cancel
Showing results for 
Search instead for 
Did you mean: 

F5 newbie - trying to work things out - help :)

AlexS_yb
Cirrostratus
Cirrostratus

Hi

 

 

my current poc ( first stages – main bit)

 

Web site https://demo.XYZ.com

 

With these url test

• /testsso/unprotected - No protection - just to check the SSO - there is no need for a SSO token and no security requirements needed

• /testsso/validsso - must be signed into the SSO - so no specific group membership just have a valid token

• /testsso/validgroup - must be signed in and be in the right group. Test with nested groups. user → groupA and groupA is member of GroupZ, allow groupZ access.

• /testsso/validip - must be member of group testIP and must also only be allowed from specific ip

• /testsso/mfasms - must be member of groupSMS and must pass the sms MFA

• /testsso/mfatotp - must be member of groupSMS and must pass the totp MFA (google auth)

• /testsso/mfacertificate - must be member of groupSMS and must pass the cert mfa - can we force the user to have a valid debts client cert 

• /testsso/status - dump current status about sso and session token

• /testsso/logout - be able to log out of the sso - all token must be made invalid

 

So my test steps are open browser and go to 

 

This is without any security

https://demo.XYZ.com  this opens a menu page with the above url’s as links

https://demo.XYZ.com/testsso/unprotected - no security 

https://demo.XYZ.com/testsso/validsso - have a valid SSO / Auth token … My presumption is that the F5 will redirect to the login page and make the user login 

https://demo.XYZ.com/testsso/validgroup - be a member of a valid group … my presumption is that I have a SSO token from above and this will just test membership.

 

And the rest of the uri above in order with the specific tests

So I understand I need a different VS for each of the above

So i have a main vs with no resource pool

I use a policy to forward requests based on uri to specific VS 

These VS have access profiles associated to them and I have attached them to a specific SSO multi-domain (look at the techdocs link below)

also have a vs which is the default which has no access profile 

 

 

 

 

Looking at this https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/25.html , this seems to be the article to tie the above together.

From my reading with an SSO component and because each of the above are separate VS and separate ASM, I would have to log into each separately.

 

This section “Configuring an access policy for SSO multi-domain support” talks about solving that

 

The problem with this doc is its for version 11.I found a v15 version - basically the same 

 

Part of this I am going to set a new url https://auth.XYZ.com I am going to use this as my login / logout hostname for the SSO.

I believe I need set this up as a new VP and attach my SSO there 

 

So my testing would be 

 

https://demo.XYZ.com  this opens a menu page with the above url’s as links

https://demo.XYZ.com/testsso/unprotected - no security 

https://demo.XYZ.com/testsso/validsso - have a valid SSO / Auth token … F5 will send me to https://auth.XYZ.com to login and once complete sends them back to https://demo.XYZ.com/testsso/validsso

https://demo.XYZ.com/testsso/validgroup - be a member of a valid group … my presumption is that I have a SSO token from above and this will just test membership.

 

I might need some help with setting up the access profile for the bottom two if I have an action that says login page will it know to go to https://auth.XYZ.com

 

 

How will this translate for our debts platform , or any resources protected by F5 in XYZ

 

 

User goes to https://www.XYZ.com

 

https://www.XYZ.com

clicks to https://www.XYZ.com/SomeProtectedArea

F5 send user to https://auth.XYZ.com where the user logins if they don’t have a valid sso

F5 send the user back to https://www.XYZ.com/SomeProtectedArea

 

 

So now my problem in testing 

 

1) https://demo.XYZ.com  this opens a menu page with the above url’s as links  

2) https://demo.XYZ.com/testsso/unprotected - no security 

3) https://demo.XYZ.com/testsso/validsso - have a valid SSO / Auth token … My presumption is that the F5 will redirect to the login page and make the user login 

4) https://auth.XYZ.com/  this works login all good

5) https://demo.XYZ/F5Networks-SSO-Resp?SSO_ORIG_URI=XXXXXXXXX comes back 404

 

 

I believe, I think that is because /F5Networks-SSO-Resp is being routed to the default vs that has no access profile so the F5 doesn't know what do to.

 

 

So how do I fix that 

Bigger question ... am i do this the right way ? Is there a better way to do it.

