Enterprise Web Access and Federated Identity – match made in heaven?
The reality of enterprise web access today and the challenges it brings to the companies and their security departments are pretty well described in this blog post. The conclusion of that post is that:
“F5 Secure Web Gateway – with BIG-IP Access Policy Manager – delivers this, and more…”
Let’s pick it up where that blog post left off and explore the “more” part of that sentence in order to uncover the unique value proposition that F5 brings.
Over the past five years, many F5 customers have used F5 Access Policy Manager (APM) to provide granular, context-aware secure access into enterprise applications. In that time, customers have deployed APM to provide strong multi-factor authentication for the applications, perform single sign-on, and enable access control based on Layer 4 and Layer 7 ACLs. Further, as of about 18 months ago, F5 capabilities expanded to include federated access to applications using SAML 2.0. The need to provide federated identify in the enterprise grows rapidly as companies turn to outsourcers and cloud-based applications to meet their needs: Office 365, Salesforce.com, Concur, Amazon Web Services, Microsoft Azure, etc. In fact, it’s hard to find an enterprise today that is not relying on at least one cloud-based application, and thus has the need to provide user identity services to these applications.
Based upon real-world APM implementations that I have seen, as well as quite a few DevCentral posts from customers and partners, a real need exists to perform “silent” user authentication and seamless sign-on into cloud-based applications. Let’s go over how that normally works in the enterprise environment:
APM would be configured to act in the SAML Identity Provider (IDP) role. When a user attempts to access cloud-based SAML-enabled applications, those applications ask for a SAML assertion from the user’s IDP. So, when a user who has not yet been authenticated attempts to access a cloud application, that user is sent to the IDP that has been defined for that application as the trusted identity provider. The user has to authenticate to that IDP, after which the IDP will issue a SAML assertion to the cloud-based application. The user will then be logged in based upon the SAML assertion data sent by the IDP.
Many enterprises today want their users to seamlessly authenticate to the IDP while accessing external applications from an internal network. While many IDPs leverage forms-based authentication method for external access—where a user enters their username and password and submits it to authentication store such as Active Directory for verification—internal IDPs can take advantage of the fact that the user has already authenticated from an endpoint inside the internal network. As such, users may silently authenticate to the IDP using either NTLM or Kerberos authentication, which can then provide seamless logon experience into the IDP.
Now, let’s revisit the need to provide enterprise web access control and to ensure the compliance with the outbound security access policy. F5 Secure Web Gateway Services can protect users from exposure to potentially dangerous websites and malware-infected web apps, ensuring compliance with the organization’s web access policy. And because F5 Secure Web Gateway is tightly coupled with APM, customers can now solve two problems simultaneously—ensure efficient web access control while providing seamless federated identity services for accessing SaaS applications. What’s important is that this is all accomplished on the same device, using the same policy-editing GUI, preserving transparency and enhancing end-user experience for both outbound web access and use of cloud applications.
By combining the power of Secure Web Gateway Services and Access Policy Manager, you’ve got the cake, and you get to eat it too. It tastes delicious!