Forum Discussion

kuldeep_Jakhar_
Apr 30, 2013

BIG IP APM as reverse proxy

Hi,

I want to publish our mobile application on Internet through BIG-IP APM as reverse proxy.

The application uses the OpenID authentication mechanism (Google and Yahoo) for authentication purposes and runs on a JBoss architecture.

After the home page of the application, it sends a request to Google/Yahoo for authentication purposes and then, after validation, it allows the user to browse the application.

Please guide how to implement/configure the same in BIG-IP APM.

3 Replies

  • Are you asking how to implement OpenID in a proxied architecture, or how to federate identity, in general, with APM? As of 11.3, APM now supports full SAML 2.0 (IdP and SP) services but does not currently support native OpenID. These authentication methods, OpenID/OAuth and SAML, all rely on HTTP as a transport, so you can still provide access to your applications behind LTM/APM without really changing the way your authentication functions.
  • We need to implement OpenID in a proxy architecture. I am not sure how to federate the identity with APM, since if we integrate the identity with APM, we have to check with the application part also. How will the application handle the authentication forwarded by APM?

    Secondly, as I am not aware of SAML, can you please elaborate on the same? How can this feature be used for our requirement?
  • I'll start with some references to SAML as a protocol and APM as a SAML service:

    http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

    http://www.f5.com/pdf/white-papers/apm-saml-solution-whitepaper.pdf

    http://www.f5.com/featured/video/inside-look-saml/

    http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0.html

    In a nutshell though, SAML is a form of federated authentication, sort of similar to OpenID, that involves an Identity Provider (IdP or PDP), a Service Provider (SP or PEP), a client, and a series of redirect and/or POST messages to get the client to authenticate at the Identity Provider, which then sends an "assertion" to the Service Provider to guarantee proper authentication. BIG-IP APM 11.3 can provide both the IdP and SP roles (either or both) on the same platform, across platforms, and with other SAML 2.0 (SP or IdP) vendors (Google, MS ADFS, etc.).

    As to your requirement, I really see two options:

    1. Switch to SAML 2.0. Google supports it natively (though I don't know if Yahoo does) and BIG-IP APM 11.3 can be a full (SAML) authentication proxy.

    2. Code it. APM doesn't currently support OpenID or OAuth as a proxied authentication service, though there's nothing preventing you from load balancing the JBoss environment with the RP agents installed there. And since it's all HTTP, you could conceivably pull values from the OID messaging to feed to an APM access session.
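Option 2 in the reply above ("pull values from the OID messaging") is only safe if the proxy verifies the assertion before any value reaches an access session. The following Python is an added example, not code from this thread or from any F5 product: it parses an OpenID 2.0 positive assertion from the return_to query string and checks its HMAC-SHA1 signature against an association key; `ASSOC_MAC_KEY`, `EXPECTED_RETURN_TO` and the sample response are constructed assumptions, and the identity it returns is the one value a proxy could then hand to the session.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample values (assumptions, not from the thread): the MAC key of a
# hypothetical OpenID 2.0 association and the return_to URL registered for the app.
ASSOC_MAC_KEY = b"\x01" * 20          # 20-byte key for HMAC-SHA1 associations
EXPECTED_RETURN_TO = "https://app.example.com/openid/return"
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

def signed_message(params, signed_fields):
    # OpenID 2.0 section 6.1: one "key:value\n" line per signed field, in the
    # order listed in openid.signed, with keys stripped of the "openid." prefix.
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_fields).encode()

def verify_assertion(query, mac_key=ASSOC_MAC_KEY, return_to=EXPECTED_RETURN_TO):
    """Parse an OpenID 2.0 positive assertion (id_res) from a return_to query
    string and return the asserted identity, or None if it must not be trusted."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if params.get("openid.mode") != "id_res":
        return None
    signed_fields = params.get("openid.signed", "").split(",")
    # Only fields covered by the signature may feed an access session.
    if not REQUIRED_SIGNED.issubset(signed_fields):
        return None
    if params.get("openid.return_to") != return_to:
        return None
    try:
        msg = signed_message(params, signed_fields)
    except KeyError:              # openid.signed names a field that is absent
        return None
    expected = base64.b64encode(hmac.new(mac_key, msg, hashlib.sha1).digest())
    if not hmac.compare_digest(expected, params.get("openid.sig", "").encode()):
        return None
    return params["openid.identity"]

def build_sample_response(mac_key=ASSOC_MAC_KEY, identity="https://op.example.net/id/alice"):
    """Constructed id_res response, signed with the sample key, for exercising the check."""
    fields = {"op_endpoint": "https://op.example.net/openid", "return_to": EXPECTED_RETURN_TO,
              "response_nonce": "2013-04-30T10:00:00Zabc123", "assoc_handle": "sample-handle",
              "claimed_id": identity, "identity": identity}
    params = {"openid." + k: v for k, v in fields.items()}
    params.update({"openid.ns": "http://specs.openid.net/auth/2.0",
                   "openid.mode": "id_res", "openid.signed": ",".join(fields)})
    sig = hmac.new(mac_key, signed_message(params, list(fields)), hashlib.sha1).digest()
    params["openid.sig"] = base64.b64encode(sig).decode()
    return urlencode(params)
```

Without a stored association, the same verification is done by sending the response back to the provider in a check_authentication request instead; either way, nothing from the response should reach the session before the check passes.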