Overview: Configure Single Sign-On
BIG-IP Next Access provides a Single Sign-On (SSO) feature built on credential caching and credential proxying.
Credential caching and proxying is a two-phase approach: users enter their credentials once, and Access then signs them in to the secured web applications on the back-end servers. In the first phase, Access creates a user session and collects the user identity according to the Access policy; when the policy completes successfully, the identity is saved (cached) in the session database. In the second phase, Access reuses the cached identity to log the user into each secured web application transparently, giving the user a single sign-on experience.
The Single Sign-On (SSO) feature provides the following benefits:
Eliminates the need to administer and maintain multiple user logins.
Eliminates the need for users to enter their credentials multiple times.
Supported Methods
BIG-IP Next Access supports the following SSO authentication methods:
Form-Based SSO: Access uses the cached user credentials to construct and send the HTTP form-based POST request on behalf of the user. Form-based authentication lets applications be integrated with an existing Identity Provider (IdP) to provide single sign-on access.
Forms Client-Initiated: With the form-based client-initiated method, BIG-IP Next Access detects the request for a logon page by matching a configured URI, header, or cookie. It then generates JavaScript code, inserts it into the logon page, and returns the page to the client, where the inserted JavaScript submits the form automatically. BIG-IP Next Access processes that submission and uses the cached user identity to construct and send the HTTP form-based POST request on behalf of the user.
HTTP Basic SSO: Access sends the cached username and password to the back-end server in the HTTP Authorization header (Basic scheme).
Kerberos SSO: Access obtains a Kerberos ticket on the user's behalf and presents it transparently to Windows web application servers (IIS) for authentication.
OAuth Bearer SSO: Access presents an OAuth bearer token obtained during the Access policy to the protected resource, which verifies the token and grants access.
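To make the credential proxying step concrete, the following is an added example (not BIG-IP Next Access code or configuration) that simulates what the SSO engine does for the form-based, forms client-initiated, HTTP Basic and OAuth bearer methods: it takes an identity cached at policy completion and builds the request that would be sent to the back-end application, or the script that would be inserted into a logon page. Kerberos SSO is omitted because it cannot be demonstrated without a KDC. The `CachedIdentity` fields, the logon-page matching rule keys (`uri`, `header`, `cookie`) and the form element id are assumptions made for the example.

```python
"""Toy credential proxy modelling the SSO methods listed above.
Added example, not F5 code; all names and field layouts are assumptions."""
import base64
import json
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlencode


@dataclass(frozen=True)
class CachedIdentity:
    """What the access policy leaves in the session database (constructed)."""
    username: str
    password: Optional[str] = None      # present only if the policy captured it
    bearer_token: Optional[str] = None  # present only if an OAuth flow ran


@dataclass
class BackendRequest:
    """The request Access would send to the back-end server for the user."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def form_based_sso(identity: CachedIdentity, logon_uri: str, user_field: str,
                   pass_field: str, hidden: Optional[Dict[str, str]] = None) -> BackendRequest:
    """Form-Based SSO: replay the cached credentials as the POST the logon form
    would have produced. Hidden fields are copied through so the application
    receives exactly the parameters it expects."""
    if identity.password is None:
        raise ValueError("form-based SSO needs a cached password")
    fields = {user_field: identity.username, pass_field: identity.password}
    fields.update(hidden or {})
    body = urlencode(fields).encode()
    return BackendRequest("POST", logon_uri, {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
    }, body)


def http_basic_sso(identity: CachedIdentity, path: str) -> BackendRequest:
    """HTTP Basic SSO: cached username:password, base64-encoded, in Authorization."""
    if identity.password is None:
        raise ValueError("HTTP Basic SSO needs a cached password")
    raw = f"{identity.username}:{identity.password}".encode()
    token = base64.b64encode(raw).decode()
    return BackendRequest("GET", path, {"Authorization": f"Basic {token}"})


def oauth_bearer_sso(identity: CachedIdentity, path: str) -> BackendRequest:
    """OAuth Bearer SSO: present the token obtained during the access policy."""
    if identity.bearer_token is None:
        raise ValueError("OAuth bearer SSO needs a cached bearer token")
    return BackendRequest("GET", path, {"Authorization": f"Bearer {identity.bearer_token}"})


def is_logon_page(path: str, headers: Dict[str, str], cookies: Dict[str, str],
                  rule: Dict[str, str]) -> bool:
    """Forms Client-Initiated: detect the logon page by matching the configured
    URI, header ("Name: value") or cookie name. Every configured criterion must
    match; an empty rule never matches (rule keys are assumptions)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    checks = []
    if "uri" in rule:
        checks.append(path == rule["uri"])
    if "header" in rule:
        name, _, value = rule["header"].partition(":")
        checks.append(lowered.get(name.strip().lower()) == value.strip())
    if "cookie" in rule:
        checks.append(rule["cookie"] in cookies)
    return bool(checks) and all(checks)


def client_initiated_script(form_id: str) -> str:
    """The snippet inserted into the logon page so the browser submits the form
    automatically; the proxy then completes the POST with the cached identity.
    json.dumps yields a safe JavaScript string literal for the element id."""
    element = json.dumps(form_id)
    return ("<script>document.addEventListener('DOMContentLoaded',"
            f"function(){{document.getElementById({element}).submit();}});</script>")


if __name__ == "__main__":
    alice = CachedIdentity("alice", password="s3cret", bearer_token="tok123")
    print(form_based_sso(alice, "/login.do", "username", "password", {"domain": "corp"}))
    print(http_basic_sso(alice, "/app/"))
    print(oauth_bearer_sso(alice, "/api/"))
    print(is_logon_page("/login.do", {"Content-Type": "text/html"}, {}, {"uri": "/login.do"}))
    print(client_initiated_script("logon"))
```

Two things the example makes visible: form-based and HTTP Basic SSO replay the user's real password to the back end, so the session database holds a secret and the Access-to-server leg should be TLS-protected; and each method only works if the policy actually captured what it needs (a password for forms and Basic, a token for bearer), which is why the helpers refuse rather than send an empty credential.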