How To: Create and manage policies using BIG-IP Central Manager

Create a policy

  1. Use the edit policy function to:

    • Rename the policy.

    • Adjust default settings.

    • Adjust policy endings.

    • Add policy-wide resources.

  2. Drag the flows you need for your policy into the VPD workspace.

  3. Drag rules into the appropriate flows.

  4. Expand and edit the flows and rules for your use.

Follow the procedure to create a new SAML service provider (SP) access policy using the BIG-IP Next Central Manager user interface.

  1. Log in to BIG-IP Next Central Manager and navigate to Go to Security Workspace > Security > Access > Policies.

  2. To create a policy, click the Start Creating button. By default, there is no policy created. The Create Policy page opens, and the Visual Policy Designer (VPD) workspace appears.

  3. Select the required policy type radio button. Available policy options are the Per-Session Policy and Per-Request Policy.

  4. In the How would you like to create it? section, select whether to create the policy from a template or from scratch. Available options are Create using a policy template and Start from scratch. Administrators are advised to select Create using a policy template, which is the quickest way to obtain a working policy.

  5. In the Policy Templates section, select the required policy template. Available options are Logon Page with Active Directory Query and SAML as a Service Provider.

  6. When the Logon Page with Active Directory Query is selected, this policy template includes a Logon Page and Active Directory rules for Authentication and Authorization purposes. When the SAML as a Service Provider is selected, this policy template includes SAML Federation and Variable Assign rules to configure for a SAML Service Provider setup.

  7. Click Next. Based on the selection of the policy type, the applicable policy configurations are displayed.

  8. On the General Properties tab, enter a Policy Name for the policy.

  9. Scroll through the remaining properties and revise any value that you want to change from its default setting.

  10. Click Continue. The Session Properties tab of the respective policy page appears.

  11. On the Session Properties tab, scroll through the properties and revise any value that you want to change from its default setting.

  12. Click Continue. The Logging tab of the respective policy page appears.

  13. On the Logging tab, scroll through the properties and revise any value that you want to change from its default setting.

  14. Click Continue. The Single Sign-On tab of the respective policy page appears.

  15. Single Sign-On (SSO) provides seamless access to the applications protected through BIG-IP Next Access. It lets administrators use more modern authentication techniques, such as SAML or OAuth, on the front end and translate them to something the back-end application supports, such as Kerberos or Forms.

  16. On the Single Sign-On tab, click Start Creating to select the required authentication type. Available options are Forms, Forms Client-Initiated, HTTP Basic, Kerberos, and OAuth Bearer. When one of the authentication types is selected, its configuration page appears. Fill in the required values in the given fields and save the configuration.

    • For details about specifying an HTTP Basic method, see HTTP Basic SSO.

    • For details about specifying a Kerberos method, see Kerberos SSO.

  17. Click Continue. The Endpoint Security tab of the respective policy page appears.

  18. On the Endpoint Security tab, choose the applicable version from its default setting.

  19. Click Continue. The Resources tab of the respective policy page appears.

  20. Resources extend BIG-IP Next Access with additional capabilities such as Network Access, Access Control, Identity Providers, and Webtops.

  21. On the Resources tab, click Start Creating to select the required resource. Available options are Access Control List, Network Access, Webtop, and Webtop Section.

  22. Click Continue. The Connectivity tab of the respective policy page appears.

  23. On the Connectivity tab, scroll through the properties and revise any value that you want to change from its default setting.

  24. Click Continue. The Policy Endings tab of the respective policy page appears.

  25. On the Policy Endings tab, scroll through the properties and revise any value that you want to change from its default setting.

  26. Click Finish. A required access policy is created. The Visual Policy Designer (VPD) workspace appears.

  27. On the VPD page, drag and drop the required Flows, Rules, and Subroutines to the selected (either Per-Session or Per-Request) policy or create a policy from scratch.

  28. On the VPD page, the administrator can use the + (plus) button on the canvas to add Flows, Rules, or Subroutines to the policy. Click a + button to view the list of available Flows, Rules, and Subroutines, then select one item (a Flow, a Rule, or a Subroutine) from the drop-down list; it is added at the location of that + button.

  29. On the VPD canvas, the administrator can select and move existing Flows, Rules, or Subroutines to a new location. When an element (Flow, Rule, or Subroutine) is selected, the entire tree connected to it turns blue with a dashed border around the element or node line, indicating that those elements are ready to move. This lets users reposition elements without deleting or recreating the policy. To exit move mode and edit the policy, click the Exit Move Mode button. The following conditions apply when moving Flow, Rule, or Subroutine elements:

  • Move the elements within the same parent:

    • The tree to the right of the moved node is disconnected from its original position.

    • A new default end node will appear in the original position.

    • If the destination node is connected to an end node, that end node is removed.

    • The tree is moved and pasted in the new location.

  • Move the elements to a different parent:

    • The tree to the right of the moved node is disconnected from its original position.

    • A new default end node will appear in the original position.

    • If the destination node is connected to an end node, that end node is removed.

    • The tree is moved and pasted in the new location.

    • All end nodes from the moved tree will change to the default end nodes of the new parent.

  1. In the Flow section of the sidebar, drag another Empty Flow and drop it onto the main VPD tree.

  2. Click the second Rule node. The sidebar collapses, and the selected node turns blue with a dashed border around it. A banner stating “You are in Move Mode” appears at the top of the screen.

  3. The + buttons adjacent to the selected Rule node are disabled, except for the first + button, which remains enabled and changes to a move-location icon.

  4. If a + button on the main tree is clicked and the user tries to add a Rule, the Rule is not added to the main tree, and the tree remains in move mode.

  5. When the user attempts to add a Flow to a Subroutine, the drop points within the expanded Subroutine are disabled, and a Flow cannot be moved inside the Subroutine.

  6. Click the first drop point. The selected Rule moves to the first position, and the other Rules shift to the right of it.

  7. Click the Rule node again to re-enter move mode. Collapse the Flow node by clicking the collapse icon.

  8. On the main tree, all drop points are disabled because the selected node is a Rule, and a Rule cannot be dropped at the top level.

  9. Expand another Flow node and click the drop point inside this Flow. The selected Rule and any nodes attached to its right (except end nodes) are moved to the new location.

  10. If you try to drop a Flow node inside multiple nested Flows, the drop points are disabled.

  11. Moving a Flow inside a subroutine disables the drop points. An attempt to move a subroutine inside another subroutine (three levels of nesting) also disables the drop points.

  12. Click Finish. An access policy is created.

Note: To deploy this policy with an application, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

The following example creates a new SAML service provider (SP) Access policy using the BIG-IP Next Central Manager application programming interface (API).

  1. Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  2. Create the policy by sending a POST to the /api/v1/spaces/default/security/access-policies endpoint.

    POST https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies
    

    For the API body, use the following, substituting values appropriate for the policy you want to create.

    {
        "type": "PerSession",
        "policy_type": "PerSession",
        "name": "SamlPerRequestPolicy",
        "properties": [
            {
                "configuration": {
                    "timeout": 0,
                    "inactivityTimeout": 0,
                    "maxSessionTimeout": 0,
                    "policyType": "PerSession",
                    "profileType": "ltm-access",
                    "scope": "profile",
                    "policy": {
                        "objectContent": {
                            "name": "SAML_SP_configuration",
                            "languages": [
                                "en",
                                "de"
                            ],
                            "defaultLanguage": "en",
                            "caption": "Sample_SAML_SP_Access_Policy",
                            "start": {
                                "itemType": "saml",
                                "name": "SAML_Auth",
                                "nextItems": [
                                    {
                                        "itemType": "allow",
                                        "name": "Allow",
                                        "expression": "expr {[mcget {session.saml.last.result}] == 1}"
                                    },
                                    {
                                        "itemType": "deny",
                                        "name": "Deny"
                                    }
                                ],
                                "service": {
                                    "name": "Sample_SAML_SP_Service",
                                    "entityId": "app.f5demo.com",
                                    "spURI": "https://app.f5demo.com",
                                    "wantAssertionSigned": false,
                                    "idpConnectors": [
                                        {
                                            "name": "First_IDP_Connector",
                                            "matchingSource": "%{session.server.idpname}",
                                            "matchingValue": "idp1.partner.com"
                                        },
                                        {
                                            "name": "Second_IDP_Connector",
                                            "matchingSource": "%{session.server.idpname}",
                                            "matchingValue": "idp2.partner.com"
                                        }
                                    ],
                                    "attributeConsumingServices": [
                                        {
                                            "name": "First_SAML_ACS",
                                            "serviceName": "Academic Journals R US",
                                            "attributes": [
                                                {
                                                    "name": "Attribute_1",
                                                    "attributeName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
                                                    "attributeFriendlyName": "eduPersonEntitlement",
                                                    "attributeNameFormat": "uri"
                                                },
                                                {
                                                    "name": "Attribute_2",
                                                    "attributeName": "urn:oid:2.5.4.42",
                                                    "attributeFriendlyName": "givenName",
                                                    "attributeNameFormat": "uri"
                                                }
                                            ]
                                        }
                                    ],
                                    "authCtxClasses": [
                                        "Password",
                                        "Kerberos"
                                    ],
                                    "authCtxComparisonType": "better",
                                    "authCtxMethods": [
                                        "Password",
                                        "Kerberos"
                                    ]
                                }
                            }
                        }
                    }
                },
                "perRequestConfiguration": {
                    "policyType": "PerRequest",
                    "policy": {
                        "objectContent": {
                            "name": "hdp1",
                            "languages": ["en"],
                            "defaultLanguage": "en",
                            "start": {
                                "itemType": "http-header-modify",
                                "name": "HTTP_headers",
                                "caption": "HTTP headers",
                                "nextItems": [
                                    {"itemType": "allow"}
                                ],
                                "headerEntries": [
                                    {
                                        "headerOperation": "insert",
                                        "headerName": "X-Authenticated-User",
                                        "headerValue": "%{session.logon.last.username}"
                                    },
                                    {
                                        "headerOperation": "append",
                                        "headerName": "User-Agent",
                                        "headerValue": "Mozilla/5.0",
                                        "headerDelimiter": ";"
                                    },
                                    {
                                        "headerOperation": "replace",
                                        "headerName": "X-Forwarded-For",
                                        "headerValue": "%{session.user.clientip}"
                                    },
                                    {
                                        "headerOperation": "remove",
                                        "headerName": "Cache-Control"
                                    }
                                ],
                                "cookieEntries": [
                                    {
                                        "cookieOperation": "update",
                                        "cookieName": "PHPSESSID",
                                        "cookieValue": "1234"
                                    },
                                    {
                                        "cookieOperation": "delete",
                                        "cookieName": "mySession"
                                    }
                                ]
                            }
                        }
                    }
                }
            }
        ]
    }
    

    BIG-IP Next Central Manager creates the policy specified by the parameter values used in the body of your POST.
    For the OpenAPI information of the access policy rules, refer to the F5® BIG-IP® Next Central Manager API Specifications.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Modify a policy

Use this task to make revisions to an existing Access policy using the BIG-IP Next Central Manager user interface.

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click Access.

  2. Next to the name of the policy that you want to edit, click the Edit icon.
    The policy opens in the Visual Policy Designer (VPD) so you can edit it.

  3. Edit the policy by revising values in any flows or rules that you want to change.

    • To edit a flow, click the Expand icon.
      The flow expands so you can edit it.

    • To edit a rule:

    1. Locate the flow in which the rule resides, and click the Expand icon.
      The flow expands so you can edit it.

    2. Hover the cursor over the rule you wish to edit and then click the Edit icon.
      The General Properties tab of the Rule Configuration page opens.

    3. Revise the values you want to change.

  4. Click Save.
    BIG-IP Next Central Manager revises the policy.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Use this task to revise an existing Access policy using the BIG-IP Next Central Manager application programming interface (API).

  1. Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  2. Retrieve the policy ID by sending a GET to the Return Access policies endpoint.

    GET https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies
    

    You can find the policy ID in the response. It is just above the name of the policy.

  3. Modify the policy by sending a PUT to the Update Access policy endpoint. Use the policy ID from the last step.

    PUT https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies/<policy_id>
    

    Use the following structure for the API body, but only include the parameters that you want to revise.

    {
        "_links": {
            "self": {
                "href": "/api/v1/spaces/default/security/access-policies/2a7bfd6c-91f7-4e44-81a4-329cb35b9b54"
            }
        },
        "deployment_status": "DRAFT",
        "id": "2a7bfd6c-91f7-4e44-81a4-329cb35b9b54",
        "name": "Jpk_SAML_Policy_123",
        "policy_type": "PerSession",
        "properties": [
            {
                "configuration": {
                    "domainCookie": "string",
                    "domainMode": "multiple",
                    "httpOnlyCookie": false,
                    "inactivityTimeout": 100,
                    "logoutUriInclude": "/index.php /another/logout.cgi",
                    "logoutUriTimeout": 4294967295,
                    "maxConcurrentSessions": 100,
                    "maxConcurrentUsers": 100,
                    "maxFailureDelay": 100,
                    "maxInProgressSessions": 100,
                    "maxSessionTimeout": 100,
                    "minFailureDelay": 100,
                    "name": "Jpk_SAML_Policy_123",
                    "persistentCookie": false,
                    "policy": {
                        "content": "{\n    \"name\": \"Jpk_SAML_Policy_123\",\n    \"languages\": [\n        \"en\",\n        \"de\"\n    ],\n    \"defaultLanguage\": \"en\",\n    \"caption\": \"Sample_SAML_SP_Access_Policy\",\n    \"start\": {\n        \"caption\": \"Fallback\",\n        \"name\": \"SAML_Auth\",\n        \"itemType\": \"saml\",\n        \"nextItems\": [\n            {\n                \"caption\": \"Successful\",\n                \"itemType\": \"allow\",\n                \"name\": \"Allow\",\n                \"expression\": \"expr {[mcget {session.saml.last.result}] == 1}\"\n            },\n            {\n                \"caption\": \"Fallback\",\n                \"itemType\": \"deny\",\n                \"name\": \"Deny\"\n            }\n        ],\n        \"service\": {\n            \"name\": \"Sample_SAML_SP_Service\",\n            \"entityId\": \"app.f5demo.com\",\n            \"isAuthnRequestSigned\": false,\n            \"relayState\": \"rs1\",\n            \"acsBinding\": \"http-post\",\n            \"wantAssertionEncrypted\": true,\n            \"decryptionKey\":\"newCert\",\n            \"decryptionCertificate\":\"newCert\",\n            \"wantAssertionSigned\": false,\n            \"attributeConsumingServices\": [\n                {\n                    \"name\": \"First_SAML_ACS\",\n                    \"serviceName\": \"Academic Journals R US\",\n                    \"attributes\": [\n                        {\n                            \"name\": \"Attribute_1\",\n                            \"attributeName\": \"urn:oid:1.3.6.1.4.1.5923.1.1.1.7\",\n                            \"attributeFriendlyName\": \"eduPersonEntitlement\",\n                            \"attributeNameFormat\": \"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"\n                        },\n                        {\n                            \"name\": \"Attribute_2\",\n                            \"attributeName\": \"urn:oid:2.5.4.42\",\n                            \"attributeFriendlyName\": \"givenName\",\n                            \"attributeNameFormat\": \"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"\n                        }\n                    ]\n                }\n            ],\n            \"authCtxClasses\": [\n                \"Password\",\n                \"Kerberos\"\n            ],\n            \"authCtxComparisonType\": \"better\",\n            \"authCtxMethods\": [\n                \"Password\",\n                \"Kerberos\"\n            ],\n            \"providerName\": \"pn1\"\n        }\n    }\n}"
                    },
                    "policyType": "PerSession",
                    "profileType": "ltm-access",
                    "restrictToSingleClientIP": false,
                    "samesiteCookie": false,
                    "samesiteCookieAttrValue": "lax",
                    "scope": "global",
                    "secureCookie": true,
                    "timeout": 500,
                    "useHttp503OnError": false
                }
            }
        ]
    }
    

    BIG-IP Next Central Manager edits the policy parameter values that you included in the body of your PUT.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.
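The following Python is an added example, not F5's code and not taken from this page. It builds the per-session SAML SP policy object in the shape of the POST example, serialises it into the policy.content string that the PUT example carries, and lints one properties[].configuration block for the session-cookie and SAML settings shown in those bodies that weaken protection. It assumes a bearer token has already been obtained as described in the authentication how-to, that the GET listing's items carry id and name as the PUT body does, and that the function names and the weak-setting list are the example's own.

```python
import json
from typing import Any, Iterable

# Endpoint shown on this page; host and bearer token are supplied by the caller.
BASE_PATH = "/api/v1/spaces/default/security/access-policies"

# Session-cookie settings from the PUT body that weaken session protection when set
# to these values. The check list is this example's own, not an F5 recommendation.
WEAK_SESSION_SETTINGS = {
    "httpOnlyCookie": False,            # session cookie readable by page scripts
    "secureCookie": False,              # cookie may be sent over plain HTTP
    "samesiteCookie": False,            # no SameSite attribute, CSRF exposure
    "restrictToSingleClientIP": False,  # session reusable from another client IP
    "persistentCookie": True,           # session cookie survives browser restart
}


def saml_sp_policy(name: str, entity_id: str, idp_domains: Iterable[str],
                   want_assertion_signed: bool = True) -> dict[str, Any]:
    """Per-session SAML SP policy object in the shape of this page's POST example."""
    return {
        "name": name, "languages": ["en"], "defaultLanguage": "en",
        "start": {
            "itemType": "saml", "name": "SAML_Auth",
            "nextItems": [
                {"itemType": "allow", "name": "Allow",
                 "expression": "expr {[mcget {session.saml.last.result}] == 1}"},
                {"itemType": "deny", "name": "Deny"},
            ],
            "service": {
                "name": f"{name}_Service", "entityId": entity_id,
                "spURI": f"https://{entity_id}",
                "wantAssertionSigned": want_assertion_signed,
                "idpConnectors": [
                    {"name": f"IDP_Connector_{i}",
                     "matchingSource": "%{session.server.idpname}", "matchingValue": d}
                    for i, d in enumerate(idp_domains, 1)],
            },
        },
    }


def post_body(policy: dict[str, Any]) -> dict[str, Any]:
    """POST body: the policy travels as a JSON object under policy.objectContent."""
    return {"type": "PerSession", "policy_type": "PerSession", "name": policy["name"],
            "properties": [{"configuration": {
                "policyType": "PerSession", "profileType": "ltm-access",
                "scope": "profile", "policy": {"objectContent": policy}}}]}


def put_content(policy: dict[str, Any]) -> str:
    """PUT body: the same policy is serialised to a string under policy.content."""
    return json.dumps(policy, indent=4)


def lint_configuration(cfg: dict[str, Any]) -> list[str]:
    """Flag weak settings in one properties[].configuration block (POST or PUT shape)."""
    findings = [f"{k} is {cfg[k]!r}" for k, weak in WEAK_SESSION_SETTINGS.items()
                if cfg.get(k) == weak]
    pol = cfg.get("policy", {})
    raw = pol.get("content")
    policy = json.loads(raw) if isinstance(raw, str) else pol.get("objectContent", {})
    if policy.get("start", {}).get("service", {}).get("wantAssertionSigned") is False:
        findings.append("wantAssertionSigned is False: SP accepts unsigned assertions")
    return findings


def policy_ids_by_name(listing: Iterable[dict[str, Any]]) -> dict[str, str]:
    """Map name -> id over GET items; assumes each carries id and name like the PUT body."""
    return {p["name"]: p["id"] for p in listing if "id" in p and "name" in p}
```

Run lint_configuration over each properties[].configuration block returned by the GET before promoting a DRAFT policy; the PUT example on this page, with httpOnlyCookie, samesiteCookie and wantAssertionSigned all false, produces three findings.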

Delete a policy

Use this task to remove an existing Access policy using the BIG-IP Next Central Manager user interface.

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click Access.

  2. Click the name of the policy that you want to delete.
    The General Properties tab of the Edit Policy screen opens.

  3. At the top of the screen, click Delete.
    BIG-IP Next Central Manager removes the policy.

Use this task to remove an existing Access policy using the BIG-IP Next Central Manager application programming interface (API).

  1. Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  2. Retrieve the policy ID for the policy you want to delete by sending a GET to the Return Access policies endpoint.

    GET https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies
    

    You can find the policy ID in the response. It is just above the name of the policy.

  3. Delete the policy by sending a DELETE to the Delete Access policy endpoint. Use the policy ID from the last step.

    DELETE https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies/<policy_id>
    

    No body is required for a delete call.