How to: Configure policy using Single Sign-On Methods in BIG-IP Next Central Manager¶
Single sign-on (SSO) lets BIG-IP Next Access present a user's cached identity to backend servers, so the user logs on once at the access policy and is not prompted again by each application. Ensure your authentication server supports the same SSO method you select here.
Forms Based SSO¶
With the HTTP forms method of authentication, when a request matches a configured start URI, the SSO plug-in uses the cached user identity to construct and send the HTTP form-based POST request on behalf of the user.
Using the BIG-IP Next Central Manager UI to create a policy¶
The following example creates a new BIG-IP Next Access policy using Forms SSO in the BIG-IP Next Central Manager user interface (UI).
Single Sign-On Properties
This page displays when you click Start Creating and then select Forms on the Single Sign-On tab of the Policy Properties page.
The table below lists the fields for configuring Forms SSO properties:
Field | Description |
---|---|
Name | Specify the name of the Forms SSO configuration. You can specify a name, or use the name that auto-generates when you begin editing this page. |
Username Source | Specify the source for retrieving the username cached for single sign-on. The default value is session.sso.token.last.username. |
Password Source | Specify the source for retrieving the password cached for single sign-on. The default value is session.sso.token.last.password. |
Passthrough Cookies | If you select the Enable check box, cookies presented in the form propagate to the client browser. Defaults to cleared. |
Headers
The Headers page displays after you click Start Adding on the Forms SSO properties page.
The table below lists the fields for configuring headers for a Forms SSO configuration:
Field | Description |
---|---|
Name | Specify the name of the header you are adding. |
Value | Specify the value for the header you are adding. |
Start URIs
The Start URIs section is displayed after you click Start Adding on the Forms SSO properties page.
URI defines a start URI value. Form-based authentication executes for SSO when the HTTP request URI matches a start URI value.
Form Attributes
The Form Attributes section is displayed in Forms SSO properties page.
The table below lists the fields for configuring form attributes for a Forms SSO configuration:
Field | Description |
---|---|
Method | Defines the HTTP method of the SSO authentication request: GET or POST. Defaults to POST. With GET the credentials travel in the query string, where servers and proxies routinely log them; keep POST unless the application requires GET. |
Action | Defines the form action URL to which the HTTP authentication request for SSO is sent. |
Form Parameters
The Form Parameters section is displayed in Forms SSO properties page.
The table below lists the fields for configuring form parameters for a Forms SSO configuration:
Field | Description |
---|---|
Username | Defines the parameter name of the logon user name. |
Password | Defines the parameter name of the logon password. |
Hidden Parameters
The Hidden Parameters section is displayed after you click Start Adding on the Forms SSO properties page.
The table below lists the fields for configuring hidden parameters for a Forms SSO configuration:
Field | Description |
---|---|
Name | Defines the hidden form name required by the authentication server logon form at your location. |
Value | Defines the hidden form value required by the authentication server logon form at your location. |
Logon Detection
The Logon Detection section is displayed on the Forms SSO properties page.
Logon Detection determines how BIG-IP Next Access detects whether the server authenticated the user successfully. Defaults to None. You can select one option:
None: No check is made for authentication success.
URL: Authentication success is checked by examining the redirect URL in the HTTP response. Multiple values can be specified for this option.
Cookie: Authentication success is checked by searching the response for the named cookie.
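The following Python script is an added example, not part of this documentation or of the BIG-IP Next product code. It shows how the Forms SSO fields above (Start URIs, Form Attributes, Form Parameters, Hidden Parameters, Headers, Logon Detection) map onto the request sent on the user's behalf and onto the success check applied to the backend's response. The dictionary keys that do not appear in the API body on this page, the prefix-match rule for start URIs, and the sample configuration and session values are this example's assumptions.

```python
"""Added example (not F5 code): from Forms SSO settings to the request sent on
the user's behalf, and the Logon Detection check on the backend's reply."""
from http.cookies import SimpleCookie
from urllib.parse import urlencode, urlparse

# Constructed sample: a Forms SSO configuration. Keys that exist in the API body on
# this page keep their names (startUris, formMethod, formUsername, formPassword,
# headers, successMatchType, usernameSource, passwordSource); the rest are assumed.
FORMS_SSO = {
    "startUris": ["/login", "/secure/"],                        # Start URIs
    "formMethod": "post",                                       # Form Attributes > Method
    "formAction": "https://app.example.test/j_security_check",  # Form Attributes > Action
    "formUsername": "j_username",                               # Form Parameters > Username
    "formPassword": "j_password",                               # Form Parameters > Password
    "hiddenParams": {"login": "1", "lang": "en"},               # Hidden Parameters
    "headers": {"X-SSO-Origin": "bigip-next"},                  # Headers
    "usernameSource": "session.sso.token.last.username",
    "passwordSource": "session.sso.token.last.password",
    "successMatchType": "url",                                  # Logon Detection: none | url | cookie
    "successMatchValues": ["/home", "/dashboard"],              # redirect paths that mean success
    "successCookieName": "JSESSIONID",                          # cookie that means success (cookie mode)
}

# Constructed sample: variables cached when the user logged on at the access policy.
SESSION = {
    "session.sso.token.last.username": "alice",
    "session.sso.token.last.password": "s3cr3t&",
}


def start_uri_matches(cfg, request_uri):
    """Forms SSO fires only for requests whose URI matches a Start URI (prefix match assumed)."""
    return any(request_uri.startswith(u) for u in cfg["startUris"])


def build_sso_request(cfg, session):
    """Return (method, url, headers, body) for the logon request built from the cached identity."""
    username = session.get(cfg["usernameSource"], "")
    password = session.get(cfg["passwordSource"], "")
    params = dict(cfg.get("hiddenParams", {}))
    params[cfg["formUsername"]] = username
    params[cfg["formPassword"]] = password
    headers = dict(cfg.get("headers", {}))
    method = cfg["formMethod"].upper()
    if method == "GET":
        # GET carries the credentials in the query string, which servers and proxies log.
        return method, cfg["formAction"] + "?" + urlencode(params), headers, b""
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    return method, cfg["formAction"], headers, urlencode(params).encode()


def logon_succeeded(cfg, status, response_headers):
    """Apply Logon Detection to the backend response.

    none:   no check, the logon is assumed to have worked
    url:    a 3xx whose Location path starts with one of the configured values
    cookie: the named cookie appears in a Set-Cookie header
    """
    mode = cfg["successMatchType"]
    if mode == "none":
        return True
    if mode == "url":
        if not 300 <= status < 400:
            return False
        location = urlparse(response_headers.get("Location", "")).path
        return any(location.startswith(v) for v in cfg["successMatchValues"])
    if mode == "cookie":
        raw = response_headers.get("Set-Cookie", [])
        for value in [raw] if isinstance(raw, str) else raw:
            jar = SimpleCookie()
            jar.load(value)
            if cfg["successCookieName"] in jar:
                return True
        return False
    raise ValueError(f"unknown Logon Detection mode {mode!r}")
```

With Logon Detection set to None, a wrong password is indistinguishable from success at this layer, so prefer URL or Cookie detection whenever the application gives a reliable signal.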
Using the BIG-IP Next Central Manager API to create a policy¶
The following example creates a new BIG-IP Next Access policy using Forms SSO in the BIG-IP Next Central Manager application programming interface (API).
Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.
Create the policy by sending a POST request to the /api/v1/spaces/default/security/access-policies endpoint:
POST https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies
For the API body, use the following, substituting values appropriate for the policy you want to create. Note that this example leaves secureCookie, httpOnlyCookie, and samesiteCookie set to false. For a production policy served over HTTPS, set secureCookie and httpOnlyCookie to true so the access session cookie is neither sent over plain HTTP nor readable by page script, and enable samesiteCookie once you have confirmed that the samesiteCookieAttrValue (strict here) does not break redirects from an external identity provider.
{ "description": "", "name": "sso_forms", "policy_type": "PerSession", "properties": [ { "configuration": { "policyType": "PerSession", "name": "sso_forms", "externalServers": [], "policy": { "objectContent": { "start": { "itemType": "deny", "name": "Deny", "caption": "Fallback" }, "endings": [ { "name": "Deny", "action": "deny", "color": "#D9647A", "default": true }, { "name": "Allow", "action": "allow", "color": "#199D4D", "default": false } ], "languages": [ "en" ], "defaultLanguage": "en" } }, "scope": "profile", "profileType": "all", "userIdentityMethod": "http", "connectivityAccessPolicyName": "sso_forms_cap", "timeout": 300, "inactivityTimeout": 900, "maxSessionTimeout": 604800, "maxConcurrentUsers": 0, "maxConcurrentSessions": 0, "maxInProgressSessions": 128, "minFailureDelay": 2, "maxFailureDelay": 5, "domainCookie": "", "secureCookie": false, "persistentCookie": false, "httpOnlyCookie": false, "restrictToSingleClientIP": false, "useHttp503OnError": false, "logoutUriTimeout": 5, "samesiteCookie": false, "samesiteCookieAttrValue": "strict", "ssos": [ { "ssoType": "FormBased", "name": "Forms-65391578", "usernameSource": "session.sso.token.last.username", "passwordSource": "session.sso.token.last.password", "passthrough": false, "headers": [ { "headerName": "forms1", "headerValue": "5" } ], "startUris": [ "12" ], "formMethod": "post", "formParams": [], "successMatchType": "url", "formUsername": "forms1234", "formPassword": "forms123456" } ], "ssoReference": "Forms-65391578" }, "connectivityProfileConfiguration": { "compressBufferSize": 4096, "compressGzipLevel": 6, "compressGzipMemlevel": 8192, "compressGzipWindowsize": 16384, "compressCpusaver": true, "compressCpusaverHigh": 90, "compressCpusaverLow": 75, "compressionAdaptive": true, "compressionDeflateLevel": 1, "compressionCodecs": [], "pppTunnel": { "profilePpp": {} }, "clientPolicy": { "ecSaveServersOnExit": true, "ecReuseWinlogonSession": false, "ecReuseWinlogonCreds": false, "ecRunLogoffScript": false, 
"ecWarnBeforeScriptLaunch": true, "ecSavePasswordMethod": "none", "ecSavePasswordTimeout": 240, "ecComponentUpdate": "yes", "serverList": [], "ecLocationDnsList": [], "androidEcRequireDeviceAuth": false, "androidEcSavePasswordMethod": "disk", "androidEcSavePasswordTimeout": 240, "iosEcRequireDeviceAuth": false, "iosEcSavePasswordMethod": "disk", "iosEcSavePasswordTimeout": 240, "macosEcSavePasswordMethod": "disk", "macosEcSavePasswordTimeout": 240, "chromeosEcSavePasswordMethod": "disk", "chromeosEcSavePasswordTimeout": 240, "chromeosEcLogonMethod": "native", "macosEcLogonMethod": "native", "name": "sso_forms_cap_clientPolicy" }, "policyType": "ConnectivityAccessPolicy", "name": "sso_forms_cap" }, "loggingConfiguration": [ { "component": "apmd", "level": "NOTICE" }, { "component": "tmm", "level": "NOTICE" }, { "component": "websso", "level": "NOTICE" }, { "component": "renderer", "level": "NOTICE" } ] } ] }
Forms Client-Initiated SSO¶
With the form-based client-initiated method of authentication, when BIG-IP Next Access detects the request for a logon page (by the URI, header, or cookie configured for matching the request), it generates JavaScript code, inserts it into the logon page, and returns the logon page to the client, where the inserted JavaScript submits it automatically. BIG-IP Next Access processes the submission and uses the cached user identity to construct and send the HTTP form-based POST request on behalf of the user.
Using the BIG-IP Next Central Manager UI to create a policy¶
The following example creates a new BIG-IP Next Access policy using Forms Client-Initiated SSO in the BIG-IP Next Central Manager user interface (UI).
Single Sign-On Properties
This page displays when you click Start Creating and then select Forms Client-Initiated on the Single Sign-On tab of the Policy Properties page.
The table below lists the fields for configuring Forms Client-Initiated SSO properties:
Field | Description |
---|---|
Name | Specify the name of the Forms Client-Initiated SSO configuration. You can specify a name, or use the name that auto-generates when you begin editing this page. |
Passthrough Cookies | If you select the Enable check box, cookies presented in the form propagate to the client browser. Defaults to cleared. |
Forms
The Forms page displays after you click Start Adding on the Forms Client-Initiated SSO properties page. The Form Properties tab opens.
In the Name field, specify the name of the form.
In the Form Identification field, specify how the HTML logon form is found in the HTML body of the logon page. You can select from the dropdown:
Form Parameters: Specifies that the form parameters, which have already been defined, are used to find the form.
Form Action: Specifies the value of the form's action attribute.
Form ID: Specifies the form ID that is used to identify the form.
Form Name: Specifies the specific form name.
Form Order: Specifies the relative order of the form on the logon page (starting from 1).
The Form Parameters fields are displayed when you click Start Creating. Fill in the fields below:
Name: Specifies the name of a form parameter.
Value: Specifies the value of the form parameter. This is usually the name of a session variable. The value can also be a literal string or a combination of strings and session variable names.
Note: If the session variable is not found when the SSO request is processed, the value of the corresponding POST parameter is empty, so verify the variable name before relying on it for a credential.
Secure: Specifies whether the parameter is secure. Defaults to No.
In the JavaScript Injection field, specify whether to use the default JavaScript that BIG-IP Next Access creates. Defaults to Auto. Other options are:
Extra: Specifies additional JavaScript to run at the end of the automatically generated JavaScript.
Note: Review the logon page source to determine whether any JavaScript functions are called on submit.
Custom: Specifies JavaScript to run in place of the automatically generated JavaScript.
Click Continue.
The Detection tab opens. In the Request Detection section, fill in the fields below:
In the Detection Method field, specify which element of the HTTP request is used to identify the application's request for the logon page: Cookie, Header, or URI. Defaults to URI.
In the Request Method field, specify whether the request method is GET or POST. Defaults to GET.
If the Request Negative field is enabled, the system detects the form that fails to match the criteria specified for Request Detection: it detects the form by the absence of the specified cookie or header, or by its failure to match the URIs.
If the Request Prefix field is enabled, the system matches on a partial string (prefix). If this option is disabled, the match must be verbatim. A short prefix such as / matches every request, so choose the most specific prefix the logon page allows.
In the Submission Detection section, select the details below:
Select the Detection Method from the dropdown. The default is Auto; other options are URI, Cookie, and Header.
Enable or disable the Request Prefix field.
Enable or disable the Request Negative field.
In the Logon Detection field, specify how BIG-IP Next Access detects whether the user was successfully authenticated by the server. Defaults to None. You can select one option:
None: No check is made for authentication success.
URL: Authentication success is checked by examining the redirect URL in the HTTP response. Multiple values can be specified for this option.
Cookie: Authentication success is checked by searching the response for the named cookie.
Headers
The Headers page displays after you click Start Adding on the Forms client-initiated SSO properties page.
The table below lists the fields for configuring headers for a Forms Client-Initiated SSO configuration:
Field | Description |
---|---|
Name | Specify the name of the header you are adding. |
Value | Specify the value for the header you are adding. |
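The following Python script is an added example (not F5 code) of the Form Identification and Form Parameters behaviour described in the Forms section above: it locates the logon form in a constructed HTML page by each identification method and resolves parameter values, including the empty value an unknown session variable produces. Only the name-attribute identification type appears in the API body on this page; the other type names, the %{session.*} reference syntax (taken from the OAuth example body), the masking of secure parameters, and the sample page are this example's assumptions.

```python
"""Added example (not F5 code): locate the logon form and resolve form parameters
for a Forms Client-Initiated SSO configuration."""
import re
from html.parser import HTMLParser


class FormCollector(HTMLParser):
    """Collect every <form> with its attributes and the names/values of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"attrs": attrs, "inputs": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and attrs.get("name"):
            self._current["inputs"][attrs["name"]] = attrs.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collect_forms(html):
    parser = FormCollector()
    parser.feed(html)
    return parser.forms


def identify_form(forms, identification, form_parameters=()):
    """Return the form selected by the Form Identification setting, or None if nothing matches."""
    kind, value = identification["type"], identification.get("value")
    if kind == "order":                       # Form Order: position on the page, starting at 1
        idx = int(value) - 1
        return forms[idx] if 0 <= idx < len(forms) else None
    if kind == "parameters":                  # Form Parameters: the form carrying every configured name
        wanted = {p["formParameterName"] for p in form_parameters}
        return next((f for f in forms if wanted <= set(f["inputs"])), None)
    attr_for = {"name-attribute": "name", "id-attribute": "id", "action-attribute": "action"}
    if kind not in attr_for:
        raise ValueError(f"unknown form identification type {kind!r}")
    return next((f for f in forms if f["attrs"].get(attr_for[kind]) == value), None)


_VAR = re.compile(r"%\{([^}]+)\}")   # %{session.x} reference inside a parameter value (assumed syntax)


def resolve_form_parameters(form_parameters, session):
    """Build the POST parameters. A value may be a literal, a session variable reference,
    or a mix; a variable that is not in the session resolves to "" (see the note above)."""
    resolved = {}
    for p in form_parameters:
        resolved[p["formParameterName"]] = _VAR.sub(
            lambda m: session.get(m.group(1), ""), p["formParameterValue"])
    return resolved


def loggable(form_parameters, resolved):
    """Mask parameters flagged Secure before anything is written to a log."""
    secure = {p["formParameterName"] for p in form_parameters if p.get("isSecure")}
    return {k: ("***" if k in secure else v) for k, v in resolved.items()}


# Constructed sample logon page: a search form first, the real logon form second.
LOGON_PAGE = """
<html><body>
<form name="search" action="/search"><input name="q"></form>
<form id="loginForm" name="login" action="/auth/logon" method="post">
  <input name="user"><input type="password" name="pass">
  <input type="hidden" name="csrf" value="t0k3n">
</form>
</body></html>
"""
# Constructed sample parameters, shaped like formParameters in the API body above.
FORM_PARAMETERS = [
    {"formParameterName": "user", "formParameterValue": "%{session.sso.token.last.username}", "isSecure": False},
    {"formParameterName": "pass", "formParameterValue": "%{session.sso.token.last.password}", "isSecure": True},
    {"formParameterName": "csrf", "formParameterValue": "%{session.custom.csrf}", "isSecure": False},
]
SESSION = {"session.sso.token.last.username": "alice", "session.sso.token.last.password": "s3cr3t"}
```

The csrf parameter references a variable the session does not contain, so it is sent empty; that is the failure the note above warns about, and it is easy to miss because the POST still goes out.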
Using the BIG-IP Next Central Manager API to create a policy¶
The following example creates a new BIG-IP Next Access policy using Forms Client-Initiated SSO in the BIG-IP Next Central Manager application programming interface (API).
Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.
Create the policy by sending a POST request to the /api/v1/spaces/default/security/access-policies endpoint:
POST https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies
For the API body, use the following, substituting values appropriate for the policy you want to create.
{ "description": "", "name": "sso_fci", "policy_type": "PerSession", "properties": [ { "configuration": { "policyType": "PerSession", "name": "sso_fci", "externalServers": [], "policy": { "objectContent": { "start": { "itemType": "deny", "name": "Deny", "caption": "Fallback" }, "endings": [ { "name": "Deny", "action": "deny", "color": "#D9647A", "default": true }, { "name": "Allow", "action": "allow", "color": "#199D4D", "default": false } ], "languages": [ "en" ], "defaultLanguage": "en" } }, "scope": "profile", "profileType": "all", "userIdentityMethod": "http", "connectivityAccessPolicyName": "sso_fci_cap", "timeout": 300, "inactivityTimeout": 900, "maxSessionTimeout": 604800, "maxConcurrentUsers": 0, "maxConcurrentSessions": 0, "maxInProgressSessions": 128, "minFailureDelay": 2, "maxFailureDelay": 5, "domainCookie": "", "secureCookie": false, "persistentCookie": false, "httpOnlyCookie": false, "restrictToSingleClientIP": false, "useHttp503OnError": false, "logoutUriTimeout": 5, "samesiteCookie": false, "samesiteCookieAttrValue": "strict", "ssos": [ { "ssoType": "ClientInitiatedFormBased", "name": "Forms-Client-Initiated-7f15d3fc", "headers": [ { "headerName": "fci123", "headerValue": "10" } ], "passthroughMode": true, "forms": [ { "name": "Form-3ac8fa4a", "formParameters": [ { "formParameterName": "fci123", "formParameterValue": "10", "isSecure": true } ], "formIdentification": { "type": "name-attribute", "value": "fci123" }, "javascriptInjection": { "type": "auto" }, "formRequestDetection": { "type": "uri", "requestMethod": "get", "requestValue": "/", "requestNegative": false, "requestPrefix": true }, "submitDetection": { "type": "auto" }, "loginDetection": { "type": "none" } } ] } ], "ssoReference": "Forms-Client-Initiated-7f15d3fc" }, "connectivityProfileConfiguration": { "compressBufferSize": 4096, "compressGzipLevel": 6, "compressGzipMemlevel": 8192, "compressGzipWindowsize": 16384, "compressCpusaver": true, "compressCpusaverHigh": 90, 
"compressCpusaverLow": 75, "compressionAdaptive": true, "compressionDeflateLevel": 1, "compressionCodecs": [], "pppTunnel": { "profilePpp": {} }, "clientPolicy": { "ecSaveServersOnExit": true, "ecReuseWinlogonSession": false, "ecReuseWinlogonCreds": false, "ecRunLogoffScript": false, "ecWarnBeforeScriptLaunch": true, "ecSavePasswordMethod": "none", "ecSavePasswordTimeout": 240, "ecComponentUpdate": "yes", "serverList": [], "ecLocationDnsList": [], "androidEcRequireDeviceAuth": false, "androidEcSavePasswordMethod": "disk", "androidEcSavePasswordTimeout": 240, "iosEcRequireDeviceAuth": false, "iosEcSavePasswordMethod": "disk", "iosEcSavePasswordTimeout": 240, "macosEcSavePasswordMethod": "disk", "macosEcSavePasswordTimeout": 240, "chromeosEcSavePasswordMethod": "disk", "chromeosEcSavePasswordTimeout": 240, "chromeosEcLogonMethod": "native", "macosEcLogonMethod": "native", "name": "sso_fci_cap_clientPolicy" }, "name": "sso_fci_cap", "policyType": "ConnectivityAccessPolicy" }, "loggingConfiguration": [ { "component": "apmd", "level": "NOTICE" }, { "component": "tmm", "level": "NOTICE" }, { "component": "websso", "level": "NOTICE" }, { "component": "renderer", "level": "NOTICE" } ] } ] }
HTTP Basic SSO¶
With the HTTP Basic SSO authentication method, BIG-IP Next Access uses the cached user identity and sends the request with an Authorization header in the Basic scheme. Basic credentials are only base64-encoded, not encrypted, so the connection from BIG-IP Next to the backend server must itself be protected (TLS or an equivalently secured path).
Using the BIG-IP Next Central Manager UI to create a policy¶
The following example creates a new BIG-IP Next Access policy using HTTP Basic SSO in the BIG-IP Next Central Manager user interface (UI).
Single Sign-On Properties
This page displays when you click Start Creating and then select HTTP Basic on the Single Sign-On tab of the Policy Properties page.
The table below lists the fields for configuring HTTP Basic SSO properties:
Field | Description |
---|---|
Name | Specify the name of the HTTP Basic SSO configuration. You can specify a name, or use the name that auto-generates when you begin editing this page. |
Username Source | Specify the source for retrieving the username cached for single sign-on. The default value is session.sso.token.last.username. |
Password Source | Specify the source for retrieving the password cached for single sign-on. The default value is session.sso.token.last.password. |
Username Conversion | Specify whether to convert the PREWIN2k/UPN username input format to the format you want to use for SSO. For example, convert domain\username or username@domain to username. |
Headers
The Headers page displays after you click Start Adding on the HTTP Basic SSO properties page.
The table below lists the fields for configuring headers for an HTTP Basic SSO configuration:
Field | Description |
---|---|
Name | Specify the name of the header you are adding. |
Value | Specify the value for the header you are adding. |
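The following Python snippet is an added example (not F5 code) of the Username Conversion option described above and of the Authorization header value it feeds. The regular expressions, and the choice to pass unrecognised input through unchanged, are this example's assumptions.

```python
"""Added example (not F5 code): HTTP Basic SSO username conversion and header construction."""
import base64
import re

_PREWIN2K = re.compile(r"^(?P<domain>[^\\@]+)\\(?P<user>[^\\@]+)$")   # DOMAIN\user
_UPN = re.compile(r"^(?P<user>[^\\@]+)@(?P<domain>[^\\@]+)$")          # user@domain


def convert_username(username, enabled=True):
    """With Username Conversion enabled, strip the domain from DOMAIN\\user or user@domain.
    Anything else (already bare, or an unexpected shape) is passed through unchanged."""
    if not enabled:
        return username
    for pattern in (_PREWIN2K, _UPN):
        match = pattern.match(username)
        if match:
            return match.group("user")
    return username


def basic_authorization(username, password, username_conversion=True):
    """Build the Authorization header value sent to the backend. Basic is an encoding,
    not encryption: the hop carrying this header must be TLS-protected."""
    user = convert_username(username, username_conversion)
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token
```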
Using the BIG-IP Next Central Manager API to create a policy¶
The following example creates a new BIG-IP Next Access policy using HTTP Basic SSO in the BIG-IP Next Central Manager application programming interface (API).
Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.
Create the policy by sending a POST request to the /api/v1/spaces/default/security/access-policies endpoint:
POST https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies
For the API body, use the following, substituting values appropriate for the policy you want to create.
{ "description": "", "name": "sso_basic", "policy_type": "PerSession", "properties": [ { "configuration": { "policyType": "PerSession", "name": "sso_basic", "externalServers": [], "policy": { "objectContent": { "start": { "itemType": "deny", "name": "Deny", "caption": "Fallback" }, "endings": [ { "name": "Deny", "action": "deny", "color": "#D9647A", "default": true }, { "name": "Allow", "action": "allow", "color": "#199D4D", "default": false } ], "languages": [ "en" ], "defaultLanguage": "en" } }, "scope": "profile", "profileType": "all", "userIdentityMethod": "http", "connectivityAccessPolicyName": "sso_basic_cap", "timeout": 300, "inactivityTimeout": 900, "maxSessionTimeout": 604800, "maxConcurrentUsers": 0, "maxConcurrentSessions": 0, "maxInProgressSessions": 128, "minFailureDelay": 2, "maxFailureDelay": 5, "domainCookie": "", "secureCookie": false, "persistentCookie": false, "httpOnlyCookie": false, "restrictToSingleClientIP": false, "useHttp503OnError": false, "logoutUriTimeout": 5, "samesiteCookie": false, "samesiteCookieAttrValue": "strict", "ssos": [ { "headers": [ { "headerName": "basic123", "headerValue": "10" } ], "usernameConversion": true, "passwordSource": "session.sso.token.last.password", "usernameSource": "session.sso.token.last.username", "name": "Http-Basic-SSO-b6953081", "ssoType": "HttpBasic" } ], "ssoReference": "Http-Basic-SSO-b6953081" }, "connectivityProfileConfiguration": { "compressBufferSize": 4096, "compressGzipLevel": 6, "compressGzipMemlevel": 8192, "compressGzipWindowsize": 16384, "compressCpusaver": true, "compressCpusaverHigh": 90, "compressCpusaverLow": 75, "compressionAdaptive": true, "compressionDeflateLevel": 1, "compressionCodecs": [], "pppTunnel": { "profilePpp": {} }, "clientPolicy": { "ecSaveServersOnExit": true, "ecReuseWinlogonSession": false, "ecReuseWinlogonCreds": false, "ecRunLogoffScript": false, "ecWarnBeforeScriptLaunch": true, "ecSavePasswordMethod": "none", "ecSavePasswordTimeout": 240, "ecComponentUpdate": 
"yes", "serverList": [], "ecLocationDnsList": [], "androidEcRequireDeviceAuth": false, "androidEcSavePasswordMethod": "disk", "androidEcSavePasswordTimeout": 240, "iosEcRequireDeviceAuth": false, "iosEcSavePasswordMethod": "disk", "iosEcSavePasswordTimeout": 240, "macosEcSavePasswordMethod": "disk", "macosEcSavePasswordTimeout": 240, "chromeosEcSavePasswordMethod": "disk", "chromeosEcSavePasswordTimeout": 240, "chromeosEcLogonMethod": "native", "macosEcLogonMethod": "native", "name": "sso_basic_cap_clientPolicy" }, "name": "sso_basic_cap", "policyType": "ConnectivityAccessPolicy" }, "loggingConfiguration": [ { "component": "apmd", "level": "NOTICE" }, { "component": "tmm", "level": "NOTICE" }, { "component": "websso", "level": "NOTICE" }, { "component": "renderer", "level": "NOTICE" } ] } ] }
Kerberos SSO¶
The Kerberos SSO method allows you to authenticate your users to backend applications using Kerberos Constrained Delegation (KCD): BIG-IP Next Access obtains a service ticket for the backend on the user's behalf through a delegation account, so the user's password is not forwarded to the application.
To configure Kerberos SSO, you must create a Kerberos AAA server and authentication objects.
Using the BIG-IP Next Central Manager UI to create a policy¶
The following example creates a new BIG-IP Next Access policy using Kerberos SSO in the BIG-IP Next Central Manager user interface (UI).
Kerberos AAA server
This page displays when you click Start Creating and then select Kerberos on the Single Sign-On tab of the Policy Properties page. The Kerberos AAA server specifies the objects for configuring a Kerberos authentication server; in the Access policy, you define its properties by selecting Kerberos SSO in the Single Sign-On section of the Policy Properties.
The table below lists the objects for configuring a Kerberos AAA server:
Field | Description |
---|---|
Name | Specify the name of the Kerberos configuration. You can specify a name, or use the name that auto-generates when you begin editing this page. |
Kerberos Realm | Specify the Kerberos auth realm name (administrative name). For example: testbed.lab.companynet.com. |
KDC | Specify the IP address or host name of the Kerberos Key Distribution Center (KDC) for the server realm (normally an Active Directory domain controller). If you use a host name, make sure you create a DNS resolver that can resolve it. |
Account Name | Specify the Active Directory account name configured for delegation. |
Account Password | Specify the password for the delegation account specified in the Account Name field. |
SPN Pattern | Use this field to specify how the Service Principal Name (SPN) for the servers is constructed. This property is optional. The default value is HTTP/%s@REALM, where %s is replaced by the server host name, which is discovered through a reverse DNS lookup of the server IP address. Backend servers therefore need working reverse (PTR) records. |
Ticket Lifetime | Specify the maximum ticket lifetime in minutes. Should not be set higher than the value configured for the Active Directory delegation account (which defaults to 600). The minimum valid value is 10. |
Send Authorization | Specify when to submit the Kerberos ticket to application servers. (The API example below uses always.) |
Username Source | Specify the username to cache for single sign-on. For SSO credential mapping, this property has a value of session.sso.token.last.username. |
User Realm Source | Specify the realm for the user. Defaults to a session variable. If the variable is set, it must contain the Kerberos realm for the user. If left empty or the variable does not exist, the user is assumed to be in the same Kerberos realm as the server. For example: session.logon.last.domain. |
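The following Python snippet is an added example (not F5 code) of how the SPN Pattern, Username Source, and User Realm Source fields above combine into the principal names used for delegation, and of the failure that appears when the server has no reverse DNS record. The lookup is injected so the example runs offline against a constructed PTR table; upper-casing the realm is this example's convention, not something the page states.

```python
"""Added example (not F5 code): principal names derived from the Kerberos SSO fields."""


def build_spn(spn_pattern, server_ip, server_realm, reverse_lookup):
    """Fill REALM with the server realm and %s with the host name found for server_ip.
    A server without a PTR record gets no SPN and therefore no ticket, which is a
    common reason a KCD SSO silently falls back to the application's own logon."""
    host = reverse_lookup(server_ip)
    if not host:
        raise LookupError(f"no PTR record for {server_ip}; add one before expecting SSO to work")
    return spn_pattern.replace("REALM", server_realm.upper()).replace("%s", host.rstrip("."))


def user_principal(username_source, user_realm_source, session, server_realm):
    """The user is placed in the realm named by User Realm Source; if that variable is
    empty or missing, the user is assumed to be in the server's realm."""
    user = session.get(username_source)
    if not user:
        raise ValueError(f"{username_source} is not set; there is no identity to delegate")
    realm = session.get(user_realm_source) if user_realm_source else None
    return f"{user}@{(realm or server_realm).upper()}"


# Constructed reverse-DNS data and session variables for the example.
PTR_TABLE = {"10.0.0.5": "app1.testbed.lab.companynet.com."}
SESSION = {
    "session.sso.token.last.username": "alice",
    "session.logon.last.domain": "corp.companynet.com",
}
```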
Using the BIG-IP Next Central Manager API to create a policy¶
The following example creates a new Access policy using Kerberos SSO in the BIG-IP Next Central Manager application programming interface (API).
Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.
Create the policy by sending a POST request to the /api/v1/spaces/default/security/access-policies endpoint:
POST https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies
For the API body, use the following, substituting values appropriate for the policy you want to create. Note that in this example kdc is an empty string and must be filled in with your KDC address or host name, and that accountPassword carries the delegation account's password in clear text: send this request only over a verified TLS connection and keep the body out of logs and version control.
{ "description": "", "name": "sso_kerberos", "policy_type": "PerSession", "properties": [ { "configuration": { "policyType": "PerSession", "name": "sso_kerberos", "externalServers": [], "policy": { "objectContent": { "start": { "itemType": "deny", "name": "Deny", "caption": "Fallback" }, "endings": [ { "name": "Deny", "action": "deny", "color": "#D9647A", "default": true }, { "name": "Allow", "action": "allow", "color": "#199D4D", "default": false } ], "languages": [ "en" ], "defaultLanguage": "en" } }, "scope": "profile", "profileType": "all", "userIdentityMethod": "http", "connectivityAccessPolicyName": "sso_kerberos_cap", "timeout": 300, "inactivityTimeout": 900, "maxSessionTimeout": 604800, "maxConcurrentUsers": 0, "maxConcurrentSessions": 0, "maxInProgressSessions": 128, "minFailureDelay": 2, "maxFailureDelay": 5, "domainCookie": "", "secureCookie": false, "persistentCookie": false, "httpOnlyCookie": false, "restrictToSingleClientIP": false, "useHttp503OnError": false, "logoutUriTimeout": 5, "samesiteCookie": false, "samesiteCookieAttrValue": "strict", "ssos": [ { "name": "Kerberos-SSO-18a1e304", "accountName": "kb123", "accountPassword": "kb1234", "domainSource": "session.logon.last.domain", "kdc": "", "realm": "testbed.lab.companynet.com", "sendAuthorization": "always", "spnPattern": "HTTP/%s@REALM", "ticketLifetime": 600, "usernameSource": "session.sso.token.last.username", "upn": true, "ssoType": "Kerberos" } ], "ssoReference": "Kerberos-SSO-18a1e304" }, "connectivityProfileConfiguration": { "compressBufferSize": 4096, "compressGzipLevel": 6, "compressGzipMemlevel": 8192, "compressGzipWindowsize": 16384, "compressCpusaver": true, "compressCpusaverHigh": 90, "compressCpusaverLow": 75, "compressionAdaptive": true, "compressionDeflateLevel": 1, "compressionCodecs": [], "pppTunnel": { "profilePpp": {} }, "clientPolicy": { "ecSaveServersOnExit": true, "ecReuseWinlogonSession": false, "ecReuseWinlogonCreds": false, "ecRunLogoffScript": false, 
"ecWarnBeforeScriptLaunch": true, "ecSavePasswordMethod": "none", "ecSavePasswordTimeout": 240, "ecComponentUpdate": "yes", "serverList": [], "ecLocationDnsList": [], "androidEcRequireDeviceAuth": false, "androidEcSavePasswordMethod": "disk", "androidEcSavePasswordTimeout": 240, "iosEcRequireDeviceAuth": false, "iosEcSavePasswordMethod": "disk", "iosEcSavePasswordTimeout": 240, "macosEcSavePasswordMethod": "disk", "macosEcSavePasswordTimeout": 240, "chromeosEcSavePasswordMethod": "disk", "chromeosEcSavePasswordTimeout": 240, "chromeosEcLogonMethod": "native", "macosEcLogonMethod": "native", "name": "sso_kerberos_cap_clientPolicy" }, "name": "sso_kerberos_cap", "policyType": "ConnectivityAccessPolicy" }, "loggingConfiguration": [ { "component": "apmd", "level": "NOTICE" }, { "component": "tmm", "level": "NOTICE" }, { "component": "websso", "level": "NOTICE" }, { "component": "renderer", "level": "NOTICE" } ] } ] }
OAuth Bearer SSO¶
With the OAuth Bearer SSO authentication method, BIG-IP Next Access uses bearer tokens to verify, authenticate, and grant access to protected resources. OAuth Bearer SSO provides the JSON Web Token (JWT) as a bearer token to the backend resource server that expects OAuth authorization to allow access. You can specify whether to send the token always or when you receive a 4xx response from the server.
Using the BIG-IP Next Central Manager UI to create a policy¶
The following example creates a new Access policy using OAuth Bearer SSO in the BIG-IP Next Central Manager user interface (UI).
Single Sign-On Properties
This page displays when you click Start Creating and then select OAuth Bearer on the Single Sign-On tab of the Policy Properties page.
The table below lists the fields for configuring OAuth Bearer SSO properties:
Field | Description |
---|---|
Name | Specify the name of the OAuth Bearer SSO configuration. You can specify a name, or use the name that auto-generates when you begin editing this page. |
Mode | Choose the mode based on the source you will use to obtain an access token: Passthrough, where the token was obtained from an OAuth server and is passed through, or Generate Token, where BIG-IP Next Access issues the JWT itself (ssoType OauthBearerGenerate in the API body below). |
Send Token | Specify when to send the OAuth Bearer token: always, or only after the server responds with a 400, 401, or 403 status (sendTokenAlways, sendTokenOn400, sendTokenOn401, and sendTokenOn403 in the API body below). |
Passthrough Mode: Configure the settings below.
Headers
The Headers page displays after you click Start Adding on the properties page.
The table below lists the fields for configuring headers for a Passthrough Mode configuration:
Field | Description |
---|---|
Name | Specify the name of the header you are adding. |
Value | Specify the value for the header you are adding. |
OAuth Server: Specifies the OAuth server that provided the token.
Generate Token Mode: Configure the below settings:
Field | Description |
---|---|
Headers | Header name-value pairs to send with the SSO method. |
Issuer | Specifies the issuer of the Token. |
Subject | Specifies what the token is intended for. |
Enable Token Cache | When selected, stores the token in cache for the session and reuses it; enabling the cache provides increased performance. |
Access Token Lifetime | Specifies the number of minutes a JWT access token is considered valid. Keep this short, since the resource server trusts the token until it expires. |
Ignore Expired Certificate Validation | When selected, the certificate is used for signing an access token even if it is expired. Leave this cleared outside test environments. |
Scope | Specifies one or more space-separated scope strings (using the ASCII character set) or session variables. |
Audience | Specifies the audience claim for which the JWT access token is intended. |
Claims | Specifies a list of claims that define additional information that you want to transmit as part of the JWT access token. |
JSON Web Keys | Specifies a JSON web key (JWK) configuration for signing the token. |
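The following Python script is an added example, not F5 code, of what the Generate Token mode settings above turn into: a JWT whose claims come from Issuer, Subject, Audience, Scope, Claims, and Access Token Lifetime, together with the Send Token and Enable Token Cache decisions and the check a resource server applies. The API body on this page signs with ES256 and an EC key configured under JSON Web Keys; this example substitutes HS256 (HMAC) from the standard library so it runs without extra packages. The claim layout is unaffected, only the signing primitive differs. The %{session.*} substitution follows the issuer and subject values in the API body; the shape of the claims setting and the sample values are assumptions.

```python
"""Added example (not F5 code): a Generate Token mode configuration rendered as a
JWT, plus the Send Token and Token Cache decisions. HS256 stands in for the
page's ES256 so the example runs on the standard library alone."""
import base64
import hashlib
import hmac
import json
import re
import time

_VAR = re.compile(r"%\{([^}]+)\}")   # %{session.x} references, as in the API body above


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _expand(value, session):
    return _VAR.sub(lambda m: session.get(m.group(1), ""), value)


def mint_bearer_token(cfg, session, secret, now=None):
    """Build the signed JWT: Issuer/Subject/Audience/Scope/Claims become claims and
    Access Token Lifetime (minutes) sets exp relative to iat."""
    now = int(time.time() if now is None else now)
    claims = {
        "iss": _expand(cfg["issuer"], session),
        "sub": _expand(cfg["subject"], session),
        "iat": now,
        "exp": now + 60 * int(cfg["jwtAccessTokenLifetime"]),
    }
    if cfg.get("audience"):
        claims["aud"] = list(cfg["audience"])
    if cfg.get("scope"):
        claims["scope"] = _expand(cfg["scope"], session)
    for name, value in cfg.get("claims", {}).items():
        claims[name] = _expand(value, session)
    header = {"alg": "HS256", "typ": "JWT", "kid": cfg["jwtKey"]["keyId"]}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_bearer_token(token, secret, now=None):
    """Resource-server side: constant-time signature check, then expiry.
    Returns the claims, or None when the token must be rejected."""
    now = int(time.time() if now is None else now)
    signing_input, _, signature = token.rpartition(".")
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), signature):
        return None
    payload = signing_input.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims.get("exp", 0) > now else None


def should_send_token(cfg, status=None):
    """Send Token: always, or only after the backend answered with a selected 4xx status."""
    if cfg.get("sendTokenAlways"):
        return True
    on_status = {400: "sendTokenOn400", 401: "sendTokenOn401", 403: "sendTokenOn403"}
    return bool(status in on_status and cfg.get(on_status[status]))


class TokenCache:
    """Enable Token Cache: reuse the session's token until it expires instead of re-signing."""

    def __init__(self):
        self._store = {}

    def get(self, session_id, now):
        entry = self._store.get(session_id)
        return entry[0] if entry and entry[1] > now else None

    def put(self, session_id, token, exp):
        self._store[session_id] = (token, exp)


# Constructed sample shaped like the API body above (the claims entry is this example's shape).
OAUTH_CFG = {
    "issuer": "%{session.network.name}", "subject": "%{session.assigned.uuid}",
    "jwtAccessTokenLifetime": 5, "scope": "read write", "audience": ["api.example.test"],
    "claims": {"email": "%{session.logon.last.username}@example.test"},
    "sendTokenAlways": False, "sendTokenOn400": False, "sendTokenOn401": True, "sendTokenOn403": True,
    "jwtKey": {"keyId": "ddf17074b5a98b04"},
}
SESSION = {"session.network.name": "vpn.example.test", "session.assigned.uuid": "a1b2c3",
           "session.logon.last.username": "alice"}
SECRET = b"constructed-demo-secret"   # stands in for the EC private key under JSON Web Keys
```

The verifier checks the signature before it reads any claim, and it rejects a token whose audience it was not minted for only if the resource server compares aud against its own identifier; leaving Audience empty removes that check.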
Using the BIG-IP Next Central Manager API to create a policy¶
The following example creates a new Access policy using OAuth Bearer SSO in the BIG-IP Next Central Manager application programming interface (API).
Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.
Create the policy by sending a POST request to the /api/v1/spaces/default/security/access-policies endpoint:
POST https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies
For the API body, use the following, substituting values appropriate for the policy you want to create.
{ "description": "", "name": "sso_oauth", "policy_type": "PerSession", "properties": [ { "configuration": { "policyType": "PerSession", "name": "sso_oauth", "externalServers": [], "policy": { "objectContent": { "start": { "itemType": "deny", "name": "Deny", "caption": "Fallback" }, "endings": [ { "name": "Deny", "action": "deny", "color": "#D9647A", "default": true }, { "name": "Allow", "action": "allow", "color": "#199D4D", "default": false } ], "languages": [ "en" ], "defaultLanguage": "en" } }, "scope": "profile", "profileType": "all", "userIdentityMethod": "http", "connectivityAccessPolicyName": "sso_oauth_cap", "timeout": 300, "inactivityTimeout": 900, "maxSessionTimeout": 604800, "maxConcurrentUsers": 0, "maxConcurrentSessions": 0, "maxInProgressSessions": 128, "minFailureDelay": 2, "maxFailureDelay": 5, "domainCookie": "", "secureCookie": false, "persistentCookie": false, "httpOnlyCookie": false, "restrictToSingleClientIP": false, "useHttp503OnError": false, "logoutUriTimeout": 5, "samesiteCookie": false, "samesiteCookieAttrValue": "strict", "ssos": [ { "enableTokenCache": true, "ignoreExpiredCert": false, "issuer": "%{session.network.name}", "jwtAccessTokenLifetime": 5, "name": "OAuth_bearer", "scope": "", "sendTokenAlways": true, "sendTokenOn400": true, "sendTokenOn401": true, "sendTokenOn403": true, "ssoType": "OauthBearerGenerate", "subject": "%{session.assigned.uuid}", "headers": [ { "headerName": "oauth123", "headerValue": "12" } ], "jwtKey": { "keyType": "elliptic-curve", "keyId": "ddf17074b5a98b04", "algType": "ES256", "cert": "g1.crt", "certKey": "g1.pem" }, "audience": [] } ], "ssoReference": "OAuth_bearer" }, "connectivityProfileConfiguration": { "compressBufferSize": 4096, "compressGzipLevel": 6, "compressGzipMemlevel": 8192, "compressGzipWindowsize": 16384, "compressCpusaver": true, "compressCpusaverHigh": 90, "compressCpusaverLow": 75, "compressionAdaptive": true, "compressionDeflateLevel": 1, "compressionCodecs": [], "pppTunnel": { 
"profilePpp": {} }, "clientPolicy": { "ecSaveServersOnExit": true, "ecReuseWinlogonSession": false, "ecReuseWinlogonCreds": false, "ecRunLogoffScript": false, "ecWarnBeforeScriptLaunch": true, "ecSavePasswordMethod": "none", "ecSavePasswordTimeout": 240, "ecComponentUpdate": "yes", "serverList": [], "ecLocationDnsList": [], "androidEcRequireDeviceAuth": false, "androidEcSavePasswordMethod": "disk", "androidEcSavePasswordTimeout": 240, "iosEcRequireDeviceAuth": false, "iosEcSavePasswordMethod": "disk", "iosEcSavePasswordTimeout": 240, "macosEcSavePasswordMethod": "disk", "macosEcSavePasswordTimeout": 240, "chromeosEcSavePasswordMethod": "disk", "chromeosEcSavePasswordTimeout": 240, "chromeosEcLogonMethod": "native", "macosEcLogonMethod": "native", "name": "sso_oauth_cap_clientPolicy" }, "name": "sso_oauth_cap", "policyType": "ConnectivityAccessPolicy" }, "loggingConfiguration": [ { "component": "apmd", "level": "NOTICE" }, { "component": "tmm", "level": "NOTICE" }, { "component": "websso", "level": "NOTICE" }, { "component": "renderer", "level": "NOTICE" } ] } ] }
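The five API examples on this page (Forms, Forms Client-Initiated, HTTP Basic, Kerberos, and OAuth Bearer) share one body layout. The following Python script is an added example, not F5 code: it lints a policy body for the settings a security review would question, hardens the session-cookie flags, and posts the result to the access-policies endpoint. The field names come from the bodies above; the thresholds, the findings, the Bearer header used toward Central Manager (obtaining the token itself is covered in the separate authentication how-to), and the trimmed sample body are this example's assumptions.

```python
"""Added example (not F5 code): pre-flight lint and POST for an access-policy body."""
import json
import ssl
import urllib.request

ACCESS_POLICIES_PATH = "/api/v1/spaces/default/security/access-policies"


def lint_access_policy(body):
    """Return the findings a security review would raise; an empty list means the body passed."""
    findings = []
    cfg = body["properties"][0]["configuration"]

    # Session cookie protections: every example body on this page leaves them false.
    for flag in ("secureCookie", "httpOnlyCookie", "samesiteCookie"):
        if not cfg.get(flag):
            findings.append(f"{flag} is false; enable it so the access session cookie is not "
                            "sent over plain HTTP, exposed to page script, or attached cross-site")
    if cfg.get("restrictToSingleClientIP") is False:
        findings.append("restrictToSingleClientIP is false; a stolen session cookie works from "
                        "any address (enable unless clients legitimately change address)")

    # The policy must reference one of the SSO objects it defines.
    names = [s["name"] for s in cfg.get("ssos", [])]
    if cfg.get("ssoReference") not in names:
        findings.append(f"ssoReference {cfg.get('ssoReference')!r} matches no ssos entry {names}")

    for sso in cfg.get("ssos", []):
        label, kind = sso.get("name"), sso.get("ssoType")
        if kind == "FormBased":
            if sso.get("formMethod", "post").lower() == "get":
                findings.append(f"{label}: formMethod get puts the password in the query string")
            if not sso.get("startUris"):
                findings.append(f"{label}: no startUris, so the form POST never fires")
        elif kind == "Kerberos":
            if not sso.get("kdc"):
                findings.append(f"{label}: kdc is empty; set the KDC address or host name")
            if not sso.get("accountPassword"):
                findings.append(f"{label}: accountPassword is empty")
            life = sso.get("ticketLifetime", 600)
            if not 10 <= life <= 600:  # limits stated in the Kerberos table above
                findings.append(f"{label}: ticketLifetime {life} is outside 10..600 minutes")
            if "%s" not in sso.get("spnPattern", "HTTP/%s@REALM"):
                findings.append(f"{label}: spnPattern has no %s placeholder for the server host")
        elif kind == "OauthBearerGenerate":
            if sso.get("ignoreExpiredCert"):
                findings.append(f"{label}: ignoreExpiredCert signs tokens with an expired certificate")
            if not sso.get("audience"):
                findings.append(f"{label}: no audience; any resource server would accept the token")
    return findings


def harden(body):
    """Return a copy with the session-cookie protections switched on; other findings need a human."""
    fixed = json.loads(json.dumps(body))
    fixed["properties"][0]["configuration"].update(
        secureCookie=True, httpOnlyCookie=True, samesiteCookie=True, restrictToSingleClientIP=True)
    return fixed


def create_access_policy(cm_host, token, body, ca_bundle=None):
    """POST the body to Central Manager. Refuses bodies with lint findings and keeps TLS
    verification on: pass the Central Manager CA bundle instead of disabling checks.
    The Bearer header is an assumption of this example; obtain the token as described
    in the authentication how-to referenced above."""
    findings = lint_access_policy(body)
    if findings:
        raise ValueError("policy failed pre-flight:\n  " + "\n  ".join(findings))
    req = urllib.request.Request(
        f"https://{cm_host}{ACCESS_POLICIES_PATH}",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


# Constructed sample: the Kerberos body above trimmed to the fields the checks read.
SAMPLE_BODY = {
    "name": "sso_kerberos", "policy_type": "PerSession",
    "properties": [{"configuration": {
        "name": "sso_kerberos", "policyType": "PerSession",
        "secureCookie": False, "httpOnlyCookie": False, "samesiteCookie": False,
        "restrictToSingleClientIP": False,
        "ssos": [{"ssoType": "Kerberos", "name": "Kerberos-SSO-18a1e304",
                  "accountName": "kb123", "accountPassword": "kb1234", "kdc": "",
                  "realm": "testbed.lab.companynet.com", "spnPattern": "HTTP/%s@REALM",
                  "ticketLifetime": 600}],
        "ssoReference": "Kerberos-SSO-18a1e304",
    }}],
}
```

Run the lint against the full bodies above before posting them: each one reports the three cookie flags and restrictToSingleClientIP, and the Kerberos body additionally reports the empty kdc.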