Forum Discussion

Stig_88256
Oct 02, 2013

F5 APM and external authentication

Hi all,

 

I am researching the possibility to include authentication and SSO of external users in a F5 APM/LTM solution. I have so far found support of SAML 2.0 in APM, but there are so few sites that support being a SAML IdP as of now. I guess the next step would be to use a federation server that can talk to several others. My APM would then have to talk to this FS with SAML. I have glanced at Windows ACS on Azure and it seems to be a match to what I want, but I'm a bit unsure as to the next steps. The ACS would be set up to act as a FS and the APM should be a SAML SP talking to the ACS (being a SAML IdP with the SAML Preview feature)?

 

Anyone?

 

7 Replies

  • "but there are so few sites that support being a SAML IdP as of now"

     

    I would entirely disagree here. The "SAMLP" (SAML 2.0) protocol is very widely used. It is available through social media vendors (Google, Facebook, Salesforce, etc.), and through commercial and open source tools (Shibboleth, MS ADFS, Azure ACS, RadiantLogic, OpenAM, etc.). The only real hold-outs that I've come across are SharePoint and other applications that rely solely on WIF (Windows Identity Framework). In many of the above cases, APM SAML can be used as the IdP or the SP. To interact with SharePoint, you just need an ADFS in the environment, as the local "STS-RP", for protocol transformation.

     

    As for Azure (as IdP), APM SAML currently only supports SHA-1 for signing, and ACS defaults to SHA-256. I'm not really sure how to change that in ACS, and the update for SHA-256 in APM is coming soon (so I've heard).

     
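    As an added illustration of the signing-algorithm mismatch this reply describes (example code, not from the thread, F5 or Microsoft): the script below parses a constructed SAML 2.0 Response skeleton, reads the SignatureMethod and DigestMethod URIs declared in each ds:Signature, and reports which ones fall outside the set an SP can verify. The sample XML is unsigned and carries placeholder values, since only the algorithm identifiers matter for this check; the hostnames are assumed.

```python
"""Report SAML 2.0 signature/digest algorithms an SP cannot verify.

Added example, not vendor code. Samples are constructed skeletons with
placeholder signature and digest values; only the Algorithm URIs matter.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Standard XML-DSig algorithm identifiers.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed template; the IdP hostname is an assumed placeholder.
_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="__SIG_ALG__"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="__DIGEST_ALG__"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def make_sample(sig_alg, digest_alg):
    """Build a constructed Response declaring the given algorithms."""
    return _TEMPLATE.replace("__SIG_ALG__", sig_alg).replace("__DIGEST_ALG__", digest_alg)


def declared_algorithms(xml_text):
    """Return [(signature_alg, [digest_algs...]), ...], one entry per ds:Signature."""
    root = ET.fromstring(xml_text)
    found = []
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        digests = [d.get("Algorithm")
                   for d in sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)]
        found.append((method.get("Algorithm") if method is not None else None, digests))
    return found


def check_compatibility(xml_text, sp_supported):
    """List every declared algorithm the SP cannot verify.

    sp_supported is the set of algorithm URIs the SP implements, e.g. only
    the SHA-1 pair for the APM build discussed in this thread. An empty list
    means algorithm support alone would not block verification.
    """
    problems = []
    for i, (sig_alg, digests) in enumerate(declared_algorithms(xml_text)):
        if sig_alg not in sp_supported:
            problems.append("signature %d: SignatureMethod %s not supported by SP" % (i, sig_alg))
        for d in digests:
            if d not in sp_supported:
                problems.append("signature %d: DigestMethod %s not supported by SP" % (i, d))
    return problems


if __name__ == "__main__":
    sha1_only_sp = {RSA_SHA1, DIGEST_SHA1}
    # An IdP defaulting to SHA-256 (as ACS does per this thread) vs a SHA-1-only SP.
    for line in check_compatibility(make_sample(RSA_SHA256, DIGEST_SHA256), sha1_only_sp):
        print(line)
```

    Running the check against metadata or a captured assertion before going live tells you which side has to change; since SHA-1 is the weaker of the two, the preferred fix is for the SP to gain SHA-256 support (the APM update the reply mentions) rather than downgrading the IdP.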

  • You are correct, most of the social media vendors support SAML for access to their own applications (using a third-party IdP). You can use APM SAML as an IdP for Google, Facebook, and Salesforce. As for the IdP itself, it really depends on where the users are.

     

    I highly recommend this (free) book from Microsoft (A Guide to Claims-based Identity and Access Control, Second Edition) as an excellent primer:

     

    http://www.microsoft.com/en-us/download/details.aspx?id=28362

     

    It talks about using Azure ACS as a connector to Facebook and others (which do actually assert claims) for social media authentication. Here's another interesting stackoverflow post that points to API references for various "social login" options.

     

    http://stackoverflow.com/questions/6235735/how-to-add-social-login-services-from-google-facebook-yahoo-etc-to-my-website

     

    Now, to tie this all back to F5 APM, you still need a connector like ACS for protocol transformation, which then asserts a claim back to your APM SP, or optionally to your APM IdP as a relying party (for additional claims assertion) before forwarding to the SP.

     

  • Stig,

     

    What exactly is your use case? You're stating that you want external users to authenticate to your site. Where are these users coming from? What is driving the need to federate external identities? If we understand your use case and need a little bit better, we can provide more accurate guidance here.

     

    • Stig_88256
      Sorry if this is a bit thin, but I'm really in the investigating phase as this part is new to me (claims-based authentication etc.). This is a site at "company X" which today has ordinary AD Auth and SSO for logging into their pages. The company now wants to allow external users into parts of their pages. I'm not really too informed about the real reason for this, but they have asked me how this could be done and how the F5s would be involved. They want a login page with their ordinary login and a box with "login with xxx, yyy, zzz" where the x's, y's and z's are e.g. Google, Facebook, Twitter etc.
  • For social media authentication, you need a third party connector like Azure ACS to be the "STS RP" in front of your SP/RP. There are other vendors that support multiple social media APIs, but I don't remember any off the top of my head other than Azure.