How To: Create and manage policies using BIG-IP Central Manager

Create a policy

Using BIG-IP Next Central Manager GUI

  1. Use the edit policy function to:

    • Rename the policy.

    • Adjust default settings.

    • Adjust policy endings.

    • Add policy-wide resources.

  2. Drag the flows you need for your policy into the VPD workspace.

  3. Drag rules into the appropriate flows.

  4. Expand and edit the flows and rules for your use.

Follow the procedure to create a new SAML service provider (SP) access policy using the BIG-IP Next Central Manager user interface.

  1. Log in to BIG-IP Next Central Manager. Navigate to the Go to Security Workspace > Security > Access > Policies path.

  2. To create a policy, click the Start Creating button. By default, there is no policy created. The Create Policy page opens, and the Visual Policy Designer (VPD) workspace appears.

  3. Select the required policy type radio button. Available policy options are the Per-Session Policy and Per-Request Policy.

  4. In the How would you like to create it? section, select whether to build the policy from a template or from scratch. Available options are Create using a policy template and Start from scratch. Selecting Create using a policy template is recommended because it gives you a working policy quickly.

  5. In the Policy Templates section, select the required policy template. Available options are Logon Page with Active Directory Query and SAML as a Service Provider.

  6. The Logon Page with Active Directory Query template includes a Logon Page and Active Directory rules for authentication and authorization. The SAML as a Service Provider template includes SAML Federation and Variable Assign rules for configuring a SAML service provider.

  7. Click Next. Based on the selection of the policy type, the applicable policy configurations are displayed.

  8. On the General Properties tab, enter a Policy Name for the policy.

  9. Scroll through the remaining properties and revise any value that you want to change from its default setting.

  10. Click Continue. The Session Properties tab of the respective policy page appears.

  11. On the Session Properties tab, scroll through the properties and revise any value that you want to change from its default setting.

  12. Click Continue. The Logging tab of the respective policy page appears.

  13. On the Logging tab, scroll through the properties and revise any value that you want to change from its default setting.

  14. Click Continue. The Single Sign-On tab of the respective policy page appears.

  15. Single Sign-On (SSO) provides seamless access to the applications protected by BIG-IP Next Access. It lets administrators authenticate users with modern methods, such as SAML or OAuth, and translate the result into something the back-end application supports, such as Kerberos or forms-based login.

  16. On the Single Sign-On tab, click Start Creating to select the required authentication type. Available options are Forms, Forms Client-Initiated, HTTP Basic, Kerberos, and OAuth Bearer. When one of the authentication types is selected, its configuration page appears. Fill in the required values in the given fields and save the configuration.

    • For details about specifying an HTTP Basic method, see HTTP Basic SSO.

    • For details about specifying a Kerberos method, see Kerberos SSO.

  17. Click Continue. The Endpoint Security tab of the respective policy page appears.

  18. On the Endpoint Security tab, choose the applicable version from its default setting.

  19. Click Continue. The Resources tab of the respective policy page appears.

  20. Resources extend BIG-IP Next Access with additional capabilities such as Network Access, Access Control, Identity Providers, and Webtops.

  21. On the Resources tab, click Start Creating to select the required resource. Available options are Access Control List, Network Access, Webtop, and Webtop Section.

  22. Click Continue. The Connectivity tab of the respective policy page appears.

  23. On the Connectivity tab, scroll through the properties and revise any value that you want to change from its default setting.

  24. Click Continue. The Policy Endings tab of the respective policy page appears.

  25. On the Policy Endings tab, scroll through the properties and revise any value that you want to change from its default setting.

  26. Click Finish. The access policy is created and the Visual Policy Designer (VPD) workspace appears.

  27. On the VPD page, drag and drop the required flows and rules into the policy, or build the policy from scratch.

  28. Click Finish. An access policy is created.

Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Using BIG-IP Next Central Manager API

The following example creates a new SAML service provider (SP) Access policy using the BIG-IP Next Central Manager application programming interface (API).

  1. Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  2. Create the policy by sending a POST to the /api/v1/spaces/default/security/access-policies endpoint.

    POST https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies
    

    For the API body, use the following, substituting values appropriate for the policy you want to create.

    {
        "type": "PerSession",
        "policy_type": "PerSession",
        "name": "SamlPerRequestPolicy",
        "properties": [
            {
                "configuration": {
                    "timeout": 0,
                    "inactivityTimeout": 0,
                    "maxSessionTimeout": 0,
                    "policyType": "PerSession",
                    "profileType": "ltm-access",
                    "scope": "profile",
                    "policy": {
                        "objectContent": {
                            "name": "SAML_SP_configuration",
                            "languages": [
                                "en",
                                "de"
                            ],
                            "defaultLanguage": "en",
                            "caption": "Sample_SAML_SP_Access_Policy",
                            "start": {
                                "itemType": "saml",
                                "name": "SAML_Auth",
                                "nextItems": [
                                    {
                                        "itemType": "allow",
                                        "name": "Allow",
                                        "expression": "expr {[mcget {session.saml.last.result}] == 1}"
                                    },
                                    {
                                        "itemType": "deny",
                                        "name": "Deny"
                                    }
                                ],
                                "service": {
                                    "name": "Sample_SAML_SP_Service",
                                    "entityId": "app.f5demo.com",
                                    "spURI": "https://app.f5demo.com",
                                    "wantAssertionSigned": false,
                                    "idpConnectors": [
                                        {
                                            "name": "First_IDP_Connector",
                                            "matchingSource": "%{session.server.idpname}",
                                            "matchingValue": "idp1.partner.com"
                                        },
                                        {
                                            "name": "Second_IDP_Connector",
                                            "matchingSource": "%{session.server.idpname}",
                                            "matchingValue": "idp2.partner.com"
                                        }
                                    ],
                                    "attributeConsumingServices": [
                                        {
                                            "name": "First_SAML_ACS",
                                            "serviceName": "Academic Journals R US",
                                            "attributes": [
                                                {
                                                    "name": "Attribute_1",
                                                    "attributeName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
                                                    "attributeFriendlyName": "eduPersonEntitlement",
                                                    "attributeNameFormat": "uri"
                                                },
                                                {
                                                    "name": "Attribute_2",
                                                    "attributeName": "urn:oid:2.5.4.42",
                                                    "attributeFriendlyName": "givenName",
                                                    "attributeNameFormat": "uri"
                                                }
                                            ]
                                        }
                                    ],
                                    "authCtxClasses": [
                                        "Password",
                                        "Kerberos"
                                    ],
                                    "authCtxComparisonType": "better",
                                    "authCtxMethods": [
                                        "Password",
                                        "Kerberos"
                                    ]
                                }
                            }
                        }
                    }
                },
                "perRequestConfiguration": {
                    "policyType": "PerRequest",
                    "policy": {
                        "objectContent": {
                            "name": "hdp1",
                            "languages": ["en"],
                            "defaultLanguage": "en",
                            "start": {
                                "itemType": "http-header-modify",
                                "name": "HTTP_headers",
                                "caption": "HTTP headers",
                                "nextItems": [
                                    {"itemType": "allow"}
                                ],
                                "headerEntries": [
                                    {
                                        "headerOperation": "insert",
                                        "headerName": "X-Authenticated-User",
                                        "headerValue": "%{session.logon.last.username}"
                                    },
                                    {
                                        "headerOperation": "append",
                                        "headerName": "User-Agent",
                                        "headerValue": "Mozilla/5.0",
                                        "headerDelimiter": ";"
                                    },
                                    {
                                        "headerOperation": "replace",
                                        "headerName": "X-Forwarded-For",
                                        "headerValue": "%{session.user.clientip}"
                                    },
                                    {
                                        "headerOperation": "remove",
                                        "headerName": "Cache-Control"
                                    }
                                ],
                                "cookieEntries": [
                                    {
                                        "cookieOperation": "update",
                                        "cookieName": "PHPSESSID",
                                        "cookieValue": "1234"
                                    },
                                    {
                                        "cookieOperation": "delete",
                                        "cookieName": "mySession"
                                    }
                                ]
                            }
                        }
                    }
                }
            }
        ]
    }
    

    BIG-IP Next Central Manager creates the policy specified by the parameter values in the body of your POST.
    For the OpenAPI definition of the access policy rules, refer to the F5® BIG-IP® Next Central Manager API Specifications.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Modify a policy

Using BIG-IP Next Central Manager GUI

Use this task to make revisions to an existing Access policy using the BIG-IP Next Central Manager user interface.

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click Access.

  2. Next to the name of the policy that you want to edit, click the Edit icon.
    The policy opens in the Visual Policy Designer (VPD) so you can edit it.

  3. Edit the policy by revising values in any flows or rules that you want to change.

    • To edit a flow, click the Expand icon.
      The flow expands so you can edit it.

    • To edit a rule:

      1. Locate the flow in which the rule resides, and click the Expand icon.
         The flow expands so you can edit it.

      2. Hover the cursor over the rule you wish to edit and then click the Edit icon.
         The General Properties tab of the Rule Configuration page opens.

      3. Revise the values you want to change.

  4. Click Save.
    BIG-IP Next Central Manager revises the policy.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Using BIG-IP Next Central Manager API

Use this task to revise an existing Access policy using the BIG-IP Next Central Manager application programming interface (API).

  1. Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  2. Retrieve the policy ID by sending a GET to the Return Access policies endpoint.

    GET https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies
    

    You can find the policy ID in the response. It is just above the name of the policy.

  3. Modify the policy by sending a PUT to the Update Access policy endpoint. Use the policy ID from the last step.

    PUT https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies/<policy_id>
    

    Use the following structure for the API body, but only include the parameters that you want to revise.

    {
        "_links": {
            "self": {
                "href": "/api/v1/spaces/default/security/access-policies/2a7bfd6c-91f7-4e44-81a4-329cb35b9b54"
            }
        },
        "deployment_status": "DRAFT",
        "id": "2a7bfd6c-91f7-4e44-81a4-329cb35b9b54",
        "name": "Jpk_SAML_Policy_123",
        "policy_type": "PerSession",
        "properties": [
            {
                "configuration": {
                    "domainCookie": "string",
                    "domainMode": "multiple",
                    "httpOnlyCookie": false,
                    "inactivityTimeout": 100,
                    "logoutUriInclude": "/index.php /another/logout.cgi",
                    "logoutUriTimeout": 4294967295,
                    "maxConcurrentSessions": 100,
                    "maxConcurrentUsers": 100,
                    "maxFailureDelay": 100,
                    "maxInProgressSessions": 100,
                    "maxSessionTimeout": 100,
                    "minFailureDelay": 100,
                    "name": "Jpk_SAML_Policy_123",
                    "persistentCookie": false,
                    "policy": {
                        "content": "{\n    \"name\": \"Jpk_SAML_Policy_123\",\n    \"languages\": [\n        \"en\",\n        \"de\"\n    ],\n    \"defaultLanguage\": \"en\",\n    \"caption\": \"Sample_SAML_SP_Access_Policy\",\n    \"start\": {\n        \"caption\": \"Fallback\",\n        \"name\": \"SAML_Auth\",\n        \"itemType\": \"saml\",\n        \"nextItems\": [\n            {\n                \"caption\": \"Successful\",\n                \"itemType\": \"allow\",\n                \"name\": \"Allow\",\n                \"expression\": \"expr {[mcget {session.saml.last.result}] == 1}\"\n            },\n            {\n                \"caption\": \"Fallback\",\n                \"itemType\": \"deny\",\n                \"name\": \"Deny\"\n            }\n        ],\n        \"service\": {\n            \"name\": \"Sample_SAML_SP_Service\",\n            \"entityId\": \"app.f5demo.com\",\n            \"isAuthnRequestSigned\": false,\n            \"relayState\": \"rs1\",\n            \"acsBinding\": \"http-post\",\n            \"wantAssertionEncrypted\": true,\n            \"decryptionKey\":\"newCert\",\n            \"decryptionCertificate\":\"newCert\",\n            \"wantAssertionSigned\": false,\n            \"attributeConsumingServices\": [\n                {\n                    \"name\": \"First_SAML_ACS\",\n                    \"serviceName\": \"Academic Journals R US\",\n                    \"attributes\": [\n                        {\n                            \"name\": \"Attribute_1\",\n                            \"attributeName\": \"urn:oid:1.3.6.1.4.1.5923.1.1.1.7\",\n                            \"attributeFriendlyName\": \"eduPersonEntitlement\",\n                            \"attributeNameFormat\": \"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"\n                        },\n                        {\n                            \"name\": \"Attribute_2\",\n                            \"attributeName\": \"urn:oid:2.5.4.42\",\n                            \"attributeFriendlyName\": \"givenName\",\n                            \"attributeNameFormat\": \"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"\n                        }\n                    ]\n                }\n            ],\n            \"authCtxClasses\": [\n                \"Password\",\n                \"Kerberos\"\n            ],\n            \"authCtxComparisonType\": \"better\",\n            \"authCtxMethods\": [\n                \"Password\",\n                \"Kerberos\"\n            ],\n            \"providerName\": \"pn1\"\n        }\n    }\n}"
                    },
                    "policyType": "PerSession",
                    "profileType": "ltm-access",
                    "restrictToSingleClientIP": false,
                    "samesiteCookie": false,
                    "samesiteCookieAttrValue": "lax",
                    "scope": "global",
                    "secureCookie": true,
                    "timeout": 500,
                    "useHttp503OnError": false
                }
            }
        ]
    }
    

    BIG-IP Next Central Manager edits the policy parameter values that you included in the body of your PUT.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Delete a policy

Using BIG-IP Next Central Manager GUI

Use this task to remove an existing Access policy using the BIG-IP Next Central Manager user interface.

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click Access.

  2. Click the name of the policy that you want to delete.
    The General Properties tab of the Edit Policy screen opens.

  3. At the top of the screen, click Delete.
    BIG-IP Next Central Manager removes the policy.

Using BIG-IP Next Central Manager API

Use this task to remove an existing Access policy using the BIG-IP Next Central Manager application programming interface (API).

  1. Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  2. Retrieve the policy ID for the policy you want to delete by sending a GET to the Return Access policies endpoint.

    GET https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies
    

    You can find the policy ID in the response. It is just above the name of the policy.

  3. Delete the policy by sending a DELETE to the Delete Access policy endpoint. Use the policy ID from the last step.

    DELETE https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies/<policy_id>
    

    No body is required for a delete call.
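The three API procedures above (create with POST, locate the ID with GET then revise with PUT, and remove with DELETE) fit together as one script. The following is an added example, not F5's own code or part of this how-to. It uses only the Python standard library, keeps TLS certificate verification on, and builds the request bodies from the keys shown in the page's own POST and PUT samples. Assumptions, labelled in the code as well: the bearer token is obtained separately as described in How to: Authenticate with the BIG-IP Next Central Manager API and passed in; the token is sent as an Authorization: Bearer header; and the GET list response contains, somewhere in its JSON, one object per policy with "id" and "name" keys (the page only says the ID sits just above the name). The update body deliberately tightens the session-cookie settings shown in the PUT sample (httpOnlyCookie, secureCookie, samesiteCookie, restrictToSingleClientIP) and sends only the parameters being revised, as the page instructs.

```python
"""Added example: BIG-IP Next Central Manager access-policy lifecycle (create,
find ID by name, update, delete) over the endpoints documented above.
Not F5's code. Assumes a pre-obtained bearer token sent as "Authorization: Bearer".
"""
from __future__ import annotations

import json
import ssl
import sys
import urllib.request
from typing import Any, Iterator

BASE_PATH = "/api/v1/spaces/default/security/access-policies"


def build_saml_sp_policy(name: str, entity_id: str, sp_uri: str,
                         idp_connectors: list[tuple[str, str]],
                         want_assertion_signed: bool = True) -> dict:
    """Per-session SAML SP policy body following the page's POST sample.
    idp_connectors is a list of (connector_name, idp_match_value) pairs.
    The page's sample uses wantAssertionSigned=false; signed assertions are
    the safer default, so this helper defaults to true."""
    return {
        "type": "PerSession", "policy_type": "PerSession", "name": name,
        "properties": [{"configuration": {
            "policyType": "PerSession", "profileType": "ltm-access", "scope": "profile",
            "policy": {"objectContent": {
                "name": f"{name}_configuration", "languages": ["en"], "defaultLanguage": "en",
                "start": {
                    "itemType": "saml", "name": "SAML_Auth",
                    # Allow only when the SAML agent reports success; everything else falls to Deny.
                    "nextItems": [
                        {"itemType": "allow", "name": "Allow",
                         "expression": "expr {[mcget {session.saml.last.result}] == 1}"},
                        {"itemType": "deny", "name": "Deny"},
                    ],
                    "service": {
                        "name": f"{name}_service", "entityId": entity_id, "spURI": sp_uri,
                        "wantAssertionSigned": want_assertion_signed,
                        "idpConnectors": [
                            {"name": cname, "matchingSource": "%{session.server.idpname}",
                             "matchingValue": match} for cname, match in idp_connectors],
                    },
                },
            }},
        }}],
    }


def _walk(node: Any) -> Iterator[dict]:
    """Yield every dict in a nested JSON structure, depth first."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def find_policy_id(list_response: Any, name: str) -> str | None:
    """Return the ID of the policy called `name` from the GET list response.
    Assumption: each policy object carries "id" and "name" keys."""
    for obj in _walk(list_response):
        if obj.get("name") == name and isinstance(obj.get("id"), str):
            return obj["id"]
    return None


def build_hardening_update(policy_id: str, name: str, inactivity_timeout: int = 900) -> dict:
    """PUT body that tightens session-cookie handling using keys from the page's
    PUT sample; only the parameters being revised are included."""
    return {
        "id": policy_id, "name": name, "policy_type": "PerSession",
        "properties": [{"configuration": {
            "httpOnlyCookie": True,            # cookie not readable by page script
            "secureCookie": True,              # cookie sent over TLS only
            "samesiteCookie": True, "samesiteCookieAttrValue": "lax",
            "restrictToSingleClientIP": True,  # session bound to the originating client IP
            "inactivityTimeout": inactivity_timeout,
        }}],
    }


class CentralManagerClient:
    """Thin JSON-over-HTTPS client. Certificate verification stays on; pass the
    CA bundle that issued the CM management certificate instead of disabling it."""

    def __init__(self, host: str, token: str, ca_file: str | None = None):
        self.base, self.token = f"https://{host}", token
        self.ctx = ssl.create_default_context(cafile=ca_file)

    def request(self, method: str, path: str, body: dict | None = None) -> Any:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {self.token}")  # assumed header form
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None

    def create_policy(self, body: dict) -> Any: return self.request("POST", BASE_PATH, body)
    def list_policies(self) -> Any: return self.request("GET", BASE_PATH)
    def update_policy(self, pid: str, body: dict) -> Any: return self.request("PUT", f"{BASE_PATH}/{pid}", body)
    def delete_policy(self, pid: str) -> Any: return self.request("DELETE", f"{BASE_PATH}/{pid}")  # no body


if __name__ == "__main__":
    # usage: python cm_policy.py <big-ip_next_cm_mgmt_ip> "$CM_TOKEN" [ca-bundle.pem]
    host, token = sys.argv[1], sys.argv[2]
    cm = CentralManagerClient(host, token, ca_file=sys.argv[3] if len(sys.argv) > 3 else None)
    cm.create_policy(build_saml_sp_policy("Demo_SAML_SP", "app.f5demo.com", "https://app.f5demo.com",
                                          [("First_IDP_Connector", "idp1.partner.com")]))
    pid = find_policy_id(cm.list_policies(), "Demo_SAML_SP")
    if pid is None:
        sys.exit("policy not found after create")
    cm.update_policy(pid, build_hardening_update(pid, "Demo_SAML_SP"))
    cm.delete_policy(pid)
```

Because find_policy_id searches by name, the script never needs the ID to be copied by hand from the GET response, and the update helper only carries the fields it changes, so an unrelated setting in the existing policy is not overwritten with a stale value.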