Federation Items

Federation items federate user identity and enable single sign-on (SSO) to on-premises and cloud applications, including SaaS.

Refer to Create Access policy for the OpenAPI specification document.

OAuth Client and Resource Server

You can set up BIG-IP Next Access as an OAuth Client, a Resource server, or as both Client & Resource Server. To configure Access as an OAuth client and resource server, you must create the OAuth provider, OAuth server, OAuth client item, and OAuth scope item objects.

For instructions on configuring OAuth Client and Resource Server, refer to How To: Configure OAuth Client and Resource Server.

OAuth Server

An OAuth server specifies the configuration of an OAuth Authorization server and its mode of operation. It also sets the client IDs, client secret, and SSL certificates that Access requires to communicate with the OAuth provider. You can use the serverType parameter to manage an OAuth Server.

In the BIG-IP Next Access policy, you define OAuth server properties in the externalServers object.

The table below lists the objects for configuring the OAuth server:

Object Type Description
serverType string For the OAuth server, the value is Oauth. This is a required setting.
name string Specifies the name of the provider. This is a required setting.
mode string Specifies the mode of operation for the OAuth Server. This is a required setting. The valid values are client, resource-server, and client-and-resource-server.
clientId string Specifies the client application ID. The client application must be configured before configuring the OAuth Server on the BIG-IP Next Access.
clientSecret string Specifies the client application secret. The client application must be configured at the authorization server before configuring the OAuth Server on the BIG-IP Next Access.
resourceServerId string Specifies the Resource Server ID. The Resource Server must be configured before configuring OAuth Server on the BIG-IP Next Access.
resourceServerSecret string Specifies the Resource Server Secret. The Resource Server must be configured before configuring OAuth Server on the BIG-IP Next Access.
tokenValidationInterval integer Specifies the number of minutes that the token can remain valid. The token becomes invalid when this interval elapses or at the token expiry that the authentication server specifies, whichever is shorter. When the token expires, the subsession times out. The default value is 60.
Note: It is recommended to use short expiry values for the Authorization Code Lifetime setting in the Authorization server to protect against attacks.
dnsResolverName string Specifies the DNS resolver object to be used by OAuth Server to resolve DNS names for endpoint URIs. This is a required setting. Refer to How to: Manage DNS Resolution for more details.
irules object Specifies custom iRule events. The following parameters are in this object:
  • description: Specifies the description for the iRule. Type - string.
  • rule: Specifies the rule for the iRule. Type - string. Refer to How to: Configure iRules for details on configuring iRules.
clientTls object Specifies TLS properties, such as the cipher string and TLS versions, for server-side SSL communication. The following parameters are in this object:
  • cipherstring: Specifies the cipher string to use for server-side SSL communications. The default value is DEFAULT. Type - string.
  • tlsVersions: Specifies the TLS versions that need to be enabled. The following parameters are in this object:
    • enableTLS1.3: Specifies whether TLS 1.3 is enabled. Type - boolean.
    • enableTLS1.2: Specifies whether TLS 1.2 is enabled. Type - boolean.
    • enableTLS1.1: Specifies whether TLS 1.1 is enabled. Type - boolean.
resourceServerTls object Specifies TLS properties for server-side connections made for the resource server. The following parameters are in this object:
  • cipherstring: Specifies the cipher string to use for server-side SSL communications. The default value is DEFAULT. Type - string.
  • tlsVersions: Specifies the TLS versions that need to be enabled. The following parameters are in this object:
    • enableTLS1.3: Specifies whether TLS 1.3 is enabled. Type - boolean.
    • enableTLS1.2: Specifies whether TLS 1.2 is enabled. Type - boolean.
    • enableTLS1.1: Specifies whether TLS 1.1 is enabled. Type - boolean.

OAuth Provider

An OAuth provider configuration allows BIG-IP Next Access to obtain opaque or JSON web tokens (JWTs) from an OAuth authorization server that supports them. It specifies endpoint URIs to retrieve the token and a list of associated scopes.

In the BIG-IP Next Access policy, you define OAuth provider properties in the externalServers object. You can use the serverType parameter to manage an OAuth Provider.

The table below lists the objects for configuring the OAuth provider:

Object Type Description
serverType string For the OAuth provider, the value is OauthProvider. This is a required setting.
name string Specifies the name of the provider. This is a required setting.
providerType string Specifies the OAuth provider type.
authenticationUri string Specifies the endpoint URI that redirects the user for authentication to get the authorization code. This endpoint is used by the OAuth Client item when the grant type is configured to Authorization Code.
tokenUri string Specifies the URI to use to retrieve an access token from the provider. The OAuth Client item uses this endpoint.
tokenValidationScopeUri string Specifies the URI the OAuth Scope item uses to retrieve a list of scopes associated with an access token. The OAuth Scope item uses this endpoint to retrieve a list of scopes associated with an opaque token and validate them. The OAuth Client item uses this endpoint to validate an opaque token.
userinfoRequestUri string Specifies the endpoint URI that is used to request userinfo information. This endpoint is used by the OAuth Scope item.
jwtConfig object Specifies the JWT config. The following parameters are in this object:
  • issuer: Specifies the URL of the issuer of the JSON web token. This is a required setting. Type - string.
  • audience: Specifies the audience for the token. Type - array.
  • useJwtProviderListSettings: Specifies whether to use the settings configured in the jwt-provider-list of which this JWT config is a part. The default value is true. Type - boolean.
  • accessTokenExpiresIn: Specifies the number of minutes the access token should live. The default value is 0. Type - integer.
  • allowedSigningAlgorithms: Specifies the list of allowed signing algorithms for the token. This is a required setting. Type - array.
  • blockedSigningAlgorithms: Specifies the list of blocked signing algorithms for the token. Type - array.
  • allowedKeys: Specifies the list of allowed JSON web keys for the token. For details of the parameters in this array, refer to Create access policy for the OpenAPI specification document. Type - array.
  • blockedKeys: Specifies the list of blocked JSON web keys for the token. For details of the parameters in this array, refer to Create access policy for the OpenAPI specification document. Type - array.
  • denyListAccessTokens: Specifies OAuth JWT tokens to place on the denylist, based on a key and the list of values for that key. Type - array. Each entry has the following parameters:
    • name: Specifies the OAuth denylist token name. Type - string.
    • values: Specifies the key-value list used to put tokens on the denylist. Type - array.
introspect string Specifies whether to support token introspection that allows a protected resource to query the authorization server to determine the metadata associated with the token. The valid values are unsupported, supported, and undefined. The default value is undefined.
ignoreExpiredCert boolean Specifies whether the expired AS certificate enforcement is to be ignored. The default value is false.
allowSelfSignedJwkCert boolean Specifies whether to create a JWK config with a self-signed certificate.
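The two tables above describe the externalServers entries for an OAuth server and an OAuth provider, but give no end-to-end fragment. The following is an added example, not F5 code and not taken from this page: it builds a provider and a server as Python dicts (the same shape as the JSON policy), lints them against the required settings and valid values listed in the tables, and applies the tokenValidationInterval rule ("whichever is shorter"). The hostnames, names and credentials are constructed placeholders; the TLS 1.1 and alg "none" checks are this example's own defensive rules, not settings the page prescribes.

```python
from datetime import datetime, timedelta, timezone

# Valid values and required settings are taken from the OAuth server and
# OAuth provider tables; the Oauth entries additionally require serverType.
VALID_MODES = {"client", "resource-server", "client-and-resource-server"}
VALID_INTROSPECT = {"unsupported", "supported", "undefined"}
REQUIRED = {"Oauth": ("name", "mode", "dnsResolverName"), "OauthProvider": ("name",)}

def tls_settings():
    # Constructed TLS block: TLS 1.3 and 1.2 enabled, TLS 1.1 explicitly off.
    return {"cipherstring": "DEFAULT",
            "tlsVersions": {"enableTLS1.3": True, "enableTLS1.2": True, "enableTLS1.1": False}}

def build_external_servers():
    """externalServers fragment as Python dicts. Hostnames, names and
    credentials are constructed placeholders, not real values."""
    provider = {
        "serverType": "OauthProvider",
        "name": "example_provider",
        "authenticationUri": "https://as.example.test/authorize",
        "tokenUri": "https://as.example.test/token",
        "tokenValidationScopeUri": "https://as.example.test/introspect",
        "userinfoRequestUri": "https://as.example.test/userinfo",
        "introspect": "supported",
        "ignoreExpiredCert": False,
        "jwtConfig": {
            "issuer": "https://as.example.test",
            "audience": ["bigip-next-client"],
            "allowedSigningAlgorithms": ["RS256", "ES256"],
            "blockedSigningAlgorithms": ["none"],
        },
    }
    server = {
        "serverType": "Oauth",
        "name": "example_server",
        "mode": "client-and-resource-server",
        "clientId": "CLIENT_ID_PLACEHOLDER",
        "clientSecret": "CLIENT_SECRET_PLACEHOLDER",
        "resourceServerId": "RS_ID_PLACEHOLDER",
        "resourceServerSecret": "RS_SECRET_PLACEHOLDER",
        "tokenValidationInterval": 60,
        "dnsResolverName": "dns",
        "clientTls": tls_settings(),
        "resourceServerTls": tls_settings(),
    }
    return [provider, server]

def weak_variant():
    """The same fragment with three mistakes the linter should report."""
    provider, server = (dict(s) for s in build_external_servers())
    server["clientTls"] = {"cipherstring": "DEFAULT",
                           "tlsVersions": {"enableTLS1.2": True, "enableTLS1.1": True}}
    del server["dnsResolverName"]
    provider["jwtConfig"] = dict(provider["jwtConfig"], allowedSigningAlgorithms=["RS256", "none"])
    return [provider, server]

def lint_external_servers(servers):
    """Return a list of findings; an empty list means the fragment passes."""
    findings = []
    for s in servers:
        kind = s.get("serverType")
        label = f"{kind}:{s.get('name', '?')}"
        if kind not in REQUIRED:
            findings.append(f"{label}: unknown serverType")
            continue
        findings += [f"{label}: missing required setting {k}" for k in REQUIRED[kind] if k not in s]
        if kind == "Oauth":
            if s.get("mode") not in VALID_MODES:
                findings.append(f"{label}: invalid mode {s.get('mode')!r}")
            for tls_key in ("clientTls", "resourceServerTls"):
                if s.get(tls_key, {}).get("tlsVersions", {}).get("enableTLS1.1"):
                    findings.append(f"{label}: {tls_key} enables TLS 1.1 (deprecated by RFC 8996)")
        else:
            if s.get("introspect", "undefined") not in VALID_INTROSPECT:
                findings.append(f"{label}: invalid introspect value")
            if s.get("ignoreExpiredCert"):
                findings.append(f"{label}: expired authorization-server certificates are ignored")
            jwt = s.get("jwtConfig")
            if jwt is not None:
                if not jwt.get("issuer"):
                    findings.append(f"{label}: jwtConfig.issuer is required")
                algs = jwt.get("allowedSigningAlgorithms") or []
                if not algs:
                    findings.append(f"{label}: jwtConfig.allowedSigningAlgorithms is required")
                elif "none" in algs:
                    # alg "none" is an unsigned JWT; allowing it defeats signature validation.
                    findings.append(f"{label}: allowedSigningAlgorithms includes none")
    return findings

def effective_token_expiry(validated_at, as_expiry, interval_minutes=60):
    """tokenValidationInterval rule from the table: the token stops being valid
    when the interval elapses or at the authorization server's expiry,
    whichever comes first."""
    return min(validated_at + timedelta(minutes=interval_minutes), as_expiry)

def demo_token_expiry():
    """Remaining validity in minutes for a 30-minute and a 120-minute AS expiry
    under the default 60-minute interval (constructed timestamps)."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return tuple(int((effective_token_expiry(t0, t0 + timedelta(minutes=m)) - t0).total_seconds() // 60)
                 for m in (30, 120))
```

Running lint_external_servers over weak_variant() reports the missing dnsResolverName, the TLS 1.1 setting in clientTls and the "none" algorithm in the provider's allowed list; the good fragment produces no findings. demo_token_expiry() returns (30, 60): a token the AS expires in 30 minutes is dropped at 30, while a 120-minute token is dropped when the 60-minute interval elapses.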

OAuth Client Item

The OAuth client configuration specifies scope data, authorization and token requests, and UserInfo requests from providers that support OpenID Connect. In addition, it sets the HTTP method, parameters, and headers to use for the specific type of request. Different types of OAuth Requests can be configured for both OAuth Client and OAuth Scope items. You can use the itemType object to manage an OAuth request.

In the BIG-IP Next Access policy, you define OAuth client properties in the policy object.

The table below lists the objects for configuring the OAuth client item:

Object Type Description
itemType string Specifies the BIG-IP Next Access policy item. For the OAuth Client item, the value is oauth-client. This is a required setting.
name string Specifies the name of the BIG-IP Next Access policy item.
caption string Specifies a human-readable description of the policy branch.
expression string Specifies the Tcl expression for the branch rule. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, BIG-IP Next Access obtains session variables from system memory using the Tcl command mcget.
The Tcl expression can also contain one or more expr or return commands. An expr command evaluates an expression and returns the result. A return command simply returns its argument, and can be used to set the variable to a numeric value or string.
For example (the expression is a JSON string value, so inner double quotes are escaped, and the backslash that joins domain and username is doubled once for Tcl and again for JSON):
    "expression": "return {1800}",
    "expression": "return {Hello World}",
    "expression": "expr { \"[mcget session.custom.value1] + [mcget session.custom.value2]\" }",
    "expression": "expr { \"[mcget {session.logon.last.domain}]\\\\[mcget {session.logon.last.username}]\" }", and
    "expression": "expr {1800}".
For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html.
For a list of session variables, refer to Reference: Session Variables.
oauthServer string Specifies the OAuth server to which this OAuth client directs requests for authorization and authentication. This is a required setting.
requestOpenidUserinfo object Specifies an openid-userinfo-request type of request. The OAuth Client item uses this request to access a well-known endpoint for OpenID Connect and get user info. The following parameters are in this object:
  • description: Specifies the description of the OAuth request. Type - string.
  • uri: Specifies an ASCII-encoded Uniform Resource Identifier (URI) as defined in RFC 3986. Type - string.
  • method: Specifies the OAuth request method. Valid values are get and post. The default value is post. Type - string.
  • headers: Specifies the OAuth request header names and values. Type - array.
  • parameters: Specifies the OAuth request parameters: the parameter name, value, and type that the external OAuth authorization server supports for the request. Type - array.
grantType string Specifies the type of grant that the OAuth client uses. The default value is authorization-code. The valid values are:
  • authorization-code - The client redirects the resource owner to the OAuth server to request an authorization code.
  • password - The client uses resource owner password credentials to request an access token from the OAuth server.
openidConnect boolean Specifies whether the item uses OpenID Connect for authorization. The default value is false.
Note: The OAuth provider (associated with the server) must be configured to support JSON web tokens.
openidFlowType string Specifies the OpenID connect flow type. Valid values are code and hybrid. The default value is code.
openidHybridResponseType string Specifies the OpenID connect hybrid response type. The default value is code-idtoken. The valid values are:
  • code-idtoken - The authorization endpoint issues an authorization code and an ID token, and the token endpoint issues an access token and an ID token.
  • code-token - The authorization endpoint issues an authorization code and an access token, and the token endpoint issues an access token and an ID token.
  • code-idtoken-token - The authorization endpoint issues an authorization code, an access token, and an ID token, and the token endpoint issues an access token and an ID token.
requestAuthRedirect object Specifies an auth-redirect-request type of request, which redirects a user to an OAuth server. The OAuth Client item uses this request at the start of a session. This request applies when the OAuth Client is configured with the grant type authorization-code. The following parameters are in this object:
  • description: Specifies the description of the OAuth request. Type - string.
  • uri: Specifies an ASCII-encoded Uniform Resource Identifier (URI) as defined in RFC 3986. Type - string.
  • method: Specifies the OAuth request method. Valid values are get and post. The default value is post. Type - string.
  • headers: Specifies the OAuth request header names and values. Type - array.
  • parameters: Specifies the OAuth request parameters: the parameter name, value, and type that the external OAuth authorization server supports for the request. Type - array.
requestToken object Specifies a token-request type of request. The OAuth Client item uses this request at the start of a session to access an authorization server to obtain an access token or exchange an authorization code for an access token. The following parameters are in this object:
  • description: Specifies the description of the OAuth request. Type - string.
  • uri: Specifies an ASCII-encoded Uniform Resource Identifier (URI) as defined in RFC 3986. Type - string.
  • method: Specifies the OAuth request method. Valid values are get and post. The default value is post. Type - string.
  • headers: Specifies the OAuth request header names and values. Type - array.
  • parameters: Specifies the OAuth request parameters: the parameter name, value, and type that the external OAuth authorization server supports for the request. Type - array.
requestRefreshToken object Specifies a token-refresh-request type of request. The OAuth Client item uses this request to refresh an expired access token. This request is used on a per-request basis. The following parameters are in this object:
  • description: Specifies the description of the OAuth request. Type - string.
  • uri: Specifies an ASCII-encoded Uniform Resource Identifier (URI) as defined in RFC 3986. Type - string.
  • method: Specifies the OAuth request method. Valid values are get and post. The default value is post. Type - string.
  • headers: Specifies the OAuth request header names and values. Type - array.
  • parameters: Specifies the OAuth request parameters: the parameter name, value, and type that the external OAuth authorization server supports for the request. Type - array.
scope string Specifies one or more scopes, entered as a list of space-delimited, case-sensitive strings. The OAuth authorization server defines the strings; the developer documentation for a particular provider's OAuth 2.0 API is usually the best source for the scope strings it supports.
For the authorization-code grant type, an OAuth authorization server prompts the user to grant or deny access to the scopes.
For the password grant type, an OAuth authorization server grants permission to the requested scopes based on the user providing resource owner password credentials.
redirectionUri string Specifies the URI for the OAuth server to redirect back to the client.
nextItems array Specifies the different branches of the BIG-IP Next Access policy item. This is a required setting.

OAuth Scope Item

The OAuth Scope item requests an OAuth authorization server to get scopes associated with a token and scope data, such as a user’s email address or contact list. It validates JSON web tokens (JWT) or scopes for opaque tokens. In addition, the Scope item uses the provider list to validate tokens issued by multiple OAuth providers.

In the BIG-IP Next Access policy, you define OAuth scope properties in the policy object.

The table below lists the objects for configuring OAuth scope:

Object Type Description
itemType string Specifies the BIG-IP Next Access policy item. For the OAuth Scope item, the value is oauth-scope. This is a required setting.
name string Specifies the name of the BIG-IP Next Access policy item.
caption string Specifies a human-readable description of the policy branch.
expression string Specifies the Tcl expression for the branch rule. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, BIG-IP Next Access obtains session variables from system memory using the Tcl command mcget.
The Tcl expression can also contain one or more expr or return commands. An expr command evaluates an expression and returns the result. A return command simply returns its argument, and can be used to set the variable to a numeric value or string.
For example (the expression is a JSON string value, so inner double quotes are escaped, and the backslash that joins domain and username is doubled once for Tcl and again for JSON):
    "expression": "return {1800}",
    "expression": "return {Hello World}",
    "expression": "expr { \"[mcget session.custom.value1] + [mcget session.custom.value2]\" }",
    "expression": "expr { \"[mcget {session.logon.last.domain}]\\\\[mcget {session.logon.last.username}]\" }", and
    "expression": "expr {1800}".
For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html.
For a list of session variables, refer to Reference: Session Variables.
oauthServer string Specifies the OAuth server to which this item directs requests for authorization and authentication.
requestOpenidUserinfo object Specifies an openid-userinfo-request type of request. This request is used to access a well-known endpoint for OpenID Connect and get user info. The following parameters are in this object:
  • description: Specifies the description of the OAuth request. Type - string.
  • uri: Specifies an ASCII-encoded Uniform Resource Identifier (URI) as defined in RFC 3986. Type - string.
  • method: Specifies the OAuth request method. Valid values are get and post. The default value is post. Type - string.
  • headers: Specifies the OAuth request header names and values. Type - array.
  • parameters: Specifies the OAuth request parameters: the parameter name, value, and type that the external OAuth authorization server supports for the request. Type - array.
tokenValidationMode string Specifies the token validation mode. The default value is external. Valid values are:
  • internal - In this mode, the item validates JSON web tokens (JWT).
  • external - In this mode, the item makes requests to an OAuth authorization server to get scopes associated with a token and to get scope data, such as a user's email address or contact list.
jwtProviderList object Specifies a list of OAuth providers that support JWT. When configured, the item validates a JWT from any of these providers. The following parameters are in this object:
  • accessTokenExpiresIn: Specifies the number of minutes that the JSON web token should live. Type - string.
  • name: Specifies the name of the JWT provider list. Type - string.
  • oauthProviders: Specifies a list of OAuth Providers. Type - array.
requestValidationScopes object Specifies a validation-scopes-request type of request. The following parameters are in this object:
  • description: Specifies the description of the OAuth request. Type - string.
  • uri: Specifies an ASCII-encoded Uniform Resource Identifier (URI) as defined in RFC 3986. Type - string.
  • method: Specifies the OAuth request method. Valid values are get and post. The default value is post. Type - string.
  • headers: Specifies the OAuth request header names and values. Type - array.
  • parameters: Specifies the OAuth request parameters: the parameter name, value, and type that the external OAuth authorization server supports for the request. Type - array.
scopeRequests array Specifies a list of scope data requests. Each entry has the following parameters:
  • scopeName: Specifies the name of a scope that the OAuth provider supports. This is a required setting. Type - string.
  • requestScopeData: Specifies a scope-data-request type of request. This is a required setting. Type - object. The following parameters are in this object:
    • description: Specifies the description of the OAuth request. Type - string.
    • uri: Specifies an ASCII-encoded Uniform Resource Identifier (URI) as defined in RFC 3986. Type - string.
    • method: Specifies the OAuth request method. Valid values are get and post. The default value is post. Type - string.
    • headers: Specifies the OAuth request header names and values. Type - array.
    • parameters: Specifies the OAuth request parameters: the parameter name, value, and type that the authorization server supports for the request. Type - array.
nextItems array Specifies the different branches of the BIG-IP Next Access policy item. This is a required setting.
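The OAuth Client item and OAuth Scope item tables above list the settings and their valid values item by item. The following added example (not F5 code and not from this page) builds both items as Python dicts in the shape of the policy object, shows the space-delimited, case-sensitive scope semantics with a function that reports which requested scopes a token lacks, and lints the items against the valid values and required settings from the tables. URIs and names are constructed placeholders; the element shape of nextItems is defined by the OpenAPI specification rather than this page, so it is left as a labelled placeholder; the rule that internal validation mode needs at least one JWT provider is this example's assumption.

```python
# Valid values from the OAuth Client item and OAuth Scope item tables.
VALID_GRANTS = {"authorization-code", "password"}
VALID_FLOWS = {"code", "hybrid"}
VALID_HYBRID = {"code-idtoken", "code-token", "code-idtoken-token"}
VALID_VALIDATION_MODES = {"internal", "external"}
VALID_METHODS = {"get", "post"}

def oauth_request(uri, method="post", description=""):
    # Shape shared by every request object in the two tables.
    return {"description": description, "uri": uri, "method": method,
            "headers": [], "parameters": []}

def build_policy_items():
    """An oauth-client item followed by an oauth-scope item, both bound to the
    OAuth server named example_server. URIs and names are constructed
    placeholders; NEXT_ITEM_PLACEHOLDER stands in for the branch objects."""
    as_base = "https://as.example.test"
    client = {
        "itemType": "oauth-client",
        "name": "oauth_client",
        "caption": "OAuth Client",
        "oauthServer": "example_server",
        "grantType": "authorization-code",
        "openidConnect": True,
        "openidFlowType": "code",
        "scope": "openid profile email",
        "redirectionUri": "https://sp.example.test/oauth/client/redirect",
        "requestAuthRedirect": oauth_request(as_base + "/authorize", "get"),
        "requestToken": oauth_request(as_base + "/token"),
        "requestRefreshToken": oauth_request(as_base + "/token"),
        "requestOpenidUserinfo": oauth_request(as_base + "/userinfo", "get"),
        "nextItems": ["NEXT_ITEM_PLACEHOLDER"],
    }
    scope_item = {
        "itemType": "oauth-scope",
        "name": "oauth_scope",
        "caption": "OAuth Scope",
        "oauthServer": "example_server",
        "tokenValidationMode": "internal",
        "jwtProviderList": {"name": "jwt_providers", "accessTokenExpiresIn": "0",
                            "oauthProviders": ["example_provider"]},
        "requestValidationScopes": oauth_request(as_base + "/introspect"),
        "scopeRequests": [{"scopeName": "email",
                           "requestScopeData": oauth_request(as_base + "/userinfo", "get")}],
        "nextItems": ["NEXT_ITEM_PLACEHOLDER"],
    }
    return [client, scope_item]

def parse_scope(scope_string):
    """The scope setting is a space-delimited list of case-sensitive strings."""
    return scope_string.split()

def missing_scopes(requested, granted):
    """Requested scopes absent from the granted list. The comparison is
    case-sensitive, so 'Profile' does not satisfy 'profile'."""
    have = set(parse_scope(granted))
    return [s for s in parse_scope(requested) if s not in have]

def lint_policy_items(items, server_names):
    """Check items against the tables; server_names are the Oauth externalServers names."""
    findings = []
    for it in items:
        kind, label = it.get("itemType"), f"{it.get('itemType')}:{it.get('name', '?')}"
        if kind not in ("oauth-client", "oauth-scope"):
            findings.append(f"{label}: unknown itemType")
            continue
        if "nextItems" not in it:
            findings.append(f"{label}: nextItems is required")
        if it.get("oauthServer") not in server_names:
            findings.append(f"{label}: oauthServer references no Oauth externalServers entry")
        for key, val in it.items():
            if isinstance(val, dict) and "uri" in val and val.get("method", "post") not in VALID_METHODS:
                findings.append(f"{label}: {key}.method must be get or post")
        if kind == "oauth-client":
            grant = it.get("grantType", "authorization-code")
            if grant not in VALID_GRANTS:
                findings.append(f"{label}: invalid grantType {grant!r}")
            elif grant == "authorization-code" and "requestAuthRedirect" not in it:
                findings.append(f"{label}: authorization-code grant needs requestAuthRedirect")
            flow = it.get("openidFlowType", "code")
            if flow not in VALID_FLOWS:
                findings.append(f"{label}: invalid openidFlowType {flow!r}")
            elif flow == "hybrid" and it.get("openidHybridResponseType", "code-idtoken") not in VALID_HYBRID:
                findings.append(f"{label}: invalid openidHybridResponseType")
        else:
            mode = it.get("tokenValidationMode", "external")
            if mode not in VALID_VALIDATION_MODES:
                findings.append(f"{label}: invalid tokenValidationMode {mode!r}")
            elif mode == "internal" and not it.get("jwtProviderList", {}).get("oauthProviders"):
                # Assumption: internal mode validates JWTs, so it needs at least one JWT provider.
                findings.append(f"{label}: internal validation mode has no JWT providers")
            for req in it.get("scopeRequests", []):
                for key in ("scopeName", "requestScopeData"):
                    if key not in req:
                        findings.append(f"{label}: scopeRequests entry missing required {key}")
    return findings
```

missing_scopes("openid profile email", "openid Profile email") returns ["profile"], which is the case-sensitivity point the scope description makes. Linting the two items with {"example_server"} as the known server names yields no findings; with an empty set, both items are reported for referencing an OAuth server that does not exist.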

SAML Service Provider

When BIG-IP Next Access acts as a SAML SP, the SP service (type of AAA service in Access) identifies the correct IdP and redirects the user to authenticate against that IdP to allow access to resources behind Access. It requests authentication from an external SAML IdP specified on Access in a SAML IdP connector. You can bind a SAML SP service to one or more SAML IdP connectors.

In the BIG-IP Next Access policy, you define SAML Auth properties in the policy object.

For instructions on configuring SAML SP, refer to How to: Configure SAML SP policy workflows using BIG-IP Next instances.

The table below lists the SAML SP objects used for creating the policy.

Object Type Description
itemType string Specifies the BIG-IP Next Access policy item. For the SAML SP item, the value is saml. This is a required setting.
name string Specifies the name of the BIG-IP Next Access policy item.
caption string Specifies a human-readable description of the policy branch.
expression string Specifies the Tcl expression for the branch rule. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, BIG-IP Next Access obtains session variables from system memory using the Tcl command mcget.
The Tcl expression can also contain one or more expr or return commands. An expr command evaluates an expression and returns the result. A return command simply returns its argument, and can be used to set the variable to a numeric value or string.
For example (the expression is a JSON string value, so inner double quotes are escaped, and the backslash that joins domain and username is doubled once for Tcl and again for JSON):
    "expression": "return {1800}",
    "expression": "return {Hello World}",
    "expression": "expr { \"[mcget session.custom.value1] + [mcget session.custom.value2]\" }",
    "expression": "expr { \"[mcget {session.logon.last.domain}]\\\\[mcget {session.logon.last.username}]\" }", and
    "expression": "expr {1800}".
For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html.
For a list of session variables, refer to Reference: Session Variables.
service object Specifies the SAML SP service configuration that defines the metadata an external SAML IdP requires to communicate with the SAML SP. The following parameters are in this object:
  • name: Specifies the name of the SAML SP service. This is a required setting. Type - string.
  • entityId: Specifies a unique identifier for the SAML SP entity. It is recommended that the entity ID is a URL containing the FQDN of the SP virtual server. This is a required setting. Type - string.
  • isAuthnRequestSigned: Specifies whether to send signed authentication requests. Set this property to true to send signed authentication requests. The default value is false. Type - boolean.
  • wantAssertionSigned: Specifies whether the SP requires signed assertions. The default value is true. Type - boolean.
  • wantAssertionEncrypted: Specifies whether the SP requires encrypted assertions. The default value is false. Type - boolean.
acsBinding any or null Specifies the method BIG-IP Next as SP uses to receive assertions. The default value is http-post. The valid values are http-post, http-redirect, http-artifact, soap, and paos.
relayState string Specifies an absolute path or a URI where the BIG-IP as SP redirects users after they are successfully authenticated.
forceAuthn boolean Specifies if the users are forced to authenticate again even when they have an SSO session at the identity provider. To use this property, the external IdP should support a force authentication flag. The default value is false.
allowNameIdentifierCreation boolean Specifies whether to allow the external IdP, when processing requests from BIG-IP Next, to create a new identifier to represent the principal. The default value is true.
nameIdFormat any or null Specifies the type of identifier information to use. For example, if a Service Provider initiates SSO by sending an AuthnRequest to the IdP with format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, then the IdP response should contain the subject identity in email format. The default value is unspecified. The valid values are federated, provider, emailAddress, WindowsDomainQualifiedName, X509SubjectName, and unspecified.
nameIdSpNameQualifier string Specifies that the assertion subject's identifier be returned in the namespace of an SP other than the requester, or in the namespace of a SAML affiliation group of SPs. This property can be a session variable.
providerName string Specifies a human-readable name of the SAML SP for use by the IdP.
authCtxMethods array Specifies an array of authentication context classes that BIG-IP Next will request from an IdP.
authCtxComparisonType string Specifies the comparison method that the IdP must use to compare the authentication context to the authentication class of the user session. The default value is exact. The valid values are exact, minimum, better, and maximum.
signingCertificate string Specifies the name under which the signing certificate file was uploaded. Configure this property if isAuthnRequestSigned is set to true.
signingPrivateKey string Specifies the name under which the signing private key file was uploaded. Configure this property if isAuthnRequestSigned is set to true.
decryptionKey string Specifies the private key that the SAML SP uses to decrypt encrypted assertions from the IdP. Configure this property if wantAssertionEncrypted is set to true.
decryptionCertificate string Specifies the SAML SP certificate that the IdP uses to encrypt assertions sent to the SP. Configure this property if wantAssertionEncrypted is set to true.
idpConnectors array Specifies an array of IdP connectors. To configure multiple IdP connectors, define the following properties in all the IdP connector objects:
  • name: Specifies an optional name of the IdP connector. Type - string.
  • matchingSource: Specifies the IdP's matching source for the entity ID. For example, %{session.logon.last.domain}, %{session.logon.last.logonname}, %{session.server.landinguri}, or any session variable. Type - string.
  • matchingValue: Specifies the IdP’s matching value for the entity ID. Type - string.
attributeConsumingServices array Specifies an array of objects that describes a service and the list of attributes to be used by the service. It is typically used with attributeConsumingServiceIndex in the SAML Authentication request used to map to an attribute-consuming service. To configure attribute-consuming services, define the following properties in all the attribute-consuming service objects:
  • name: Specifies an optional name of the attribute consuming service. Type - string.
  • serviceName: Specifies the attribute consuming service name. Type - string.
  • attributes: Specifies an array of attributeConsumingService attributes. You can specify the name, attributeName, attributeFriendlyName, attributeNameFormat, and isRequired parameters in this object.
authCtxClasses array Specifies an array of authentication context classes. BIG-IP Next uses this list to validate the authentication context from an IdP against locally configured context methods (authCtxMethods) using the specified comparison type (authCtxComparisonType). This property is required if you use a comparison type (authCtxComparisonType) other than the default (exact).
nextItems array Specifies the different branches of the BIG-IP Next Access Policy item. This is a required setting.

SAML IDP Connector

The SAML IdP Connector item allows you to configure one or more IdP connectors. You may bind multiple IdP connectors to an SP service when you provide services to different businesses and universities, each specifying an IdP to identify its users. When the user’s information arrives at the SP service on BIG-IP Next, the SP service identifies the correct IdP. Then, it redirects the user to authenticate against that IdP before the SP service provides access to the service. The BIG-IP Next Access chooses the correct IdP connector at run time through a filtering and matching process called IdP discovery.

In the BIG-IP Next Access policy, you define SAML IDP Connector properties in the externalServers object.

Example: The following example shows an externalServers object with a SAML IdP Connector item.

"externalServers": [
        {
            "name": "First_IDP_Connector",
            "serverType": "SamlIdPConnector",
            "entityId": "https://www.idp.com",
            "ssoUri": "https://www.idp.com/sso",
            "ssoBinding": "http-post",
            "nameQualifier": "https://www.idp.com",
            "samlArtifactResolutionService": {
                "username": "f5",
                "password": "f5",
                "artifactResolutionServiceUrl": "https://www.idp.com/ars",
                "dnsResolverName": "dns",
                "clientTls": {
                    "cipherstring": "RSA",
                    "tlsVersions": {
                        "enableTLS1.3": false,
                        "enableTLS1.2": true
                    }
                },
                "signArtifactResolutionRequest": true
            },
            "wantAuthnRequestSigned": true,
            "wantDetachedSignature": false,
            "signatureType": "sha256",
            "certificate": "idp_cert",
            "errorReportingUrl": "https://www.idp.com/post/error",
            "identityLocation": "attribute",
            "identityLocationAttribute": "Name",
            "singleLogoutUri": "https://www.idp.com/post/slr",
            "singleLogoutResponseUri": "https://www.idp.com/post/sls",
            "singleLogoutBinding": "http-post"
        }
    ]

The table below lists the external IDP Connector objects used for authentication:

Object Type Description
name string Specifies the name of the IdP connector. This is a required setting.
serverType string Specifies the external server type. For example, SamlIdPConnector. This is a required setting.
entityId string Specifies a unique identifier for the SAML Identity Provider. This is a required setting.
nameQualifier string Specifies the security or administrative domain of the Identity Provider.
wantAuthnRequestSigned boolean Specifies whether the IdP expects signed authentication requests. The default value is false.
wantDetachedSignature boolean Specifies whether to detach signature when using redirect binding. The default value is false.
signatureType string Specifies the signing algorithm used to send authentication request to IdP. The default value is sha256. The valid values are sha1, sha256, sha384, and sha512.
errorReportingUrl string Specifies a reporting URL which receives errors, if any.
identityLocation string Specifies where to find the user ID or name: in the subject element of the assertion or in one of the attributes in the attribute statement. The default value is subject.
identityLocationAttribute string If identityLocation is set to attribute, specifies the name of the attribute that carries the user ID or name.
certificate string Specifies the IdP certificate whose public key the service provider uses to validate a signed assertion.
samlArtifactResolutionService object Specifies the SAML artifact resolution service for the HTTP or HTTPS scheme. The following parameters are in this object:
  • username: Specifies a user name for the artifact resolution service request. Type - string.
  • password: Specifies a password for the artifact resolution service request. Type - string.
  • signArtifactResolutionRequest: Specifies whether the IdP requires artifact resolve requests from a SAML SP to be signed. The default value is false. Type - boolean.
  • dnsResolverName: Specifies the name of the configured DNS Resolver that can resolve the artifact resolution service hostname. The default value is global_f5_internal_net_resolver. Refer to How to: Manage DNS Resolution for more details. Type - string.
  • artifactResolutionServiceUrl: Specifies the URL where the SP sends an artifact resolve request to the identity provider. IP addresses and hostnames are supported. This is a required setting. Type - string.
  • clientTls: Specifies TLS properties, such as the cipher string and TLS versions, to use for server-side SSL communication. Type - object. The following parameters are in this object:
    • cipherstring: Specifies the cipher string to use for server-side SSL communications. The default value is DEFAULT. Type - string.
    • tlsVersions: Specifies the TLS versions that need to be enabled. You can specify the enableTLS1.3, enableTLS1.2, and enableTLS1.1 parameters in this object. Type - object.
singleLogoutUri string Specifies the URL at the SAML IdP where BIG-IP Next Access can send the logout request when a service provider initiates a logout.
singleLogoutResponseUri string Specifies the URL at the SAML IdP where BIG-IP Next Access can send the logout response when the IdP initiates the logout request.
singleLogoutBinding string Specifies the method that BIG-IP Next Access uses to send logout requests and responses to the SAML IdP.
ssoUri string Specifies the URL where BIG-IP Next Access redirects the user for authentication when the user initiates connection through the service provider. This is a required setting.
ssoBinding string Specifies how BIG-IP Next Access should send an authentication request to the SAML Identity Provider. The default value is http-post. Valid values are http-post, http-redirect, http-artifact, soap, and paos.
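The SAML Service Provider and SAML IDP Connector sections above describe the SP item, its idpConnectors references with matchingSource and matchingValue, and the SamlIdPConnector entries in externalServers, but do not show the two halves together. The following added example (not F5 code and not from this page) builds an SP item bound to two IdP connectors, models IdP discovery by expanding the %{session...} matching source against a session-variable dictionary and comparing it with matchingValue (an assumed reading of the discovery process; the real matching semantics are not spelled out on this page), and lints both halves against the required settings, conditional requirements and valid values in the tables. Entity IDs, hostnames and file names are constructed placeholders; the SHA-1 check is this example's own defensive rule.

```python
import re

# Valid values and conditional requirements from the SAML SP and IdP connector tables.
VALID_BINDINGS = {"http-post", "http-redirect", "http-artifact", "soap", "paos"}
VALID_NAMEID = {"federated", "provider", "emailAddress", "WindowsDomainQualifiedName",
                "X509SubjectName", "unspecified"}
VALID_COMPARISON = {"exact", "minimum", "better", "maximum"}
VALID_SIGNATURES = {"sha1", "sha256", "sha384", "sha512"}

def build_sp_item():
    """A saml policy item bound to two IdP connectors, selected on the logon domain.
    Entity IDs, hostnames and file names are constructed placeholders."""
    return {
        "itemType": "saml",
        "name": "saml_sp",
        "caption": "SAML SP",
        "service": {"name": "sp_service", "entityId": "https://sp.example.test/saml/sp",
                    "isAuthnRequestSigned": True, "wantAssertionSigned": True,
                    "wantAssertionEncrypted": True},
        "acsBinding": "http-post",
        "nameIdFormat": "emailAddress",
        "forceAuthn": False,
        "authCtxComparisonType": "exact",
        "signingCertificate": "sp_signing_cert",
        "signingPrivateKey": "sp_signing_key",
        "decryptionKey": "sp_decryption_key",
        "decryptionCertificate": "sp_decryption_cert",
        "idpConnectors": [
            {"name": "Corp_IDP_Connector", "matchingSource": "%{session.logon.last.domain}",
             "matchingValue": "corp.example.test"},
            {"name": "Partner_IDP_Connector", "matchingSource": "%{session.logon.last.domain}",
             "matchingValue": "partner.example.test"},
        ],
        "nextItems": ["NEXT_ITEM_PLACEHOLDER"],  # branch shape comes from the OpenAPI spec
    }

def build_idp_connectors():
    """Matching SamlIdPConnector entries for externalServers; the second one is
    deliberately configured with sha1 so the linter has something to report."""
    base = {"serverType": "SamlIdPConnector", "ssoBinding": "http-post", "wantAuthnRequestSigned": True}
    return [
        dict(base, name="Corp_IDP_Connector", entityId="https://idp.corp.example.test",
             ssoUri="https://idp.corp.example.test/sso", signatureType="sha256", certificate="corp_idp_cert"),
        dict(base, name="Partner_IDP_Connector", entityId="https://idp.partner.example.test",
             ssoUri="https://idp.partner.example.test/sso", signatureType="sha1", certificate="partner_idp_cert"),
    ]

def expand_session_vars(template, session):
    """Replace %{session.x.y} references with values from a session-variable dict."""
    return re.sub(r"%\{([^}]+)\}", lambda m: session.get(m.group(1), ""), template)

def discover_idp(sp_item, session):
    """Model of IdP discovery (assumed semantics): the first connector whose expanded
    matchingSource equals its matchingValue wins; None when nothing matches."""
    for ref in sp_item["idpConnectors"]:
        if expand_session_vars(ref["matchingSource"], session) == ref["matchingValue"]:
            return ref["name"]
    return None

def lint_saml(sp_item, idp_connectors):
    """Findings for the SP item and its connectors; empty means the pair passes."""
    findings = []
    svc = sp_item.get("service", {})
    findings += [f"service.{k} is required" for k in ("name", "entityId") if k not in svc]
    if svc.get("isAuthnRequestSigned") and not (sp_item.get("signingCertificate") and sp_item.get("signingPrivateKey")):
        findings.append("isAuthnRequestSigned needs signingCertificate and signingPrivateKey")
    if svc.get("wantAssertionEncrypted") and not (sp_item.get("decryptionKey") and sp_item.get("decryptionCertificate")):
        findings.append("wantAssertionEncrypted needs decryptionKey and decryptionCertificate")
    if not svc.get("wantAssertionSigned", True):
        findings.append("SP accepts unsigned assertions")
    if sp_item.get("acsBinding", "http-post") not in VALID_BINDINGS:
        findings.append("invalid acsBinding")
    if sp_item.get("nameIdFormat", "unspecified") not in VALID_NAMEID:
        findings.append("invalid nameIdFormat")
    cmp_type = sp_item.get("authCtxComparisonType", "exact")
    if cmp_type not in VALID_COMPARISON:
        findings.append("invalid authCtxComparisonType")
    elif cmp_type != "exact" and not sp_item.get("authCtxClasses"):
        findings.append("authCtxClasses is required when authCtxComparisonType is not exact")
    if "nextItems" not in sp_item:
        findings.append("nextItems is required")
    known = {c.get("name") for c in idp_connectors}
    findings += [f"idpConnectors references unknown connector {r.get('name')!r}"
                 for r in sp_item.get("idpConnectors", []) if r.get("name") not in known]
    for c in idp_connectors:
        label = f"SamlIdPConnector:{c.get('name', '?')}"
        findings += [f"{label}: {k} is required" for k in ("name", "entityId", "ssoUri") if k not in c]
        if c.get("ssoBinding", "http-post") not in VALID_BINDINGS:
            findings.append(f"{label}: invalid ssoBinding")
        sig = c.get("signatureType", "sha256")
        if sig not in VALID_SIGNATURES:
            findings.append(f"{label}: invalid signatureType")
        elif sig == "sha1":
            findings.append(f"{label}: signatureType sha1 is a deprecated hash for XML signatures")
        if not c.get("certificate"):
            findings.append(f"{label}: no certificate; signed assertions cannot be validated")
    return findings
```

With session.logon.last.domain set to partner.example.test, discover_idp picks Partner_IDP_Connector; a domain no connector lists yields None, which a policy would route to a failure branch. lint_saml on the constructed pair reports only the sha1 signature type, because every conditional requirement (signing material for isAuthnRequestSigned, decryption material for wantAssertionEncrypted) is satisfied.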