Forum Discussion

AJ_01_135899
Jun 09, 2014

SAML SSO - Secure Sideband Connections

Curious as to the community's thoughts on this.


I'm planning out a SAML SSO that will require data not contained in Active Directory (and thusly not able to be natively queried by APM). We've previously accomplished this with non-sensitive data using an http sideband connector in an iRule that's called by the Access Policy.


The proposed solution will potentially contain more sensitive data, so there's a requirement to secure it. However, I don't see an ability to use SSL connections with sideband connections. Additionally, I don't see any sideband options that natively support NTLM or other authentication methods.


Are there any thoughts out there on how to best accomplish a sideband connection that requires authentication and SSL?


7 Replies

  • AJ, this comes up from time to time when customers need to pull additional data out of systems like SAP or PeopleSoft. Most enterprises utilize a virtual directory system that allows F5 to perform an LDAP query against the VD which then in turn queries the underlying data source (SQL, AD, LDAP, etc.).


    How is the data stored/accessed in the 2nd data source?


    • AJ_01_135899
      So after a little research it looks like something like Penrose might be able to help with this. While this would be an early use case for this in our environment, I can see where this may be useful for future efforts so I may look into implementing Penrose to federate Active Directory and SQL data sources, and provide it via LDAPS. That said, I do wish there was more native data source support built into Access Policies :) In the short term however, if anyone has info on how I could best secure a sideband connection via HTTPS it would be appreciated...
  • Generally speaking it's a "best practice" to always point sideband calls at another local VIP. That VIP is of course unencrypted on the client side, but can be re-encrypted on the server side to the application by simply applying a server SSL profile.


  • Are you talking about doing sideband to an APM VIP? If so, you'd necessarily need to use clientless-mode on that VIP, which would also limit credential input to whatever you can pass pre-emptively (i.e. HTTP Basic, HTTP headers, etc.). For server side authentication (SSO) on that sideband APM VIP, there are really no restrictions.
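    An added example (not posted in the thread and not F5's own code) of the pattern the two replies above describe: the access policy fires an iRule Event agent, the iRule opens a sideband connection to a local virtual server that carries a server SSL profile and re-encrypts to the real data service, and the credential is passed pre-emptively as an HTTP Basic header. The virtual server name `/Common/vs_sideband_lookup`, the agent ID `sideband_lookup`, the data group `sideband_creds`, the URI path and the host header are all assumptions for illustration.

    ```tcl
    # Added example, not from the thread. Assumes:
    #  - an iRule Event agent in the access policy with ID "sideband_lookup"
    #  - a local virtual server "/Common/vs_sideband_lookup" with a server SSL
    #    profile, pooling the HTTPS data service (re-encryption happens there)
    #  - a string data group "sideband_creds" holding key "basic_auth" with the
    #    base64 user:password value, so the secret is not in the iRule text
    when ACCESS_POLICY_AGENT_EVENT {
        if { [ACCESS::policy agent_id] ne "sideband_lookup" } { return }

        set user [ACCESS::session data get "session.logon.last.username"]
        set auth [class match -value "basic_auth" equals "sideband_creds"]

        # Sideband to the local VIP by name; client side is plaintext on-box only
        set conn [connect -protocol TCP -timeout 3000 -idle 5 -status conn_status "/Common/vs_sideband_lookup"]
        if { $conn eq "" } {
            log local0. "sideband connect failed for $user: $conn_status"
            ACCESS::session data set "session.custom.lookup.status" "error"
            return
        }

        set req "GET /api/attributes?user=[URI::encode $user] HTTP/1.1\r\n"
        append req "Host: lookup.internal.example\r\n"
        append req "Authorization: Basic $auth\r\n"
        append req "Connection: close\r\n\r\n"
        send -timeout 3000 -status send_status $conn $req

        # Single recv is enough for a small JSON body; loop on recv for large ones
        set resp [recv -timeout 3000 -status recv_status $conn]
        close $conn

        if { ![regexp {^HTTP/1\.[01] (\d{3})} $resp -> code] || $code ne "200" } {
            log local0. "sideband lookup failed for $user: status=[expr {[info exists code] ? $code : "none"}] recv=$recv_status"
            ACCESS::session data set "session.custom.lookup.status" "error"
            return
        }

        # Keep only the body; the policy can branch on status and map the body
        # into SAML attributes, never exposing the credential to the client
        set body [string range $resp [expr {[string first "\r\n\r\n" $resp] + 4}] end]
        ACCESS::session data set "session.custom.lookup.status" "ok"
        ACCESS::session data set "session.custom.lookup.body" $body
    }
    ```

    A branch rule on `session.custom.lookup.status` after the iRule Event agent lets the policy deny or fall back when the lookup fails instead of issuing an assertion with missing attributes.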


  • The use case would be using sideband as part of an APM SAML SSO access policy, triggered by an iRule event step in the access policy itself.


    Thanks for the feedback on this, I wish there weren't the SSL and authentication limitations but at least I have options.


  • Can you elaborate on what you're doing? Can I assume that the sideband call is part of an iRule in the APM SAML IdP configuration, for the purpose of doing some form of authentication that APM does not natively support?