Forum Discussion

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
Mar 19, 2021

F5 newbie - trying to work things out - help :)

Hi

 

 

my current poc ( first stages – main bit)

 

Web site https://demo.XYZ.com

 

With these url test

• /testsso/unprotected - No protection - just to check the SSO - there is no need for a SSO token and no security requirements needed

• /testsso/validsso - must be signed into the SSO - so no specific group membership just have a valid token

• /testsso/validgroup - must be signed in and be in the right group. Test with nested groups. user → groupA and groupA is member of GroupZ, allow groupZ access.

• /testsso/validip - must be member of group testIP and must also only be allowed from specific ip

• /testsso/mfasms - must be member of groupSMS and must pass the sms MFA

• /testsso/mfatotp - must be member of groupSMS and must pass the totp MFA (google auth)

• /testsso/mfacertificate - must be member of groupSMS and must pass the cert mfa - can we force the user to have a valid debts client cert 

• /testsso/status - dump current status about sso and session token

• /testsso/logout - be able to log out of the sso - all token must be made invalid

 

So my test steps are open browser and go to 

 

This is without any security

https://demo.XYZ.com  this opens a menu page with the above url’s as links

https://demo.XYZ.com/testsso/unprotected - no security 

https://demo.XYZ.com/testsso/validsso - have a valid SSO / Auth token … My presumption is that the F5 will redirect to the login page and make the user login 

https://demo.XYZ.com/testsso/validgroup - be a member of a valid group … my presumption is that I have a SSO token from above and this will just test membership.

 

And the rest of the uri above in order with the specific tests

So I understand I need a different VS for each of the above

So i have a main vs with no resource pool

I use a policy to forward requests based on uri to specific VS 

These VS have access profiles associated to them and I have attached them to a specific SSO multi-domain (look at the techdocs link below)

also have a vs which is the default which has no access profile 

 

 

 

 

Looking at this https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/25.html , this seems to be the article to tie the above together.

From my reading with an SSO component and because each of the above are separate VS and separate ASM, I would have to log into each separately.

 

This section “Configuring an access policy for SSO multi-domain support” talks about solving that

 

The problem with this doc is its for version 11.I found a v15 version - basically the same 

 

Part of this I am going to set a new url https://auth.XYZ.com I am going to use this as my login / logout hostname for the SSO.

I believe I need set this up as a new VP and attach my SSO there 

 

So my testing would be 

 

https://demo.XYZ.com  this opens a menu page with the above url’s as links

https://demo.XYZ.com/testsso/unprotected - no security 

https://demo.XYZ.com/testsso/validsso - have a valid SSO / Auth token … F5 will send me to https://auth.XYZ.com to login and once complete sends them back to https://demo.XYZ.com/testsso/validsso

https://demo.XYZ.com/testsso/validgroup - be a member of a valid group … my presumption is that I have a SSO token from above and this will just test membership.

 

I might need some help with setting up the access profile for the bottom two if I have an action that says login page will it know to go to https://auth.XYZ.com

 

 

How will this translate for our debts platform , or any resources protected by F5 in XYZ

 

 

User goes to https://www.XYZ.com

 

https://www.XYZ.com

clicks to https://www.XYZ.com/SomeProtectedArea

F5 send user to https://auth.XYZ.com where the user logins if they don’t have a valid sso

F5 send the user back to https://www.XYZ.com/SomeProtectedArea

 

 

So now my problem in testing 

 

1) https://demo.XYZ.com  this opens a menu page with the above url’s as links  

2) https://demo.XYZ.com/testsso/unprotected - no security 

3) https://demo.XYZ.com/testsso/validsso - have a valid SSO / Auth token … My presumption is that the F5 will redirect to the login page and make the user login 

4) https://auth.XYZ.com/  this works login all good

5) https://demo.XYZ/F5Networks-SSO-Resp?SSO_ORIG_URI=XXXXXXXXX comes back 404

 

 

I believe, I think that is because /F5Networks-SSO-Resp is being routed to the default vs that has no access profile so the F5 doesn't know what do to.

 

 

So how do I fix that 

Bigger question ... am i do this the right way ? Is there a better way to do it.

 

 

 

 

 

 

 

 

10 Replies

  • You need F5 APM for SSO not ASM. You can check the link below and see the option for a global profile under Profile Scope and also the option "SSO / Auth Domains: Primary Authentication URI". The ASM will just block you if you haven't passed the login page first if you have corecty configured this (https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/5.html ). The ASM and APM can work well together to accomplish the things you want:

     

    https://support.f5.com/csp/article/K54217479

     

     

    https://support.f5.com/csp/article/K13315545

     

     

    https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-1-0/40.html

    • AlexS_yb's avatar
      AlexS_yb
      Icon for Cirrocumulus rankCirrocumulus

      Thanks, i think I have done that . Sorry I am new to the F5 and the terminology

       

      so i created these VS

      • auth.xyz.com .. .this is the url for the shared SSO - multidomain
      • auth.xyz.com_redirect so http -> https
      • demo.xyz.com . this is really an empty config - no resources - but I currently have 2 addons (1-irule set and 2 policy rule) I am doing both for testing not sure which is the preferred (best practice), I can see that the irule is very flexible
      • demo.xyz.com_redirect http->https
      • demo.xyz.com_default ... this is the default VS from the empty one above - for irule I use a switch to decide which vs to use based upon uri and I have a policy which does the same - both have a catch all at the bottom that sends it to this vs
      • demo.xyz.com_case2 ... this is the vs that handles /testsso/validsso, basically it wants a valid sso token. this is where I am stuck

       

      so on auth.xyz.com & demo.xyz.com_case2 i have SSO attached - same one setup as multidomain.

