How to: Configure OAuth Federation policies using BIG-IP Next Central Manager
The following example creates a new OAuth Federation policy using the BIG-IP Next Central Manager user interface.
Log in to BIG-IP Next Central Manager and navigate to Security > Access > Policies.
To create a policy, click the Start Creating button. By default, there are no policies created. The Create Policy page opens, and the Visual Policy Designer (VPD) canvas appears.
Select the required policy type radio button. Available policy options are the Per-Session Policy and Per-Request Policy.
In the How would you like to create it? section, select whether to create the policy from a template or from scratch. Available options are Create using a policy template and Start from scratch. Create using a policy template is the quicker route to a working policy and is recommended.
In the Policy Templates section, select the required policy template. Available options are Logon Page with Active Directory Query and SAML as a Service Provider. When the Logon Page with Active Directory Query is selected, this policy template includes a Logon Page and Active Directory rules for Authentication and Authorization purposes. When the SAML as a Service Provider is selected, this policy template includes SAML Federation and Variable Assign rules to configure for a SAML Service Provider setup.
Click Next. Based on the selection of the policy type, the applicable policy configurations are displayed.
On the General Properties tab, enter a Policy Name for the policy.
Scroll through the remaining properties and revise any value that you want to change from its default setting.
Click Continue. The Session Properties tab of the respective policy page appears.
On the Session Properties tab, scroll through the properties and revise any value that you want to change from its default setting.
Click Continue. The Logging tab of the respective policy page appears.
On the Logging tab, scroll through the properties and revise any value that you want to change from its default setting.
Click Continue. The Single Sign-On tab of the respective policy page appears.
Single Sign-On (SSO) provides seamless access to the applications protected through BIG-IP Next Access. It lets administrators use a modern authentication method, such as SAML or OAuth, at the front end and translate the resulting identity into something the back-end application supports, such as Kerberos or forms-based login.
On the Single Sign-On tab, click Start Creating to select the required authentication type. Available options are Forms, Forms Client-Initiated, HTTP Basic, Kerberos, and OAuth Bearer. When one of the authentication types is selected, its respective configuration page appears. Fill in the required values in the given fields and save the configuration.
Refer to Single Sign-On methods for more information.
Click Continue. The Endpoint Security tab of the respective policy page appears.
On the Endpoint Security tab, review the settings and revise any value that you want to change from its default setting.
Click Continue. The Resources tab of the respective policy page appears.
The Resources extend BIG-IP Next Access with additional capabilities such as Network Access, Access Control, Identity Providers, and Webtops.
On the Resources tab, click Start Creating to select the required resource. Available options are Access Control List, Network Access, Webtop, and Webtop Section.
Click Continue. The Connectivity tab of the respective policy page appears.
On the Connectivity tab, scroll through the properties and revise any value that you want to change from its default setting.
Click Continue. The Policy Endings tab of the respective policy page appears.
On the Policy Endings tab, scroll through the properties and revise any value that you want to change from its default setting.
Click Finish. The access policy is created.
The VPD canvas opens.
Note: Before adding the authentication rule, make sure that you have valid CA-signed SSL certificates in place. For detailed guidance on certificate management, refer to How to: Manage certificates and keys for a BIG-IP Next instance using BIG-IP Next Central Manager.
Drag an empty flow into the VPD canvas.
On the empty flow, click the icon. The flow expands so you can edit it.
On the VPD side bar, click the icon, and then drag the OAuth Federation rule onto the empty flow.
Hover the cursor over the OAuth Federation rule and then click the icon.
The Rule Properties tab of the Rule Configuration page opens.
For Mode, select whether you want to configure this rule as a Client or a Resource Server.
If you select Client, you create a configuration that allows BIG-IP Next Access to obtain opaque or JSON web tokens (JWTs) from an OAuth authorization server that supports them. It specifies endpoint URIs to retrieve the token and a list of associated scopes.
If you select Resource Server, you specify settings for an OAuth Authorization server and its mode of operation. You also set the client IDs, client secrets, and SSL certificates that BIG-IP Next Access requires to communicate with the OAuth provider. When the Resource Server is selected, additional options are displayed like Name, Token Validation Mode, and Vendor Presets.
For Name, specify the name for this rule. You can specify a name or use the name that auto-generates when you insert the rule into the policy.
For Grant Type, select Authorization Code from the list. The valid values are:
Authorization Code: the client redirects the resource owner to the OAuth server to request an authorization code.
Password: the client sends the resource owner's username and password directly to the OAuth server to request an access token. This grant (resource owner password credentials) is deprecated by the OAuth 2.0 Security Best Current Practice because it exposes user credentials to the client; prefer Authorization Code.
For Vendor Presets, select the required type of presets from the list that you want automatically filled in when you configure the OAuth provider. To specify your own presets, select the Custom option.
For Scope, optionally specify one or more scopes to request from the authorization server. Enter the value as a list of space-delimited, case-sensitive strings; the strings themselves are defined by the OAuth authorization server.
For OpenID Connect, select Enabled.
For Flow Type, select Authorization Code from the list. Available options are Authorization Code and Hybrid. Click Continue.
The Providers tab of the Rule Configuration screen opens.
Under OAuth Provider, click Start Creating.
The Provider Properties tab of the Provider Configuration page opens.
For Name, specify the name of this provider. You can specify one or use the auto-generated name.
For Redirect URI, use the default value. Click Reset to restore the default value. Whatever value you use must be registered for this client at the authorization server exactly as entered (scheme, host and path), because the server compares the redirect_uri in each authorization request against the registered value and rejects requests that do not match.
Select Support Introspection. Token introspection allows a protected resource to query the authorization server to determine the metadata associated with the token.
Under Provider URI Endpoints, use the toggle button to enable or disable the Auto Discover Endpoints.
When the Auto Discover Endpoints option is enabled, the options displayed are:
For OpenID URI, specify the URI for your authorization server provider, and then click Discover.
BIG-IP Next Central Manager validates the URI and displays a Discovery Successful notification. If discovery is unsuccessful, correct your entry and try again.
To accept tokens even when the certificate that signs them has expired, select Ignore Expired Certificate Validation. Leave this cleared outside of test environments.
To accept a self-signed TLS certificate on the provider's JWK configuration endpoint, select Allow Self-Signed JWK Config Certificate. This option is selected by default; clear it in production so that the keys used to validate tokens are fetched over an authenticated connection.
For Trusted Certificate Authorities, select the required certificate from the drop-down list. These certificates are used to authenticate client certificates presented during the session.
When the Auto Discover Endpoints option is disabled, the options displayed are:
Select Ignore Expired Certificate Validation only if you must accept tokens whose signing certificate has expired; leave it cleared in production.
For Authentication URI, add the provider's authorization endpoint, the URI to which the resource owner is redirected to log in and authorize the client. The default value is https://f5-oauth.local/f5-oauth2/v1/authorize.
For Token URI, add the provider's token endpoint, which the client calls to exchange an authorization code for an access token or to redeem a refresh token. The default value is https://f5-oauth.local/f5-oauth2/v1/token.
For Token Validation Scope URI, add the endpoint that BIG-IP Next Access calls during policy evaluation to validate an access token and confirm that it carries the scopes required for the requested resource (the provider's introspection endpoint). The default value is https://f5-oauth.local/f5-oauth2/v1/introspect.
For Userinfo Request URI, add the provider's userinfo endpoint, from which user profile claims are retrieved by presenting the access token. The default value is https://f5-oauth.local/f5-oauth2/v1/userinfo.
Click Continue.
The JWT Configuration tab of the Provider Configuration page opens.
Under JSON Web Token Configuration, configure the following options:
For Issuer, specify the issuer name in the Issuer text box. The issuer is the entity that created and signed the JWT; the value you enter must match the iss claim in tokens from this provider, and tokens with a different issuer are not trusted.
For Access Token Expiration (minutes), specify the number of minutes the JSON Web Token should remain active. If the value is set to 0, the access token never expires.
Under JSON Web Encryption, use the toggle button to enable or disable the JSON Web Encryption (JWE) settings.
For Key Encryption Algorithm, select the required algorithm from the list. This option specifies the key encryption algorithm used in the JWE token generation. The default value is the RSA-OAEP algorithm, which indicates RSA encryption using Optimal Asymmetric Encryption Padding (OAEP).
For Content Encryption Algorithm, select the required algorithm from the list. This option specifies the data encryption algorithm used in the JWE token generation. The default value is the A128GCM algorithm.
For ID Token, select from the list the certificate and key that BIG-IP Next Access uses for encrypted ID tokens. The ID token is a security token that carries claims about the authenticated user and is issued by the authorization server after a successful authentication.
To use a different key for access tokens, select the Use a different key to encrypt Access Tokens checkbox. Additional options are displayed. For Access Token, select the certificate and key for access tokens from the list.
To restrict which tokens this rule accepts, for Audience, click Create and add the URI shown in the Redirect URI field on the previous screen; the configured values are checked against the token's aud claim. To add more values, click Create again.
For Signing Algorithm, click Create and select the required algorithm from the list. The Create option is available only when Auto Discover Endpoints is disabled under Provider URI Endpoints on the Provider Properties page. Available options are NONE, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384.
To allow or block an algorithm you added, select the corresponding checkbox under Status. Available options are Allowed and Blocked. Keep NONE blocked, because a token with alg none carries no signature at all, and allow only the family that matches the keys you configure: RS* or ES* for RSA or Elliptic Curve keys, HS* only for an Octet shared secret.
To delete an algorithm, select the required algorithm and click Delete.
For JSON Web Keys, click Add. An Add JSON Web Key page opens. This option is accessible only when the Auto Discover Endpoints option is disabled for the Provider URI Endpoints in the Provider Properties page.
For ID, enter the valid ID.
For Type, select the required algorithm type. Available options are RSA, Octet, or Elliptic Curve.
RSA - Uses RSA algorithms
Elliptic Curve - Uses ECDSA algorithms
Octet - Uses HMAC algorithms
For Signing Algorithm, select the required algorithm from the list such as 256, 384, or 512 based on the Type selected. This option specifies values of RSA, ECDSA (Elliptic Curve), or HMAC (Octet) algorithm types.
For RSA and Elliptic Curve, the JWK settings can be configured either in the Certificates or Parameters area. However, the Octet type can only be configured in the Parameters area.
To support the applicable key type, click the From Certificate radio button to configure the settings in the Certificates area.
For Certificate, select the required certificate from the list such as ca-bundle.
To configure the settings in the Parameters area based on the key Type selected, click the Manually radio button. The Parameters options are displayed.
For the RSA type, in the absence of a certificate, go to the Parameters area and complete these substeps:
For Modulus, type the modulus (n) of the RSA public key, base64url encoded.
For Public Exponent, type the public exponent (e) of the RSA public key, base64url encoded (for the common exponent 65537 this is AQAB).
Provide values for the SHA-1 Thumbprint and SHA-256 Thumbprint fields: the base64url-encoded SHA-1 and SHA-256 digests of the DER encoding of the X.509 certificate.
Click Save. The newly created JWK displays on the list.
For the Elliptic Curve type, in the absence of a certificate, go to the Parameters area and complete these substeps:
For X Coordinate, type the x coordinate of the public point, base64url encoded and padded to the full coordinate length of the curve.
For Y Coordinate, type the y coordinate of the public point, encoded the same way.
For Curve, specify the elliptic curve. For example, type P-256.
Provide values for the SHA-1 Thumbprint and SHA-256 Thumbprint fields: the base64url-encoded SHA-1 and SHA-256 digests of the DER encoding of the X.509 certificate.
Click Save. The newly created JWK displays on the list.
For the Octet type, go to the Parameters area and complete these substeps:
For Use Client Secret, select the checkbox if the client secret configured for the authorization server should also serve as the shared secret (HMAC key) for this Octet key. When it is selected, Encoding Format and Shared Secret are not needed. When it is cleared, the Shared Secret you enter is used.
For Encoding Format, select the required format from the drop-down list. Available options are None and Base64url.
In Shared Secret, type the secret. To give the algorithm its full strength, use a secret at least as long as the hash output of the signing algorithm (the minimum RFC 7518 requires): for HS256, 32 bytes; for HS384, 48 bytes; for HS512, 64 bytes. With Encoding Format set to Base64url the length that counts is the decoded length.
Click Save. The newly created JWK displays on the list.
To delete the existing JSON Web Keys, select the required algorithm and click Delete.
Click Finish. The Rule Configuration page opens.
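The Add JSON Web Key fields above take raw JOSE encodings that are easy to get wrong by hand. The following is an added example, written for this page in Python (standard library only) and not F5 code: it produces the base64url Modulus and Public Exponent values per RFC 7518, zero-padded EC coordinates for the X/Y Coordinate fields, an RFC 7638 thumbprint as one reasonable choice for the ID (kid) field, the SHA-1 and SHA-256 certificate thumbprints, and the Shared Secret length rule for Octet keys. The sample RSA key is the public test key from RFC 7638 section 3.1, not a key from this page, and the DER bytes passed to the thumbprint function are a constructed stand-in for a real certificate.

```python
"""Helpers for the Add JSON Web Key page: Modulus / Public Exponent / X and Y
Coordinate encodings, a kid for the ID field, certificate thumbprints and the
Shared Secret length rule. Added example (Python stdlib only), not F5 code.
Sample input: the public RFC 7638 section 3.1 RSA key, not a key from this page."""
import base64
import hashlib
import json

EC_COORD_BYTES = {"P-256": 32, "P-384": 48, "P-521": 66}
HS_MIN_KEY_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}  # RFC 7518 3.2: key >= hash output


def b64url(raw: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def uint_to_b64url(n: int) -> str:
    """RFC 7518 Base64urlUInt: big-endian, minimal length, no leading zero octets."""
    if n < 0:
        raise ValueError("unsigned integer expected")
    return b64url(n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big"))


def b64url_to_uint(text: str) -> int:
    return int.from_bytes(b64url_decode(text), "big")


def rsa_jwk(n: int, e: int) -> dict:
    """Values for the Modulus (n) and Public Exponent (e) fields."""
    return {"kty": "RSA", "n": uint_to_b64url(n), "e": uint_to_b64url(e)}


def ec_jwk(x: int, y: int, crv: str) -> dict:
    """Values for the X/Y Coordinate fields. Unlike RSA integers, EC coordinates
    are zero-padded to the fixed width of the curve (RFC 7518 6.2.1.2)."""
    width = EC_COORD_BYTES[crv]
    return {"kty": "EC", "crv": crv,
            "x": b64url(x.to_bytes(width, "big")), "y": b64url(y.to_bytes(width, "big"))}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members in lexicographic order,
    no whitespace. A common choice for the kid (the ID field); whatever you choose
    must equal the kid the provider puts in its JWT headers."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"), "oct": ("k", "kty")}
    canonical = json.dumps({m: jwk[m] for m in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour; the thumbprints are computed over the DER bytes."""
    lines = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def cert_thumbprints(der: bytes) -> dict:
    """SHA-1 Thumbprint and SHA-256 Thumbprint fields (JOSE x5t and x5t#S256)."""
    return {"sha1": b64url(hashlib.sha1(der).digest()),
            "sha256": b64url(hashlib.sha256(der).digest())}


def octet_secret_ok(alg: str, shared_secret: str, encoding: str = "None") -> bool:
    """Shared Secret rule for Octet keys: after optional base64url decoding the key
    must be at least the hash output length (32/48/64 bytes for HS256/384/512)."""
    key = b64url_decode(shared_secret) if encoding == "Base64url" else shared_secret.encode("utf-8")
    return len(key) >= HS_MIN_KEY_BYTES[alg]


# Sample input: the RFC 7638 section 3.1 RSA public key (published test data).
RFC7638_N = ("0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJE"
             "CPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2Q"
             "vzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6"
             "WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw")
RFC7638_KEY = rsa_jwk(b64url_to_uint(RFC7638_N), 65537)

if __name__ == "__main__":
    print("ID (kid):", jwk_thumbprint(RFC7638_KEY))
    print("Public Exponent:", RFC7638_KEY["e"], "Modulus:", RFC7638_KEY["n"][:16] + "...")
    print("Thumbprints of constructed DER:", cert_thumbprints(b"constructed-der-bytes"))
    print("HS256 with 32-byte secret ok:", octet_secret_ok("HS256", "k" * 32))
```

To fill the form for a real key, decode the modulus and exponent from your certificate (for example with the cryptography package or openssl), pass the integers to rsa_jwk, and pass the DER bytes from pem_to_der to cert_thumbprints. The ec_jwk padding matters: a P-256 coordinate with a leading zero byte must still be encoded as 32 bytes, which the minimal-length RSA rule would strip.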
Under Authorization Server, click Start Creating.
The Server Properties tab of the Server Configuration page opens.
For Name, specify the name for this server. You can specify one, or use the auto-generated name.
For Token Validation Interval (in minutes), specify the number of minutes that the token can remain valid. The token becomes invalid when this interval elapses, or at the token expiry that the authentication server specifies, whichever is shorter. When the token expires, the subsession times out. This setting applies only to a per-request policy. The default value is 60.
Note: Keep the Authorization Code Lifetime setting on the authorization server short. Authorization codes are single-use and RFC 6749 recommends a maximum lifetime of 10 minutes; a short lifetime narrows the window in which an intercepted code can be redeemed.
For Override Vendor Presets, use the toggle button to enable or disable the override vendor presets option. By default, this option is disabled. When enabled, the Request Configuration settings are displayed.
Under Request Configuration, click the Authorization Requests tab.
For HTTP Method, select the required protocol method from the drop-down list. The default value is GET.
For Parameters, click Create and add values in the Type, Name, and Value fields. By default, the client-id, response-type, redirect-uri, and scope parameters are configured. To delete the existing parameter(s), select the required parameter(s) and click Delete.
For Headers, add the Name and Value of the header. To delete the existing Header(s), select the required Header(s) and click Delete.
Click Continue.
Click the Access Token Requests tab.
For HTTP Method, select the required protocol method from the drop-down list. The default value is POST. Available options are GET and POST.
For Parameters, click Create and add values in the Type, Name, and Value fields. By default, the client-id, client-secret, grant-type, and redirect-uri parameters are configured. To delete the existing parameter(s), select the required parameter(s) and click Delete.
For Headers, add the Name and Value of the header. To delete the existing Header(s), select the required Header(s) and click Delete.
Click Continue.
Click the Refresh Token Requests tab.
For HTTP Method, select the required protocol method from the drop-down list. The default value is POST. Available options are GET and POST.
For Parameters, click Create and add values in the Type, Name, and Value fields. By default, the client-id, client-secret, and custom parameters are configured. To delete the existing parameter(s), select the required parameter(s) and click Delete.
For Headers, add the Name and Value of the header. To delete the existing Header(s), select the required Header(s) and click Delete.
Click Finish.
Click Continue.
The Client Settings tab of the Server Configuration page opens.
On the Client Settings tab, for Client ID, specify the application ID for the client.
Note: You can get the Client ID and Client Secret from your authorization server settings.
For Client Secret, specify the application secret for the client.
For Cipher String, specify the cipher string for server-side SSL communications. The default value is DEFAULT.
Under TLS Options, select the TLS versions to support. By default, Support TLS 1.2 and Support TLS 1.3 are selected. Available options are Support TLS 1.1, Support TLS 1.2, and Support TLS 1.3. Leave Support TLS 1.1 cleared; TLS 1.1 is deprecated (RFC 8996).
Click Continue.
The Branches tab of the Rule Configurations page opens.
Under Branches, click Create.
The Branches page opens.
Under Expression, select a Context, a Condition and a Result for this branch.
Add any (optional) branches needed for the policy, and then click Finish.
The VPD canvas displays the revised policy.
Review the policy in the VPD canvas; then click Save to finish creating the policy.
The BIG-IP Next Central Manager adds the policy to the Access Policies list.
The following example creates a new OAuth Federation Access policy using the BIG-IP Next Central Manager application programming interface (API).
Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.
Create the policy by sending a POST to the /api/v1/spaces/default/security/access-policies endpoint:
POST https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies
For the API body, use the following, substituting values appropriate for the policy you want to create.
{ "description": "", "name": "OAuth_JWE", "policy_type": "PerSession", "properties": [ { "configuration": { "policyType": "PerSession", "name": "OAuth_JWE", "externalServers": [ { "dnsResolverName": "global_f5_internal_net_resolver", "clientTls": { "cipherstring": "DEFAULT", "tlsVersions": { "enableTLS1.1": false, "enableTLS1.2": true, "enableTLS1.3": true } }, "name": "OAuth-Server-2b1b98b2", "mode": "client", "serverType": "Oauth", "overrideVendorPresets": false, "providerName": "OAuth-Provider-c2a813cd", "tokenValidationInterval": 60, "clientId": "<id>", "clientSecret": "<secret>" }, { "authenticationUri": "https://f5-oauth.local/f5-oauth2/v1/authorize", "enableAutoDiscovery": false, "name": "OAuth-Provider-c2a813cd", "providerType": "f5", "serverType": "OauthProvider", "tokenUri": "https://f5-oauth.local/f5-oauth2/v1/token", "tokenValidationScopeUri": "https://f5-oauth.local/f5-oauth2/v1/introspect", "userinfoRequestUri": "https://f5-oauth.local/f5-oauth2/v1/userinfo", "introspect": "supported", "ignoreExpiredCert": false, "allowSelfSignedJwkCert": true, "jwtConfig": { "issuer": "issuer", "accessTokenExpiresIn": 0, "audience": [ "aud1" ], "allowedSigningAlgorithms": [ "RS512", "RS256", "RS384" ], "blockedSigningAlgorithms": [], "allowedKeys": [ { "keyType": "rsa", "algType": "RS256", "keyId": "jws_key1", "modulus": "<The modulus value for an RSA public key in base64url-encoded format.>", "publicExponent": "<The encryption exponent value for an RSA public key in base64url-encoded format.>", "certThumbprintSha256": "<The base64url-encoded SHA-256 thumbprint of the DER encoding of the X.509 certificate.>" } ], "blockedKeys": [] }, "useEncryptedConnection": true, "useDifferentKeyForEnc": false, "openIdUri": "https://f5-oauth.local/f5-oauth2/v1/.well-known/openid-configuration", "jweKey": { "contentEncryptionAlgorithm": "a128gcm", "keyEncryptionAlgorithm": "rsa-oaep", "keyId": "3de9caec13be4543", "jwtType": "jwe", "cert": "jweKey.crt", "certKey": "jweKey.pem" } } ], 
"policy": { "objectContent": { "macros": [ { "name": "Emptyd0b10844", "start": { "name": "OAuth-Federation-5533a7c3", "nextItems": [ { "itemType": "terminal-out", "name": "Allow", "caption": "Branch-63239d01", "expression": "expr {[mcget {session.oauth.client.last.authresult}] == 1}" }, { "caption": "Fallback", "itemType": "terminal-out", "name": "Deny" } ], "itemType": "oauth-client", "ruleType": "oauth-client", "ruleId": "OAuth-Federation-e66f7ee5", "isValid": true, "oauthServer": "OAuth-Server-2b1b98b2", "caption": "Fallback", "grantType": "authorization-code", "openidConnect": true, "openidFlowType": "code", "requestAuthRedirect": { "headers": [], "method": "get", "parameters": [ { "name": "client_id", "type": "client-id", "value": "" }, { "name": "response_type", "type": "response-type", "value": "" }, { "name": "redirect_uri", "type": "redirect-uri", "value": "" }, { "name": "scope", "type": "scope", "value": "" }, { "name": "token_content_type", "type": "custom", "value": "jwt" } ] }, "requestToken": { "headers": [], "method": "post", "parameters": [ { "name": "client_id", "type": "client-id", "value": "" }, { "name": "client_secret", "type": "client-secret", "value": "" }, { "name": "grant_type", "type": "grant-type", "value": "" }, { "name": "redirect_uri", "type": "redirect-uri", "value": "" }, { "name": "token_content_type", "type": "custom", "value": "jwt" } ] }, "requestRefreshToken": { "headers": [], "method": "post", "parameters": [ { "name": "client_id", "type": "client-id", "value": "" }, { "name": "client_secret", "type": "client-secret", "value": "" }, { "name": "grant_type", "type": "custom", "value": "refresh_token" } ] }, "scope": "profile email ", "redirectionUri": "https://%{session.server.network.name}/oauth/client/redirect" }, "endings": [ { "color": "#D9647A", "default": true, "name": "Deny" }, { "name": "Allow", "color": "#199D4D" } ] } ], "start": { "caption": "Fallback", "isValid": true, "itemType": "macro-call", "macro": 
"Emptyd0b10844", "name": "Empty-4354d689", "nextItems": [ { "caption": "Deny", "itemType": "deny", "name": "Deny" }, { "itemType": "allow", "name": "Allow", "caption": "Allow" } ] }, "endings": [ { "action": "deny", "color": "#D9647A", "default": true, "name": "Deny" }, { "action": "allow", "color": "#199D4D", "default": false, "name": "Allow" } ], "languages": [ "en" ], "defaultLanguage": "en" } }, "scope": "profile", "profileType": "all", "userIdentityMethod": "http", "timeout": 300, "inactivityTimeout": 900, "maxSessionTimeout": 604800, "maxConcurrentUsers": 0, "maxConcurrentSessions": 0, "maxInProgressSessions": 128, "minFailureDelay": 2, "maxFailureDelay": 5, "domainCookie": "", "secureCookie": false, "persistentCookie": false, "httpOnlyCookie": false, "restrictToSingleClientIP": false, "useHttp503OnError": false, "logoutUriInclude": "", "logoutUriTimeout": 5, "samesiteCookie": false, "samesiteCookieAttrValue": "strict" }, "connectivityProfileConfiguration": { "clientPolicy": { "androidEcRequireDeviceAuth": false, "androidEcSavePasswordMethod": "disk", "androidEcSavePasswordTimeout": 240, "chromeosEcLogonMethod": "native", "chromeosEcSavePasswordMethod": "disk", "chromeosEcSavePasswordTimeout": 240, "ecComponentUpdate": "yes", "ecLocationDnsList": [], "ecReuseWinlogonCreds": false, "ecReuseWinlogonSession": false, "ecRunLogoffScript": false, "ecSavePasswordMethod": "none", "ecSavePasswordTimeout": 240, "ecSaveServersOnExit": true, "ecWarnBeforeScriptLaunch": true, "iosEcRequireDeviceAuth": false, "iosEcSavePasswordMethod": "disk", "iosEcSavePasswordTimeout": 240, "macosEcLogonMethod": "native", "macosEcSavePasswordMethod": "disk", "macosEcSavePasswordTimeout": 240, "serverList": [] }, "compressBufferSize": 4096, "compressCpusaver": true, "compressCpusaverHigh": 90, "compressCpusaverLow": 75, "compressGzipLevel": 6, "compressGzipMemlevel": 8192, "compressGzipWindowsize": 16384, "compressionAdaptive": true, "compressionCodecs": [], "compressionDeflateLevel": 1, 
"pppTunnel": { "profilePpp": {} } }, "loggingConfiguration": [ { "component": "apmd", "level": "NOTICE" }, { "component": "tmm", "level": "NOTICE" }, { "component": "websso", "level": "NOTICE" }, { "component": "renderer", "level": "NOTICE" } ] } ] }
BIG-IP Next Central Manager creates the policy specified by the parameter values used in the body of your POST.
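The body above carries several settings that decide how much the policy actually checks (signing algorithms, self-signed JWKS certificates, token expiry, TLS versions, cookie flags) and, as shown, still contains <id> and <secret> placeholders. The following is an added example, written for this page in Python and not F5 code, that audits such a body before it is POSTed. The field names follow the body on this page; SAMPLE_BODY is a constructed, cut-down copy of that body that keeps the same security-relevant values, the finding texts are this script's own, and the hardened() function shows the corrected settings beside the weak ones.

```python
"""Audit a BIG-IP Next Central Manager access-policy body (the JSON POSTed to
/api/v1/spaces/default/security/access-policies) for weak OAuth Federation
settings. Added example, not F5 code; field names follow the body on this page."""
import copy

URI_FIELDS = ("authenticationUri", "tokenUri", "tokenValidationScopeUri",
              "userinfoRequestUri", "openIdUri")


def audit_policy(body: dict) -> list:
    """Return a list of findings; an empty list means nothing weak was found."""
    findings = []
    for prop in body.get("properties", []):
        cfg = prop["configuration"]
        for srv in cfg.get("externalServers", []):
            name = srv.get("name", "?")
            if srv.get("serverType") == "Oauth":  # the client side of the rule
                for field in ("clientId", "clientSecret"):
                    value = srv.get(field, "")
                    if not value or (value.startswith("<") and value.endswith(">")):
                        findings.append(f"{name}: {field} is empty or an unsubstituted placeholder")
                if srv.get("clientTls", {}).get("tlsVersions", {}).get("enableTLS1.1"):
                    findings.append(f"{name}: TLS 1.1 enabled (deprecated by RFC 8996)")
            elif srv.get("serverType") == "OauthProvider":  # the authorization server
                for field in URI_FIELDS:
                    if field in srv and not srv[field].startswith("https://"):
                        findings.append(f"{name}: {field} is not https")
                if srv.get("allowSelfSignedJwkCert"):
                    findings.append(f"{name}: allowSelfSignedJwkCert is true (JWKS fetched without trust)")
                if srv.get("ignoreExpiredCert"):
                    findings.append(f"{name}: ignoreExpiredCert is true")
                jwt = srv.get("jwtConfig", {})
                if any(a.lower() == "none" for a in jwt.get("allowedSigningAlgorithms", [])):
                    findings.append(f"{name}: unsigned tokens (alg none) allowed")
                if not jwt.get("issuer") or not jwt.get("audience"):
                    findings.append(f"{name}: issuer or audience not pinned")
                if jwt.get("accessTokenExpiresIn", 0) == 0:
                    findings.append(f"{name}: accessTokenExpiresIn is 0 (tokens never expire)")
                if not srv.get("enableAutoDiscovery") and not jwt.get("allowedKeys"):
                    findings.append(f"{name}: no JWKS discovery and no static keys")
        macros = cfg.get("policy", {}).get("objectContent", {}).get("macros", [])
        for rule in (m.get("start", {}) for m in macros):
            if rule.get("ruleType") != "oauth-client":
                continue
            if rule.get("grantType") == "password":
                findings.append(f"{rule['name']}: password grant (ROPC) is deprecated")
            if not rule.get("redirectionUri", "").startswith("https://"):
                findings.append(f"{rule['name']}: redirectionUri is not https")
        for flag in ("secureCookie", "httpOnlyCookie"):  # session cookie attributes
            if cfg.get(flag) is False:
                findings.append(f"session: {flag} is false")
    return findings


SAMPLE_BODY = {  # constructed: trimmed from the page's POST body, same values
    "name": "OAuth_JWE", "policy_type": "PerSession",
    "properties": [{"configuration": {
        "policyType": "PerSession", "name": "OAuth_JWE",
        "externalServers": [
            {"name": "OAuth-Server-2b1b98b2", "serverType": "Oauth", "mode": "client",
             "providerName": "OAuth-Provider-c2a813cd", "tokenValidationInterval": 60,
             "clientId": "<id>", "clientSecret": "<secret>",
             "clientTls": {"cipherstring": "DEFAULT", "tlsVersions": {
                 "enableTLS1.1": False, "enableTLS1.2": True, "enableTLS1.3": True}}},
            {"name": "OAuth-Provider-c2a813cd", "serverType": "OauthProvider",
             "providerType": "f5", "enableAutoDiscovery": False,
             "authenticationUri": "https://f5-oauth.local/f5-oauth2/v1/authorize",
             "tokenUri": "https://f5-oauth.local/f5-oauth2/v1/token",
             "tokenValidationScopeUri": "https://f5-oauth.local/f5-oauth2/v1/introspect",
             "userinfoRequestUri": "https://f5-oauth.local/f5-oauth2/v1/userinfo",
             "ignoreExpiredCert": False, "allowSelfSignedJwkCert": True,
             "jwtConfig": {"issuer": "issuer", "accessTokenExpiresIn": 0, "audience": ["aud1"],
                           "allowedSigningAlgorithms": ["RS512", "RS256", "RS384"],
                           "allowedKeys": [{"keyType": "rsa", "algType": "RS256",
                                            "keyId": "jws_key1"}]}}],
        "policy": {"objectContent": {"macros": [{"name": "Emptyd0b10844", "start": {
            "name": "OAuth-Federation-5533a7c3", "ruleType": "oauth-client",
            "grantType": "authorization-code", "openidConnect": True,
            "redirectionUri": "https://%{session.server.network.name}/oauth/client/redirect"}}]}},
        "secureCookie": False, "httpOnlyCookie": False, "persistentCookie": False}}]}


def hardened(body: dict) -> dict:
    """The same body with each finding fixed (values here are constructed)."""
    fixed = copy.deepcopy(body)
    cfg = fixed["properties"][0]["configuration"]
    cfg.update(secureCookie=True, httpOnlyCookie=True)
    client, provider = cfg["externalServers"]
    client.update(clientId="bigip-next-client", clientSecret="example-secret-from-vault")
    provider["allowSelfSignedJwkCert"] = False
    provider["jwtConfig"]["accessTokenExpiresIn"] = 60
    return fixed


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_BODY):
        print("WEAK:", finding)
    print("after hardening:", audit_policy(hardened(SAMPLE_BODY)))
```

Run audit_policy over the JSON you intend to send and only POST it when the list comes back empty; the checks are deliberately conservative (for instance, accessTokenExpiresIn of 0 is flagged because the page documents it as never expiring), so treat each finding as something to justify rather than a hard failure.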
Important: To fully configure this policy, attach it to an application. After attaching it, also configure the DNS Resolver and the External or AAA servers that the OAuth Federation rule references (the DNS resolver named in the external server definition is used to reach the authorization server). For additional details about managing an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.