Federation rules

These rules federate user identity and enable single sign-on (SSO) to on-premises and cloud applications, including SaaS.

OAuth Federation

Open Authorization (OAuth) is an open delegation standard that allows a resource owner to grant access to third-party applications to their resources without having to share their credentials. OAuth clients use OAuth and OpenID Connect to authenticate resource owners and access protected resources on the owner’s behalf, while Resource Services hold the protected resources.

You can set up BIG-IP Next Access as an OAuth Client, a Resource Server, or both. To configure Access as an OAuth client and resource server, you must create OAuth provider, OAuth server, OAuth client, and OAuth scope objects.

For instructions and examples on configuring OAuth Client or Resource Server, refer to How to: Create OAuth Client or Resource Server policies using BIG-IP Central Manager.

When you use this rule, you configure fields on a number of pages. Each page is documented separately.

Rule Properties

This page displays when you first begin to configure this rule in the VPD workspace.

Field - Description
Mode - Select Client, Resource Server, or both, depending on how you want this rule to perform.
Name - Specify the name of the provider.
Grant Type - Specify the type of grant that the OAuth client uses. The valid values are:
  • authorization-code - The client redirects the resource owner to the OAuth server to request an authorization code.
  • password - The client uses resource owner password credentials to request an access token from the OAuth server.
Vendor Presets - Choose which set of pre-configured values you want BIG-IP Next Central Manager to use.
Scope - Specify the scope of the group lookup for a user or a group. When the search returns a user or a group, this attribute specifies whether to also look up the groups to which this user or group belongs. The valid values are:
  • none - No groups required.
  • direct - Only the groups to which the current user or group belongs directly are required.
  • all - All groups required. This includes the groups to which the user or the group belongs directly and the groups to which the user or group belongs indirectly (through membership in another group).
Open ID Connect - Specify whether the rule uses OpenID Connect for authorization.
Note: The OAuth provider (associated with the server) must be configured to support JSON web tokens.

Provider Properties

The Provider Properties page displays when you click Start Creating on the OAuth Federation rule Providers tab.

Field - Description
Name - Specify a name for the OAuth provider. You can specify a name, or use the name that auto-generates when you insert the rule into the policy.
Redirect URI - Specify an ASCII-encoded Uniform Resource Identifier (URI) as defined in RFC 3986. This is a required field.
Enable Auto Discovery - Specify whether to automatically discover the configuration of the authorization server.
Note: The authorization server must support OpenID Connect.
OpenID URI - Specify an openid-userinfo-request type of request. The OAuth Client item uses this request to access a well-known endpoint for OpenID Connect to get the authorization server configuration.
Authentication URI - When Auto Discovery is disabled, specify the endpoint URI that redirects the user for authentication to get the authorization code. The OAuth Client item uses this endpoint when the grant type is configured to Authorization Code.
Token URI - When Auto Discovery is disabled, specify the URI to use to retrieve an access token from the provider. The OAuth Client item uses this endpoint.
Token Validation Scope URI - When Auto Discovery is disabled, specify the URI the OAuth Scope item uses to retrieve a list of scopes associated with an access token. The OAuth Scope item uses this endpoint to retrieve a list of scopes associated with an opaque token and validate them. The OAuth Client item uses this endpoint to validate an opaque token.
Userinfo Request URI - When Auto Discovery is disabled, specify the endpoint URI that is used to request userinfo information. The OAuth Scope item uses this endpoint.
Support Introspection - Select this checkbox to support token introspection, which allows a protected resource to query the authorization server to determine the metadata associated with the token.

JSON Web Token Configuration

This tab displays when you click Save & Continue on the OAuth Federation Provider Properties tab.

Field - Description
Ignore Expired Certificate Validation - Select Enable to ignore enforcement of expired authorization server (AS) certificates. The default value is false.
Allow Self-Signed JWK Config Certificate - Select Enable to create a JWK config with a self-signed certificate.
Trusted Certificate Authorities - Make a selection to instruct BIG-IP Next to supply a default certificate and a ca-bundle.crt file that includes all well-known public certificate authority (CA) certificates for client-side processing.
Issuer - Specify the URL for the issuer of the JSON web token. This is a required setting.
Access Token Expiration (minutes) - Specify the number of minutes the access token should live. The default value is 0.
Audience - Specify the audience for the token.
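To make the Provider Properties and JSON Web Token Configuration fields concrete, here is an added example (not BIG-IP Next code) that shows what Auto Discovery derives from a provider's OpenID discovery document and how a decoded token's claims are checked against the configured Issuer and Audience. The discovery document and the mapping of discovery keys to page fields are assumptions; the introspection endpoint is assumed to be what the Token Validation Scope URI points at, since that is where opaque tokens are validated.

```python
import json
import time

# Constructed sample of the document a provider serves at its well-known
# OpenID Connect endpoint; every value here is made up for the example.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "userinfo_endpoint": "https://idp.example.test/oauth2/userinfo",
    "introspection_endpoint": "https://idp.example.test/oauth2/introspect",
    "jwks_uri": "https://idp.example.test/oauth2/keys",
})

# Assumed mapping from standard discovery keys to the Provider Properties
# fields you would otherwise fill in by hand with Auto Discovery disabled.
FIELD_MAP = {
    "authorization_endpoint": "Authentication URI",
    "token_endpoint": "Token URI",
    "userinfo_endpoint": "Userinfo Request URI",
    "introspection_endpoint": "Token Validation Scope URI",
}

def provider_fields(doc_text):
    """Return {page field: value} derived from a discovery document."""
    doc = json.loads(doc_text)
    fields = {page: doc[key] for key, page in FIELD_MAP.items() if key in doc}
    fields["Issuer"] = doc["issuer"]               # must equal the JWT 'iss' claim
    fields["Support Introspection"] = "introspection_endpoint" in doc
    return fields

def check_claims(claims, issuer, audience, now=None):
    """Check a decoded JWT payload against the Issuer and Audience settings.
    Signature verification against the provider's JWKs is assumed to have
    happened before this; only iss, aud and exp are examined here."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if audience not in aud:
        problems.append("audience mismatch")
    if "exp" not in claims or claims["exp"] <= now:
        problems.append("token expired or has no exp")
    return problems
```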

SAML Federation

Security Assertion Markup Language (SAML) is an open federation standard that allows an identity provider (IdP) and a service provider (SP) to exchange user authentication and authorization data. With SAML and BIG-IP Next Access, you can enable a single sign-on (SSO) experience for your applications.

For instructions and examples on configuring SAML Authentication, refer to How to: Create SAML SP policy workflows using BIG-IP Central Manager.

When you use this rule, you configure fields on a number of pages. Each page is documented separately.

Rule Properties

This page displays when you first begin to configure this rule in the VPD workspace.

Field - Description
Service Name - Specify the name of the SAML authentication rule. This is a required field.
Description - Specify a description that helps to identify this rule.
Service Provider Configuration - When you click Advanced, a set of toggles appears that you can select to specify advanced settings on other pages.

Add Service Provider

Specifies the configuration settings for the local SP service associated with a SAML IdP. The local SP service configuration uniquely identifies the SP and defines its security requirements. It also specifies advanced SP settings, such as ACS, Affiliation, or Authentication Context Classes.

After you define the rule properties and click Save & Continue, click Start Creating to get to this page.

Field - Description
Audience URI (Entity ID) - Specify a unique identifier for the SAML Identity Provider. This is a required setting.
Host - Specify the FQDN for the application. If the Audience URI is not an FQDN, this field is required.
Relay State - Specify an arbitrary string that communicates the state of the relay.
Force Authentication - Select this option to force the user to authenticate with the identity provider even if they already have an established session with the IdP.
Sign Authentication Requests - Select this check box to specify whether the IdP expects signed authentication requests.
Message Signing Certificate and Key - Select the certificate and key to use for this service provider.
Want Encrypted Assertion - Select this check box to specify whether the assertion must be encrypted.
Assertion Decryption Certificate and Key - Select the certificate and key to use to decrypt the assertion.

Attribute Consuming Service

Specifies the name of one of the attribute consuming services associated with the server. The index associated with the selected attribute consuming service is included in the generated SAML authentication request. The identity provider maps the index to the list of attributes derived from the metadata previously shared and returns those attributes in the SAML response. For example, the SP may include an Attribute Consuming Index in a SAML request to get the attributes of an authenticated user.

When you select Advanced Properties on the Rule Properties page, and then select Attribute Consuming Service, this page appears as a new tab on the Add Service Provider page.

Field - Description
Name - Specify a name for the attribute consuming service.
Description - Specify a description that helps to identify this attribute consuming service.
Service Name - Specify a name for the attribute consuming service.
Attribute Name - Specify a name for the attribute.
Attribute Format - Select the format for this attribute.
Friendly Name - Specify an easy-to-read name that helps to identify this rule.

Force Authentication

Allows the SP to include the ForceAuthn flag in an Authentication request at runtime. This option determines whether to force users to authenticate again even when they have an SSO session at the identity provider.

To use this property, the external IdP should support a force authentication flag. The options are:

  • Enable - Overrides the Service Provider Force Authentication setting and always adds ForceAuthn=true to the Authentication request. Uses the Force Authentication setting on the Service Provider (Access Federation SAML Service Provider).

  • Disable - Overrides the Service Provider Force Authentication setting and always adds ForceAuthn=false to the Authentication request. By default, Disable is selected.

  • Session Variable Setting - Specifies that you want to use a session variable to control the ForceAuthn flag included in the Authentication request.

Force Authentication Session Variable

When Force Authentication is set to Session variable setting, it specifies a session variable that controls the value of the ForceAuthn flag included in the Authentication request, as follows.

  • If the session variable resolves to 1 at runtime, Access adds ForceAuthn=true to the Authentication request overriding the Force Authentication setting on the Service Provider.

  • If the session variable resolves to 0 at runtime, Access adds ForceAuthn=false to the Authentication request overriding the Force Authentication setting on the Service Provider.

  • If the session variable is not found at runtime or resolves to a value other than 1 or 0, then the Force Authentication setting on the Service Provider controls the behavior of the ForceAuthn flag included in the Authentication request.
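The ForceAuthn decision described under Force Authentication and Force Authentication Session Variable, written out as an added example (not BIG-IP Next code) that resolves the flag and places it on a minimal AuthnRequest. The session variable name session.custom.forceauthn and the issuer and timestamp values are constructed for the example.

```python
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def resolve_force_authn(mode, sp_setting, session_vars=None, var_name=None):
    """Decide the ForceAuthn value for the Authentication request.
    mode: "Enable", "Disable" or "Session Variable Setting" (the rule option).
    sp_setting: the Force Authentication check box on the Service Provider.
    session_vars: session variables available at runtime, as {name: value}."""
    if mode == "Enable":
        return True                      # always ForceAuthn=true
    if mode == "Disable":
        return False                     # always ForceAuthn=false (default)
    if mode == "Session Variable Setting":
        value = (session_vars or {}).get(var_name)
        if value == "1":
            return True
        if value == "0":
            return False
        return bool(sp_setting)          # missing or other value: SP setting wins
    raise ValueError("unknown Force Authentication mode: %r" % mode)

def build_authn_request(request_id, issuer, force_authn):
    """Return a minimal AuthnRequest carrying the resolved ForceAuthn flag."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    root = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",   # constructed timestamp
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(root, "{%s}Issuer" % SAML).text = issuer
    return ET.tostring(root, encoding="unicode")

def force_authn_attr(xml_text):
    """Read the ForceAuthn attribute back from a serialized AuthnRequest."""
    return ET.fromstring(xml_text).get("ForceAuthn")
```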

Artifact Resolution Service

When you select Advanced Properties on the Rule Properties page, and then select Artifact Resolution Service, this page appears as a new tab on the Add Identity Provider page.

Field - Description
Location URL - Specify the FQDN of the identity provider.
Sign Artifact Resolution Request - Select this check box to specify whether the IdP requires artifact resolution requests from a SAML SP to be signed.
Username - Specify a name for the artifact resolution service request.
Password - Specify a password for the artifact resolution service request.

Single Logout Service

When you select Advanced Properties on the Rule Properties page, and then select Single Logout Service, this page appears as a new tab on the Add Identity Provider page.

Field - Description
Name Qualifier - Specify the security or administrative domain of the Identity Provider.
Single Logout URL - Specify the URL of the SAML IdP to which BIG-IP Next Access can send the logout request when a service provider initiates a logout.
Single Logout Response URL - Specify the URL of the SAML IdP to which BIG-IP Next Access can send the logout response when the IdP initiates the logout request.
Single Logout Binding - Specify the binding method that BIG-IP Next Access uses when it sends logout requests and responses to the SAML IdP.

SAML Affiliation

When you select Advanced Properties on the Rule Properties page, and then select SAML Affiliation, this page appears as a new tab on the Add Service Provider page.

Field - Description
Provider Name - Specify the arbitrary name that is agreed upon between the identity provider and a group of service providers.
Name-identifier Policy Format - Specify the URN format agreed upon between the identity provider and a group of service providers.
Allow Name-identifier Creation - Specify whether or not the IdP can create the name identifier for the service provider.

Authentication Context Classes

When you select Advanced Properties on the Rule Properties page, and then select Authentication Context Classes, this page appears as a new tab on the Add Service Provider page.

Field - Description
Comparison Method - Select the comparison method to use for the context classes.
Predefined Classes - Select the context classes that you want to compare.