      I have a per session access rule in place for both of them. although different.

      for auth it setup login page and does a ad login and save the variables to the sso tokens.

      for demo.xyz.com_case2 it has its own pre session access profile - which basically just does the sso token task, this sends it to the login url - https://auth.xyz.com, that works, once logged in it uses the F5Networks-SSO-Resp mechanism to go from auth to demo.

       

      So this is me guessing, but demo vs the shell one takes that and sends it to the demo_default vs, which doesn't have a access profile associated with it, so it fails !

      I don't want a access profile attached to the default as I want people to come there with out a sso token..

       

      so what I have done in the irule and also the ltm policy is redirect demo/F5Networks-SSO-Resp to auth/F5Networks-SSO-Resp and that works.

      I would write a irule to do it myself with out the redirect but I don't know how and I wouldn't know how to do it in the ltm policy - I am guessing a TCL command ?

       

       

      I have a quick look at the documents - but I believe I have done what they are suggesting - or I am missing something - think we getting around the terminology.

       

      I was thinking maybe just add an access policy to the demo_default vs

       

      also I believe I have set both the auth access policy to global and the demo_case2 to global ?

       

      thanks for the input

      still lost, not 100% of the next steps, to do it the F5 way

       

       

       

       

       EDIT

      Creating a BIG-IP ASM security policy and applying it to the layered virtual server

      Impact of procedure: Performing the following procedure should not have a negative impact on the system.

      To create the server, perform the appropriate procedures outlined in the following F5 manuals:

      • For BIG-IP ASM 13.x and 14.x, refer to the Creating a Simple Security Policy chapter of the BIG-IP Application Security Manager: Getting Started manual.

       

      I tried to follow this, but I can't do that under my security main menu I only have cloud services !

       

      in fact most of the steps below that I can't do

      from this article https://support.f5.com/csp/article/K13315545

      Am i missing something - I am on 15.1

       

       

      EDIT #2

      I found on the licensing page, that the ASM module didn't look like it was enabled, so I have enabled it ... maybe thats what I have been missing !

       

       

      EDIT #3

      turning on ASM module - after reboot - I had lost all of my work :( time for a break... sigh

       

       

      EDIT #4

       

      so rebuilt it.

      vs_base -> this has the ASM attached to it

      prolicy route for validsso to a new vs

      The sso works, but its still not processing the F5Networks-SSO-Rep uri :(

       

  • You seem to be good with APM, I wouldn't call you junior with it.

     

     

    For Local traffic policy redirect just see the example https://support.f5.com/csp/article/K26312346 and you can replace the iRule. It is with TCL command as you mentioned. If you redirecting to a static domain and there will be no variables used for the redirect like [HTTP::uri] or [HTTP::host] then just enter the static URL without using "tcl:" as "tcl:" is when you need to have access to tcl variables and for static URL this is not needed.

     

     

    If you set two access profiles to global then if the user has authenticated to one, he will have access to the other as mentioned in https://devcentral.f5.com/s/question/0D51T00006j20Ce/v12-apm-profile-scope .

     

     

    For the ASM VIP it could be that the ASM is blocking the SSO, so if possible test without an ASM policy out of working hours and check if that is the case and if needed check the articles I have given for ASM and APM integration. As if you followed https://support.f5.com/csp/article/K54217479 then ASM if before the APM (normally it is AFM > LTM > APM > ASM) but by following the article with layered VS then the ASM is first and maybe it could be blocking something if not configured corectly.

     

     

     

    For the demo_default VS if you don't have access policy or profile then the SSO shouldn't work as even the global profiles will not work if there is no access profile under the VIP.

     

     

     

    Just a note with irules you can dissable and enable the SSO https://clouddocs.f5.com/api/irules/WEBSSO__disable.html . Also with the variable assign agent you can modify the SSO as for example the user logs into the APM with username and password but the backend server wants other username (username with a domain attached and so on) https://support.f5.com/csp/article/K52926273 . If the SSO you use by default does not have an option you need check the variable assign agent.

     

    %%%%%%%%%%%%%%%

    Edit

     

    Also check out:

     

     

    https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/27.html

     

    and the below article as each access profile should have the SSO credential mapping (you may also use the variable assign macro) for SSO to work.

