Applies To:
BIG-IQ Centralized Management
- 7.0.0, 6.1.0, 6.0.1
Federation
Configure Access as an OAuth 2.0 authorization server
You can configure a BIG-IQ® Centralized Management with Access to act as an OAuth authorization server. OAuth client applications and resource servers can register to have Access authorize requests.
Register a client application for OAuth services
Register a resource server for OAuth services
Configure an artifact resolution service
Configure an OAuth profile
Introducing BIG-IQ SAML Support
You use BIG-IQ® Centralized Management to set up SAML support for multiple BIG-IP devices. Many of the concepts and steps are the same as setting up SAML support in BIG-IP® Access Policy Manager®.
For more information, see the BIG-IP Access Policy Manager: Authentication and Single Sign-On guide on the AskF5™ Knowledge Base at support.f5.com.
About SAML
Security Assertion Markup Language (SAML) defines a common XML framework for creating, requesting, and exchanging authentication and authorization data among entities known as Identity Providers (IdPs) and Service Providers (SPs). This exchange enables single sign-on among such entities.
- An IdP is a system or administrative domain that asserts information about a subject. The information that an IdP asserts pertains to authentication, attributes, and authorization. An assertion is a claim that an IdP makes about a subject.
- A service provider is a system or administrative domain that relies on information provided by an IdP. Based on an assertion from an IdP, a service provider grants or denies access to protected services.
In simple terms, an IdP is a claims producer, and a service provider is a claims consumer. An IdP produces assertions about users, attesting to their identities. Service providers consume and validate assertions before providing access to resources.
SAML 2.0 is an OASIS open standard. The SAML core specification defines the structure and content of assertions.
About SAML metadata
SAML metadata specifies how configuration information is defined and shared between two communicating entities: a SAML Identity Provider (IdP) and a SAML service provider. Service provider metadata describes the service provider's requirements, such as whether it requires a signed assertion, which protocol bindings its endpoints (AssertionConsumerService) support, and which certificates and keys to use for signing and encryption. IdP metadata describes the IdP's requirements, such as which protocol bindings its endpoints (SingleSignOnService) support, and which certificate to use for signing and encryption.
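The following is an added example, not part of the BIG-IQ documentation: it reads the metadata elements the paragraph mentions (entityID, WantAssertionsSigned, the AssertionConsumerService or SingleSignOnService endpoints with their bindings, and the signing and encryption certificates in KeyDescriptor elements) from a constructed SP metadata document. The entity ID, URLs and certificate bodies are placeholders, and the parser handles both the SP and the IdP role so it generalizes beyond the SP metadata embedded here.

```python
"""Added example: extract the requirements a SAML peer publishes in its metadata."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed SP metadata (placeholder entityID, locations and certificate text).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.test/saml/acs-artifact" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Which role element carries which endpoint element.
ROLES = {
    "SPSSODescriptor": ("SP", "AssertionConsumerService"),
    "IDPSSODescriptor": ("IdP", "SingleSignOnService"),
}


def _truthy(value):
    return (value or "").strip().lower() == "true"


def parse_saml_metadata(xml_text: str) -> dict:
    """Return the entityID and, per role, its signing flags, endpoints and certificates."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    result = {"entity_id": root.get("entityID"), "roles": []}
    for role_tag, (role_name, endpoint_tag) in ROLES.items():
        for role in root.findall(f"{{{MD}}}{role_tag}"):
            certs = {"signing": [], "encryption": []}
            for kd in role.findall(f"{{{MD}}}KeyDescriptor"):
                use = kd.get("use")
                cert = kd.findtext(f".//{{{DS}}}X509Certificate", default="").strip()
                # The metadata schema makes 'use' optional; an absent value means both uses.
                for u in (["signing", "encryption"] if use is None else [use]):
                    if u in certs:
                        certs[u].append(cert)
            endpoints = [
                {"binding": e.get("Binding"), "location": e.get("Location"),
                 "default": _truthy(e.get("isDefault"))}
                for e in role.findall(f"{{{MD}}}{endpoint_tag}")
            ]
            result["roles"].append({
                "role": role_name,
                # SP-side flags; an IdP role publishes WantAuthnRequestsSigned instead.
                "want_assertions_signed": _truthy(role.get("WantAssertionsSigned")),
                "authn_requests_signed": _truthy(role.get("AuthnRequestsSigned")),
                "want_authn_requests_signed": _truthy(role.get("WantAuthnRequestsSigned")),
                "endpoints": endpoints,
                "certs": certs,
            })
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(parse_saml_metadata(SP_METADATA), indent=2))
```

The standard-library parser is used here because the input is constructed and trusted; metadata obtained from a remote party is untrusted XML and should be parsed with a hardened parser (for example the defusedxml package) before any value from it is accepted into a connector configuration.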
Configure a custom SAML SP connector
Configure a custom SAML IdP connector
Automate IdP connector creation for BIG-IQ as SP
You create a connector automation configuration to automatically create SAML IdP connectors and bind them to an SP service based on cumulative IdP metadata you maintain in a file or files. You specify matching criteria in connector automation for BIG-IQ to use, in order to send a user to the correct IdP.
Create SAML authentication context classes
Create attribute consuming service
Configure a SAML IdP service
Configure a custom SAML SP connector
Automate SP connector creation for BIG-IQ as IdP
You create a connector automation configuration to automatically create SAML SP connectors and bind them to an IdP service based on cumulative SP metadata you maintain in a file or files. You specify matching criteria in connector automation for BIG-IQ to use, in order to send a user to the correct SP.
Configure an artifact resolution service
OAuth Authorization Server
About OAuth token types
As an OAuth authorization server, BIG-IQ® Centralized Management supports bearer access tokens and refresh tokens. For both bearer access tokens and refresh tokens, BIG-IQ supports opaque tokens and JSON web tokens.
About access tokens
As defined in the OAuth 2.0 specification (RFC 6749), an access token is a credential used to access protected resources. An access token is a string that represents an authorization issued to the client. A token represents specific scopes and durations of access granted by the resource owner. The resource server and the authorization server enforce the scopes and durations of access.
About refresh tokens
As defined in the OAuth 2.0 specification (RFC 6749), a refresh token is a credential used to obtain an access token. The client uses a refresh token to get a new access token from the authorization server when the current access token expires. If refresh tokens are enabled in the configuration, the OAuth authorization server issues a refresh token to the client when it issues an access token.
A refresh token is a string. It represents the authorization that the resource owner grants to the client. Unlike access tokens, a refresh token is for use with authorization servers only, and is never sent to a resource server.
About opaque tokens
Opaque tokens are issued in a proprietary format. Only the OAuth authorization server that issues the token can read it and validate it. The OAuth authorization server stores an opaque token for its lifetime and offers the ability to revoke the token. Use of opaque tokens forces client apps to communicate with the authorization server.
About JSON web tokens
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information in a JSON object between OAuth entities. This information can be verified and trusted because it is digitally signed. JSON web tokens are not stored on an OAuth authorization server and they cannot be revoked.
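The following is an added example, not code from the BIG-IQ product, that makes the difference between the two token types concrete from the resource server's point of view. It assumes an HMAC-signed (HS256) JWT with a constructed shared key, and an in-memory dictionary standing in for the authorization server's opaque-token store; the subject, scope and lifetimes are constructed sample values.

```python
"""Added example: opaque tokens are looked up (and can be revoked) at the authorization
server; JWTs are verified locally and stay valid until they expire."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed HS256 key shared by authorization server and resource server (assumption).
JWT_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(subject: str, scope: str, lifetime: int, now: int) -> str:
    """Authorization server: a self-contained, signed access token (RFC 7519)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "scope": scope, "iat": now, "exp": now + lifetime}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(JWT_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_jwt(token: str, now: int):
    """Resource server: verify signature, algorithm and expiry with no call to the server.
    Returns the claims, or None if the token is malformed, tampered with or expired."""
    try:
        h, c, s = token.split(".")
        expected = hmac.new(JWT_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
    except ValueError:  # bad base64 or JSON (binascii.Error and JSONDecodeError are ValueErrors)
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256" or claims.get("exp", 0) <= now:
        return None
    return claims


class OpaqueTokenServer:
    """Authorization server holding opaque tokens; only it can map a token to its grant."""

    def __init__(self):
        self._store = {}

    def issue(self, subject: str, scope: str, lifetime: int, now: int) -> str:
        token = secrets.token_urlsafe(32)  # random string with no meaning outside the store
        self._store[token] = {"sub": subject, "scope": scope, "exp": now + lifetime}
        return token

    def revoke(self, token: str) -> None:
        self._store.pop(token, None)

    def introspect(self, token: str, now: int):
        """What a resource server has to ask the authorization server for an opaque token."""
        record = self._store.get(token)
        if record is None or record["exp"] <= now:
            return None
        return record


def revocation_demo(now: int):
    """Returns (opaque_still_valid, jwt_still_valid) after the server tries to revoke both."""
    server = OpaqueTokenServer()
    opaque = server.issue("alice", "read", 300, now)
    server.revoke(opaque)
    jwt = issue_jwt("alice", "read", 300, now)
    # Nothing about the JWT is stored server-side, so there is nothing to revoke; it
    # keeps validating until 'exp' passes.
    return server.introspect(opaque, now) is not None, validate_jwt(jwt, now) is not None


if __name__ == "__main__":
    print(revocation_demo(1_700_000_000))
```

The practical consequence for a deployment: with JWTs, the access-token lifetime is the revocation window, so keep it short and rely on the refresh token (which the authorization server does control) for longer sessions; with opaque tokens, every resource-server check costs a round trip to the authorization server but takes effect immediately on revocation.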
Configuring APM as an OAuth 2.0 authorization server
You can configure BIG-IQ® Centralized Management to act as an OAuth authorization server. OAuth client applications and resource servers can register to have BIG-IQ authorize requests.