Overview: Configure Single Sign-On

BIG-IP Next Access provides a Single Sign-On (SSO) feature that is built on credential caching and credential proxying.

Credential caching and proxying is a two-phase security approach in which users enter their credentials once to access their secured web applications on the back-end server. In the first phase, Access creates a user session and collects the user identity based on the Access policy; when the Access policy completes successfully, the user identity is saved (cached) in a session database. In the second phase, Access reuses the cached identity to log the user into the secured web applications seamlessly, giving the user a single sign-on experience.

The Single Sign-On (SSO) feature provides the following benefits:

  • Eliminates the need to administer and maintain multiple user logins.

  • Eliminates the need for users to enter their credentials multiple times.

Supported Methods

BIG-IP Next Access supports the following SSO authentication methods:

  • Form-Based SSO: Access uses the cached user credentials to construct and send the HTTP form-based POST request on behalf of the user. Form-based authentication allows applications to be integrated with an existing Identity Provider (IdP) to provide single sign-on access.

  • Forms Client-Initiated: With the form-based client-initiated method of authentication, BIG-IP Next Access detects the request for a logon page by matching the request against a configured URI, header, or cookie. It then generates JavaScript code, inserts it into the logon page, and returns the logon page to the client, where the inserted JavaScript submits it automatically. BIG-IP Next Access processes the submission and uses the cached user identity to construct and send the HTTP form-based POST request on behalf of the user.

  • HTTP Basic SSO: Access uses the cached user identity and sends the request to the back-end server with an HTTP Authorization header.

  • Kerberos SSO: Access allows users to get a Kerberos ticket and present it transparently to the Windows Web application servers (IIS) for authentication.

  • OAuth Bearer SSO: Access uses OAuth bearer tokens to verify, authenticate, and grant access to protected resources.
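To make the two phases concrete, the following added example (illustrative code written for this page, not BIG-IP Next Access code) simulates the flow described above: an identity is cached in a stand-in session database after the Access policy succeeds, and is then reused to build the back-end request for the HTTP Basic, OAuth Bearer, and form-based methods, plus the logon-page matching and JavaScript insertion used by the forms client-initiated method. The session store, field names, and `AUTO_SUBMIT_JS` snippet are assumptions, not product internals.

```python
import base64
from urllib.parse import urlencode

# Constructed in-memory stand-in for the Access session database:
# session id -> identity cached after the Access policy completed.
SESSION_DB = {}

def cache_identity(session_id, username, secret):
    """Phase 1: the Access policy succeeded, so the identity is saved in the session DB."""
    SESSION_DB[session_id] = {"username": username, "secret": secret}

def build_sso_request(session_id, method, form_config=None):
    """Phase 2: reuse the cached identity to build the request Access sends to the back end."""
    identity = SESSION_DB.get(session_id)
    if identity is None:
        return None  # no cached identity: the user has not passed the Access policy
    user, secret = identity["username"], identity["secret"]
    if method == "basic":  # HTTP Basic SSO: Authorization header on the proxied request
        token = base64.b64encode(f"{user}:{secret}".encode()).decode()
        return {"headers": {"Authorization": f"Basic {token}"}, "body": None}
    if method == "bearer":  # OAuth Bearer SSO: the cached secret is the bearer token
        return {"headers": {"Authorization": f"Bearer {secret}"}, "body": None}
    if method == "form":  # Form-based SSO: build the application's logon POST body
        cfg = form_config or {}  # assumed config keys: user_field, pass_field, hidden_fields
        fields = {cfg.get("user_field", "username"): user,
                  cfg.get("pass_field", "password"): secret}
        fields.update(cfg.get("hidden_fields", {}))
        return {"headers": {"Content-Type": "application/x-www-form-urlencoded"},
                "body": urlencode(fields)}
    raise ValueError(f"unsupported SSO method: {method}")

def is_logon_page(uri, headers, cookies, match):
    """Forms client-initiated: detect the logon page by a configured URI, header, or cookie."""
    if "uri" in match and uri == match["uri"]:
        return True
    if "header" in match and headers.get(match["header"][0]) == match["header"][1]:
        return True
    return "cookie" in match and match["cookie"] in cookies

# Assumed auto-submit snippet: submits the first form as soon as the page loads.
AUTO_SUBMIT_JS = "<script>document.forms[0].submit();</script>"

def inject_auto_submit(html):
    """Insert the auto-submit script before </body> so the client submits the logon form."""
    idx = html.lower().rfind("</body>")
    return html[:idx] + AUTO_SUBMIT_JS + html[idx:] if idx != -1 else html + AUTO_SUBMIT_JS
```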

Configure Single Sign-On

You can configure single sign-on in the following ways:

  • Configure Single Sign-On using BIG-IP Next Central Manager