Verifying log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Note: Log settings are configured in the Access > Overview > Event Log > Settings area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click Logs.
    The access profile log settings display.
  4. Move log settings between the Available and Selected lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URL request logging only.
    Note: Logging is disabled when the Selected list is empty.
  5. Click Update.
An access profile is in effect when it is assigned to a virtual server.

Adding network access to an access policy

Before you assign a network access resource to an access policy, you must:
  • Create a network access resource.
  • Create an access profile.
  • Define a network access webtop or a full webtop.
When you assign a network access resource to an access policy branch, a user who successfully completed the branch rule (which includes that access policy item) starts a network access tunnel.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile for which you want to edit the access policy.
    The properties screen opens for the profile you want to edit.
  3. On the menu bar, click Access Policy.
  4. In the General Properties area, click the Edit Access Policy for Profile profile_name link.
    The visual policy editor opens the access policy in a separate screen.
  5. Click the (+) icon anywhere in the access policy to add a new item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  6. Select one of the following resource assignment actions and click Add.
    • Resource Assign: Select the Resource Assign action to add a network access resource only. Resource Assign does not allow you to add a webtop or ACLs. If you want to add ACLs, a webtop, or webtop links after you add a Resource Assign action, you can add them with the individual actions ACL Assign and Webtop, Links and Sections Assign.
      Note: Webtop sections are for use with a full webtop only.
    • Advanced Resource Assign: Select the Advanced Resource Assign action to add network access resources, and optionally add a webtop, webtop links, webtop sections, and one or more ACLs.
  7. Select the resource or resources to add.
    • If you added an Advanced Resource Assign action, on the Resource Assignment screen, click Add New Entry, then click Add/Delete, and select and add resources from the tabs, then click Update.
    • If you added a Resource Assign action, next to Network Access Resources, click Add/Delete.
    If you add a full webtop and multiple network access resources, Auto launch can be enabled for only one network access resource. (With Auto launch enabled, a network access resource starts automatically when the user reaches the webtop.)
  8. Click Save.
  9. Click Apply Access Policy to save your configuration.
A network access tunnel is assigned to the access policy. You may also assign a network access or full webtop. On the full webtop, users can click the link for a network access resource to start the network access tunnel, or a network access tunnel (that is configured with Auto launch enabled) can start automatically.
After you complete the access policy, you must define a connectivity profile. In the virtual server definition, you must select the access policy and connectivity profile.

Configuring a virtual server for network access

Create the virtual server that associates your access policy and connectivity profile with network access traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    Note: The IP address you type must be available and not in the loopback network.
  5. In the Service Port field:
    • If you want to specify a single service port or all ports, confirm that the Port button is selected, and type or select a service port.
    • If you want to specify multiple ports other than all ports, select the Port List button, and confirm that the port list that you previously created appears in the box.
  6. From the Configuration list, select Advanced.
  7. From the HTTP Profile (Client) list, select a previously-created HTTP/2 profile for client-side traffic.
  8. In the Configuration area, specify both SSL Profile (Client) and SSL Profile (Server).
  9. From the Source Address Translation list, select Auto Map.
  10. In the Access Policy area, select the Access Profile you created for remote access.
  11. From the Connectivity Profile list, select the connectivity profile.
  12. Click Finished.

Creating an SSO configuration

Creating an SSO configuration is a necessary first step for supporting single sign-on.
Note: Access Policy Manager (APM) supports several types of SSO configuration. Refer to BIG-IP Access Policy Manager: Single Sign-On Concepts and Configuration in the AskF5 Knowledge Base at http://support.f5.com/kb/en-us.html.
  1. On the Main tab, select Access > Single Sign-On.
    The Single Sign-On screen opens.
  2. Click Create.
    The New SSO Configuration screen opens.
  3. From the SSO Configurations by Type menu, choose an SSO type.
    A screen appears, displaying SSO configurations of the type you specified.
  4. In the Name field, type a name for the SSO configuration.
    The maximum length of a single sign-on configuration name is 225 characters, including the partition name.
  5. Specify all relevant parameters.
  6. Click Finished.

Creating an access profile for web app SSO

Before you start, you must create an SSO configuration for the web application for which you want to support single sign-on.
Configure an access profile of type SSO to provide single sign-on over a network access tunnel for a web application.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile and per-request policy names.
  4. From the Profile Type list, select SSO.
  5. From the SSO Configuration list, select the configuration that you created for the web application.
  6. Click Finished.
This creates an access profile for which there is no access policy.

Configuring a virtual server for web app SSO

For each web application, you must have previously created a virtual server with a destination address that matches that of the web server.
Configure settings on the virtual server for each web service that clients access over the network tunnel to eliminate the need for clients to enter credentials multiple times.
Note: The name of the secure connectivity interface on which this virtual server must be enabled is the name of the connectivity profile specified for the virtual server for network access.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Select the virtual server that was previously created for the web service.
    The General Properties screen opens.
  3. Scroll down to the VLAN and Tunnel Traffic setting and select Enabled on.
  4. For the VLANs and Tunnels setting, move the secure connectivity interface to the Selected list.
  5. From the Configuration list, select Advanced, scroll down, and make sure that the Address Translation and Port Translation check boxes are cleared.
  6. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  7. Click Update.
    The users are now able to access this web service without entering credentials multiple times.
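The rules that the two virtual-server procedures above impose (destination address format with the /32 default and the loopback exclusion, SSO profile type, enablement on the tunnel named after the connectivity profile, translation cleared, and SSO not duplicated on a matching portal access resource item) can be checked before you click Update. This is an added example, not F5 code or an F5 API; the VirtualServer class, the field names, and the sample values are constructed here for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class VirtualServer:
    # Hypothetical record whose fields mirror the GUI settings named in the procedures.
    name: str
    destination: str                  # Destination Address/Mask as typed (address or address/prefix)
    access_profile_type: str          # "SSL-VPN" on the network access VS, "SSO" on a web app VS
    connectivity_profile: str = ""    # Connectivity Profile (network access VS only)
    enabled_tunnels: tuple = ()       # VLANs and Tunnels "Selected" list
    address_translation: bool = True  # Address Translation check box
    port_translation: bool = True     # Port Translation check box

def normalize_destination(dest: str) -> str:
    """Apply the documented rule: an IPv4 address typed without a prefix gets /32."""
    return str(ipaddress.ip_network(dest, strict=False))

def check_web_app_vs(web_vs: VirtualServer, na_vs: VirtualServer,
                     portal_item_sso: Optional[str] = None) -> List[str]:
    """Return the problems found; an empty list means the web app VS follows the procedure."""
    problems = []
    net = ipaddress.ip_network(web_vs.destination, strict=False)
    if net.is_loopback:
        problems.append(f"{web_vs.name}: destination {net} is in the loopback network")
    if web_vs.access_profile_type != "SSO":
        problems.append(f"{web_vs.name}: access profile type must be SSO, not {web_vs.access_profile_type}")
    # The secure connectivity interface carries the name of the network access VS's connectivity profile.
    if na_vs.connectivity_profile not in web_vs.enabled_tunnels:
        problems.append(f"{web_vs.name}: not enabled on tunnel '{na_vs.connectivity_profile}'")
    if web_vs.address_translation or web_vs.port_translation:
        problems.append(f"{web_vs.name}: Address Translation and Port Translation must be cleared")
    # A portal access resource item that this VS matches must leave its SSO Configuration at None.
    if portal_item_sso:
        problems.append(f"{web_vs.name}: SSO '{portal_item_sso}' is also set on the portal access "
                        "resource item; specify SSO only in the access profile")
    return problems

# Constructed sample data: one network access VS and two candidate web app VSs.
NA_VS = VirtualServer("vs_vpn", "203.0.113.10", "SSL-VPN", connectivity_profile="connectivity_corp")
WEB_VS_OK = VirtualServer("vs_intranet", "10.0.0.1", "SSO", enabled_tunnels=("connectivity_corp",),
                          address_translation=False, port_translation=False)
WEB_VS_BAD = VirtualServer("vs_wiki", "127.0.0.1", "SSL-VPN")

if __name__ == "__main__":
    print(normalize_destination("10.0.0.1"))          # 10.0.0.1/32
    print(check_web_app_vs(WEB_VS_OK, NA_VS))        # []
    for problem in check_web_app_vs(WEB_VS_BAD, NA_VS, "sso_wiki"):
        print(problem)
```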

About SSO for portal access resources

An SSO configuration can be specified in a portal access resource item or in the access profile through which the portal access resource is assigned in the access policy.

If a portal access resource item and a virtual server that matches the resource populate the same session, an SSO configuration must be specified only once and at the access profile level. The SSO configuration must be specified in the access profile for the matching virtual server and not in the portal access resource item.

Configuring SSO for a portal access resource item

You must have created a portal access resource and added one or more resource items to it. You must have created an SSO configuration.
Add an SSO configuration to a portal access resource item to support SSO at the resource level instead of supporting SSO at the access profile level.
  1. On the Main tab, click Access > Connectivity / VPN > Portal Access > Portal Access Lists.
    The Portal Access List screen opens.
  2. In the Resource Items column, click the link for a resource item.
    A Properties screen for that resource item opens.
  3. In the Resource Item Properties area, from the SSO Configuration list, select an SSO configuration.
    The default value is None.
  4. Click Update.
    The Properties screen refreshes.
To add SSO configurations to additional portal access resource items, repeat these steps.