 

 

 

 

 

 

 

 

10 REPLIES 10

You need F5 APM for SSO not ASM. You can check the link below and see the option for a global profile under Profile Scope and also the option "SSO / Auth Domains: Primary Authentication URI". The ASM will just block you if you haven't passed the login page first if you have corecty configured this (https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/5.html ). The ASM and APM can work well together to accomplish the things you want:

 

https://support.f5.com/csp/article/K54217479

 

 

https://support.f5.com/csp/article/K13315545

 

 

https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-1-0/40.html

Thanks, i think I have done that . Sorry I am new to the F5 and the terminology

 

so i created these VS

  • auth.xyz.com .. .this is the url for the shared SSO - multidomain
  • auth.xyz.com_redirect so http -> https
  • demo.xyz.com . this is really an empty config - no resources - but I currently have 2 addons (1-irule set and 2 policy rule) I am doing both for testing not sure which is the preferred (best practice), I can see that the irule is very flexible
  • demo.xyz.com_redirect http->https
  • demo.xyz.com_default ... this is the default VS from the empty one above - for irule I use a switch to decide which vs to use based upon uri and I have a policy which does the same - both have a catch all at the bottom that sends it to this vs
  • demo.xyz.com_case2 ... this is the vs that handles /testsso/validsso, basically it wants a valid sso token. this is where I am stuck

 

so on auth.xyz.com & demo.xyz.com_case2 i have SSO attached - same one setup as multidomain.

I have a per session access rule in place for both of them. although different.

for auth it setup login page and does a ad login and save the variables to the sso tokens.

for demo.xyz.com_case2 it has its own pre session access profile - which basically just does the sso token task, this sends it to the login url - https://auth.xyz.com, that works, once logged in it uses the F5Networks-SSO-Resp mechanism to go from auth to demo.

 

So this is me guessing, but demo vs the shell one takes that and sends it to the demo_default vs, which doesn't have a access profile associated with it, so it fails !

I don't want a access profile attached to the default as I want people to come there with out a sso token..

 

so what I have done in the irule and also the ltm policy is redirect demo/F5Networks-SSO-Resp to auth/F5Networks-SSO-Resp and that works.

I would write a irule to do it myself with out the redirect but I don't know how and I wouldn't know how to do it in the ltm policy - I am guessing a TCL command ?

 

 

I have a quick look at the documents - but I believe I have done what they are suggesting - or I am missing something - think we getting around the terminology.

 

I was thinking maybe just add an access policy to the demo_default vs

 

also I believe I have set both the auth access policy to global and the demo_case2 to global ?

 

thanks for the input

still lost, not 100% of the next steps, to do it the F5 way

 

 

 

 

 EDIT

Creating a BIG-IP ASM security policy and applying it to the layered virtual server

Impact of procedure: Performing the following procedure should not have a negative impact on the system.

To create the server, perform the appropriate procedures outlined in the following F5 manuals:

  • For BIG-IP ASM 13.x and 14.x, refer to the Creating a Simple Security Policy chapter of the BIG-IP Application Security Manager: Getting Started manual.

 

I tried to follow this, but I can't do that under my security main menu I only have cloud services !

 

in fact most of the steps below that I can't do

from this article https://support.f5.com/csp/article/K13315545

Am i missing something - I am on 15.1

 

 

EDIT #2

I found on the licensing page, that the ASM module didn't look like it was enabled, so I have enabled it ... maybe thats what I have been missing !

 

 

EDIT #3

turning on ASM module - after reboot - I had lost all of my work 😞 time for a break... sigh

 

 

EDIT #4

 

so rebuilt it.

vs_base -> this has the ASM attached to it

prolicy route for validsso to a new vs

The sso works, but its still not processing the F5Networks-SSO-Rep uri 😞

 

You seem to be good with APM, I wouldn't call you junior with it.

 

 

For Local traffic policy redirect just see the example https://support.f5.com/csp/article/K26312346 and you can replace the iRule. It is with TCL command as you mentioned. If you redirecting to a static domain and there will be no variables used for the redirect like [HTTP::uri] or [HTTP::host] then just enter the static URL without using "tcl:" as "tcl:" is when you need to have access to tcl variables and for static URL this is not needed.

 

 

If you set two access profiles to global then if the user has authenticated to one, he will have access to the other as mentioned in https://devcentral.f5.com/s/question/0D51T00006j20Ce/v12-apm-profile-scope .

 

 

For the ASM VIP it could be that the ASM is blocking the SSO, so if possible test without an ASM policy out of working hours and check if that is the case and if needed check the articles I have given for ASM and APM integration. As if you followed https://support.f5.com/csp/article/K54217479 then ASM if before the APM (normally it is AFM > LTM > APM > ASM) but by following the article with layered VS then the ASM is first and maybe it could be blocking something if not configured corectly.

 

 

 

For the demo_default VS if you don't have access policy or profile then the SSO shouldn't work as even the global profiles will not work if there is no access profile under the VIP.

 

 

 

Just a note with irules you can dissable and enable the SSO https://clouddocs.f5.com/api/irules/WEBSSO__disable.html . Also with the variable assign agent you can modify the SSO as for example the user logs into the APM with username and password but the backend server wants other username (username with a domain attached and so on) https://support.f5.com/csp/article/K52926273 . If the SSO you use by default does not have an option you need check the variable assign agent.

