F5 Rethink - F5 Company Default - CONFIDENTIAL

F5 APM &
SECURITY ASSERTION MARKUP LANGUAGE
‘SAM-EL’
Lloyd Webb
07889 641911
Enable Simplified Application Access
with BIG-IP Access Policy Manager (APM)
BIG-IP Access Policy Manager (APM)
Unified Access and Control for BIG-IP
BIG-IP® APM ROI Benefits:
• Consolidates auth. infrastructure
• Reduces AAA management costs
• Simplifies remote, web and
application access control
BIG-IP® APM Features:
• Centralizes single sign-on and access control services
• Full proxy L4 – L7 access control at BIG-IP speeds
• Adds endpoint inspection to the access policy
• Visual Policy Editor (VPE) provides policy-based access control
• VPE Rules – programmatic interface for custom access policies
*AAA = Authentication, Authorization and Accounting (or Auditing)
What is the problem?
• Users authenticate to their enterprise, but more and more of the
resources they use are hosted elsewhere
• How do we keep control of those credentials, the access policies and
their lifecycle when the application itself is not ours?
What is SAML?
• Security Assertion Markup Language
• Mature standard; the current version, 2.0, was ratified in March 2005
• Strong commercial and open source support
• Definition: “an XML-based open standard data format for exchanging
authentication and authorization data between parties, in particular,
between an identity provider (IdP) and a service provider (SP).”
What is SAML? Now in English
• It’s ‘Internet/Web’ SSO
• Eliminates the need for multiple passwords and multiple password
databases in multiple locations
• Enables the enterprise to run in the ‘Cloud’ while the identity stays at home
What is SAML – Components
• A ‘SAML Assertion’ is a signed XML token (not a browser cookie) used to
communicate the successful authentication of a user, plus attributes
(claims) about that user
• Uses X.509 certificates (the same kind used for SSL/TLS) to:
  • Sign the Assertion, so the SP can check it came from the IdP unaltered
  • Optionally encrypt the Assertion, so only the intended SP can read it
• An authentication database is still required:
LDAP/AD/RADIUS/two-factor etc. SAML moves where authentication is
asserted, not the authentication itself
What is SAML – Components
• SAML IdP (Identity Provider)
  • The device that authenticates the user (against the authentication database)
  • The device that creates, signs, optionally encrypts and inserts the
Assertion into the SAML Response
  • The device that sends the user, with the Assertion, to the Assertion
Consumer Service (ACS) of the SP that fronts the target application
[Diagram: User ↔ IdP ↔ Authentication Database]
What is SAML – Components
• SAML SP (Service Provider)
  • The device that redirects an unauthenticated user’s request to the
IdP for authentication
  • The device that consumes the Assertion and validates it (signature,
issuer, audience, validity window)
  • The device that then passes the authenticated user on to the
application (APM does not need a redirect here, as it is the proxy in
front of the app)
[Diagram: User ↔ SP ↔ Application]
What is SAML – Trust
• SAML SP and IdP
  • Trust relationships are built using certificates: each side is
configured with the other’s signing certificate (normally exchanged as
SAML metadata), so a signature from anyone else is rejected
[Diagram: SP ↔ IdP, Trust Relationship]
Who uses SAML?
• SaaS Providers
  • E.g. Google, Salesforce, Office 365
• Public Sector
  • Universities/Schools
• Enterprises that want to host apps with a cloud provider but want to
keep their user account database internal!
APM as IDP
[Diagram: user ↔ IdP (APM) ↔ Auth server; (1) assertion issued, (2) assertion presented to SP]
1. APM is used to create an assertion, either up front (IdP initiated) or
after the user tries to access a protected resource without the required
assertion (SP initiated)
2. The user now presents the assertion to the SP, where it is validated and
access is provided
APM as IDP – IDP initiated
• When the user goes directly to the IdP (APM) to authenticate:
  • A logon page will normally be presented
  • And a webtop displayed
• The webtop will have one or more SAML resources
• This allows the user to select the resource on a given SP
APM as IDP - IDP initiated
[Diagram: (1) user → IdP (APM), (2) IdP ↔ Auth server, (3) user → SP]
1. The user first visits APM. Since no session exists, the access policy runs.
2. The access policy authenticates the user and presents a webtop with
SAML resources.
3. Once a resource is selected, an assertion is created and the user is
redirected, carrying the assertion, to the Assertion Consumer Service
(ACS) on the SP.
APM as IDP - SP initiated
• The user goes to the SP first
• Tries to access a resource that is protected
• The SP sends an authentication request to the IdP to authenticate the user
• And then has them redirected back with an assertion
APM as IDP - SP initiated
[Diagram: (1) user → SP, (2) SP redirects user to IdP (APM), (3)(4) IdP ↔ Auth server, (5) user → SP with assertion]
1. The user first visits the SP and tries to access a protected resource.
2. The SP redirects the user, carrying a SAML authentication request
(AuthnRequest), to the APM single sign-on URL (a well-known path on the
APM virtual server).
3. The access policy takes the SAML AuthnRequest and validates it.
4. Using the entity ID in the request’s Issuer, APM finds the matching SAML
SP configuration and creates an assertion for that SP.
5. The user is redirected to the ACS on the SP with the assertion.
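The request half of this exchange (steps 2 to 4 above, and the same AuthnRequest APM itself sends in step 3 when it is the SP), as an added example written for this page rather than F5 code or configuration. The SP builds an AuthnRequest and sends it with the HTTP-Redirect binding (DEFLATE, base64, URL-encode); the IdP side decodes it, checks the Destination, and looks up the SP by the Issuer entity ID, refusing an AssertionConsumerServiceURL that does not match the registered one so an attacker cannot have the assertion posted elsewhere. Entity IDs, URLs and the connector table are assumptions.

```python
"""SP-initiated SAML 2.0: AuthnRequest over the HTTP-Redirect binding, and the
IdP's decoding/lookup of it.  Added example, standard library only; not F5 code."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical deployment values (assumptions, not taken from the slides).
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://apm.example.com/saml/idp/sso"   # the "well-known path" on the IdP

# IdP side: registered SP connectors keyed by entity ID (what step 4 looks up).
SP_CONNECTORS = {SP_ENTITY_ID: {"acs": SP_ACS_URL}}


def build_authn_request(request_id=None, issue_instant=None):
    """SP step: build the <samlp:AuthnRequest>.  Returns (xml_bytes, request_id);
    the SP must remember request_id to check InResponseTo on the response."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", NS_P)
    ET.register_namespace("saml", NS_A)
    req = ET.Element(f"{{{NS_P}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="utf-8"), request_id


def redirect_binding_url(authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header) -> base64 -> query string."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15 selects raw DEFLATE
    deflated = deflater.compress(authn_request_xml) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state      # opaque: where to send the user afterwards
    return IDP_SSO_URL + "?" + urlencode(params)


def idp_parse_redirect(url):
    """IdP steps 3-4: decode and validate the request, then find the SP by its
    Issuer entity ID.  Returns (request_id, acs_url) the IdP should respond to."""
    qs = parse_qs(urlparse(url).query)
    xml_bytes = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS_P}}}AuthnRequest" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    dest = root.get("Destination")
    if dest is not None and dest != IDP_SSO_URL:
        raise ValueError(f"Destination {dest!r} is not this IdP's SSO URL")
    issuer = root.findtext(f"{{{NS_A}}}Issuer")
    connector = SP_CONNECTORS.get(issuer)
    if connector is None:
        raise ValueError(f"unknown SP entity ID {issuer!r}")
    # The ACS in the request is attacker-controllable; only honour it if it matches
    # the ACS registered for that SP, otherwise the assertion could be sent anywhere.
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs != connector["acs"]:
        raise ValueError(f"ACS {acs!r} does not match the registered ACS for {issuer!r}")
    return root.get("ID"), connector["acs"]


if __name__ == "__main__":
    xml, rid = build_authn_request()
    url = redirect_binding_url(xml, relay_state="/protected/app")
    print(url)
    print(idp_parse_redirect(url))
```

The IdP never redirects based on the URL in the request alone; the registered connector wins. The request ID returned here is what the IdP copies into the response's InResponseTo, which the SP checks when it consumes the assertion.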
APM as SP Introduction
• A user authenticates to a SAML IdP (here an external IdP; APM is the SP)
• They then access a resource behind APM
• They do not need to authenticate again:
• APM consumes the SAML assertion (the claims) and validates its trustworthiness
• This is what allows the user to access the resource
APM as SP - SP initiated
• When the user directly accesses an SP (APM) resource
• The user is directed to the IdP to authenticate
• And comes back with an assertion
APM as SP - SP initiated
[Diagram: (1) User → SP (APM), (2) access policy runs, (3) SP → IdP, (4) IdP → User → APM ACS, (5) SP → Server]
1. The SP (APM) is contacted to access a resource.
2. Since no session exists, the access policy runs.
3. The access policy will typically send a SAML AuthnRequest to the IdP
(by redirecting the user’s browser there).
4. The IdP authenticates the user and redirects the user back to the APM
ACS with the assertion.
5. APM validates the assertion and parses it, populating session variables
from fields in the assertion. The access policy can then grant access to
the resource (typically via a pool).
APM as SP - IDP initiated
• When the user directly accesses an IdP resource
• The user is redirected back to APM with an assertion
• In this case APM just consumes the assertion
APM as SP - IDP initiated
[Diagram: (1) user → IdP, (2) user → SP (APM) with assertion, (3) SP → server]
1. The IdP is contacted up front for authentication.
   a) The user is authenticated and redirected to the ACS on the SP with
the assertion.
2. APM receives the assertion, validates it and parses it.
3. Access is now provided.
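What “validate the assertion and parse it” has to cover, for step 5 of the SP-initiated flow and step 2 of the IdP-initiated flow, as an added example written for this page and not APM’s own implementation. Cryptographic verification of the XML signature is assumed to be done by an XML-DSig library before this code runs; the code then checks that the signature actually covers the assertion being consumed (signature-wrapping defence), that Issuer, Destination, Status, Audience and the bearer Recipient match this SP, that InResponseTo ties the response to an outstanding request (unsolicited responses are only accepted when IdP-initiated SSO is explicitly allowed), that the validity window holds within a small clock skew, and that the assertion ID has not been seen before. It then maps NameID and attributes into session variables. The entity IDs, URLs, sample response, timestamps and variable names are all constructed.

```python
"""SP side of SAML 2.0: consume a Response posted to the ACS and turn the
assertion into session variables.  Added example, standard library only; not F5 code."""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP (APM) configuration: assumptions, not values from the slides.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://apm.example.com/saml/idp"
CLOCK_SKEW = timedelta(minutes=3)      # tolerate small IdP/SP clock drift, nothing more


def _utc(s):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    return datetime.strptime(s.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def consume_response(saml_response_b64, outstanding_request_ids, seen_assertion_ids,
                     now=None, allow_unsolicited=False):
    """Validate the assertion's content and return a dict of session variables;
    raise ValueError on any failed check.  Verification of ds:SignatureValue is
    assumed to have been done by an XML-DSig library already (assumption)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))   # HTTP-POST binding: base64 only
    if root.tag != f"{{{NS_P}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not this SP's ACS")
    irt = root.get("InResponseTo")
    if irt is None:                         # IdP-initiated responses carry no InResponseTo
        if not allow_unsolicited:
            raise ValueError("unsolicited response not allowed")
    elif irt not in outstanding_request_ids:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    code = root.find(f"{{{NS_P}}}Status/{{{NS_P}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertions = root.findall(f"{{{NS_A}}}Assertion")
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    aid = a.get("ID", "")
    if a.findtext(f"{{{NS_A}}}Issuer") != IDP_ENTITY_ID:
        raise ValueError("assertion not issued by the trusted IdP")
    # The signature must exist and its Reference must point at THIS assertion's ID;
    # a signed decoy elsewhere in the document (signature wrapping) is not enough.
    ref = a.find(f"{{{NS_DS}}}Signature/{{{NS_DS}}}SignedInfo/{{{NS_DS}}}Reference")
    if ref is None or ref.get("URI") != "#" + aid:
        raise ValueError("assertion unsigned, or the signature covers a different element")
    cond = a.find(f"{{{NS_A}}}Conditions")
    if cond is None:
        raise ValueError("assertion has no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < _utc(nb) - CLOCK_SKEW:
        raise ValueError("assertion not yet valid")
    if noa and now >= _utc(noa) + CLOCK_SKEW:
        raise ValueError("assertion expired")
    audiences = [e.text for e in cond.findall(f"{{{NS_A}}}AudienceRestriction/{{{NS_A}}}Audience")]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("this SP is not in the AudienceRestriction")
    scd = a.find(f"{{{NS_A}}}Subject/{{{NS_A}}}SubjectConfirmation/{{{NS_A}}}SubjectConfirmationData")
    if scd is not None:
        if scd.get("Recipient") not in (None, SP_ACS_URL):
            raise ValueError("SubjectConfirmationData Recipient is not our ACS")
        if scd.get("InResponseTo") not in (None, irt):
            raise ValueError("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now >= _utc(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
            raise ValueError("bearer confirmation expired")
    if aid in seen_assertion_ids:
        raise ValueError("assertion ID already consumed (replay)")
    seen_assertion_ids.add(aid)
    # Populate session variables (names are this example's own, not APM's).
    session = {"saml.nameid": a.findtext(f"{{{NS_A}}}Subject/{{{NS_A}}}NameID")}
    for attr in a.findall(f"{{{NS_A}}}AttributeStatement/{{{NS_A}}}Attribute"):
        session["saml.attr." + attr.get("Name")] = [v.text for v in attr.findall(f"{{{NS_A}}}AttributeValue")]
    return session


# Constructed sample response as the IdP would POST it to the ACS; valid around 2024-01-01T12:00Z.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" xmlns:ds="{NS_DS}"
 ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{SP_ACS_URL}" InResponseTo="_req42">
 <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
   <ds:SignatureValue>placeholder-checked-by-xmldsig-library</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="_req42" NotOnOrAfter="2024-01-01T12:05:00Z"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="memberOf">
   <saml:AttributeValue>vpn-users</saml:AttributeValue><saml:AttributeValue>finance</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
# The same response as an IdP-initiated (unsolicited) one: no InResponseTo anywhere.
UNSOLICITED_B64 = base64.b64encode(SAMPLE_RESPONSE.replace(' InResponseTo="_req42"', "").encode()).decode()
T_VALID = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)    # inside the validity window
T_LATE = datetime(2024, 1, 1, 12, 10, tzinfo=timezone.utc)    # past NotOnOrAfter plus skew
```

The replay set and the outstanding-request set are the two pieces of state an SP must keep across requests; in a clustered deployment they have to be shared, or an attacker can replay a captured assertion against a different node. Leaving `allow_unsolicited` off unless IdP-initiated SSO is genuinely needed removes the weakest path, since an unsolicited response cannot be tied to anything the SP asked for.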