Forum Discussion

dp_119903
Jan 27, 2016

APM + SSO questions about server side authentication

I have a good amount of experience working with the F5 as a SAML SP using a 3rd party external IdP and then using kerberos for server side SSO.


I have a question, though, about other options. Since I am using an external IdP, I can't use NTLM or Basic for SSO, as they require a username AND password, and I don't have the password: all I receive from the IdP is the username. Which is why, in the past, I've been using Kerberos, because with constrained delegation set up I can query the servers with a service account and get a token for the user in question. With that said, I have some applications that don't support Kerberos, so I'm trying to figure out what SSO options I have. I see that SAML is listed in the SSO section, but I'm not entirely certain how it works and can't find any good documentation. Is it possible for the F5 to function as a SAML SP, to receive assertion information from the external IdP and then to send that username to an application using SAML (as the SSO method)?


I think that the only other option would be "forms based", if I could get the application owners to write a web page that has a form that simply requires a username. But maybe I'm wrong on that.


In the end, all I'm trying to figure out is what my SSO options are if all I have is a username. I know Kerberos is an option, but are there other options?


Thanks!


2 Replies

  • You stated that your application servers don't have the capability of using Kerberos. Can you tell us what authentication mechanisms they have today?


    One thought would be to have a datagroup that did a username/password mapping; then you could pull from that data group to a fixed password and send it to the back end. This way the user doesn't have to type a password, but the app server isn't wide open, only looking for a username.


    -Seth


  • You have a couple of options in this scenario:


    1. Integrating SAML support into the application natively (some work there)
    2. Allowing access by extracting the username from an HTTP header

    The second one is typically much easier to implement. F5 can easily insert the username in a specific HTTP header, and the application can be modified to look for that header and extract the user identity from it. This approach is used by many large enterprise Web Access Management solutions.


    Optionally, you can also choose to encrypt the username using symmetric-key encryption between the BIG-IP and your application, and you should also restrict traffic to the application so that it accepts it only from the IP address of the BIG-IP, to avoid tampering with it and bypassing security.


    Hope this helps.
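The second reply's header-injection approach, shown as an added example that is not part of the thread and not F5's own code. It models both sides: what the BIG-IP would insert after the SAML assertion is consumed (`mint_identity_header`) and what the application must check before trusting the header (`verify_identity_header`). The reply suggests symmetric encryption; this example uses an HMAC instead, because what prevents a user from forging or altering the header is integrity, not secrecy, and keyed-hash verification is simpler to get right than an unauthenticated cipher. The header name `X-Remote-User`, the BIG-IP address `10.0.0.5`, the shared key and the 300-second freshness window are assumptions for the demo; the key in a real deployment is provisioned out of band.

```python
"""Application-side verification of a BIG-IP-inserted identity header (added example)."""
import base64
import hashlib
import hmac
import ipaddress
import time

# Assumed deployment values (not from the thread): the BIG-IP self-IP the app
# server sees, the header name, the freshness window, and a shared secret.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
IDENTITY_HEADER = "X-Remote-User"
MAX_AGE_SECONDS = 300
SHARED_KEY = b"constructed-demo-key-replace-me"   # constructed for the demo


class IdentityError(Exception):
    """Raised when the identity header must not be trusted."""


def mint_identity_header(username, key=SHARED_KEY, now=None):
    """Build the value the BIG-IP side would insert once SAML auth succeeds.

    Format: urlsafe_b64(username|unix_ts) "." hex(HMAC-SHA256(key, payload)).
    The MAC binds username and timestamp, so a client that can reach the
    application directly cannot forge a user or replay an old value forever.
    """
    ts = int(time.time() if now is None else now)
    payload = f"{username}|{ts}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_identity_header(value, client_ip, key=SHARED_KEY, now=None):
    """Return the username if the header is trustworthy, else raise IdentityError."""
    # 1. Accept the header only on connections that come from the BIG-IP.
    src = ipaddress.ip_address(client_ip)
    if not any(src in net for net in TRUSTED_PROXIES):
        raise IdentityError(f"identity header not accepted from {client_ip}")
    # 2. Parse; anything malformed (including a bare username) is a hard failure.
    try:
        b64, tag = value.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
        username, ts_text = payload.decode().rsplit("|", 1)
        ts = int(ts_text)
    except ValueError as exc:  # also covers binascii.Error and UnicodeDecodeError
        raise IdentityError("malformed identity header") from exc
    # 3. Constant-time MAC check before any field is trusted.
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise IdentityError("identity header failed integrity check")
    # 4. Reject stale values to bound replay.
    current = int(time.time() if now is None else now)
    if abs(current - ts) > MAX_AGE_SECONDS:
        raise IdentityError("identity header expired")
    return username


def user_from_request(headers, client_ip, key=SHARED_KEY, now=None):
    """Framework-agnostic entry point: headers is a dict of request headers."""
    value = headers.get(IDENTITY_HEADER)
    if value is None:
        raise IdentityError("no identity header present")
    return verify_identity_header(value, client_ip, key, now)


if __name__ == "__main__":
    # Constructed demo: BIG-IP inserts the header, the application verifies it.
    now = 1_700_000_000
    hdr = mint_identity_header("jdoe", now=now)
    print("accepted:", user_from_request({IDENTITY_HEADER: hdr}, "10.0.0.5", now=now))
    # Bypassing the BIG-IP, or sending a bare username, is rejected.
    for headers, ip in [({IDENTITY_HEADER: hdr}, "192.0.2.10"),
                        ({IDENTITY_HEADER: "admin"}, "10.0.0.5")]:
        try:
            user_from_request(headers, ip, now=now)
        except IdentityError as err:
            print("rejected:", err)
```

The source-IP check is the control the reply describes; the MAC is what makes the header useful even if that network restriction is imperfect. The BIG-IP side should additionally strip any client-supplied copy of the header before inserting its own, otherwise the application's trust in the header name alone is misplaced.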