Forum Discussion
SAML SSO - Secure Sideband Connections
Curious as to the community's thoughts on this.
I'm planning out a SAML SSO that will require data not contained in Active Directory (and thusly not able to be natively queried by APM). We've previously accomplished this with non-sensitive data using an http sideband connector in an iRule that's called by the Access Policy.
The proposed solution will potentially contain more sensitive data, so there's a requirement to secure it. However, I don't see an ability to use SSL connections with sideband connections. Additionally, I don't see any sideband options that natively support NTLM or other authentication methods.
Are there any thoughts out there on how to best accomplish a sideband connection that requires authentication and SSL?
7 Replies
- Cody_Green
Employee
AJ, this comes up from time to time when customers need to pull additional data out of systems like SAP or PeopleSoft. Most enterprises utilize a virtual directory system that allows F5 to perform an LDAP query against the VD which then in turn queries the underlying data source (SQL, AD, LDAP, etc.).
How is the data stored/accessed in the 2nd data source?
- AJ_01_135899
Cirrostratus
The 2nd data source is an MS SQL 2008R2 database.
- AJ_01_135899
Cirrostratus
So after a little research it looks like something like Penrose might be able to help with this. While this would be an early use case for this in our environment, I can see where this may be useful for future efforts so I may look into implementing Penrose to federate Active Directory and SQL data sources, and provide it via LDAPS. That said, I do wish there was more native data source support built into Access Policies :) In the short term however, if anyone has info on how I could best secure a sideband connection via HTTPS it would be appreciated...
- Kevin_Stewart
Employee
Generally speaking it's a "best practice" to always point sideband calls at another local VIP. That VIP is of course unencrypted on the client side, but can be re-encrypted on the server side to the application by simply applying a server SSL profile.
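To make the pattern in this reply concrete, here is an added example iRule (not from the thread or from F5) that runs the sideband lookup from an APM policy iRule event against a local virtual server, which in turn carries a server SSL profile toward the lookup API. The VIP name, pool, URI, agent ID, session variable names and the service credential are assumptions.

```tcl
# Added example, not part of the original discussion. Assumed objects:
#   /Common/vs_sideband_lookup  - local HTTP virtual, client side plain on-box,
#                                 serverssl profile re-encrypts to pool_lookup_api
#   agent_id "lookup_attrs"     - the iRule event agent in the access policy
# Illustrative tmsh for the local VIP (assumption, adjust to your environment):
#   create ltm virtual vs_sideband_lookup destination 10.1.1.1:80 \
#     profiles add { http serverssl } pool pool_lookup_api
# Credentials are passed pre-emptively as HTTP Basic, since the sideband
# client cannot negotiate NTLM or other challenge-based schemes.

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "lookup_attrs" } { return }

    set user [ACCESS::session data get "session.logon.last.username"]

    # Connect to the LOCAL virtual, never directly to the remote API.
    set conn [connect -timeout 1000 -idle 5 -status conn_status /Common/vs_sideband_lookup]
    if { $conn eq "" } {
        log local0.err "sideband connect failed: $conn_status"
        ACCESS::session data set "session.custom.lookup.status" "connect_failed"
        return
    }

    # PLACEHOLDER credential: load from a data group or secured store in practice.
    set auth [b64encode "svc_lookup:PLACEHOLDER_PASSWORD"]
    set req "GET /api/attrs?user=[URI::encode $user] HTTP/1.1\r\n"
    append req "Host: lookup.example.internal\r\n"
    append req "Authorization: Basic $auth\r\n"
    append req "Connection: close\r\n\r\n"

    send -timeout 1000 -status send_status $conn $req
    set resp [recv -timeout 2000 -status recv_status $conn]
    close $conn

    # Minimal HTTP/1.1 response handling: status code from the first line,
    # body after the blank line. Anything other than 200 fails closed.
    set status [lindex [split [lindex [split $resp "\r\n"] 0] " "] 1]
    set bodyStart [expr {[string first "\r\n\r\n" $resp] + 4}]
    if { $status ne "200" || $bodyStart < 4 } {
        log local0.err "sideband lookup for $user failed, status: $status"
        ACCESS::session data set "session.custom.lookup.status" "lookup_failed"
        return
    }
    set body [string range $resp $bodyStart end]

    # Expose the result to the policy; a branch rule on this variable decides
    # whether the SAML assertion is built or the session is denied.
    ACCESS::session data set "session.custom.lookup.status" "ok"
    ACCESS::session data set "session.custom.lookup.attrs" $body
}
```

The access policy branches on `session.custom.lookup.status` after the iRule event, so a failed or unauthenticated lookup denies rather than issuing an assertion with missing attributes.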
- Kevin_Stewart
Employee
Are you talking about doing sideband to an APM VIP? If so, you'd necessarily need to use clientless-mode on that VIP, which would also limit credential input to whatever you can pass pre-emptively (i.e. HTTP Basic, HTTP headers, etc.). For server side authentication (SSO) on that sideband APM VIP, there are really no restrictions.
- AJ_01_135899
Cirrostratus
The use case would be using sideband as part of an APM SAML SSO access policy, triggered by an iRule event step in the access policy itself.
Thanks for the feedback on this, I wish there weren't the SSL and authentication limitations but at least I have options.
- Kevin_Stewart
Employee
Can you elaborate on what you're doing? Can I assume that the sideband call is part of an iRule in the APM SAML IdP configuration, for the purpose of doing some form of authentication that APM does not natively support?