 

%%%%%%%%%%%%%%%

Edit

 

Also check out:

 

 

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/27.html

 

and the below article as each access profile should have the SSO credential mapping (you may also use the variable assign macro) for SSO to work.

 

https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-visual-policy-editor/access-policy-item-reference/about-assignment-items/about-sso-credential-mapping.html

 

Thanks.

 

okay, let me try this from a different angle then based on this

 

"

For the demo_default VS if you don't have access policy or profile then the SSO shouldn't work as even the global profiles will not work if there is no access profile under the VIP.

 "

 

so lets say I want people to freely get to

 

demo.xyz.com/

but when they hit

demo.xyz.com/secret

 

I want them to login, especially I want them to use a global SSO (auth.xyz.com)

 

so from what I have read

 

I create a VS for

demo.xyz.com which is just a big switch to these vs and also has a ASM attached to the front

demo.xyz.com_secret << this has a APM

demo.xyz.com_default

 

You are saying to get SSO working properly, I need to attach a APM to demo.xyz.com_default vs

 

can I have a APM that just allows every one with out doing any checking ?

 

 

 

 

 

 

 

 

 

Can you check this post :

 

https://devcentral.f5.com/s/question/0D51T00006i7h0S/apm-sso-between-two-virtual-servers

 

 

The idea is to have demo.xyz.com_default with the same SSO object in Access profile and the access profile will do no more checks but just have the SSO.

 

 

 

You can use the multi domain to redirect from demo.xyz.com_default to demo.xyz.com_secret if no aythenticated but as you have the F5 ASM Login Page protection, you will simply block access to the other URL if the login page is not hit fitst.

 

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/27.html

AlexS_yb
Cirrostratus
Cirrostratus

Thanks for all your help. That last document is about where I started from.

 

I think my next step is to try apply APM to the dem.xyz.com_default vs and some how allow any access

 

You just need to add the same SSO object and add only allow action at the end of it in the access policy (the main access profile and the one for the default VIP need to be with a scope global) or better yet you can just add the same profile with a profile scope "Profile" for demo.xyz.com_secret and demo.xyz.com_default and when the user logs in demo.xyz.com_secret after that they try to access the demo.xyz.com_default, they will not need to again pass the profile checks as there is a created session for the user when they accessed demo.xyz.com_secret 🙂 Test it out lab it out and it will work.

 

AskF5 | Manual Chapter: Understanding Access Policies

 

 

 

With ASM enforce login page you will block the users from first trying to enter demo.xyz.com_default before demo.xyz.com_secret

 

 

AskF5 | Manual Chapter: Creating Login Pages for Secure Application Access

 

 

F5 has trial license for Vmware so test it in your hope. Also go to learn F5 and pass the getting started for ASM/APM and if needed LTM:

 

LearnF5

 

 

Also check the operations guides they are great:

 

 

https://support.f5.com/csp/article/K73819494

Hi

 

I'm a bit lost here.

 

"

 With ASM enforce login page you will block the users from first trying to enter demo.xyz.com_default before demo.xyz.com_secret

 "

 

But I don't want people to have to login to access the site by default - only some uri.

 

 

Let me rephrase it back to you

vs-auth << main auth ltm prolicy to vs-auth-apm

vs-auth-apm has apm attached

 

vs-demo << main vs, using irule to send to other vs. also a policy profile that turns on ASM with a profile

 

vs-demo-default << all the default traffic , no access profile - nothing special

 

vs-demo-validsso << has access profile . policy is start -> sso variable -> accept

This sort of works, the F5NetworkSSO uri still doesn't work not picked up by vs-demo or vs-demo-default. right now I map this to vs vs-auth or vs-demo-validsso not the best but

 

vs-demo-validip << has access profile and per request profile ... it fails (by design to test). the fail page fails . even when i map the url to vs-auth or vs-demo-validsso it fails, seems like it is only process properly by vs-demo-validip

 

sso is setup as multidomain and all the access profiles (per session) are setup as global.

 

 

So ... what I am trying to do is insert into the headers what vs the call was from so I can map /public /vdesk /F5Networks back to that vs. not ideal, in fact rather bad as i would think it should just work... but ..

 

 

 

 

 

 

 

 

 

If the last answer is good enough for you can you mark it as solved, so that question will be marked as resolved.

AlexS_yb
Cirrostratus
Cirrostratus

So I have found a working answer

 

based upon this

https://devcentral.f5.com/s/question/0D51T00006i7Xc3/only-enable-access-policy-when-server-response-is-401

 

basically attach access profile and per request profile to first VS

 

then use irule to turn access on and off where needed

 

so i have a switch that pulls out the protected url

 

and a default that turns it off, except if hrmsession is not empty !

 

the one issue which i worked around is the sso forms based login uri including /

 

not sure I fully understand how the sso is supposed to work .. another thread

 

this works really well its all in 1 vs so ...