Manual Chapter : Federation

Applies To:

BIG-IQ Centralized Management

  • 7.0.0, 6.1.0, 6.0.1

Federation

Configure Access as an OAuth 2.0 authorization server

You can configure a BIG-IQ® Centralized Management with Access to act as an OAuth authorization server. OAuth client applications and resource servers can register to have Access authorize requests.

Register a client application for OAuth services

For a client application to obtain OAuth tokens and OAuth authorization codes from BIG-IQ Centralized Management, you must register it with Access.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. Expand Federation and click OAuth Authorization Server > Client Application .
  4. Click Create.
    The New Client Application screen opens.
  5. In the Name field, type a name for the object.
  6. In the Application Name field, type the application name.
  7. In the Customization Settings for English area, in the Caption field, type a caption.
    Access displays this caption as the name of the application on an Authorization screen if you choose to display one.
  8. In the Security Settings area, for Authentication Type, select one of the options:
    • None - This is typically used in conjunction with the Implicit grant type, which does not use a secret or a certificate. For grant types other than Implicit, the other options provide better security.
    • Secret - This is the default setting. If this is selected, Access generates the secret for the client; you can later request that Access regenerate it.
    • Certificate - Uses the client certificate. If this is selected, the Client Certificate Distinguished Name field displays.
  9. If the Client Certificate Distinguished Name field displays, leave it blank or type a name.
    If you leave it blank, Access accepts any valid client certificate. If you specify a name, Access accepts only the specific valid client certificate with the specified Distinguished Name.
    This is a sample Distinguished Name for the client certificate: emailAddress=w.smith@f5.com,CN=OAuth AS Project Client2 Cert,OU=Product Development,O=F5 Networks,ST=CA,C=US
  10. For Scope, select one or more and move them to the Selected field.
  11. From Grant Type, select one or more of the options:
    • Authorization Code / Hybrid - The client must authenticate with the authorization server (Access) to get a token.
    • Implicit - The client gets a token from the authorization server (Access) without authenticating to it. (Refresh tokens are not available with this grant type.)
    • Resource Owner Password Credentials - The client goes directly to the authorization server and uses the resource owner credentials to obtain a token.
  12. For Redirect URI(s) (if displayed), type a fully qualified URI, click Add, and repeat as needed.
    Redirect URI(s) form a list of URIs to which the OAuth authorization server can redirect the resource owner’s user agent after authorization is obtained for an authorization code or implicit grant type.
  13. For Support OpenID Connect, select Enabled to select OpenID Connect support.
    Client applications retrieve an ID token and an access token.
  14. To apply the token management settings from an OAuth profile:
    1. In the Token Management Configuration area, retain selection of the Enabled check box.
      The token management configuration settings in an OAuth profile apply to client applications assigned to that profile except when this setting is disabled.
    2. Skip to step 16.
  15. To manage tokens in a manner that is distinct for this client application:
    1. In the Token Management Configuration area, clear the Enabled check box.
      Additional fields display.
    2. Update any of the additional fields.
  16. Click Save.
Access generates a client ID for the application. If the Authentication Type is set to Secret, Access generates a secret. The application displays on the Client Application screen.
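
The checks that an authorization server applies to an incoming authorization request, given a registration like the one above, as an added example in Python (not F5 or BIG-IQ code). The client IDs, redirect URIs and scopes are constructed, and the response_type-to-grant mapping follows RFC 6749; how Access itself stores or matches these fields is not described on this page.

```python
# Constructed registrations shaped like the fields in the steps above.
# The client IDs are made up, not ones that Access generated.
REGISTERED_CLIENTS = {
    "app1-client-id": {
        "auth_type": "secret",
        "grant_types": {"authorization_code"},
        "scopes": {"openid", "profile", "read"},
        "redirect_uris": {"https://app1.example.com/oauth/callback"},
    },
    "spa-client-id": {
        "auth_type": "none",
        "grant_types": {"implicit"},
        "scopes": {"read"},
        "redirect_uris": {"https://spa.example.com/cb"},
    },
}

# RFC 6749 response_type values and the grant type each one requires.
RESPONSE_TYPE_TO_GRANT = {"code": "authorization_code", "token": "implicit"}


def validate_authorization_request(params, clients=REGISTERED_CLIENTS):
    """Return (ok, error_code) for a request to the authorization endpoint.

    The redirect_uri is compared by exact string match against the registered
    list. No prefix, host-only, wildcard or normalized matching: any of those
    lets a look-alike path or host receive the code or token. When the check
    fails the error must be shown to the user directly, never sent to the
    supplied URI, because that URI is exactly what is not trusted."""
    client = clients.get(params.get("client_id"))
    if client is None:
        return False, "unknown_client"
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None and len(client["redirect_uris"]) == 1:
        # RFC 6749 lets a client with a single registered URI omit it.
        redirect_uri = next(iter(client["redirect_uris"]))
    if redirect_uri not in client["redirect_uris"]:
        return False, "invalid_redirect_uri"
    grant = RESPONSE_TYPE_TO_GRANT.get(params.get("response_type"))
    if grant is None or grant not in client["grant_types"]:
        return False, "unsupported_response_type"
    requested = set(params.get("scope", "").split())
    if not requested or not requested <= client["scopes"]:
        return False, "invalid_scope"  # a client cannot ask for scopes it was not registered with
    return True, None
```

The exact-match rule is the part worth copying: a path traversal suffix or an attacker-owned host that merely starts with the registered hostname both fail, and a client registered only for Authorization Code cannot switch to response_type=token to obtain a token without authenticating.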

Register a resource server for OAuth services

For Access in BIG-IQ Centralized Management as an OAuth authorization server to accept token introspection requests from a resource server for token validation, you must register the resource server with Access.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. Expand Federation and click OAuth Authorization Server > Resource Server .
  4. Click Create.
    The New Resource Server screen opens.
  5. In the Name field, type a name for the object.
  6. From Device, select the associated BIG-IP device.
  7. For Authentication Type, select one of these:
    • None - The resource server is not authenticated when it sends a token introspection request to the OAuth authorization server for validation. Anyone who can reach the introspection endpoint can then query token status, so prefer one of the other options.
    • Secret - Access generates the secret; you can later request that Access regenerate it.
    • Certificate - This is the default setting. If this is selected, the Resource Server Certificate Distinguished Name field displays.
  8. If Resource Server Certificate Distinguished Name displays, leave it blank or type a name.
    If you leave it blank, Access accepts any valid client certificate that the resource server presents. If you specify a name, Access accepts only a valid client certificate with that Distinguished Name.
    This is a sample Distinguished Name for the resource server certificate: emailAddress=w.smith@f5.com,CN=OAuth AS Project Client2 Cert,OU=Product Development,O=F5 Networks,ST=CA,C=US
  9. Click Save.
The new resource server displays on the list.
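
What a registered resource server actually sends to the authorization server, and how it should read the answer, as an added example in Python (not F5 code). The introspection URL is an assumption, the Secret and Certificate options map to HTTP Basic and mutual TLS respectively, and the responses are constructed JSON in the shape RFC 7662 defines; the network call itself is left out so the block runs offline.

```python
import base64
import json
import time
import urllib.parse

# Assumed introspection endpoint; the real path is whatever the
# authorization server publishes, not something this page specifies.
INTROSPECT_URL = "https://as.example.com/introspect"


def build_introspection_request(token, client_id=None, client_secret=None,
                                client_cert_path=None):
    """Return (headers, body, tls_options) for an RFC 7662 introspection POST.

    Secret      -> HTTP Basic with client_id:client_secret
    Certificate -> no Authorization header; the client certificate is presented
                   at the TLS layer (mutual TLS), so it goes into tls_options
    None        -> no authentication at all, which is why it is the weakest choice
    """
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    tls_options = {}
    if client_secret is not None:
        cred = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    elif client_cert_path is not None:
        tls_options["certfile"] = client_cert_path
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    return headers, body, tls_options


def evaluate_introspection(response_json, required_scope, now=None):
    """Decide whether the resource server should admit the request.

    Returns (allowed, reason). The decision is deliberately strict:
    'active' must be the JSON boolean true (a string "true" is rejected),
    an 'exp' that has passed is rejected even if 'active' is true, and the
    required scope must appear in the space-separated 'scope' list.
    """
    now = time.time() if now is None else now
    resp = json.loads(response_json)
    if resp.get("active") is not True:
        return False, "inactive"
    exp = resp.get("exp")
    if exp is not None and now >= exp:
        return False, "expired"
    granted = set(resp.get("scope", "").split())
    if required_scope not in granted:
        return False, "insufficient_scope"
    return True, "ok"


# Constructed responses in the RFC 7662 shape; not captured from an F5 device.
ACTIVE_RESPONSE = json.dumps({
    "active": True, "client_id": "app1", "scope": "read write",
    "sub": "alice", "aud": "https://api.example.com", "exp": 1700000600,
})
INACTIVE_RESPONSE = json.dumps({"active": False})
STRING_ACTIVE_RESPONSE = '{"active": "true", "scope": "read"}'
```

Two details carry the security weight: the resource server's own credential (secret or certificate) is what stops an outsider from using the introspection endpoint as a token oracle, and the `active` check compares against the boolean true rather than truthiness, so a malformed or hostile response containing the string "false" is not mistaken for an active token.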

Configure an artifact resolution service

Before you configure the artifact resolution service (ARS), you need to have configured a virtual server. That virtual server can be the same as the one used for the SAML Identity Provider (IdP), or you can create an additional virtual server.
Note: F5 highly recommends that the virtual server definition include a server SSL profile.
You configure an ARS so that a BIG-IQ system that is configured as a SAML IdP can provide SAML artifacts in place of assertions. With ARS, the BIG-IQ system can receive Artifact Resolve Requests (ARRQ) from service providers, and provide Artifact Resolve Responses (ARRP) for them.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. Expand Federation and click SAML Identity Provider > Artifact Resolution Services .
  4. Under either Artifact Resolution Services (Shared) or Artifact Resolution Services (Device-specific), click Create.
    The Create New SAML Artifact Resolution Service popup screen opens, showing general settings.
  5. In the Name field, type a name for the artifact resolution service.
  6. In the Description field, type a new description.
  7. Click Service Settings.
  8. From the Virtual Server list, select the virtual server that you created previously.
    ARS listens on the IP address and port configured on the virtual server.
  9. In the Artifact Validity (Seconds) field, type the number of seconds for which the artifact remains valid. The default is 60 seconds.
    The system deletes an artifact once it is older than the validity period, so a service provider must resolve it within that window.
  10. For the Send Method setting, select the binding to use to send the artifact, either POST or Redirect.
  11. In the Host field, type the host name defined for the virtual server, for example ars.siterequest.com.
  12. In the Port field, type the port number defined in the virtual server. The default is 443.
  13. Click Security Settings.
  14. To require that artifact resolution messages from an SP be signed, select the Sign Artifact Resolution Request check box.
  15. To use HTTP Basic authentication for artifact resolution request messages, in the User Name field, type a name for the artifact resolution service request and in the Password field, type a password.
    These credentials must be present in all Artifact Resolve Requests sent to this ARS.
  16. Click OK.
    The popup screen closes, leaving the Artifact Resolution Services list screen open.
The Artifact Resolution Service is ready to use.
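
The artifact lifecycle that the ARS settings above govern (validity window, one-time resolution, deletion after expiry), as an added Python example that is not F5 code. The artifact layout (type code 0x0004, endpoint index, SHA-1 of the issuer entity ID, 20-byte random handle) follows the SAML 2.0 Bindings specification; the entity IDs, assertion strings and in-memory store are constructed, and the transport protections the steps above configure (server SSL profile, signed ArtifactResolve, HTTP Basic credentials) sit outside this block.

```python
import base64
import hashlib
import os
import struct
import time

ARTIFACT_TYPE_CODE = 0x0004  # SAML 2.0 artifact format (Bindings spec, section 3.6.4)


class ArtifactResolutionService:
    """Issues artifacts for assertions and resolves each one at most once."""

    def __init__(self, issuer_entity_id, validity_seconds=60, clock=time.time):
        # SourceID is the SHA-1 of the issuer's entity ID, so an SP can tell
        # which IdP to ask; the message handle is 20 random bytes.
        self.source_id = hashlib.sha1(issuer_entity_id.encode()).digest()
        self.validity = validity_seconds
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self._pending = {}  # message handle -> (expires_at, assertion)

    def issue(self, assertion, endpoint_index=0):
        """Store the assertion and return the base64 artifact the SP receives."""
        handle = os.urandom(20)
        raw = struct.pack(">HH", ARTIFACT_TYPE_CODE, endpoint_index) + self.source_id + handle
        self._pending[handle] = (self.clock() + self.validity, assertion)
        return base64.b64encode(raw).decode()

    def resolve(self, artifact):
        """Return the assertion for a valid, unexpired, unused artifact, else None."""
        try:
            raw = base64.b64decode(artifact, validate=True)
        except (ValueError, TypeError):
            return None
        if len(raw) != 44:
            return None
        type_code, _endpoint_index = struct.unpack(">HH", raw[:4])
        source_id, handle = raw[4:24], raw[24:44]
        if type_code != ARTIFACT_TYPE_CODE or source_id != self.source_id:
            return None  # wrong format, or issued by some other IdP
        entry = self._pending.pop(handle, None)  # single use: removed on first lookup
        if entry is None:
            return None  # unknown, already resolved, or purged
        expires_at, assertion = entry
        if self.clock() > expires_at:
            return None  # validity window elapsed
        return assertion

    def purge_expired(self):
        """Drop artifacts nobody resolved in time; returns how many were removed."""
        now = self.clock()
        stale = [h for h, (exp, _) in self._pending.items() if now > exp]
        for h in stale:
            del self._pending[h]
        return len(stale)

    def pending_count(self):
        return len(self._pending)
```

The artifact itself carries no assertion content, only a random handle, which is why it can travel in a URL; what makes the scheme safe is that the handle is removed on first resolution and discarded after the validity period, so a replayed or late ArtifactResolve gets nothing.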

Configure an OAuth profile

You configure an OAuth profile to specify the client applications, resource servers, token types, and authorization server endpoints that apply to the traffic that goes through a particular virtual server.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. Expand Federation and click OAuth Authorization Server > OAuth Profile .
  4. Click Create.
  5. In the Name field, type a name for the object.
  6. For Device, select the BIG-IP device attached to this application.
  7. For Application Name, type the name of the client application.
  8. For Website URL, type the URL for the home page of the client application.
  9. For Website Logo URL, type the URL that refers to the logo for the client application.
  10. For Contact, type contact information.
  11. In the Customization Settings for English area, for Caption type the application name to display when prompting the user for authorization. (Defaults to text entered in the Application Name field.)
  12. For Detailed Description, type the description of the application to display when prompting the user for authorization.
  13. In the Security Settings area, for Authentication Type select one:
    • None - This is typically used in conjunction with the Implicit grant type, which does not use a secret or a certificate.
    • Secret - The OAuth authorization server (APM) generates a cryptographically strong random alphanumeric string. If you select this option, the Secret field displays.
    • Certificate - The OAuth authorization server requires a client certificate in OAuth requests. If you select this option, the Client Certificate Distinguished Name field displays.
  14. For Client Certificate Distinguished Name (if displayed) if you specify a certificate distinguished name, then only a valid client certificate with the specified certificate distinguished name will be accepted.
  15. For Secret (if displayed), to regenerate the secret click Regenerate.
  16. For Scope, move values between the Selected list, which specifies scopes that are applicable to the client application and the Available list, which specifies other scopes that are defined on the BIG-IP system.
  17. For Grant Type, select one or more:
    • Authorization Code - With this type, the client must authenticate with the OAuth authorization server to get a token.
    • Implicit - With this type, the client gets a token from the OAuth authorization server without authenticating to it. (Refresh tokens are not available with this grant type.)
    • Resource Owner Password Credentials - With this type, the client goes directly to the OAuth authorization server and uses the resource owner credentials to obtain a token.
  18. For Redirect URIs (if displayed), specify a list of fully qualified URIs to which the OAuth authorization server can redirect the resource owner’s user agent after authorization is obtained. A redirect URI is used with the Authorization Code and Implicit grant types.
  19. In the Token Management Configuration area, for the Use Profile Token Management Settings check box:
    • Select to take token management settings from the OAuth profile that is attached to the virtual server. (Additional token management settings are hidden when you select the check box.)
    • Clear to configure token management settings to meet the particular requirements of this client application. (Additional token management settings display when you clear the check box.)
  20. If Use Profile Token Management Settings is disabled, you can update these fields:
    1. For Authorization Code Lifetime, type a number.
      This specifies the number of minutes an authorization code is considered valid.
    2. For Access Token Lifetime, type a number.
      This specifies the number of minutes an access token is considered valid.
    3. For Reuse Access Token, select or clear the Enabled check box. If cleared, the server generates a new access token. If selected, the server extends the expiry time of the access token associated with the refresh token.
      Note: For an access token to be reused, the Enabled check box must be selected for Generate Refresh Token.
    4. For Generate Refresh Token, select or clear the Enabled check box. If selected, the OAuth authorization server generates a refresh token in addition to the access token for authorization code and resource owner credential grants.
    5. For Refresh Token Lifetime, type a number.
      This specifies the number of minutes that a refresh token is considered valid after it is generated.
    6. For Reuse Refresh Token select or clear the Enabled check box. When cleared and a new access token is obtained, the OAuth authorization server also generates a new refresh token value.
    7. For Refresh Token Usage Limit, type a number.
      This specifies the number of times an access token can be obtained using the refresh token.
    8. For JWT Access Token Lifetime, type a number.
      This specifies the number of minutes a JWT access token is considered valid. In specifying this lifetime, consider that JWT access tokens cannot be revoked.
    9. For JWT Generate Refresh Token, select Enabled so the OAuth authorization server generates a refresh token in addition to the access token for authorization code and resource owner credential grants.
    10. For JWT Refresh Token Lifetime, type a number.
      This specifies the number of minutes a refresh token is considered valid. In specifying this lifetime, consider that JWT refresh tokens cannot be revoked.
    11. For Audience, add the audience claim for which the JWT access token is intended. This is a list of values. Each value in this list can be a string, URI, or session variable.
    12. For Claim, specify the list of claims that are part of the JWT access token.
  21. To save your changes, click the Save & Close button at the bottom of the screen.
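
The fields above set lifetimes that the authorization server enforces, but for JWT access tokens the note in step 8 matters most: there is no revocation, so a resource server is left with the signature, the exp claim and the aud claim. This added Python example (not F5 code) mints and verifies such a token. It assumes HS256 with a shared key so that it runs on the standard library alone; APM would normally sign with an RSA key and the resource server would verify with the published public key. Key, claims and audience values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, key):
    """Issue an HS256 JWT. HS256 is an assumption made so this runs offline;
    an authorization server would normally use RS256 with its private key."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = header + "." + payload
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token, key, expected_aud, now=None, leeway=0):
    """Resource-server side check. Returns (claims, None) if the token is
    acceptable, otherwise (None, reason). Order matters: the algorithm is
    pinned and the signature is checked before any claim is trusted."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        signature = b64url_decode(s_b64)
    except ValueError:
        return None, "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "bad_alg"  # refuses 'none' and any algorithm swap
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad_signature"
    try:
        claims = json.loads(b64url_decode(p_b64))
    except ValueError:
        return None, "malformed"
    if not isinstance(claims, dict):
        return None, "malformed"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp + leeway:
        return None, "expired"  # a JWT without exp could never be retired, so treat it as expired
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return None, "bad_audience"  # a token minted for another API must not be accepted
    return claims, None
```

Because the resource server cannot ask anyone whether a JWT is still good, the JWT Access Token Lifetime is the only thing bounding the damage from a leaked token; keep it short, and put each API in its own Audience so a token stolen from one service is useless at another.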

Introducing BIG-IQ SAML Support

You use BIG-IQ® Centralized Management to set up SAML support for multiple BIG-IP devices. Many of the concepts and steps are the same as setting up SAML support in BIG-IP® Access Policy Manager®.

For more information, see the BIG-IP Access Policy Manager: Authentication and Single Sign-On guide on the AskF5™ Knowledge Base located at support.f5.com/.

About SAML

Security Assertion Markup Language (SAML) defines a common XML framework for creating, requesting, and exchanging authentication and authorization data among entities known as Identity Providers (IdPs) and Service Providers (SPs). This exchange enables single sign-on among such entities.

  • IdP is a system or administrative domain that asserts information about a subject. The information that an IdP asserts pertains to authentication, attributes, and authorization. An assertion is a claim that an IdP makes about a subject.
  • Service Provider is a system or administrative domain that relies on information provided by an IdP. Based on an assertion from an IdP, a service provider grants or denies access to protected services.

In simple terms, an IdP is a claims producer, and a service provider is a claims consumer. An IdP produces assertions about users, attesting to their identities. Service providers consume and validate assertions before providing access to resources.

SAML 2.0 is an OASIS open standard. The SAML core specification defines the structure and content of assertions.

About SAML metadata

SAML metadata specifies how configuration information is defined and shared between two communicating entities: a SAML Identity Provider (IdP) and a SAML service provider. Service provider metadata provides information about service provider requirements, such as whether the service provider requires a signed assertion, the protocol binding support for endpoints (AssertionConsumerService) and which certificates and keys to use for signing and encryption. IdP metadata provides information about IdP requirements, such as the protocol binding support for endpoints (SingleSignOnService), and which certificate to use for signing and encryption.

Configure a custom SAML SP connector

Before you can configure a SAML service provider, you must first obtain an SSL certificate from the SAML service provider (SP) and import it into the certificate store on the BIG-IQ system.
You configure information about a SAML service provider so that BIG-IQ can act as a SAML Identity Provider (IdP) for it.
Note: Configure one SAML SP connector for each external SAML service provider for which this BIG-IQ system provides SSO authentication service.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. Expand FEDERATION and click SAML Identity Provider > External SP Connectors .
  4. Click Create > Custom .
  5. Type the name of the SP connector.
  6. For Required Signed Authentication Request, select the check box to require that this service provider sign its authentication requests. You must then select a certificate with which to verify the signature.
  7. For Signing Certificate, select the certificate for verifying signed authentication requests.
    This is usually the service provider certificate with public key.
  8. For Response must be signed, select the check box to specify that the service provider requires a signed response from the IdP.
  9. For Signing Algorithm, select the RSA-based signature algorithm to use.
  10. For Assertion must be signed, select the check box to specify that the service provider requires signed assertions from the IdP.
  11. For Assertion must be encrypted, select the check box to specify that the service provider requires encrypted assertions from the IdP.
  12. For Encryption Type, select the AES encryption type that you want.
  13. For Encryption Certificate, select the certificate whose public key the IdP uses to encrypt assertions for this service provider.
    This is usually the service provider certificate with a public key.
  14. For Single Logout Request URL, type where the system should send a logout request to this service provider when the system initiates a logout request.
  15. For Single Logout Response URL, type where to send a response to the service provider to indicate that single logout is complete.
  16. For Single Logout Binding, select how the system sends a logout request to the service provider.
  17. For Service Provider Location, select whether the SP is located as an external, internal, or internal multi-domain provider.
  18. For Relay State, type a value that the service provider uses to redirect the user after authentication.
  19. For Assertion Consumer Services, specify at least one assertion consumer service.
  20. Click Save & Close.

Configure a custom SAML IdP connector

An IdP connector specifies how a BIG-IQ system, configured as a SAML service provider (SP), connects with an external SAML identity provider (IdP). You configure a SAML IdP connector so that BIG-IQ (as a SAML service provider) can send authentication requests to this Identity Provider (IdP), relying on it to authenticate users and to provide access to resources behind BIG-IQ.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. Expand Federation and click SAML Service Provider > External IdP Connectors .
  4. Click Create > Custom .
  5. Type the name of the IdP connector.
  6. In the IdP Entity ID field, type a unique identifier for this SAML Identity Provider.
    Usually, this is a unique URI representing the IdP.
  7. In the Name Qualifier field, type the security or administrative domain of the Identity Provider.
    This value usually matches the IdP Entity ID.
  8. In the Description field, type descriptive text for the IdP connector.
  9. In the Single Sign On Service URL field, type the URL to which APM redirects the user for authentication when the user initiates the connection through the service provider.
    If the identity provider (IdP) is also a BIG-IP system (in a federation of BIG-IP systems), you can use this URL, https://IP-Address/saml/idp/profile/redirectpost/sso and substitute the IP address or FQDN of the BIG-IP as IdP virtual server for IP-Address.
  10. From the Single Sign On Service Binding list, select how Access Policy Manager is to send an authentication request to the SAML Identity Provider.
  11. For Location URL, type the URL of the artifact resolution service.
  12. For IP Address, type the IP address of the artifact resolution service.
  13. For Port, type the port number of the artifact resolution service.
  14. For Sign Artifact Resolution Request, select the check box to specify that artifact resolution messages from an SP are signed.
  15. For Server SSL Profile, select the name of the Server SSL profile you previously created.
  16. In the Username and Password fields, type the credentials that the artifact resolution service requires for HTTP Basic authentication of artifact resolution requests, if it requires them.
  17. For Identity Location, select where to find the user ID or name: in the Subject element of the assertion or in one of the Attributes in the attribute statement.
  18. For Identity Location Attribute, type the name of the attribute where the user ID or name can be found.
  19. For Authentication Request sent by this device to IdP, select whether the IdP expects signed authentication requests.
  20. For Signing Algorithm, select the algorithm used to sign authentication requests sent to the IdP.
  21. For IdP's Assertion Verification Certificate, select the IdP certificate (with public key) that the service provider uses to validate a signed assertion.
  22. For Single Logout Request URL, type a URL at the SAML Identity Provider (IdP) where APM can send the logout request when a service provider initiates a logout.
  23. For Single Logout Response URL, type a URL at the SAML Identity Provider (IdP) where APM can send the logout response when the IdP initiates the logout request.
  24. For Single Logout Binding, select a binding that specifies the method that Access Policy Manager uses to send logout requests and responses to the SAML Identity Provider.
  25. Click Save & Close.

Automate IdP connector creation for BIG-IQ as SP

To create a BIG-IQ Identity Provider (IdP) automation configuration, you need a BIG-IQ system that is configured to function as a SAML service provider (SP) and you need to have SAML SP services defined.
When a BIG-IQ system is configured as a SAML service provider (SP), you can use SAML identity provider (IdP) automation to automatically create new SAML IdP connectors for SP services. BIG-IQ polls a file or files that you supply; the files must contain cumulative IdP metadata. After polling, BIG-IQ creates IdP connectors for any new IdPs and associates them with a specified SP service. BIG-IQ uses matching criteria that you supply to send the user to the correct IdP.

You create a connector automation configuration to automatically create SAML IdP connectors and bind them to an SP service based on cumulative IdP metadata you maintain in a file or files. You specify matching criteria in connector automation for BIG-IQ to use, in order to send a user to the correct IdP.

  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. Expand Federation and click SAML Service Provider > Connector Automation .
  4. Click Create.
  5. Type a name for the connector automation.
  6. From the SP Service dropdown list, select the SAML SP service to which BIG-IQ binds the SAML IdP connectors that this automation creates.
  7. For the matching criteria, type the value that the metadata tag must contain for BIG-IQ to consider the IdP a match.
  8. For Metadata Tag For IdP Connector Name, type the name of the metadata tag whose value BIG-IQ uses to name each IdP connector that it creates.
  9. For Frequency, type the number of minutes after which BIG-IQ polls the IdP metadata files and updates the IdP connectors and bindings for the service.
  10. For Metadata URLs, type a URL that begins with http or https and specifies an IdP metadata file located on a remote system.
  11. From the DNS Resolver dropdown list, select a DNS resolver for the connector automation.
  12. From the SSL Profile (Server)dropdown list, select a server SSL profile for the connector automation.
  13. Click Save & Close.
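
Connector automation consumes cumulative IdP metadata: one EntitiesDescriptor holding many EntityDescriptors, of which only those with an IDPSSODescriptor are identity providers (see the About SAML metadata section above). This added Python example (not BIG-IQ's automation code) parses such a document, extracts what an IdP connector needs (entity ID, SingleSignOnService location per binding, signing certificate), and applies a substring match on a chosen tag to pick which IdPs get connectors. The metadata document is constructed, and the certificate value is a placeholder string rather than a real certificate.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed cumulative metadata: two IdPs and one SP-only entity. The
# X509Certificate content is a placeholder, not a real certificate.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp-a.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-a.example.edu/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp-a.example.edu/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
    <md:Organization>
      <md:OrganizationName xml:lang="en">Example University A</md:OrganizationName>
    </md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-only.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp-b.example.edu/sso"/>
    </md:IDPSSODescriptor>
    <md:Organization>
      <md:OrganizationName xml:lang="en">Example University B</md:OrganizationName>
    </md:Organization>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return one record per EntityDescriptor that carries an IDPSSODescriptor."""
    root = ET.fromstring(xml_text)
    idps = []
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        idp = ent.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SP-only entity: nothing to build an IdP connector from
        sso = {svc.get("Binding"): svc.get("Location")
               for svc in idp.findall("md:SingleSignOnService", NS)}
        cert = None
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
                continue
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert = "".join(node.text.split())  # strip PEM line breaks
                break
        org = ent.find("md:Organization/md:OrganizationName", NS)
        idps.append({
            "entity_id": ent.get("entityID"),
            "sso_redirect": sso.get(HTTP_REDIRECT),
            "sso_post": sso.get(HTTP_POST),
            "signing_cert": cert,
            "org_name": org.text.strip() if org is not None and org.text else None,
        })
    return idps


def select_connectors(idps, name_tag="org_name", match_value=None):
    """Apply the automation's two knobs: a tag whose value names the connector,
    and a value that tag must contain for the IdP to be taken. IdPs with no
    signing certificate or no SSO endpoint are dropped: a connector built from
    them could never validate an assertion or send a request."""
    connectors = []
    for idp in idps:
        if not idp["signing_cert"] or not (idp["sso_redirect"] or idp["sso_post"]):
            continue
        tag_value = idp.get(name_tag) or ""
        if match_value is not None and match_value not in tag_value:
            continue
        connectors.append(dict(idp, connector_name=tag_value or idp["entity_id"]))
    return connectors
```

Metadata fetched from a remote URL is untrusted input: in production parse it with defusedxml rather than the standard ElementTree, and verify the document's XML signature against a certificate you already hold before trusting any SingleSignOnService URL or signing certificate it contains, since a tampered file would otherwise silently redirect your users and their assertions to an attacker's IdP.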

Create SAML authentication context classes

You create SAML authentication context classes to provide URIs to SAML service providers. These URIs specify authentication methods in SAML authentication requests and authentication statements.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. Expand Federation and click Authentication Context Classes.
  4. Click Create.
  5. Type a name for the authentication context class.
  6. For Value, select a SAML authentication context class URI from the list.
    Each value that you select must be unique.
  7. Click Save & Close.

Create attribute consuming service

A SAML service provider (SP) endpoint can request certain attributes from a SAML IdP by including a special multi-attribute called an attribute consuming service. An attribute consuming service describes a service and a list of attributes to be used by the service. It is typically used with an AttributeConsumingService index which is used to map to an attribute consuming service. During a SAML SP configuration, the SP can specify attribute consuming service elements, where each element describes a service and a list of requested attributes, ready to use in a service. You can export this in the metadata and share it with the identity provider.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. Expand Federation and click SAML Service Provider > Attribute Consuming Service .
  4. Click Create.
  5. Type a name for the attribute consuming service object.
  6. In the Service Name field, type the name of the attribute consuming service.
  7. In the Service Description field, type descriptive text for the attribute consuming service.
  8. For Name in the SAML Attributes section, type the MCP object name for the attribute.
    The name must be unique.
  9. For Attribute Name, type a string that represents the name of the attribute.
    The name must be unique.
  10. For Name Format, type a URI reference that classifies the attribute name.
  11. For Friendly Name, type a string that provides a more readable form of the attribute name.
  12. For Is required, select the check box if the service requires the corresponding SAML attribute in order to function.
    The default value is False.
  13. Click the + button to add another row of SAML attributes.
  14. Click Save & Close.

Configure a SAML IdP service

A SAML IdP service is a type of single sign-on (SSO) authentication service in BIG-IQ. When you use a BIG-IQ system as a SAML identity provider (IdP), a SAML IdP service provides SSO authentication for external SAML service providers (SPs).
You must bind a SAML IdP service to SAML SP connectors, each of which specifies an external SP. APM responds to authentication requests from the service providers and produces assertions for them. Configure a SAML Identity Provider (IdP) service for the BIG-IQ system, configured as a SAML IdP, to provide authentication service for SAML service providers (SPs).
Note: Configure this IdP service to meet the requirements of all SAML service providers that you bind with it.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. Expand Federation and click SAML Identity Provider > Local IdP Services .
  4. Click Create.
  5. Type a name for the IdP service.
  6. In the IdP Entity ID field, type the unique identifier of the IdP (this BIG-IP system).
    This is usually a URI that represents the IdP.
  7. For Name Qualifier, type the security or administrative domain of the IdP (this BIG-IP system).
    This value usually matches IdP Entity ID.
  8. For Description, type a description of the SAML IdP.
  9. From the Log Setting list, select the log setting to use, so that events are logged as intended.
  10. From the Scheme list, select either http or https.
  11. For Host, type the host destination.
  12. For Web Browser SSO, select the check box to exchange information between the IdP, the SP, and the user through a web browser.
  13. For Enhanced Client or Proxy Profile (ECP), select the check box to support clients that use the ECP profile through an HTTP proxy.
    With ECP enabled, the proxy acts as an intermediary when the IdP and SP cannot communicate directly.
  14. From the Artifact Resolution Service list, select an artifact resolution service so that the IdP provides SAML artifacts in place of assertions.
  15. From the Assertion Subject Type list, select where the IdP (this BIG-IP system) can find the subject to be authenticated.
  16. From the Assertion Subject Value list, select the subject value.
    Usually, this is a session variable.
  17. From the Authentication Context Class Reference list, select the URI reference that identifies an authentication context class.
  18. For Assertion Validity, type the number in seconds for which the assertion is valid.
  19. For Enable Encryption of Subject, select the check box to encrypt the assertion subject, then specify the encryption strength.
  20. From the Signing Key list, select the key from the BIG-IQ store. The default value is None.
  21. From the Signing Certificate list, select the certificate from the BIG-IQ system store.
  22. For Signing Key Session Variable, type a session variable that resolves to a signing key used by the IdP to sign SAML messages.
  23. For Signing Certificate Session Variable, type a session variable that resolves to a signing certificate used by the IdP to sign SAML messages.
  24. Click Save & Close.

Configure a custom SAML SP connector

Before you can configure a SAML service provider, you must first obtain an SSL certificate from the SAML service provider (SP) and import it into the certificate store on the BIG-IQ system.
You configure information about a SAML service provider so that BIG-IQ can act as a SAML Identity Provider (IdP) for it.
Note: Configure one SAML SP connector for each external SAML service provider for which this BIG-IQ system provides SSO authentication service.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. Expand Federation and click SAML Identity Provider > External SP Connectors .
  4. Click Create > Custom .
  5. Type the name of the SP connector.
  6. For Required Signed Authentication Request, select the check box to require the user to select a signing certificate.
  7. For Signing Certificate, select the certificate for verifying signed authentication requests.
    This is usually the service provider certificate with public key.
  8. For Response must be signed, select the check box to specify that the service provider requires signed response from the IdP.
  9. For Signing Algorithm, select an RSA public-key encryption algorithm.
  10. For Assertion must be signed, select the check box to specify that the service provider requires signed assertions from the IdP.
  11. For Assertion must be encrypted, select the check box to specify that the service provider requires encrypted assertions from the IdP.
  12. For Encryption Type, select the type of AES encryption that you want.
  13. For Encryption Certificate, select the certificate to use to verify signed authentication requests.
    This is usually the service provider certificate with a public key.
  14. For Single Logout Request URL, type where the system should send a logout request to this service provider when the system initiates a logout request.
  15. For Single Logout Response URL, type where to send a response to the service provider to indicate that single logout is complete.
  16. For Single Logout Binding, select how the system sends a logout request to the service provider.
  17. For Service Provider Location, select whether the SP is located as an external, internal, or internal multi-domain provider.
  18. For Relay State, type a value that the service provider uses to redirect the user after authentication.
  19. For Assertion Consumer Services, specify at least one assertion consumer service.
  20. Click Save & Close.

Automate SP connector creation for BIG-IQ as IdP

To create a BIG-IQ Service Provider (SP) automation configuration, you need a BIG-IQ system that is configured to function as a SAML identity provider (IdP) and you need to have SAML IdP services defined.
When a BIG-IQ system is configured as a SAML identity provider (IdP), you can use SAML service provider (SP) automation to automatically create new SAML SP connectors for IdP services. BIG-IQ polls a file or files that you supply; the files must contain cumulative IdP metadata. After polling, BIG-IQ creates SP connectors for any new SPs and associates them with a specified IdP service. BIG-IQ uses matching criteria that you supply to send the user to the correct SP.

You create a connector automation configuration to automatically create SAML IdP connectors and bind them to an IdP service based on cumulative IdP metadata you maintain in a file or files. You specify matching criteria in connector automation for BIG-IQ to use, in order to send a user to the correct IdP.

  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. Expand Federation and click SAML Identity Provider > Connector Automation .
  4. Click Create.
  5. Type a name for the connector automation.
  6. From the IdP Service list, select the SAML IdP service that binds the SAML IdP connectors that this automation creates.
  7. For Metadata Tag For SP Connector Name, type the name of a metadata tag that contains a value BIG-IQ uses to name an SP connector that it creates.
  8. For Frequency, type the number of minutes after which BIG-IQ polls the SP metadata files and updates the SP connectors and bindings for the service.
  9. For Metadata URLs, type a URL that begins with http or https and specifies an SP metadata file located on a remote system.
  10. From the DNS Resolver list, select a DNS resolver for the connector automation.
  11. From the SSL Profile (Server) list, select a server SSL profile for the connector automation.
  12. Click Save & Close.

Configure an artifact resolution service

Before you configure the artifact resolution service (ARS), you need to have configured a virtual server. That virtual server can be the same as the one used for the SAML Identity Provider (IdP), or you can create an additional virtual server.
Note: F5 highly recommends that the virtual server definition include a server SSL profile.
You configure an ARS so that a BIG-IQ system that is configured as a SAML IdP can provide SAML artifacts in place of assertions. With ARS, the BIG-IQ system can receive Artifact Resolve Requests (ARRQ) from service providers, and provide Artifact Resolve Responses (ARRP) for them.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. Expand Federation and click SAML Identity Provider > Artifact Resolution Services .
  4. Under Artifact Resolution Services (Shared) or Artifact Resolution Services (Device-specific), click Create.
    The Create New SAML Artifact Resolution Service popup screen opens, showing general settings.
  5. In the Name field, type a name for the artifact resolution service.
  6. In the Description field, type a new description.
  7. Click Service Settings.
  8. From the Virtual Server list, select the virtual server that you created previously.
    ARS listens on the IP address and port configured on the virtual server.
  9. In the Artifact Validity (Seconds) field, type the number of seconds for which the artifact remains valid. The default is 60 seconds.
    The system deletes the artifact once it has existed for longer than the artifact validity period.
  10. For the Send Method setting, select the binding to use to send the artifact, either POST or Redirect.
  11. In the Host field, type the host name defined for the virtual server, for example ars.siterequest.com.
  12. In the Port field, type the port number defined in the virtual server. The default is 443.
  13. Click Security Settings.
  14. To require that artifact resolution messages from an SP be signed, select the Sign Artifact Resolution Request check box.
  15. To use HTTP Basic authentication for artifact resolution request messages, in the User Name field, type a name for the artifact resolution service request and in the Password field, type a password.
    These credentials must be present in all Artifact Resolve Requests sent to this ARS.
  16. Click OK.
    The popup screen closes, leaving the Artifact Resolution Services list screen open.
The Artifact Resolution Service is ready to use.
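The following is an added example, not BIG-IQ code, that models the behavior the ARS settings above control: an artifact is handed out in place of the assertion, resolves only while it is within its validity period, and, when HTTP Basic credentials are configured, only for Artifact Resolve Requests that carry them. The one-time-use rule (an artifact resolves at most once) comes from the SAML 2.0 bindings specification rather than from this page. The class and function names, the credentials, and the assertion strings are constructed for illustration.

```python
"""Added example (not BIG-IQ code): lifecycle enforced by a SAML artifact
resolution service (ARS). Names and sample values are constructed."""
import base64
import secrets
from typing import Dict, Optional, Tuple


class ArtifactResolutionService:
    def __init__(self, validity_seconds: int = 60,
                 basic_user: Optional[str] = None,
                 basic_password: Optional[str] = None):
        self.validity = validity_seconds          # "Artifact Validity (Seconds)", default 60
        self.basic_user = basic_user              # "User Name" / "Password" in Security Settings
        self.basic_password = basic_password
        self._artifacts: Dict[str, Tuple[str, float]] = {}   # artifact -> (assertion, issued_at)

    def issue_artifact(self, assertion: str, now: float) -> str:
        """Keep the assertion server-side and give the user agent a random
        handle (carried by the POST or Redirect binding) instead."""
        artifact = secrets.token_urlsafe(24)
        self._artifacts[artifact] = (assertion, now)
        return artifact

    def _authorized(self, authorization_header: Optional[str]) -> bool:
        if self.basic_user is None:
            return True                           # Basic auth not configured on this ARS
        if not authorization_header or not authorization_header.startswith("Basic "):
            return False
        try:
            decoded = base64.b64decode(authorization_header[6:]).decode()
        except Exception:
            return False
        user, _, password = decoded.partition(":")
        return (secrets.compare_digest(user, self.basic_user)
                and secrets.compare_digest(password, self.basic_password or ""))

    def resolve(self, artifact: str, now: float,
                authorization_header: Optional[str] = None) -> dict:
        """Handle an Artifact Resolve Request; the dict stands in for the
        Artifact Resolve Response (status plus assertion when it resolves)."""
        if not self._authorized(authorization_header):
            return {"status": "unauthorized"}
        entry = self._artifacts.pop(artifact, None)   # one-time use (SAML 2.0 bindings)
        if entry is None:
            return {"status": "unknown"}
        assertion, issued_at = entry
        if now - issued_at > self.validity:
            return {"status": "expired"}              # past validity: deleted, never returned
        return {"status": "ok", "assertion": assertion}

    def purge_expired(self, now: float) -> int:
        """Housekeeping: drop artifacts that outlived their validity."""
        stale = [a for a, (_, t) in self._artifacts.items() if now - t > self.validity]
        for a in stale:
            del self._artifacts[a]
        return len(stale)


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def demo() -> dict:
    # Constructed values: a 60-second validity and sample Basic credentials.
    ars = ArtifactResolutionService(60, "sp-connector", "sample-password")
    hdr = basic_header("sp-connector", "sample-password")
    t0 = 1_700_000_000.0
    a1 = ars.issue_artifact("<saml:Assertion ID='sample-1'/>", t0)
    a2 = ars.issue_artifact("<saml:Assertion ID='sample-2'/>", t0)
    return {
        "no_auth": ars.resolve(a1, t0 + 5)["status"],          # unauthorized
        "first": ars.resolve(a1, t0 + 5, hdr)["status"],       # ok
        "replay": ars.resolve(a1, t0 + 6, hdr)["status"],      # unknown (already resolved)
        "expired": ars.resolve(a2, t0 + 61, hdr)["status"],    # expired (61 s > 60 s)
        "purged": ars.purge_expired(t0 + 61),                  # 0: a2 was removed on resolve
    }
```

Note that the authorization check runs before the artifact is consumed, so an unauthenticated request cannot burn an artifact that the legitimate SP has yet to resolve.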

OAuth Authorization Server

About OAuth token types

As an OAuth authorization server, BIG-IQ® Centralized Management supports bearer access tokens and refresh tokens. For use as bearer access tokens and refresh tokens, BIG-IQ supports opaque tokens and JSON web tokens.

About access tokens

As defined in the OAuth 2.0 specification (RFC 6749), an access token is a credential used to access protected resources. An access token is a string that represents an authorization issued to the client. A token represents specific scopes and durations of access granted by the resource owner. The resource server and the authorization server enforce the scopes and durations of access.

About refresh tokens

As defined in the OAuth 2.0 specification (RFC 6749), a refresh token is a credential used to obtain an access token. The client uses a refresh token to get a new access token from the authorization server when the current access token expires. If refresh tokens are enabled in the configuration, the OAuth authorization server issues a refresh token to the client when it issues an access token.

A refresh token is a string. It represents the authorization that the resource owner grants to the client. Unlike access tokens, a refresh token is for use with authorization servers only, and is never sent to a resource server.

About opaque tokens

Opaque tokens are issued in a proprietary format. Only the OAuth authorization server that issues the token can read it and validate it. The OAuth authorization server stores an opaque token for its lifetime and offers the ability to revoke the token. Use of opaque tokens forces client apps to communicate with the authorization server.

About JSON web tokens

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information in a JSON object between OAuth entities. This information can be verified and trusted because it is digitally signed. JSON tokens are not stored on an OAuth authorization server and they cannot be revoked.
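The following added example, which is not BIG-IQ code, puts the opaque-token and JWT sections above side by side. An opaque token is a random handle that only the issuing server's store can interpret, so the resource server must call back for introspection (response shape after RFC 7662) and revocation works; an HS256 JWT validates offline from its signature and exp claim, and there is no server-side record to revoke. The store class, helper names, signing key, and claims are constructed for illustration.

```python
"""Added example (not BIG-IQ code): opaque token with introspection versus a
self-contained JWT. Key and claims are sample values."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_issue(claims: dict, key: bytes, now: float, lifetime: int) -> str:
    """Issue an HS256 JWT (RFC 7519). The server keeps no record of it."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=int(now), exp=int(now) + lifetime)
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(body, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def jwt_validate(token: str, key: bytes, now: float, audience: str) -> Optional[dict]:
    """Validate offline: algorithm, signature, expiry, audience. Returns claims
    or None. Nothing here can tell whether the issuer wants it revoked."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":          # reject "none" / algorithm confusion
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("exp", 0) <= now or claims.get("aud") != audience:
        return None
    return claims


class OpaqueTokenStore:
    """Opaque tokens: meaning lives only in the issuer's store, so resource
    servers introspect, and revocation is simply deletion."""

    def __init__(self):
        self._tokens = {}

    def issue(self, claims: dict, now: float, lifetime: int) -> str:
        token = secrets.token_urlsafe(32)            # random handle, no embedded data
        self._tokens[token] = dict(claims, exp=now + lifetime)
        return token

    def introspect(self, token: str, now: float) -> dict:
        entry = self._tokens.get(token)
        if entry is None or entry["exp"] <= now:
            self._tokens.pop(token, None)
            return {"active": False}
        return dict(entry, active=True)

    def revoke(self, token: str) -> None:
        self._tokens.pop(token, None)


def demo() -> dict:
    key = b"sample-hmac-key-not-for-production"     # constructed sample key
    claims = {"sub": "w.smith", "scope": "read", "aud": "api"}
    t0 = 1_700_000_000.0
    store = OpaqueTokenStore()
    opaque = store.issue(claims, t0, 300)
    jwt = jwt_issue(claims, key, t0, 300)
    out = {"opaque_active": store.introspect(opaque, t0 + 10)["active"],
           "jwt_valid": jwt_validate(jwt, key, t0 + 10, "api") is not None}
    store.revoke(opaque)
    out["opaque_after_revoke"] = store.introspect(opaque, t0 + 20)["active"]
    # A JWT has no server-side record: it stays valid until exp, whatever the issuer wants.
    out["jwt_after_revoke_attempt"] = jwt_validate(jwt, key, t0 + 20, "api") is not None
    out["jwt_after_expiry"] = jwt_validate(jwt, key, t0 + 301, "api") is not None
    # Forged payload (scope escalated) with the original signature fails verification.
    h, p, s = jwt.split(".")
    forged = h + "." + _b64url(json.dumps(dict(json.loads(_b64url_decode(p)), scope="admin")).encode()) + "." + s
    out["jwt_forged"] = jwt_validate(forged, key, t0 + 10, "api") is not None
    return out
```

The contrast is the point of the "JWT access tokens cannot be revoked" caveat in the OAuth profile settings: a short JWT lifetime is the only lever the issuer keeps, whereas an opaque token can be cut off at the store.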

Configuring APM as an OAuth 2.0 authorization server

You can configure BIG-IQ® Centralized Management to act as an OAuth authorization server. OAuth client applications and resource servers can register to have BIG-IQ authorize requests.

Register a client application for OAuth services

For a client application to obtain OAuth tokens and OAuth authorization codes from BIG-IQ Centralized Management, you must register it with Access.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. Expand Federation and click OAuth Authorization Server > Client Application .
  4. Click Create.
    The New Client Application screen opens.
  5. In the Name field, type a name for the object.
  6. In the Application Name field, type the application name.
  7. In the Customization Settings for English area in the Caption field, type a caption.
    Access displays this caption as the name of the application on an Authorization screen if you choose to display one.
  8. In the Security Settings area, for Authentication Type, select one of the options:
    • None - This is typically used in conjunction with the Implicit grant type, which does not use a secret or a certificate. For grant types other than Implicit, the other options provide better security.
    • Secret - This is the default setting. If this is selected, Access generates this secret for the client and you can request that Access regenerate the secret.
    • Certificate - Uses the client certificate. If this is selected, the Client Certificate Distinguished Name field displays.
  9. If the Client Certificate Distinguished Name field displays, leave it blank or type a name.
    If you leave it blank, Access accepts any valid client certificate. If you specify a name, Access accepts only the specific valid client certificate with the specified Distinguished Name.
    This is a sample Distinguished Name for the client certificate: emailAddress=w.smith@f5.com,CN=OAuth AS Project Client2 Cert,OU=Product Development,O=F5 Networks,ST=CA,C=US
  10. For Scope, select one or more and move them to the Selected field.
  11. From Grant Type, select one or more of the options:
    • Authorization Code / Hybrid - The client must authenticate with the authorization server (Access) to get a token.
    • Implicit - The client gets a token from the authorization server (Access) without authenticating to it. (Refresh tokens are not available with this grant type.)
    • Resource Owner Password Credentials - The client goes directly to the authorization server and uses the resource owner credentials to obtain a token.
  12. For Redirect URI(s) (if displayed), type a fully qualified URI, click Add, and repeat as needed.
    Redirect URI(s) form a list of URIs to which the OAuth authorization server can redirect the resource owner’s user agent after authorization is obtained for an authorization code or implicit grant type.
  13. For Support OpenID Connect, select Enabled to select OpenID Connect support.
    Client applications retrieve an ID token and an access token.
  14. To apply the token management settings from an OAuth profile:
    1. In the Token Management Configuration area, leave the Enabled check box selected.
      The token management configuration settings in an OAuth profile apply to client applications assigned to that profile except when this setting is disabled.
    2. Skip to step 13.
  15. To manage tokens in a manner that is distinct for this client application:
    1. In the Token Management Configuration area, clear the Enabled check box.
      Additional fields display.
    2. Update any of the additional fields.
  16. Click Save.
Access generates a client ID for the application. If the Authentication Type is set to Secret, Access generates a secret. The application displays on the Client Application screen.

Register a resource server for OAuth services

For Access in BIG-IQ Centralized Management as an OAuth authorization server to accept token introspection requests from a resource server for token validation, you must register the resource server with Access.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. Expand Federation and click OAuth Authorization Server > Resource Server .
  4. Click Create.
    The New Resource Server screen opens.
  5. Click Create.
  6. In the Name field, type a name for the object.
  7. From Device, select the associated BIG-IP device.
  8. For Authentication Type, select one of these:
    • None - This option requires no authentication when the resource server sends a token introspect request to the OAuth authorization server to get the token validated.
    • Secret - For this option, Access generates this secret and you can request that Access regenerate the secret.
    • Certificate - This is the default setting. If this is selected, the Resource Server Certificate Distinguished Name field displays.
  9. If Resource Server Certificate Distinguished Name displays, leave it blank or type a name.
    If you leave it blank, Access accepts any valid client certificate. If you specify a name, Access accepts only the specific valid client certificate with the specified Distinguished Name.
    This is a sample Distinguished Name for the client certificate: emailAddress=w.smith@f5.com,CN=OAuth AS Project Client2 Cert,OU=Product Development,O=F5 Networks,ST=CA,C=US
  10. Click Save.
The new resource server displays on the list.

Configure an OAuth profile

You configure an OAuth profile to specify the client applications, resource servers, token types, and authorization server endpoints that apply to the traffic that goes through a particular virtual server.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. Expand Federation and click OAuth Authorization Server > OAuth Profile .
  4. Click Create.
  5. In the Name field, type a name for the object.
  6. For Device, select the BIG-IP device attached to this application.
  7. For Application Name, type the name of the client application.
  8. For Website URL, type the URL for the home page of the client application.
  9. For Website Logo URL, type the URL that refers to the logo for the client application.
  10. For Contact, type contact information.
  11. In the Customization Settings for English area, for Caption type the application name to display when prompting the user for authorization. (Defaults to text entered in the Application Name field.)
  12. For Detailed Description, type the description of the application to display when prompting the user for authorization.
  13. In the Security Settings area, for Authentication Type select one:
    • None - This is typically used in conjunction with the Implicit grant type, which does not use a secret or a certificate.
    • Secret - The OAuth authorization server (APM) auto-generates a random, cryptographically strong alphanumeric string. If you select this option, the Secret field displays.
    • Certificate - The OAuth authorization server requires a client certificate in OAuth requests. If you select this option, the Client Certificate Distinguished Name field displays.
  14. For Client Certificate Distinguished Name (if displayed) if you specify a certificate distinguished name, then only a valid client certificate with the specified certificate distinguished name will be accepted.
  15. For Secret (if displayed), to regenerate the secret click Regenerate.
  16. For Scope, move values between the Selected list, which specifies scopes that are applicable to the client application and the Available list, which specifies other scopes that are defined on the BIG-IP system.
  17. For Grant Type, select one or more:
    • Authorization Code - With this type, the client must authenticate with the OAuth authorization server to get a token.
    • Implicit - With this type, the client gets a token from the OAuth authorization server without authenticating to it. (Refresh tokens are not available with this grant type.)
    • Resource Owner Password Credentials - With this type, the client goes directly to the OAuth authorization server and uses the resource owner credentials to obtain a token.
  18. For Redirect URIs (if displayed), specify a list of fully qualified URIs to which the OAuth authorization server can redirect the resource owner’s user agent after authorization is obtained. A redirect URI is used with the Authorization Code and Implicit grant types.
  19. In the Token Management Configuration area, for the Use Profile Token Management Settings check box:
    • Select to take token management settings from the OAuth profile that is attached to the virtual server. (Additional token management settings are hidden when you select the check box.)
    • Clear to configure token management settings to meet the particular requirements of this client application. (Additional token management settings display when you clear the check box.)
  20. If Use Profile Token Management Settings is disabled, you can update these fields:
    1. For Authorization Code Lifetime, type a number.
      This specifies the number of minutes an authorization code is considered valid.
    2. For Access Token Lifetime, type a number.
      This specifies the number of minutes an access token is considered valid.
    3. For Reuse Access Token, select or clear the Enabled check box. If cleared, the server generates a new access token. If selected, the server extends the expiry time of the access token associated with the refresh token.
      Note: For an access token to be reused, the Enabled check box must be selected for Generate Refresh Token.
    4. For Generate Refresh Token, select or clear the Enabled check box. If selected, the OAuth authorization server generates a refresh token in addition to the access token for authorization code and resource owner credential grants.
    5. For Refresh Token Lifetime, type a number.
      This specifies the number of minutes that a refresh token is considered valid after it is generated.
    6. For Reuse Refresh Token select or clear the Enabled check box. When cleared and a new access token is obtained, the OAuth authorization server also generates a new refresh token value.
    7. For Refresh Token Usage Limit, type a number.
      This specifies the number of times an access token can be obtained using the refresh token.
    8. For JWT Access Token Lifetime, type a number.
      This specifies the number of minutes a JWT access token is considered valid. In specifying this lifetime, consider that JWT access tokens cannot be revoked.
    9. For JWT Generate Refresh Token, select Enabled so the OAuth authorization server generates a refresh token in addition to the access token for authorization code and resource owner credential grants.
    10. For JWT Refresh Token Lifetime, type a number.
      This specifies the number of minutes a refresh token is considered valid. In specifying this lifetime, consider that JWT refresh tokens cannot be revoked.
    11. For Audience, add the audience claim for which the JWT access token is intended. This is a list of values. Each value in this list can be a string, URI, or session variable.
    12. For Claim, specify the list of claims that are part of the JWT access token.
  21. To save your changes, click the Save & Close button at the bottom of the screen.
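The following added example, which is not BIG-IQ code, models how the token management fields in step 20 interact, so that the effect of each setting can be tried: single-use authorization codes with their own lifetime, access tokens that are either reissued or extended on refresh (Reuse Access Token), refresh tokens that are either kept or rotated (Reuse Refresh Token), and a Refresh Token Usage Limit. Lifetimes are in minutes, as on the page. The `TokenSettings` and `AuthorizationServer` names are constructed for illustration, and one point the page leaves open is an assumption: the usage counter carries over when a refresh token is rotated, so the limit bounds the whole grant.

```python
"""Added example (not BIG-IQ code): model of the OAuth profile token
management settings. Counter carried across rotation is an assumption."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenSettings:                        # field names follow the profile screen
    authorization_code_lifetime: int = 5    # minutes
    access_token_lifetime: int = 5
    reuse_access_token: bool = False
    generate_refresh_token: bool = True
    refresh_token_lifetime: int = 60
    reuse_refresh_token: bool = False
    refresh_token_usage_limit: int = 3


@dataclass
class Grant:
    access_token: str
    access_expires: float                   # minutes on the same clock as `now`
    refresh_token: Optional[str] = None
    refresh_expires: float = 0.0
    refresh_uses: int = 0


class AuthorizationServer:
    def __init__(self, settings: TokenSettings):
        self.s = settings
        self._codes: Dict[str, float] = {}          # code -> expiry
        self._grants: Dict[str, Grant] = {}         # refresh token -> grant
        self._access: Dict[str, Grant] = {}         # access token -> grant

    def issue_code(self, now: float) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = now + self.s.authorization_code_lifetime
        return code

    def exchange_code(self, code: str, now: float) -> Optional[dict]:
        expiry = self._codes.pop(code, None)        # authorization codes are single use
        if expiry is None or expiry <= now:
            return None
        g = Grant(secrets.token_urlsafe(24), now + self.s.access_token_lifetime)
        self._access[g.access_token] = g
        if self.s.generate_refresh_token:
            g.refresh_token = secrets.token_urlsafe(24)
            g.refresh_expires = now + self.s.refresh_token_lifetime
            self._grants[g.refresh_token] = g
        return {"access_token": g.access_token, "refresh_token": g.refresh_token}

    def refresh(self, refresh_token: str, now: float) -> Optional[dict]:
        g = self._grants.get(refresh_token)
        if g is None or g.refresh_expires <= now:
            return None
        if g.refresh_uses >= self.s.refresh_token_usage_limit:
            del self._grants[refresh_token]         # limit exhausted: refresh token is spent
            return None
        g.refresh_uses += 1
        if self.s.reuse_access_token:
            g.access_expires = now + self.s.access_token_lifetime   # same token, extended expiry
        else:
            del self._access[g.access_token]
            g.access_token = secrets.token_urlsafe(24)
            g.access_expires = now + self.s.access_token_lifetime
            self._access[g.access_token] = g
        if not self.s.reuse_refresh_token:
            del self._grants[refresh_token]         # rotate: old refresh token no longer valid
            g.refresh_token = secrets.token_urlsafe(24)
            self._grants[g.refresh_token] = g
        return {"access_token": g.access_token, "refresh_token": g.refresh_token}

    def access_token_active(self, token: str, now: float) -> bool:
        g = self._access.get(token)
        return g is not None and g.access_expires > now


def demo() -> dict:
    t0 = 0.0
    # Rotating refresh tokens, new access token per refresh, limit of 2 refreshes.
    az = AuthorizationServer(TokenSettings(refresh_token_usage_limit=2))
    code = az.issue_code(t0)
    first = az.exchange_code(code, t0 + 1)
    out = {"code_reuse": az.exchange_code(code, t0 + 2)}                 # None
    out["stale_before_refresh"] = az.access_token_active(first["access_token"], t0 + 6)
    r1 = az.refresh(first["refresh_token"], t0 + 6)
    out["old_refresh_after_rotation"] = az.refresh(first["refresh_token"], t0 + 7)  # None
    r2 = az.refresh(r1["refresh_token"], t0 + 7)
    out["limit_reached"] = az.refresh(r2["refresh_token"], t0 + 8)       # None: 2 uses spent
    out["new_access_active"] = az.access_token_active(r2["access_token"], t0 + 8)
    # Reuse both tokens: refresh extends the existing access token instead of reissuing.
    az2 = AuthorizationServer(TokenSettings(reuse_access_token=True, reuse_refresh_token=True))
    g = az2.exchange_code(az2.issue_code(t0), t0)
    r = az2.refresh(g["refresh_token"], t0 + 4)
    out["access_token_kept"] = r["access_token"] == g["access_token"]
    out["refresh_token_kept"] = r["refresh_token"] == g["refresh_token"]
    out["extended_active"] = az2.access_token_active(g["access_token"], t0 + 8)  # 4+5 > 8
    return out
```

Rotation (Reuse Refresh Token cleared) and a usage limit are the two settings that bound the damage from a leaked refresh token; with reuse enabled, the same refresh token value stays valid for its whole lifetime, and only the lifetime limits it.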