Configuring an Application for Smart Card Authentication and Forms Based SSO Using a Static Username and Password

A customer recently reached out requesting assistance providing smart card authentication to an application that does not integrate with AD or LDAP and has only a single username and password. While many of you out there may have done this in the past, I for one had not and of course I too was curious how I could make such a solution work. So with that, let's get to it.

In order to successfully deploy this solution, please configure the following prerequisites.

  • Local Traffic Manager licensed and provisioned
  • Access Policy Manager licensed and provisioned
  • CA certificate or a bundle of CA certs

Note: This CA cert or bundle will contain all CA certs which issued the client certificates you will be authenticating with.

  • OCSP IP address for certificate revocation checking

Configuring a LDAP AAA Resource

  • Navigate to Access > Authentication > LDAP and select Create
  • Name: Demo_LDAP_AAA
  • Server Connection: Direct
  • Base Port: 389
  • Admin DN: CN=admin,CN=Users,DC=demo,DC=lab
  • Leave all other settings at their defaults and select Finished

Configuring a OCSP AAA Resource

  • Navigate to Access > Authentication > OCSP Responder > Select Create
  • Name: Demo_OCSP
  • URL: http://OCSP_IP/ocsp
  • Certificate Authority File: Select the issuing CA Certificate
  • Leave all other settings at their defaults and select Finished

Creating a Webtop

  • Navigate to Access >> Webtops >> Webtop Lists: Create
  • From the drop down select Full for the type of Webtop you will be deploying, provide a name and select Finished.

Identify Form, Form Action and Form Parameters

In this scenario I used Firefox though your favorite browser can also be used. This data will be used to configure our SSO profile.

  • Lunch Firefox and browse to the application you are attempting to configure SSO for.
  • From the Firefox Menu bar, select Tools >> Web Developer >> Click Inspector

To make it easy to identify the form I simply clicked in the USERNAME or PASSWORD in fields in the web page and Inspector took me to that content.

  • Capture action: /console/j_spring_security_check
  • Capture method: POST
  • Capture input id for the username parameter
  • Capture input id for the password parameter

Create a Forms SSO Profile

  • Navigate to Access >> Single Sign-On >> Forms Based >> Click Create
  • Name: Demo_Web_App_Forms_SSO
  • User SSO Template: None
  • Username Source: session.sso.token.last.username
  • Password Source: session.sso.token.last.password
  • Start URI: This is URI of the application at the logon screen

  • Form Method: Post
  • Form Action: /console/j_spring_security_check
  • Form Parameter For User Name: username
  • Form Parameter For Password: password
  • Click Finished

Create a Portal Access Resource

  • Navigate to Access >> Connectivity / VPN >> Portal Access >> Portal Access List >> Click Create
  • Name: Demo_Web_App
  • Link Type: Application URI
  • Application URI: URI to your web application
  • Caption: Demo_Web_App
  • Click Create

After you click Create, the page will refresh and at the bottom of the screen you will then see an option to create Resource Items

  • Click Add
  • Destination: IP or Host Name of the web application
  • Link Type: Paths
  • Paths: /*
  • Scheme: https
  • SSO Configuration: Demo_Web_App_Forms_SSO
  • Click Finished

Create a Connectivity Profile

  • Navigate to Access >> Connectivity / VPN > Connectivity >> Profiles >> Click Add
  • Profile Name: Demo_CP
  • Parent Profile: connectivity
  • Click OK

Create Client Cert Access Policy

  • Navigate to Access > Profiles / Policies > Select Create
  • Name: Demo_cert_Auth
  • Profile Type: All
  • Profile Scope: Profile
  • Languages: Select your desired language and move it to Accepted Languages
  • Leave all other settings at their defaults and select Finished

Modify the Access Policy Using the Visual Policy Editor

  • From the Access > Profiles > Policies : Access Profiles (Per-Session Policies) page, select Edit from the access policy created in the previous step.

  • Between Start and Deny select the +
  • From the popup select the Authentication tab and select On_Demand Cert Auth > Add Item

  • You will be presented with an option to request or require a client present a client certificate. For this example, we will Require the client present a certificate.
  • Select Save

  • Following the successful branch of On Demand Cert Auth in the VPE, select +
  • From the Authentication tab, select OCSP Auth > Add Item
  • From the OCSP Responder drop down, select the OCSP AAA object created in previous steps.
  • Certificate Type: User
  • Click Save

  • Following the successful branch of OCSP Auth, select +
  • From the Assignment tab, select Variable Assign > Add Item

  • From the first empty Assignment, select Change
  • Custom Variable: session.sso.token.last.password
  • Select Secure from the drop down menu

Note: Unsecure or Secure specifies whether the variable is secure. A secure variable is stored in encrypted form in the session database. The value of a secure variable is not displayed in the session report, or logged by the logging agent.

