Manual Chapter: Federation

Applies To: BIG-IQ Centralized Management 5.4.0
Configure Access as an OAuth 2.0 authorization server

You can configure a BIG-IQ® Centralized Management with Access to act as an OAuth authorization server. OAuth client applications and resource servers can register to have Access authorize requests.

Registering a client application for OAuth services

For a client application to obtain OAuth tokens and OAuth authorization codes from the BIG-IQ® Centralized Management, you must register it with Access.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. Expand Federation and click OAuth Authorization Server > Client Application.
  5. Click Create.
    The New Client Application screen opens.
  6. In the Name field, type a name for the object.
  7. In the Application Name field, type the application name.
  8. In the Customization Settings for English area in the Caption field, type a caption.
    Access displays this caption as the name of the application on an Authorization screen if you choose to display one.
  9. In the Security Settings area, for Authentication Type, select one of the options:
    • None - This is typically used in conjunction with the Implicit grant type, which does not use a secret or a certificate. For grant types other than Implicit, the other options provide better security.
    • Secret - This is the default setting. If this is selected, Access generates this secret for the client and you can request that Access regenerate the secret.
    • Certificate - Uses the client certificate. If this is selected, the Client Certificate Distinguished Name field displays.
  10. If the Client Certificate Distinguished Name field displays, leave it blank or type a name.
    If you leave it blank, Access accepts any valid client certificate. If you specify a name, Access accepts only the specific valid client certificate with the specified Distinguished Name.
    This is a sample Distinguished Name for the client certificate: emailAddress=w.smith@f5.com,CN=OAuth AS Project Client2 Cert,OU=Product Development,O=F5 Networks,ST=CA,C=US
  11. For Scope, select one or more and move them to the Selected field.
  12. From Grant Type, select one or more of the options:
    • Authorization Code - The client must authenticate with the authorization server (Access) to get a token.
    • Implicit - The client gets a token from the authorization server (Access) without authenticating to it. (Refresh tokens are not available with this grant type.)
    • Resource Owner Password Credentials - The client goes directly to the authorization server and uses the resource owner credentials to obtain a token.
  13. For Redirect URI(s) (if displayed), type a fully qualified URI, click Add, and repeat as needed.
    Redirect URI(s) form a list of URIs to which the OAuth authorization server can redirect the resource owner’s user agent after authorization is obtained for an authorization code or implicit grant type.
  14. To apply the token management settings from an OAuth profile, perform these substeps:
    1. In the Token Management Configuration area, retain selection of the Enabled check box.
      The token management configuration settings in an OAuth profile apply to client applications assigned to that profile except when this setting is disabled.
    2. Skip ahead to step 16 to save the client application.
  15. To manage tokens in a manner that is distinct for this client application, perform these substeps:
    1. In the Token Management Configuration area, clear the Enabled check box.
      Additional fields display.
    2. Update any of the additional fields.
  16. Click Save.
Access generates a client ID for the application. If the Authentication Type is set to Secret, Access generates a secret. The application displays on the Client Application screen.
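The registration fields above (authentication type and secret, allowed grant types, scopes, and the registered redirect URIs) are the data an authorization server checks before it issues a code or token. The following is an added example, not BIG-IQ or Access code, showing those checks in plain Python; the client record, the secret and the request values are constructed for illustration, and the grant-type names follow the Client Application screen. Note that the redirect URI comparison is an exact string match against the registered list, which is why step 13 asks for fully qualified URIs.

```python
"""Checks an OAuth 2.0 authorization server applies against a registered
client application before it issues a code or token. Added example, not
BIG-IQ/Access code; the client record, secret and request values are
constructed for illustration."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# response_type in the authorization request -> grant type that must be
# enabled on the client application (names as on the registration screen).
RESPONSE_TYPE_TO_GRANT = {"code": "Authorization Code", "token": "Implicit"}


@dataclass
class ClientApplication:
    client_id: str
    auth_type: str                      # "None", "Secret" or "Certificate"
    grant_types: Set[str]
    scopes: Set[str]
    redirect_uris: List[str] = field(default_factory=list)
    secret: Optional[str] = None


def redirect_uri_allowed(requested: str, registered: List[str]) -> bool:
    """Exact string match against the registered list only: no prefix,
    wildcard or host-only comparison. A fragment is never acceptable and
    the URI must be fully qualified (scheme and host present)."""
    parts = urlsplit(requested)
    if parts.fragment or not parts.scheme or not parts.netloc:
        return False
    return requested in registered


def validate_authorization_request(client: ClientApplication,
                                   params: Dict[str, str]) -> List[str]:
    """Return the list of problems found; an empty list means the request
    may proceed. `params` is the parsed query string of the request."""
    problems = []
    if params.get("client_id") != client.client_id:
        problems.append("unknown client_id")
    grant = RESPONSE_TYPE_TO_GRANT.get(params.get("response_type", ""))
    if grant is None:
        problems.append("unsupported response_type")
    elif grant not in client.grant_types:
        problems.append(f"grant type '{grant}' not enabled for client")
    redirect = params.get("redirect_uri")
    if redirect is None or not redirect_uri_allowed(redirect, client.redirect_uris):
        problems.append("redirect_uri is not registered for this client")
    requested_scopes = set(params.get("scope", "").split())
    if not requested_scopes or not requested_scopes <= client.scopes:
        problems.append("requested scope exceeds the client's allowed scopes")
    return problems


def authenticate_client(client: ClientApplication,
                        presented_secret: Optional[str]) -> bool:
    """Token-endpoint client authentication for the Secret and None types.
    Certificate authentication is decided at the TLS layer and not modelled."""
    if client.auth_type == "None":
        return True
    if client.auth_type == "Secret" and client.secret and presented_secret is not None:
        # constant-time comparison so the secret cannot be guessed byte by byte
        return hmac.compare_digest(client.secret.encode(), presented_secret.encode())
    return False


# Constructed sample registration (values are not from any real system).
SAMPLE_CLIENT = ClientApplication(
    client_id="client-0f1a2b3c",
    auth_type="Secret",
    secret="constructed-secret-value",
    grant_types={"Authorization Code"},
    scopes={"openid", "profile"},
    redirect_uris=["https://app.example.com/callback"],
)
```

With this client, a request for response_type=token is refused because only Authorization Code is enabled, and a redirect_uri that differs from the registered value by even a trailing path segment or a fragment is refused, which is the behaviour to expect from an authorization server that honours the registered list.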

Registering a resource server for OAuth services

For Access in BIG-IQ® Centralized Management, acting as an OAuth authorization server, to accept token introspection requests from a resource server (which sends them to have tokens validated), you must register the resource server with Access.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. Expand Federation and click OAuth Authorization Server > Resource Server.
  5. Click Create.
    The New Resource Server screen opens.
  6. In the Name field, type a name for the object.
  7. From Device, select the associated BIG-IP device.
  8. For Authentication Type, select one of these:
    • None - This option requires no authentication when the resource server sends a token introspect request to the OAuth authorization server to get the token validated.
    • Secret - For this option, Access generates this secret and you can request that Access regenerate the secret.
    • Certificate - This is the default setting. If this is selected, the Resource Server Certificate Distinguished Name field displays.
  9. If the Resource Server Certificate Distinguished Name field displays, leave it blank or type a name.
    If you leave it blank, Access accepts any valid client certificate. If you specify a name, Access accepts only the specific valid client certificate with the specified Distinguished Name.
    This is a sample Distinguished Name for the client certificate: emailAddress=w.smith@f5.com,CN=OAuth AS Project Client2 Cert,OU=Product Development,O=F5 Networks,ST=CA,C=US
  10. Click Save.
The new resource server displays on the list.
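The registered resource server uses its credentials to call the authorization server's token introspection endpoint (RFC 7662) and to act on the answer. The following is an added example, not BIG-IQ or Access code, written from the resource server's side: it builds the introspection request for a resource server registered with Authentication Type set to Secret, and evaluates the JSON response before granting access. The endpoint URL, the resource server credentials and the sample response are constructed; no request is actually sent.

```python
"""Resource-server side of OAuth 2.0 token introspection (RFC 7662).
Added example, not BIG-IQ/Access code. The endpoint URL, resource server
credentials and the sample response below are constructed."""
import base64
import json
import time
from urllib.parse import urlencode

INTROSPECT_URL = "https://as.example.com/oauth2/introspect"  # constructed placeholder


def build_introspection_request(token, rs_id, rs_secret):
    """Build the HTTP request a resource server registered with
    Authentication Type = Secret sends. The credentials travel in an HTTP
    Basic Authorization header and the token in the form body, never in
    the URL, so neither ends up in access logs."""
    basic = base64.b64encode(f"{rs_id}:{rs_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": INTROSPECT_URL,
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        "body": urlencode({"token": token, "token_type_hint": "access_token"}),
    }


def evaluate_introspection_response(body, required_scope, expected_aud=None, now=None):
    """Decide whether the introspected token authorizes the request.
    Returns (allowed, reason). `active` alone is not enough: the resource
    server still checks expiry, scope and, when it knows its own
    identifier, the audience."""
    now = time.time() if now is None else now
    try:
        info = json.loads(body)
    except ValueError:
        return False, "introspection response is not JSON"
    if info.get("active") is not True:
        return False, "token is not active"
    exp = info.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        return False, "token has expired"
    granted = set(info.get("scope", "").split())
    if required_scope not in granted:
        return False, f"token lacks scope '{required_scope}'"
    if expected_aud is not None:
        aud = info.get("aud", [])
        aud = [aud] if isinstance(aud, str) else list(aud)
        if expected_aud not in aud:
            return False, "token audience does not include this resource server"
    return True, "ok"


# Constructed sample introspection response, as the authorization server
# would return it for a live opaque token.
SAMPLE_RESPONSE = json.dumps({
    "active": True,
    "scope": "read write",
    "client_id": "mobile-app",
    "exp": 1700000600,
    "aud": "https://api.example.com",
})
```

Because opaque tokens are validated by asking the authorization server, a token that has been revoked at the Token Revocation Endpoint comes back as `"active": false` on the next introspection; this is the property that JWT access tokens, which are validated locally, do not have.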

Configure an artifact resolution service

Before you configure the artifact resolution service (ARS), you need to have configured a virtual server. That virtual server can be the same as the one used for the SAML Identity Provider (IdP), or you can create an additional virtual server.
Note: F5® highly recommends that the virtual server definition include a server SSL profile.
You configure an ARS so that a BIG-IQ® system that is configured as a SAML IdP can provide SAML artifacts in place of assertions. With ARS, the BIG-IQ system can receive Artifact Resolve Requests (ARRQ) from service providers, and provide Artifact Resolve Responses (ARRP) for them.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. Expand Federation and click SAML Identity Provider > Artifact Resolution Services.
  5. Under either Artifact Resolution Services (Shared) or Artifact Resolution Services (Device-specific), click Create.
    The Create New SAML Artifact Resolution Service popup screen opens, showing general settings.
  6. In the Name field, type a name for the artifact resolution service.
  7. In the Description field, type a new description.
  8. Click Service Settings.
  9. From the Virtual Server list, select the virtual server that you created previously.
    ARS listens on the IP address and port configured on the virtual server.
  10. In the Artifact Validity (Seconds) field, type the number of seconds for which the artifact remains valid. The default is 60 seconds.
    The system deletes an artifact once it has been held longer than this number of seconds, so a service provider must resolve it within that window.
  11. For the Send Method setting, select the binding to use to send the artifact, either POST or Redirect.
  12. In the Host field, type the host name defined for the virtual server, for example ars.siterequest.com.
  13. In the Port field, type the port number defined in the virtual server. The default is 443.
  14. Click Security Settings.
  15. To require that artifact resolution messages from an SP be signed, select the Sign Artifact Resolution Request check box.
  16. To use HTTP Basic authentication for artifact resolution request messages, in the User Name field, type a name for the artifact resolution service request and in the Password field, type a password.
    These credentials must be present in all Artifact Resolve Requests sent to this ARS.
  17. Click OK.
    The popup screen closes, leaving the Artifact Resolution Services list screen open.
The Artifact Resolution Service is ready to use.
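To make the artifact mechanism concrete, here is an added example, not BIG-IQ code, of what an ARS holds and enforces: a SAML 2.0 artifact is a short base64 handle (type code, endpoint index, a SourceID derived from the issuer's entity ID, and a random message handle) that the IdP hands out in place of the assertion, and the ARS returns the stored message only to the first Artifact Resolve Request that arrives within the configured validity window. The issuer entity ID, the message text and the timestamps are constructed; the artifact layout follows the SAML 2.0 Bindings specification.

```python
"""SAML 2.0 artifact issuance and resolution on the IdP/ARS side.
Added example, not BIG-IQ code. The entity ID, messages and time values
used with it are constructed; the artifact layout is the SAML 2.0 one."""
import base64
import hashlib
import os
import struct
import time

ARTIFACT_TYPE_CODE = 0x0004  # type code of SAML 2.0 artifacts


def build_artifact(issuer_entity_id, endpoint_index=0):
    """TypeCode(2) | EndpointIndex(2) | SourceID(20, SHA-1 of the issuer
    entity ID) | MessageHandle(20 random bytes), base64-encoded."""
    source_id = hashlib.sha1(issuer_entity_id.encode()).digest()
    handle = os.urandom(20)
    raw = struct.pack(">HH", ARTIFACT_TYPE_CODE, endpoint_index) + source_id + handle
    return base64.b64encode(raw).decode()


def parse_artifact(artifact):
    """Return (endpoint_index, source_id, message_handle) or raise ValueError."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44:
        raise ValueError("artifact must decode to 44 bytes")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != ARTIFACT_TYPE_CODE:
        raise ValueError("unsupported artifact type code")
    return endpoint_index, raw[4:24], raw[24:]


class ArtifactResolutionService:
    """Holds issued messages until a service provider resolves them. Each
    artifact resolves once, and only within `validity_seconds` of issuance
    (the Artifact Validity setting; the page's default is 60 seconds)."""

    def __init__(self, issuer_entity_id, validity_seconds=60):
        self.issuer_entity_id = issuer_entity_id
        self.validity_seconds = validity_seconds
        self._store = {}  # artifact -> (message, issued_at)

    def issue(self, message, now=None):
        """Store `message` (e.g. a signed samlp:Response) and return the artifact."""
        artifact = build_artifact(self.issuer_entity_id)
        self._store[artifact] = (message, time.time() if now is None else now)
        return artifact

    def resolve(self, artifact, now=None):
        """Return the message for `artifact`, or None when it is malformed,
        not ours, unknown, already resolved or past its validity. The entry
        is removed on first use, so a replayed request gets nothing."""
        now = time.time() if now is None else now
        try:
            _, source_id, _ = parse_artifact(artifact)
        except ValueError:
            return None
        if source_id != hashlib.sha1(self.issuer_entity_id.encode()).digest():
            return None
        entry = self._store.pop(artifact, None)
        if entry is None:
            return None
        message, issued_at = entry
        if now - issued_at > self.validity_seconds:
            return None
        return message
```

In the real binding, a failed lookup is answered with an ArtifactResponse that carries no message rather than an error, which is what `None` stands for here; the Sign Artifact Resolution Request and HTTP Basic settings in steps 15 and 16 decide which service providers are allowed to ask in the first place.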

Configure an OAuth profile

You configure an OAuth profile to specify the client applications, resource servers, token types, and authorization server endpoints that apply to the traffic that goes through a particular virtual server.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. Expand Federation and click OAuth Authorization Server > OAuth Profile.
  5. Click Create.
  6. In the Name field, type a name for the object.
  7. For Device, select the BIG-IP device attached to this application.
  8. For Client Application, select the applications from the Available list and move them to the Active list.
  9. For Resource Server, select the resource servers associated with this OAuth profile from the Available list and move them to the Active list.
  10. Under Token Management Configuration, configure the following settings:
    1. For Authorization Code Lifetime, type a number.
      This specifies the number of minutes an authorization code is considered valid.
    2. For Support Opaque Token, select whether APM can issue opaque access tokens through this profile. The default setting is Enabled.
    3. From the Database Instance list, select a database instance to store the opaque access tokens that APM issues.
    4. For Access Token Lifetime, type a number.
      This specifies the number of minutes an access token is considered valid.
    5. For Reuse Access Token, select or clear the Enabled check box. If cleared, the server generates a new access token when the refresh token is used. If selected, the server instead extends the expiry time of the access token associated with the refresh token.
      Note: For an access token to be reused, the Enabled check box must be selected for Generate Refresh Token.
    6. In the Access Token Limit Per User field, type the maximum number of active opaque access tokens the OAuth authorization server provides to client applications on behalf of one user.
    7. For Generate Refresh Token, select or clear the Enabled check box. If selected, the OAuth authorization server generates a refresh token in addition to the access token for authorization code and resource owner credential grants.
    8. For Refresh Token Lifetime, type a number.
      This specifies the number of minutes that a refresh token is considered valid after it is generated.
    9. For Reuse Refresh Token select or clear the Enabled check box. When cleared and a new access token is obtained, the OAuth authorization server also generates a new refresh token value.
    10. For Refresh Token Usage Limit, type a number.
      This specifies the number of times an access token can be obtained using the refresh token.
    11. For Support JWT Token, select whether BIG-IQ can issue JSON web tokens (JWTs) through this profile. The Enabled check box is cleared by default.
    12. In the Issuer field, type the issuer of the JWT.
      This must be a URI.
    13. In the Subject field, type the subject of the JWT.
      This value can be a string, URI, or session variable.
    14. From the Trusted Certificate Authorities list, select a certificate authority file stored on the BIG-IP device.
    15. For Ignore Expired Certificate Validation, select Enabled to keep using the certificate for signing JWT access tokens even after it has expired.
    16. From the Primary Key list, select the primary signing key for the JWT.
    17. For Rotation Keys, select one or more JWK configurations that contain public keys used as rotation keys.
    18. For Audience, select the audience claim for which the JWT access token is intended.
    19. For Claim, select the list of claims that are part of the JWT access token.
    20. For JWT Access Token Lifetime, type a number.
      This specifies the number of minutes a JWT access token is considered valid. In specifying this lifetime, consider that JWT access tokens cannot be revoked.
    21. For JWT Generate Refresh Token, select Enabled so the OAuth authorization server generates a refresh token in addition to the access token for authorization code and resource owner credential grants.
    22. For JWT Refresh Token Lifetime, type a number.
      This specifies the number of minutes a refresh token is considered valid. In specifying this lifetime, consider that JWT refresh tokens cannot be revoked.
    23. For the JWT Refresh Token Encryption Secret field, select the JWT refresh token encryption secret that is used to generate an encryption key.
      BIG-IQ cannot import the JWT refresh token encryption secret from the BIG-IP device. After importing the BIG-IP device, reconfigure the encryption secret.
  11. Under Authorization Server Endpoints, configure the following settings:
    1. For Authorization Endpoint, type the endpoint that the OAuth authorization server uses to authenticate the resource owner and obtain authorization.
    2. For Token Issuance Endpoint, type the endpoint that the client uses to obtain an access token or a refresh token.
    3. For Token Revocation Endpoint, type the endpoint for the client to use to revoke a previously obtained opaque access token or refresh token.
    4. For OpenID Connect Configuration Endpoint, type the path of the OpenID Connect endpoint that returns OpenID Connect configuration.
    5. For JWKS Endpoint, type the path of the JSON Web Key Set (JWKS) endpoint that returns public signing keys.
  12. To save your changes, click the Save & Close button at the bottom of the screen.
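The opaque-token settings in step 10 (Access Token Lifetime, Reuse Access Token, Access Token Limit Per User, Generate Refresh Token, Refresh Token Lifetime, Reuse Refresh Token and Refresh Token Usage Limit) interact, and the easiest way to see how is to model them. The following is an added example, not BIG-IQ or Access code: an in-memory token store that implements the behaviour the steps describe, so the effect of each setting can be tried out. Lifetimes are in seconds here for convenience (the profile fields take minutes), and two details the page leaves open are marked as assumptions in the comments: a rotated refresh token keeps the original refresh expiry, and the usage counter is not reset by rotation.

```python
"""In-memory model of the opaque token management settings on an OAuth
profile. Added example, not BIG-IQ/Access code; it implements the
behaviour described for each setting and marks assumptions where the
description leaves a choice open. Times are seconds, not minutes."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenPolicy:
    access_token_lifetime: int = 300          # Access Token Lifetime
    reuse_access_token: bool = False          # Reuse Access Token
    access_token_limit_per_user: int = 3      # Access Token Limit Per User
    generate_refresh_token: bool = True       # Generate Refresh Token
    refresh_token_lifetime: int = 3600        # Refresh Token Lifetime
    reuse_refresh_token: bool = True          # Reuse Refresh Token
    refresh_token_usage_limit: int = 5        # Refresh Token Usage Limit


@dataclass
class TokenState:
    user: str
    access_token: str
    access_expires: float
    refresh_token: Optional[str] = None
    refresh_expires: Optional[float] = None
    refresh_uses: int = 0


class TokenStore:
    def __init__(self, policy: TokenPolicy):
        self.policy = policy
        self.by_access: Dict[str, TokenState] = {}
        self.by_refresh: Dict[str, TokenState] = {}

    @staticmethod
    def _new_token() -> str:
        return secrets.token_urlsafe(24)  # opaque: random, no embedded claims

    def active_access_tokens(self, user, now):
        return [t for t in self.by_access.values() if t.user == user and t.access_expires > now]

    def issue(self, user, now=None) -> TokenState:
        """Issue an access token (plus refresh token when configured). When
        the per-user limit is reached, the token expiring soonest is revoked
        first (assumption: the page does not say which token gives way)."""
        now = time.time() if now is None else now
        active = sorted(self.active_access_tokens(user, now), key=lambda t: t.access_expires)
        while len(active) >= self.policy.access_token_limit_per_user:
            self.revoke(active.pop(0).access_token)
        state = TokenState(user, self._new_token(), now + self.policy.access_token_lifetime)
        if self.policy.generate_refresh_token:
            state.refresh_token = self._new_token()
            state.refresh_expires = now + self.policy.refresh_token_lifetime
            self.by_refresh[state.refresh_token] = state
        self.by_access[state.access_token] = state
        return state

    def refresh(self, refresh_token, now=None) -> Optional[TokenState]:
        """Exchange a refresh token according to the Reuse and Usage Limit
        settings. Returns the updated TokenState, or None when refused."""
        now = time.time() if now is None else now
        state = self.by_refresh.get(refresh_token)
        if state is None or state.refresh_expires <= now:
            return None
        if state.refresh_uses >= self.policy.refresh_token_usage_limit:
            return None  # Refresh Token Usage Limit reached
        state.refresh_uses += 1  # assumption: the counter survives rotation
        if self.policy.reuse_access_token:
            # Reuse Access Token enabled: extend the existing token's expiry
            state.access_expires = now + self.policy.access_token_lifetime
        else:
            # Reuse Access Token cleared: mint a new access token
            del self.by_access[state.access_token]
            state.access_token = self._new_token()
            state.access_expires = now + self.policy.access_token_lifetime
            self.by_access[state.access_token] = state
        if not self.policy.reuse_refresh_token:
            # Reuse Refresh Token cleared: a new refresh token value is issued
            # too; assumption: it keeps the original refresh expiry
            del self.by_refresh[state.refresh_token]
            state.refresh_token = self._new_token()
            self.by_refresh[state.refresh_token] = state
        return state

    def revoke(self, access_token):
        """What the Token Revocation Endpoint does for an opaque token: drop
        the access token and the refresh token tied to it."""
        state = self.by_access.pop(access_token, None)
        if state is not None and state.refresh_token is not None:
            self.by_refresh.pop(state.refresh_token, None)
```

Clearing Reuse Refresh Token is the setting that makes a leaked refresh token detectable: once the value has been rotated, a second use of the old value is refused, and revoking the access token removes the whole chain. This is also why JWT refresh tokens, which the page notes cannot be revoked, deserve a shorter lifetime than opaque ones.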