     

    https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-visual-policy-editor/access-policy-item-reference/about-assignment-items/about-sso-credential-mapping.html

     

    • AlexS_yb's avatar
      AlexS_yb
      Icon for Cirrocumulus rankCirrocumulus

      Thanks.

       

      okay, let me try this from a different angle then based on this

       

      "

      For the demo_default VS if you don't have access policy or profile then the SSO shouldn't work as even the global profiles will not work if there is no access profile under the VIP.

       "

       

      so lets say I want people to freely get to

       

      demo.xyz.com/

      but when they hit

      demo.xyz.com/secret

       

      I want them to login, especially I want them to use a global SSO (auth.xyz.com)

       

      so from what I have read

       

      I create a VS for

      demo.xyz.com which is just a big switch to these vs and also has a ASM attached to the front

      demo.xyz.com_secret << this has a APM

      demo.xyz.com_default

       

      You are saying to get SSO working properly, I need to attach a APM to demo.xyz.com_default vs

       

      can I have a APM that just allows every one with out doing any checking ?

       

       

       

       

       

       

       

       

       

      • Nikoolayy1's avatar
        Nikoolayy1
        Icon for MVP rankMVP

        Can you check this post :

         

        https://devcentral.f5.com/s/question/0D51T00006i7h0S/apm-sso-between-two-virtual-servers

         

         

        The idea is to have demo.xyz.com_default with the same SSO object in Access profile and the access profile will do no more checks but just have the SSO.

         

         

         

        You can use the multi domain to redirect from demo.xyz.com_default to demo.xyz.com_secret if no aythenticated but as you have the F5 ASM Login Page protection, you will simply block access to the other URL if the login page is not hit fitst.

         

        https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/27.html

  • Thanks for all your help. That last document is about where I started from.

     

    I think my next step is to try apply APM to the dem.xyz.com_default vs and some how allow any access

     

    • Nikoolayy1's avatar
      Nikoolayy1
      Icon for MVP rankMVP

      You just need to add the same SSO object and add only allow action at the end of it in the access policy (the main access profile and the one for the default VIP need to be with a scope global) or better yet you can just add the same profile with a profile scope "Profile" for demo.xyz.com_secret and demo.xyz.com_default and when the user logs in demo.xyz.com_secret after that they try to access the demo.xyz.com_default, they will not need to again pass the profile checks as there is a created session for the user when they accessed demo.xyz.com_secret :) Test it out lab it out and it will work.

       

      AskF5 | Manual Chapter: Understanding Access Policies

       

       

       

      With ASM enforce login page you will block the users from first trying to enter demo.xyz.com_default before demo.xyz.com_secret

       

       

      AskF5 | Manual Chapter: Creating Login Pages for Secure Application Access

       

       

      F5 has trial license for Vmware so test it in your hope. Also go to learn F5 and pass the getting started for ASM/APM and if needed LTM:

       

      LearnF5

       

       

      Also check the operations guides they are great:

       

       

      https://support.f5.com/csp/article/K73819494

      • AlexS_yb's avatar
        AlexS_yb
        Icon for Cirrocumulus rankCirrocumulus

        Hi

         

        I'm a bit lost here.

         

        "

         With ASM enforce login page you will block the users from first trying to enter demo.xyz.com_default before demo.xyz.com_secret

         "

         

        But I don't want people to have to login to access the site by default - only some uri.

         

         

        Let me rephrase it back to you

        vs-auth << main auth ltm prolicy to vs-auth-apm

        vs-auth-apm has apm attached

         

        vs-demo << main vs, using irule to send to other vs. also a policy profile that turns on ASM with a profile

         

        vs-demo-default << all the default traffic , no access profile - nothing special

         

        vs-demo-validsso << has access profile . policy is start -> sso variable -> accept

        This sort of works, the F5NetworkSSO uri still doesn't work not picked up by vs-demo or vs-demo-default. right now I map this to vs vs-auth or vs-demo-validsso not the best but

         

        vs-demo-validip << has access profile and per request profile ... it fails (by design to test). the fail page fails . even when i map the url to vs-auth or vs-demo-validsso it fails, seems like it is only process properly by vs-demo-validip

         

        sso is setup as multidomain and all the access profiles (per session) are setup as global.

         

         

        So ... what I am trying to do is insert into the headers what vs the call was from so I can map /public /vdesk /F5Networks back to that vs. not ideal, in fact rather bad as i would think it should just work... but ..

         

         

         

         

         

         

         

         

         

  • If the last answer is good enough for you can you mark it as solved, so that question will be marked as resolved.

  • So I have found a working answer

     

    based upon this

    https://devcentral.f5.com/s/question/0D51T00006i7Xc3/only-enable-access-policy-when-server-response-is-401

     

    basically attach access profile and per request profile to first VS

     

    then use irule to turn access on and off where needed

     

    so i have a switch that pulls out the protected url

     

    and a default that turns it off, except if hrmsession is not empty !

     

    the one issue which i worked around is the sso forms based login uri including /

     

    not sure I fully understand how the sso is supposed to work .. another thread

     

    this works really well its all in 1 vs so ...