I’m an IAM architect, not a BigIP expert, and I’m wondering if BigIP LTM/APM has the capabilities to support the use case described below.
It’s about a non-HTTP protocol, more precisely the DICOM protocol. So all the nice token-based solutions and stateless security enforcement that I'm used to with HTTP do not work here.
We want to control network access between DICOM client applications running on workstations (managed Windows 10 running Edge Client) and the DICOM servers. Access control should be based on both workstation security controls (authentication, security posture) and end-user authentication. If successful, network access should be allowed. Whether user authentication has to happen upfront, before starting the DICOM client, or just in time when the TCP connection is initiated is interesting to know, as well as the user experience. User authentication is to be integrated with an IdP, based on standard federation protocols (OIDC or SAML). Once traffic is allowed, the security session must be monitored and closed in case of inactivity or client application termination / logout.
Thanks for reading so far!
Any feedback, ideas, or clues on how to achieve that, if possible, will be appreciated.
I can answer myself in that DICOM seems to support SAML/JWT (OAuth2) token formats, but this would be application-level access control not involving BigIP, not network access control.