F5 APM and external authentication

Hi all,

I am researching the possibility of including authentication and SSO for external users in an F5 APM/LTM solution. I have so far found support for SAML 2.0 in APM, but there are so few sites that support being a SAML IdP as of now. I guess the next step would be to use a federation server that can talk to several others. My APM would then have to talk to this FS with SAML. I have glanced at Windows ACS on Azure and it seems to be a match for what I want, but I'm a bit unsure as to the next steps. The ACS would be set up to act as a FS and the APM should be a SAML SP talking to the ACS (being a SAML IdP with the SAML Preview feature)?

Anyone?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You are correct, most of the social media vendors support SAML for access to their own applications (using a third-party IdP). You can use APM SAML as an IdP for Google, Facebook, and Salesforce. As for the IdP itself, it really depends on where the users are.

I highly recommend this (free) book from Microsoft (A Guide to Claims-based Identity and Access Control, Second Edition) as an excellent primer:

http://www.microsoft.com/en-us/download/details.aspx?id=28362

It talks about using Azure ACS as a connector to Facebook and others (which do actually assert claims) for social media authentication. Here's another interesting Stack Overflow post that points to API references for various "social login" options.

http://stackoverflow.com/questions/6235735/how-to-add-social-login-services-from-google-facebook-yahoo-etc-to-my-website

Now, to tie this all back to F5 APM, you still need a connector like ACS for protocol transformation, which then asserts a claim back to your APM SP, or optionally to your APM IdP as a relying party (for additional claims assertion) before forwarding to the SP.

Comments on this Answer
Comment made 03-Oct-2013 by Stig 84
Thank you Kevin, I'll read the book and see if I understand this better.
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

but there are so few sites that support being a SAML IdP as of now

I would entirely disagree here. The "SAMLP" (SAML 2.0) protocol is very widely used. It is available through social media vendors (Google, Facebook, Salesforce, etc.), and through commercial and open source tools (Shibboleth, MS ADFS, Azure ACS, RadiantLogic, OpenAM, etc.). The only real hold-outs that I've come across are SharePoint and other applications that rely solely on WIF (Windows Identity Framework). In many of the above cases, APM SAML can be used as the IdP or the SP. To interact with SharePoint, you just need an ADFS in the environment, as the local "STS-RP", for protocol transformation.

As for Azure (as IdP), APM SAML currently only supports SHA-1 for signing, and ACS defaults to SHA-256. I'm not really sure how to change that in ACS, and the update for SHA-256 in APM is coming soon (so I've heard).

Comments on this Answer
Comment made 02-Oct-2013 by Stig 84
I am not trying to disrespect sites which do in fact support SAML for use as identity providers, but I have not found any good list or guide that points me to them. I have found Google to support SAML for use internally with their own Google Apps, but not the other way. Please correct me if I am wrong. I found the following page concerning the use of Google accounts for authentication for external sites: https://developers.google.com/accounts/docs/OpenID and the following page says it's possible to use Google Apps for SAML: https://developers.google.com/google-apps/sso/saml_reference_implementation, but if I'm reading this correctly, it's not what I want. I want to let external users log in to my site (using SAML or whatever else F5 APM supports).
Comment made 12-Dec-2013 by THi 1154
"As for Azure (as IdP), APM SAML currently only supports SHA-1 for signing, and ACS defaults to SHA-256. I'm not really sure how to change that in ACS, and the update for SHA-256 in APM is coming soon (so I've heard)." Does this prevent using Azure AD as IdP for local apps using APM as SP?
Comment made 12-Dec-2013 by Kevin Stewart
I believe that is a true statement for now.
Comment made 12-Dec-2013 by THi 1154
I found the following from 11.4.0 hotfix HF4 release notes: "424572 BIG-IP APM SAML can now interoperate with other systems using RSA-SHA256/RSA-SHA512 XML signature algorithms and/or SHA256/SHA512 digest algorithms. It continues to sign its own SAML messages (AuthnRequests and Assertions) using RSA-SHA1." Also found from: http://www.theidentityguy.com/articles/2013/6/4/a-look-at-azure-ads-web-sign-in-endpoints.html "When submitting an AuthnRequest to the SAML-P sign in endpoint, the request cannot be signed, as Azure AD does not support SAML authentication request signing. However, when submitting a LogoutRequest to the sign out endpoint, that request does need to be signed." Don't know if the above is true, but can I infer that Azure AD (as IdP) could work with APM as SP for the AuthnRequest (as unsigned), but not for the LogoutRequest? Or does Azure AD accept SHA-1 signed LogoutRequests? Do we know if this has been tested? I have a customer case where the customer wants to use Azure AD for external workers and use APM as SP to their local on-premises applications. I believe there are similar use cases among F5 customers.
Comment made 12-Dec-2013 by Kevin Stewart
Don't know if it's been tested, but if 11.4.0 HF4 now supports SHA-256, then it should work. Granted, the only thing we really care about is the AuthnResponse signature from the IdP. An AuthnRequest is not generally required to be signed.
Comment made 16-Jun-2014 by THi 1154
Tested this today with my O365 tenant with Azure 30 day trial. For me Azure AD works ok as an IdP and BIG-IP as SP. SP-initiated connection in my case.
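The SHA-1/SHA-256 interoperability question in the answer and comments above comes down to which algorithm URIs the IdP puts in the assertion's XML signature and which ones the SP build can consume. The following Python script is an added example (not code from this thread, DevCentral or F5) of the pre-onboarding check an SP operator can run on a captured IdP response: it reads the SignatureMethod and DigestMethod URIs, the audience and the expiry from the assertion and compares them against two assumed SP profiles modelled on the statements above ("legacy" consumes RSA-SHA1 only; "hf4" also consumes RSA-SHA256/512 signatures and SHA256/512 digests). The SAML response, the entity IDs, the timestamps and the profile names are constructed for the example. It only inspects algorithm identifiers and conditions; it does not verify the signature cryptographically.

```python
"""Report which XML-signature and digest algorithms a SAML 2.0 Response uses.
Added example for this thread (not DevCentral or F5 code). It reads algorithm
identifiers and assertion conditions only; it does NOT verify the signature."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Algorithm URIs as defined by XML Signature (W3C) and RFC 4051.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA512 = "http://www.w3.org/2001/04/xmlenc#sha512"

# Assumed SP profiles modelled on the thread: "legacy" consumes SHA-1 only,
# "hf4" also consumes RSA-SHA256/512 signatures and SHA256/512 digests.
SP_PROFILES = {
    "legacy": {"sig": {RSA_SHA1}, "digest": {SHA1}},
    "hf4": {"sig": {RSA_SHA1, RSA_SHA256, RSA_SHA512}, "digest": {SHA1, SHA256, SHA512}},
}

# Constructed sample: an IdP signing with RSA-SHA256 (the ACS default named in the
# thread). Entity IDs are placeholders; DigestValue/SignatureValue are dummies.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2013-12-12T10:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-12-12T10:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>Q09OU1RSVUNURUQ=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue>
    </ds:Signature>
    <saml:Conditions NotBefore="2013-12-12T09:55:00Z" NotOnOrAfter="2013-12-12T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _utc(stamp):
    # SAML timestamps are UTC in the form YYYY-MM-DDTHH:MM:SSZ
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def inspect_response(xml_text):
    """Return issuer, audience, expiry and the signature/digest algorithm URIs of the assertion."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    cond = assertion.find("saml:Conditions", NS)
    expires = cond.get("NotOnOrAfter") if cond is not None else None
    sig_alg = digest_alg = None  # both stay None when the assertion is unsigned
    sig = assertion.find("ds:Signature", NS)
    if sig is not None:
        sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        dm = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
        sig_alg = sm.get("Algorithm") if sm is not None else None
        digest_alg = dm.get("Algorithm") if dm is not None else None
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS),
        "not_on_or_after": _utc(expires) if expires else None,
        "signature_alg": sig_alg,
        "digest_alg": digest_alg,
    }

def check_compatibility(info, profile, expected_audience, now_utc):
    """List reasons an SP with the given profile would reject the assertion (empty list = OK)."""
    prof = SP_PROFILES[profile]
    now = _utc(now_utc)
    problems = []
    if info["signature_alg"] is None:
        problems.append("assertion is unsigned")
    else:
        if info["signature_alg"] not in prof["sig"]:
            problems.append("unsupported signature algorithm: " + info["signature_alg"])
        if info["digest_alg"] not in prof["digest"]:
            problems.append("unsupported digest algorithm: " + str(info["digest_alg"]))
    if info["audience"] != expected_audience:
        problems.append("audience mismatch: " + info["audience"])
    if info["not_on_or_after"] is not None and now >= info["not_on_or_after"]:
        problems.append("assertion expired at " + info["not_on_or_after"].isoformat())
    return problems

if __name__ == "__main__":
    found = inspect_response(SAMPLE_RESPONSE)
    for name in SP_PROFILES:
        print(name, check_compatibility(found, name, "https://sp.example.test/", "2013-12-12T10:01:00Z") or "OK")
```

Run against the constructed response, the "legacy" profile reports the RSA-SHA256 signature and SHA256 digest as unsupported while "hf4" accepts it, which is the situation the HF4 release note quoted above describes. The same inspection applies to a LogoutRequest, where the signing requirement is the open question in the comments; in production, the algorithm check is a prerequisite for, not a substitute for, verifying the signature against the IdP's metadata certificate.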
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Stig,

What exactly is your use case? You're stating that you want external users to authenticate to your site. Where are these users coming from? What is driving the need to federate external identities? If we understand your use case and need a little bit better, we can provide more accurate guidance here.

Comments on this Answer
Comment made 03-Oct-2013 by Stig 84
Sorry if this is a bit thin, but I'm really in the investigating phase as this part is new to me (claims-based authentication etc.). This is a site at "company X" which today has ordinary AD Auth and SSO for logging into their pages. The company now wants to allow external users into parts of their pages. I'm not really too informed about the real reason for this, but they have asked me how this could be done and how the F5s would be involved. They want a login page with their ordinary login and a box with "login with xxx, yyy, zzz" where the x's, y's and z's are e.g. Google, Facebook, Twitter etc.
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

For social media authentication, you need a third party connector like Azure ACS to be the "STS RP" in front of your SP/RP. There are other vendors that support multiple social media APIs, but I don't remember any off the top of my head other than Azure.