  • Text: password
  • Select Finished

  • Under Variable Assign, select Add new entry > Change empty variable
  • Custom Variable: session.sso.token.last.username
  • Text: admin

  • Under Variable Assign, select Add new entry > Change empty variable
  • Custom Variable: session.logon.last.upn
  • Custom Expression:
set x509e_fields [split [mcget {session.ssl.cert.x509extension}] "\n"];  # For each element in the list:  foreach field $x509e_fields {  # If the element contains UPN:
if { $field contains "othername:UPN" } {  ## set start of UPN variable  set start [expr {[string first "<" $field] +1}]  # UPN format is   # Return the UPN, by finding the index of opening and closing brackets, then use string range to get everything between.  return [string range $field $start [expr { [string first ">" $field $start] - 1 } ] ];  } }  # Otherwise return UPN Not Found:  return "UPN-NOT-FOUND";
  • Select Finished > Save

  • Select Save

  • Following the fallback branch of Variable Assign, select +
  • From the Authentication tab, select LDAP Query > Add Item

  • From the Server drop down, select the LDAP AAA created in previous steps
  • SearchDN: CN=Users,DC=demo,DC=lab
  • SearchFilter: UserPrincipalName=%{session.logon.last.upn}
  • Fetch Groups to which the user or group below: Direct
  • Required Attributes: sAMAccountName
  • Required Attributes: memberOf

Note: sAMAccountName is not required for successful authentication as it is when performing Kerberos KCD though it can be useful to know who is logging in by name versus a long string of characters.

  • Navigate to the Branch Rules tab
  • Remove the existing Group Membership expression by selecting the X
  • Select Add Branch Rule
  • Name: LDAP Query Successful
  • Next to expression, select change
  • Agent Sel: LDAP Query
  • Condition: LDAP Query Passed
  • LDAP Query has: Passed
  • Select Add Expression > Finished

  • Click Save

  • Following the LDAP Query Successful branch, select +
  • From the Assignment tab, select SSO Credential Mapping > Add Item
  • SSO Token Username: mcget {session.sso.token.last.username}
  • SSO Token Password: mcget {session.sso.token.last.password}

  • Click Save
  • Following the SSO Credential Mapping branch select +
  • Select Advanced Resource Assign from the Assignment tab

  • Click Add new entry
  • Click Add/Delete

  • From the Portal Access tab, select the Demo_Web_App resource created in previous tasks.
  • From the Webtop tab, select the demo_webtop created in previous tasks.
  • Click Update
  • Click Save
  • From the fallback branch, select Deny
  • Change ending to Allow and click Save

At this point, you have a fully deployed VPE capable of supporting smart card authentication and have statically created a username and password that will be included in your HTTP Post to the web application.

  • Select Apply Policy

Configure SSL Client Profile

  • To support client certificate-based authentication, we must also create a Client SSL Profile on the BIG-IP using the steps below.
  • Navigate to Local Traffic > Profiles > SSL > Client > Create
  • Name: DemoSSLProfile
  • Certificate Key Chain: Place a check mark under the custom field. Click Add to select the appropriate cert/key pair.
  • Client Certificate: Leave it set to ignore as the APM ODCA will perform this function.
  • Trusted Certificate Authorities: Select the CA or CA bundle certificate
  • Advertised Certificate Authorities: Select the CA or CA bundle certificate

  • All other settings can be left at their defaults.
  • Click Finished

Create a Virtual Server for your Web Application

  • Navigate to Local Traffic >> Virtual Servers >> Click Create
  • Name: Demo_Web_App_VS
  • Destination Address: IP that users will connect to in order to access the web application
  • Service Port: 443
  • Protocol Profile (Client): f5-tcp-lan
  • HTTP Profile: http
  • SSL Profile (Client): DemoSSLProfile
  • SSL Profile (Server): serverssl

  • Source Address Translation: Automap
  • Rewrite Profile: rewrite_portal
  • Access Profile: Demo_cert_Auth
  • Connectivity Profile: Demo_CP

  • Click Finished

At this point, we have successfully configured all components required to support this use case so let's attempt access.

Validation Testing

  • From a browser navigate to the IP of your virtual server or the DNS name that resolves that IP
  • You should be prompted for user certificate

  • Select your user cert and Click OK
  • You should be presented with your Webtop

  • Click on the resource item and you should be redirected to that web application
  • If your configuration is correct, you will be logged in using the SSO credentials provided within the VPE and SSO profile.

In my first attempt I actually was not successful and received no logon error. This is likely one of 2 things, either I did not assign my SSO profile or the Start URI is incorrect. Let's validate

  • Validated SSO profile is assigned

Ahhh, now I see! Human error of course. I typed the Start URI incorrectly so, no there was no uri match.

After modifying the Start URI to the correct URI, I am now able to successfully login using the SSO configuration in this guide.

I am by no means saying this will be a common configuration though it is a use case that I have seen in the field more than once. As always, if it helps at least one of you out there it was well worth it. Until next time.

Published Aug 01, 2018
Version 1.0
No CommentsBe the first to comment