Access: Overview

Introduction

F5 BIG-IP Next Access is a flexible, high-performance access management and security solution that delivers contextual, unified global access to your applications, the cloud, and the network. It secures, simplifies, and centralizes access to apps, APIs, and data, no matter where users and their apps are located. BIG-IP Next Access leverages a re-architected control plane to free up IT resources, provide robust application and network security, and scale rapidly to meet growing demand. In addition, BIG-IP Next Access lets you provide trusted application access by creating and enforcing dynamic, context-based access policies for all of your applications.

BIG-IP Next Access consolidates your infrastructure and simplifies access management by providing authentication and authorization control. It supports identity federation and SSO options based on SAML 2.0. This lets organizations centrally enable and disable user access to any identity-enabled application, regardless of where it is hosted. BIG-IP Next Access acts as a SAML service provider (SP) and supports both SP-initiated and identity provider (IdP)-initiated flows. In addition, you can enforce fine-grained access control to your applications based on the attributes received in the SAML assertion.

Policy Structure

Access policies define the criteria for granting access to various servers, applications, and other resources on your network. BIG-IP Next Access provides two types of policies.

Per-session policy

The per-session policy runs when a client initiates a session. A per-session policy is also referred to simply as a BIG-IP Next Access policy. Depending on the items you include in it, the policy can authenticate the user, present a logon page, and populate session variables with data for use throughout the session.

Example: The following example shows a Per-session policy.

PUT https://{{bigip_next_mgmt_ip}}:{{bigip_next_mgmt_port}}/api/v1/access-policies

{
  "policyType": "PerSessionAccessPolicy",
  "name": "new-policy",
  "caption": "Some description for the policy",
  "profileType": "ltm-access",
  "policy": {
    "objectContent": {
      "languages": [
        "en",
        "es"
      ],
      "defaultLanguage": "en",
      "generalUi": [
      ],
      "logout": [
      ],
      "start": {
        "itemType": "allow",
        "name": "Name of policy item"
      },
      "macros": [
      ]
    }
  },
  "externalServers": [],
  "ssos": [],
  "ssoReference": "string"
}
Object                      Type    Description
policyType                  string  Specifies the type of policy. For a per-session policy the value is PerSession. (The example above sends PerSessionAccessPolicy; check the Create Access Policy OpenAPI specification for the enumeration your release accepts.)
name                        string  Specifies the name of the BIG-IP Next Access policy.
profileType                 string  Specifies the type of access profile. Valid values are all, ltm-access, oauth-resource-server, and sso.
policy                      object  Specifies the policy tree structure. It defines policy objects, rules, items, customization and language data, macros, and configuration objects not related to external servers.
externalServers (optional)  array   Specifies configuration objects describing communications with external servers, such as SAML IdP Connectors and server definitions.
ssos (optional)             array   Defines an array of Kerberos SSO objects used for authentication.

Refer to Create Access Policy for the OpenAPI specification document which details the required objects and parameters.

Per-request policy

After the session is established, the per-request policy runs on every HTTP or HTTPS request the client makes and determines whether to allow or reject that request. A per-request policy is therefore the right place for checks that must be re-evaluated on each request, or for decisions that depend on gating criteria that can change during a session. Configure a per-request policy with policy items that support per-request branch rules and actions; most per-request policy items are unique to per-request policies.

Example: The following example shows a Per-request policy.

PUT https://{{bigip_next_mgmt_ip}}:{{bigip_next_mgmt_port}}/api/v1/access-policies
 
{
    "policyType": "PerRequestAccessPolicy",
    "name": "new-policy",
    "caption": "Some description for the policy",
    "policy": {
        "objectContent": {
            "languages": [
                "en",
                "es"
            ],
            "defaultLanguage": "es",
            "generalUi": [
            ],
            "logout": [
            ],
            "start": {
                "itemType": "allow",
                "name": "Name of policy item"
            },
            "macros": [
            ]
        }
    },
    "externalServers": [ ],
    "ssos": [ ]
}
Object           Type    Description
policyType       string  Specifies the type of policy. For a per-request policy the value is PerRequest. (The example above sends PerRequestAccessPolicy; check the Create Access Policy OpenAPI specification for the enumeration your release accepts.)
name             string  Specifies the name of the BIG-IP Next Access policy.
policy           object  Specifies the policy tree structure and the objects that set additional configuration properties such as items, customization and language data, and macros.
externalServers  array   Specifies configuration objects describing communications with external servers.
ssos             array   Defines an array of Kerberos SSO objects used for authentication.

Refer to Create Access Policy for the OpenAPI specification document which details the required objects and parameters.

Single Sign-On

Single Sign-On (SSO) uses credential caching and proxying to let users access multiple applications with one set of credentials. BIG-IP Next Access creates a user session, collects the user identity as directed by the Access policy, and stores it in a session database. It then reuses the cached identity to log the user into the protected web applications, so the user does not have to enter credentials more than once.

Several SSO authentication protocols exist, such as HTTP Basic, NTLM, Kerberos, Form-Based, OAuth bearer, and SAML. Each configuration may require several attributes that need to be specified to support SSO. Refer to Overview: Configure Single Sign-On methods for details on the supported SSO methods.

The SSO configuration is defined in the ssos property that contains an array of SSO objects used for authentication.

Example: The following example shows the ssos property.

"ssos": [
    {
        "ssoType": "Kerberos",
        "name": "ks1",
        "realm": "MY.HOST.LAB.MYNET.COM",
        "accountName": "kan1",
        "accountPassword": "*****"
    }
]

Refer to Create Access Policy for the OpenAPI specification document which details the required objects and parameters.

Additionally, for details of schema objects, refer to Single Sign-On Configurations.

External Servers

The BIG-IP Next Access policy defines the external server configuration in the externalServers property. This property contains an array of external server objects for configuring external servers such as LDAP, RADIUS, Active Directory, Kerberos, and OAuth client and resource server. In addition, you can also configure SAML IdP Connectors and OAuth providers.

Example: The following example shows the externalServers property for SAML IdP Connector.

"externalServers": [
    {
        "name": "First_IDP_Connector",
        "serverType": "SamlIdPConnector",
        "entityId": "https://idp.partner1.com",
        "ssoUri": "https://idp.partner1.com"
    }
]
Object      Type    Description
name        string  Specifies the server or connector name.
serverType  string  Specifies the external server type. For example, SamlIdPConnector.
entityId    string  Specifies a unique identifier for the Identity Provider.
ssoUri      string  Specifies the URL to which BIG-IP Next Access redirects the user for authentication when the user initiates a connection through the service provider.

Refer to Create Access Policy for the OpenAPI specification document which details the required objects and parameters.

Additionally, for details of schema objects of various server definitions, refer to Reference: Policy Items.
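Both the ssos and externalServers arrays above carry values that are easy to get wrong when copied from documentation: a masked accountPassword, or an ssoUri that is not HTTPS. The following Python is an added example (not F5 code) that checks a policy document for these before it is submitted, and masks the Kerberos account secret so the document can be logged or committed to version control. It uses only the fields shown on this page; the checks are the editor's own, not validation the product performs, and the second connector (idp.partner2.example) is a constructed sample.

```python
"""Sanity checks for the externalServers and ssos arrays of a BIG-IP Next Access policy.

Added example, not F5 code. It relies only on the fields shown on this page
(serverType, entityId, ssoUri, ssoType, realm, accountName, accountPassword);
the checks are the editor's own, not rules enforced by the product.
"""
import copy
from typing import Dict, List
from urllib.parse import urlparse

# Masked values that documentation uses and that must never reach a live device.
PLACEHOLDER_SECRETS = {"", "*****", "string", "changeme"}
SECRET_FIELDS = {"accountPassword"}

# Constructed sample: the first connector and the Kerberos SSO object are the
# ones shown on this page; the second connector is made up to trigger a finding.
SAMPLE_POLICY_FRAGMENT: Dict = {
    "externalServers": [
        {"name": "First_IDP_Connector", "serverType": "SamlIdPConnector",
         "entityId": "https://idp.partner1.com", "ssoUri": "https://idp.partner1.com"},
        {"name": "Second_IDP_Connector", "serverType": "SamlIdPConnector",
         "entityId": "https://idp.partner2.example", "ssoUri": "http://idp.partner2.example/sso"},
    ],
    "ssos": [
        {"ssoType": "Kerberos", "name": "ks1", "realm": "MY.HOST.LAB.MYNET.COM",
         "accountName": "kan1", "accountPassword": "*****"},
    ],
}


def lint_servers_and_ssos(policy_doc: Dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    seen_names = set()

    for server in policy_doc.get("externalServers", []):
        name = server.get("name", "<unnamed>")
        if name in seen_names:
            findings.append(f"externalServers: duplicate name '{name}'")
        seen_names.add(name)
        if server.get("serverType") == "SamlIdPConnector":
            for field in ("entityId", "ssoUri"):
                if not server.get(field):
                    findings.append(f"{name}: SamlIdPConnector is missing '{field}'")
            sso_uri = server.get("ssoUri", "")
            if sso_uri and urlparse(sso_uri).scheme != "https":
                # The browser is redirected here carrying the AuthnRequest; over plain
                # HTTP an on-path attacker can read it or redirect the logon elsewhere.
                findings.append(f"{name}: ssoUri '{sso_uri}' is not https")

    for sso in policy_doc.get("ssos", []):
        name = sso.get("name", "<unnamed>")
        if sso.get("ssoType") == "Kerberos":
            realm = sso.get("realm", "")
            if realm != realm.upper():
                findings.append(f"{name}: Kerberos realm '{realm}' is not upper-case")
            if sso.get("accountPassword") in PLACEHOLDER_SECRETS:
                findings.append(f"{name}: accountPassword is a placeholder; set the real delegation account secret")
    return findings


def redact_secrets(policy_doc: Dict) -> Dict:
    """Deep-copy the document with every secret field masked, for logging or version control."""
    redacted = copy.deepcopy(policy_doc)
    for sso in redacted.get("ssos", []):
        for field in SECRET_FIELDS & set(sso):
            sso[field] = "<redacted>"
    return redacted


if __name__ == "__main__":
    for finding in lint_servers_and_ssos(SAMPLE_POLICY_FRAGMENT):
        print(finding)
    print(redact_secrets(SAMPLE_POLICY_FRAGMENT)["ssos"][0])
```

Run the linter against the full policy document before the PUT; anything it prints is a reason not to submit. Use redact_secrets on the copy you write to logs or a repository, never on the document you send to the device.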

Tree-structure in a policy configuration

The BIG-IP Next Access policy configuration contains one or more elements called Items in an open-ended tree structure. It is created declaratively in JSON format based on the Access schemas.

Items represent a set of configuration objects that define the behavior of a policy. They perform operations such as SSO credential mapping, Kerberos authentication, RADIUS authentication, HTTP header and cookie handling, and configuring IdPs and logon pages. The outcome of evaluating an item's branch rules grants access, denies access, or continues to the next item in the policy. The order of items in a BIG-IP Next Access policy determines the flow of action.

The following tree structure shows the sequence in which a typical Access policy runs.

Tree-structure with Items

{
    "policyType": "PerSession",
    "name": "policyname",
    "profileType": "ltm-access",
    "policy": {
        "objectContent": {
            "start": {
                "itemType": "<ITEM1>",
                <ITEM1 SETTINGS>
                "nextItems":[
                    {
                        "caption":"Successful",
                        "expression":"<BRANCH EXPRESSION>",
                        "itemType": "<SAML Item>",
                        <SAML ITEM SETTINGS>
                        "nextItems":[
                            {
                                "caption":"Branch Rule 1",
                                "expression":"<BRANCH EXPRESSION>",
                                "itemType": "<ITEM3>",
                                <ITEM3 SETTINGS>
                                "nextItems":[
                                    {
                                        "caption":"Fallback",
                                        "itemType":"allow"
                                    }
                                ]
                            },
                            {
                                "caption":"Successful",
                                "expression":"<BRANCH EXPRESSION>",
                                "itemType": "<ITEM4>",
                                <ITEM4 SETTINGS>
                                "nextItems":[
                                    {
                                        "caption":"Successful",
                                        "expression":"<BRANCH EXPRESSION>",
                                        "itemType":"allow"
                                    },
                                    {
                                        "caption":"Fallback",
                                        "itemType":"deny"
                                    }
                                ]
                            },
                            {
                                "caption":"Fallback",
                                "itemType":"deny"
                            }
                        ]
                    },
                    {
                        "caption":"Fallback",
                        "itemType":"deny"
                    }
                ]
            }
        }
    },
    "ssos": [
    ],
    "externalServers": [
    ]
}

Refer to Reference: Policy Items for more information on the available items and their schema object details.
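The tree above shows the shape of a policy but not how to check it before you push it to a device. Note in particular that the branch under ITEM3 ends in a Fallback that allows: any request that matches none of that item's branch expressions is let through. The following Python is an added example (not F5 code) that walks the start item and its nextItems recursively, using the convention shown on this page that a branch without an expression is the fallback, and flags fallbacks that end in allow, items with no fallback, and a fallback that shadows later branches. The item type names in the sample (logonPage, samlAuth, ldapQuery, adQuery) are hypothetical placeholders.

```python
"""Lint the item tree of a BIG-IP Next Access policy before deploying it.

Added example, not F5 code. It relies only on the tree shape shown on this
page: a "start" item, each item with an "itemType" and an optional list of
"nextItems", each branch carrying a "caption", an optional "expression" and
the next item inline. A branch without "expression" is taken to be the
fallback, as in the page's examples.
"""
import copy
from typing import Dict, List, Tuple

TERMINALS = {"allow", "deny"}

# Constructed sample mirroring the tree on this page; the item type names
# (logonPage, samlAuth, ldapQuery, adQuery) are hypothetical placeholders.
SAMPLE_POLICY: Dict = {
    "policyType": "PerSession",
    "name": "example-policy",
    "profileType": "ltm-access",
    "policy": {"objectContent": {"start": {
        "itemType": "logonPage",
        "nextItems": [
            {"caption": "Successful", "expression": "<expr>", "itemType": "samlAuth",
             "nextItems": [
                 {"caption": "Branch Rule 1", "expression": "<expr>", "itemType": "ldapQuery",
                  "nextItems": [{"caption": "Fallback", "itemType": "allow"}]},
                 {"caption": "Successful", "expression": "<expr>", "itemType": "adQuery",
                  "nextItems": [
                      {"caption": "Successful", "expression": "<expr>", "itemType": "allow"},
                      {"caption": "Fallback", "itemType": "deny"}]},
                 {"caption": "Fallback", "itemType": "deny"}]},
            {"caption": "Fallback", "itemType": "deny"},
        ],
    }}},
    "ssos": [],
    "externalServers": [],
}


def is_fallback(branch: Dict) -> bool:
    """A branch with no expression is the catch-all for its parent item."""
    return "expression" not in branch


def lint_policy(policy_doc: Dict) -> List[str]:
    """Return findings for dangling items, missing or shadowing fallbacks, and fail-open fallbacks."""
    findings: List[str] = []

    def visit(item: Dict, path: Tuple[str, ...]) -> None:
        item_type = item.get("itemType", "<missing>")
        where = "/".join(path) or "start"
        if item_type in TERMINALS:
            return
        branches = item.get("nextItems") or []
        if not branches:
            findings.append(f"{where}: '{item_type}' has no nextItems and is not allow/deny")
            return
        fallbacks = [i for i, b in enumerate(branches) if is_fallback(b)]
        if not fallbacks:
            findings.append(f"{where}: '{item_type}' has no fallback branch")
        elif fallbacks[0] != len(branches) - 1:
            # Branches are evaluated in order, so anything after a fallback is unreachable.
            findings.append(f"{where}: fallback of '{item_type}' shadows "
                            f"{len(branches) - 1 - fallbacks[0]} later branch(es)")
        for branch in branches:
            caption = branch.get("caption", "?")
            if is_fallback(branch) and branch.get("itemType") == "allow":
                findings.append(f"{where}: fallback '{caption}' of '{item_type}' ends in allow (fails open)")
            visit(branch, path + (f"{item_type}:{caption}",))

    visit(policy_doc["policy"]["objectContent"]["start"], ())
    return findings


def close_open_fallbacks(policy_doc: Dict) -> Dict:
    """Return a deep copy in which every fallback that ends in allow is changed to deny."""
    hardened = copy.deepcopy(policy_doc)

    def visit(item: Dict) -> None:
        for branch in item.get("nextItems") or []:
            if is_fallback(branch) and branch.get("itemType") == "allow":
                branch["itemType"] = "deny"
            visit(branch)

    visit(hardened["policy"]["objectContent"]["start"])
    return hardened


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
    print("after hardening:", lint_policy(close_open_fallbacks(SAMPLE_POLICY)))
```

On the sample this reports one finding, the fail-open fallback under ldapQuery, and close_open_fallbacks produces a copy that lints clean. Treat a fallback that allows as a deliberate decision to be reviewed, not a default: the safe shape for an access policy is that every path which matches no branch expression ends in deny.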