Forum Discussion

Nimbostratus

Jun 12, 2020

Granular Access control policies

We are trying to use the Big IP system as a SAML service provider and PingFederate as a SAML Identity Provider. Is it possible to create an access policy which allows/denies user to access a particu...

BIG-IP

BIG-IP Access Policy Manager (APM)

security

youssef1

Cumulonimbus

Hello,

Yes of course, If you host your SP on F5 you can allows/denies user to access a particular SAML Attributes or LDAP attributes...

You can also using per request policy allow user to access to a specific URI depending an LDAP/AD Attributes...

give me exactly your need and I can help you to go ahead.

regards

Manoj_Chavali

Nimbostratus

Jun 15, 2020

Hi,

Thank you for the information. Could you please point me towards any document on how to implement the authorization based on the LDAP attributes?

youssef1
Cumulonimbus
Jun 16, 2020
Hello,

You don't have a specific documentation for your need. In fact you have to use a generic access policy for authentication and LDAP query in order to retrieve needed attribute.

Then you can use an per-request-policy in order to restrict URL access by LDAP/AD GRP or other.

I alread implement this need for an custoer and I use Datagroup in order to set right:
grp_A /uri1
grp_B /uri2
grp_C /uri3

try to implent an per-request-policy... if you encouter a problem keep me in touch.

regards
youssef1
Cumulonimbus
Jun 15, 2020
Hi,

First of would you check authorization on IDP or SP? The best practice is to check authorization on SP side, the IDP will return attribute to SP then SP will manage authorization.

So you confirm that your SP is hosted on F5?

regards
Manoj_Chavali
Nimbostratus
Jun 15, 2020
Hi
I don’t think you understood the question. I want to implement the attribute-based authorization on the SP side which is the F5 APM and not on the protected application. For example, if there are two resources abc.html and def.html, where abc.html can only be accessed by the directors and def.html can be accessed by developers. Can we implement this kind of access control using F5 Big-IP APM? If so, could you please point me towards the related document?
Regards

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Granular Access control policies

Recent Discussions

Creating Policy using Terraform

Alert Mail when virtual server down trubleshooting

How to disable RC4 Cipher on SSL

Big-IQ + LetsEncrypt wildcard

DEVICE-0202 Error while adding rSeries as a provider in CM

Related Content

JWT authorization with NGINX Ingress Controller

Why K8s Egress Traffic Policy Control is Critical to Security Architecture- Part 1

Why K8s Egress Traffic Policy Control is Critical to Security Architecture - Part 2

Distributed caching of authentication requests with NGINX Ingress Controller

Auditing Security Policy Updates

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS