F5 newbie - trying to work things out - help :)
Hi
My current PoC (first stages, main bit):
Web site https://demo.XYZ.com
With these url test
• /testsso/unprotected - No protection - just to check the SSO - there is no need for a SSO token and no security requirements needed
• /testsso/validsso - must be signed into the SSO - so no specific group membership just have a valid token
• /testsso/validgroup - must be signed in and be in the right group. Test with nested groups. user → groupA and groupA is member of GroupZ, allow groupZ access.
• /testsso/validip - must be member of group testIP and must also only be allowed from specific ip
• /testsso/mfasms - must be member of groupSMS and must pass the sms MFA
• /testsso/mfatotp - must be member of groupSMS and must pass the totp MFA (google auth)
• /testsso/mfacertificate - must be member of groupSMS and must pass the cert mfa - can we force the user to have a valid debts client cert
• /testsso/status - dump current status about sso and session token
• /testsso/logout - be able to log out of the sso - all token must be made invalid
So my test steps are open browser and go to
This is without any security
https://demo.XYZ.com this opens a menu page with the above URLs as links
https://demo.XYZ.com/testsso/unprotected - no security
https://demo.XYZ.com/testsso/validsso - have a valid SSO / Auth token … My presumption is that the F5 will redirect to the login page and make the user log in
https://demo.XYZ.com/testsso/validgroup - be a member of a valid group … my presumption is that I have a SSO token from above and this will just test membership.
And the rest of the uri above in order with the specific tests
So I understand I need a different VS for each of the above
So I have a main VS with no resource pool
I use a policy to forward requests based on uri to specific VS
These VS have access profiles associated to them and I have attached them to a specific SSO multi-domain (look at the techdocs link below)
also have a vs which is the default which has no access profile
Looking at this https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/25.html , this seems to be the article to tie the above together.
From my reading with an SSO component and because each of the above are separate VS and separate ASM, I would have to log into each separately.
This section “Configuring an access policy for SSO multi-domain support” talks about solving that
The problem with this doc is it's for version 11. I found a v15 version, basically the same.
Part of this I am going to set a new url https://auth.XYZ.com I am going to use this as my login / logout hostname for the SSO.
I believe I need to set this up as a new VP and attach my SSO there
So my testing would be
https://demo.XYZ.com this opens a menu page with the above URLs as links
https://demo.XYZ.com/testsso/unprotected - no security
https://demo.XYZ.com/testsso/validsso - have a valid SSO / Auth token … F5 will send me to https://auth.XYZ.com to login and once complete sends them back to https://demo.XYZ.com/testsso/validsso
https://demo.XYZ.com/testsso/validgroup - be a member of a valid group … my presumption is that I have a SSO token from above and this will just test membership.
I might need some help with setting up the access profile for the bottom two if I have an action that says login page will it know to go to https://auth.XYZ.com
How will this translate for our debts platform , or any resources protected by F5 in XYZ
User goes to https://www.XYZ.com
clicks to https://www.XYZ.com/SomeProtectedArea
F5 sends the user to https://auth.XYZ.com where the user logs in if they don't have a valid SSO
F5 sends the user back to https://www.XYZ.com/SomeProtectedArea
So now my problem in testing
1) https://demo.XYZ.com this opens a menu page with the above URLs as links
2) https://demo.XYZ.com/testsso/unprotected - no security
3) https://demo.XYZ.com/testsso/validsso - have a valid SSO / Auth token … My presumption is that the F5 will redirect to the login page and make the user login
4) https://auth.XYZ.com/ this works login all good
5) https://demo.XYZ/F5Networks-SSO-Resp?SSO_ORIG_URI=XXXXXXXXX comes back 404
I believe that is because /F5Networks-SSO-Resp is being routed to the default VS that has no access profile, so the F5 doesn't know what to do.
So how do I fix that?
Bigger question ... am I doing this the right way? Is there a better way to do it?
You need F5 APM for SSO, not ASM. You can check the link below and see the option for a global profile under Profile Scope and also the option "SSO / Auth Domains: Primary Authentication URI". The ASM will just block you if you haven't passed the login page first if you have correctly configured this (https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/5.html ). The ASM and APM can work well together to accomplish the things you want:
https://support.f5.com/csp/article/K54217479
https://support.f5.com/csp/article/K13315545
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-1-0/40.html
- AlexS_ybCirrocumulus
Thanks, I think I have done that. Sorry, I am new to the F5 and the terminology.
So I created these VS:
- auth.xyz.com ... this is the URL for the shared SSO (multi-domain)
- auth.xyz.com_redirect, so http -> https
- demo.xyz.com ... this is really an empty config, no resources, but I currently have 2 add-ons (1: iRule set and 2: policy rule). I am doing both for testing, not sure which is the preferred (best practice); I can see that the iRule is very flexible
- demo.xyz.com_redirect, http -> https
- demo.xyz.com_default ... this is the default VS from the empty one above. For the iRule I use a switch to decide which VS to use based upon URI, and I have a policy which does the same; both have a catch-all at the bottom that sends it to this VS
- demo.xyz.com_case2 ... this is the VS that handles /testsso/validsso; basically it wants a valid SSO token. This is where I am stuck
So on auth.xyz.com & demo.xyz.com_case2 I have SSO attached, the same one set up as multi-domain.
I have a per-session access rule in place for both of them, although different.
For auth it sets up the login page, does an AD login and saves the variables to the SSO tokens.
For demo.xyz.com_case2 it has its own per-session access profile, which basically just does the SSO token task; this sends it to the login URL, https://auth.xyz.com, and that works. Once logged in it uses the F5Networks-SSO-Resp mechanism to go from auth to demo.
So this is me guessing, but the demo VS (the shell one) takes that and sends it to the demo_default VS, which doesn't have an access profile associated with it, so it fails!
I don't want an access profile attached to the default as I want people to come there without an SSO token.
So what I have done in the iRule and also the LTM policy is redirect demo/F5Networks-SSO-Resp to auth/F5Networks-SSO-Resp, and that works.
I would write an iRule to do it myself without the redirect, but I don't know how, and I wouldn't know how to do it in the LTM policy. I am guessing a TCL command?
I had a quick look at the documents, but I believe I have done what they are suggesting, or I am missing something. I think we're getting around the terminology.
I was thinking maybe just add an access policy to the demo_default VS.
Also, I believe I have set both the auth access policy to global and the demo_case2 to global?
Thanks for the input.
Still lost, not 100% on the next steps, to do it the F5 way.
EDIT
Creating a BIG-IP ASM security policy and applying it to the layered virtual server
Impact of procedure: Performing the following procedure should not have a negative impact on the system.
To create the server, perform the appropriate procedures outlined in the following F5 manuals:
- For BIG-IP ASM 13.x and 14.x, refer to the Creating a Simple Security Policy chapter of the BIG-IP Application Security Manager: Getting Started manual.
I tried to follow this, but I can't do that: under my Security main menu I only have Cloud Services!
In fact most of the steps below that I can't do.
From this article https://support.f5.com/csp/article/K13315545
Am I missing something? I am on 15.1
EDIT #2
I found on the licensing page that the ASM module didn't look like it was enabled, so I have enabled it ... maybe that's what I have been missing!
EDIT #3
Turning on the ASM module (after reboot) I had lost all of my work :( time for a break... sigh
EDIT #4
So I rebuilt it.
vs_base -> this has the ASM attached to it
policy route for validsso to a new VS
The SSO works, but it's still not processing the F5Networks-SSO-Resp URI :(
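The URI dispatch described in this post (a switch on the URI that hands each path to its own virtual server, with a catch-all to the default VS), written out as an added iRule example for the front virtual server. This is not the poster's iRule; the virtual server names demo.xyz.com_case2 and demo.xyz.com_default and the /testsso/validsso and /F5Networks-SSO-Resp paths are taken from the thread, and the assumption is that APM's SSO response must reach a VS that carries the access profile rather than the default VS, which is the failure the post describes.

```tcl
# Added example (not the poster's iRule). Front VS "demo.xyz.com": dispatch by
# path to the layered virtual servers named in the thread.
# Assumptions: the target VS names exist on the box, and demo.xyz.com_case2 is
# the VS that carries the access profile tied to the multi-domain SSO.
when HTTP_REQUEST {
    # Lower-case the path so mixed-case requests cannot slip past the
    # protected-path match; HTTP::path excludes the query string.
    set path [string tolower [HTTP::path]]

    switch -glob $path {
        "/testsso/validsso*" {
            # Protected test URI: the VS with the APM access profile decides.
            virtual demo.xyz.com_case2
        }
        "/f5networks-sso-resp*" {
            # The multi-domain SSO handshake posts back here after the login at
            # auth.xyz.com. It must land on a VS that has an access profile,
            # never on the unprotected default VS (which answers 404).
            virtual demo.xyz.com_case2
        }
        default {
            # Everything else is public and goes to the VS without APM.
            virtual demo.xyz.com_default
        }
    }
}
```

The dispatch is only a router: the actual control is the access profile on the target VS, so every protected prefix has to be listed explicitly here, and anything not listed is public by construction. Keeping the match on a lower-cased path with prefix globs avoids the common case where a differently cased request for a protected path falls through to the default branch.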
You seem to be good with APM, I wouldn't call you junior with it.
For Local traffic policy redirect just see the example https://support.f5.com/csp/article/K26312346 and you can replace the iRule. It is with a TCL command as you mentioned. If you are redirecting to a static domain and there will be no variables used for the redirect like [HTTP::uri] or [HTTP::host], then just enter the static URL without using "tcl:", as "tcl:" is for when you need to have access to tcl variables, and for a static URL this is not needed.
If you set two access profiles to global then if the user has authenticated to one, he will have access to the other as mentioned in https://devcentral.f5.com/s/question/0D51T00006j20Ce/v12-apm-profile-scope .
For the ASM VIP it could be that the ASM is blocking the SSO, so if possible test without an ASM policy out of working hours and check if that is the case, and if needed check the articles I have given for ASM and APM integration. If you followed https://support.f5.com/csp/article/K54217479 then ASM is before the APM (normally it is AFM > LTM > APM > ASM), but by following the article with layered VS the ASM is first and maybe it could be blocking something if not configured correctly.
For the demo_default VS if you don't have access policy or profile then the SSO shouldn't work as even the global profiles will not work if there is no access profile under the VIP.
Just a note: with iRules you can disable and enable the SSO https://clouddocs.f5.com/api/irules/WEBSSO__disable.html . Also with the variable assign agent you can modify the SSO, for example the user logs into the APM with username and password but the backend server wants another username (username with a domain attached and so on) https://support.f5.com/csp/article/K52926273 . If the SSO you use by default does not have an option you need, check the variable assign agent.
%%%%%%%%%%%%%%%
Edit
Also check out:
https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/27.html
and the below article as each access profile should have the SSO credential mapping (you may also use the variable assign macro) for SSO to work.
https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-visual-policy-editor/access-policy-item-reference/about-assignment-items/about-sso-credential-mapping.html
- AlexS_ybCirrocumulus
Thanks.
okay, let me try this from a different angle then based on this
"
For the demo_default VS if you don't have access policy or profile then the SSO shouldn't work as even the global profiles will not work if there is no access profile under the VIP.
"
so lets say I want people to freely get to
demo.xyz.com/
but when they hit
demo.xyz.com/secret
I want them to login, especially I want them to use a global SSO (auth.xyz.com)
so from what I have read
I create a VS for
demo.xyz.com which is just a big switch to these VS and also has an ASM attached to the front
demo.xyz.com_secret << this has an APM
demo.xyz.com_default
You are saying to get SSO working properly, I need to attach an APM to the demo.xyz.com_default VS.
Can I have an APM that just allows everyone without doing any checking?
Can you check this post :
https://devcentral.f5.com/s/question/0D51T00006i7h0S/apm-sso-between-two-virtual-servers
The idea is to have demo.xyz.com_default with the same SSO object in Access profile and the access profile will do no more checks but just have the SSO.
You can use the multi domain to redirect from demo.xyz.com_default to demo.xyz.com_secret if not authenticated, but as you have the F5 ASM Login Page protection, you will simply block access to the other URL if the login page is not hit first.
https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/27.html
- AlexS_ybCirrocumulus
Thanks for all your help. That last document is about where I started from.
I think my next step is to try to apply APM to the demo.xyz.com_default VS and somehow allow any access.
You just need to add the same SSO object and add only an allow action at the end of it in the access policy (the main access profile and the one for the default VIP need to be with a scope of global), or better yet you can just add the same profile with a profile scope "Profile" for demo.xyz.com_secret and demo.xyz.com_default. When the user logs in to demo.xyz.com_secret and after that they try to access demo.xyz.com_default, they will not need to pass the profile checks again as there is a created session for the user from when they accessed demo.xyz.com_secret :) Test it out, lab it out and it will work.
AskF5 | Manual Chapter: Understanding Access Policies
With ASM enforce login page you will block the users from first trying to enter demo.xyz.com_default before demo.xyz.com_secret
AskF5 | Manual Chapter: Creating Login Pages for Secure Application Access
F5 has a trial license for VMware, so test it at home. Also go to LearnF5 and pass the getting started for ASM/APM and if needed LTM:
Also check the operations guides they are great:
- AlexS_ybCirrocumulus
Hi
I'm a bit lost here.
"
With ASM enforce login page you will block the users from first trying to enter demo.xyz.com_default before demo.xyz.com_secret
"
But I don't want people to have to login to access the site by default - only some uri.
Let me rephrase it back to you
vs-auth << main auth, LTM policy to vs-auth-apm
vs-auth-apm has APM attached
vs-demo << main VS, using an iRule to send to other VS; also a policy profile that turns on ASM with a profile
vs-demo-default << all the default traffic, no access profile, nothing special
vs-demo-validsso << has access profile; policy is start -> sso variable -> accept
This sort of works, but the F5Networks-SSO URI still doesn't work: it is not picked up by vs-demo or vs-demo-default. Right now I map this to vs-auth or vs-demo-validsso, not the best but ...
vs-demo-validip << has access profile and per-request profile ... it fails (by design, to test). The fail page fails, even when I map the URL to vs-auth or vs-demo-validsso; it seems like it is only processed properly by vs-demo-validip.
SSO is set up as multi-domain and all the access profiles (per session) are set up as global.
So ... what I am trying to do is insert into the headers what VS the call was from, so I can map /public /vdesk /F5Networks back to that VS. Not ideal, in fact rather bad, as I would think it should just work... but ...
If the last answer is good enough for you can you mark it as solved, so that question will be marked as resolved.
- AlexS_ybCirrocumulus
So I have found a working answer
based upon this
https://devcentral.f5.com/s/question/0D51T00006i7Xc3/only-enable-access-policy-when-server-response-is-401
Basically, attach the access profile and per-request profile to the first VS,
then use an iRule to turn access on and off where needed.
So I have a switch that pulls out the protected URLs
and a default that turns it off, except if hrmsession is not empty!
The one issue, which I worked around, is the SSO forms-based login URI including /
Not sure I fully understand how the SSO is supposed to work .. another thread.
This works really well; it's all in 1 VS so ...
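The single-VS approach described in this final post (access profile attached to the first VS, an iRule switch that keeps APM enforcement on for the protected URIs and turns it off by default unless an APM session cookie is present), written out as an added iRule example. This is not the poster's iRule: the protected paths are the /testsso ones listed at the top of the thread, /public, /vdesk and /F5Networks-SSO-Resp are the APM endpoints the thread mentions, and what the post calls "hrmsession" is taken to be APM's MRHSession session cookie; that cookie name is an assumption on my part, not something the post states.

```tcl
# Added example (not the poster's iRule). One virtual server carries the access
# profile; APM evaluation is enabled per request only where it is needed.
# Assumptions: ACCESS::enable / ACCESS::disable control policy evaluation for
# the current request, and MRHSession is the APM session cookie.
when HTTP_REQUEST {
    # Normalise case so a protected path cannot fall through to the public
    # branch by changing letter case.
    set path [string tolower [HTTP::path]]

    switch -glob $path {
        "/testsso/validsso*" -
        "/testsso/validgroup*" -
        "/testsso/validip*" -
        "/testsso/mfasms*" -
        "/testsso/mfatotp*" -
        "/testsso/mfacertificate*" -
        "/testsso/status*" -
        "/testsso/logout*" {
            # Protected test URIs: the access policy must run.
            ACCESS::enable
        }
        "/public/*" -
        "/vdesk/*" -
        "/f5networks-sso-resp*" {
            # APM's own endpoints (login form assets, session pages, the
            # multi-domain SSO post-back) must always reach the policy,
            # otherwise the login round trip ends in a 404 as seen above.
            ACCESS::enable
        }
        default {
            if { [HTTP::cookie exists "MRHSession"] && [HTTP::cookie "MRHSession"] ne "" } {
                # The client is presenting an APM session cookie: keep
                # enforcement on so the session stays bound to this request
                # and the SSO variables remain available to the backend.
                ACCESS::enable
            } else {
                # Anonymous request for an unprotected URI: bypass APM, which
                # is what lets /testsso/unprotected and the menu page open
                # without a login.
                ACCESS::disable
            }
        }
    }
}
```

The important property of this layout is that the protected list is an explicit allow-list of paths for enforcement and everything else defaults to bypass, so any new protected area must be added to the switch before it goes live; the ACCESS::disable branch is exactly the place where a forgotten path becomes unauthenticated. Keeping the APM endpoints (/public, /vdesk, /F5Networks-SSO-Resp) in the enabled set is what removes the need to map them back to a separate virtual server, which is the workaround the earlier posts were struggling with.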