Presentation is loading. Please wait.

Presentation is loading. Please wait.

F5 APM & Security Assertion Markup Language ‘sam-el’

Published byJoel Harper Modified over 8 years ago

Similar presentations

Presentation on theme: "F5 APM & Security Assertion Markup Language ‘sam-el’"— Presentation transcript:

1 F5 APM & Security Assertion Markup Language ‘sam-el’
Jason Smith

2 Agenda What is SAML? Who uses it and why use it?
F5 APM 11.3 Implementation SAML Use Cases F5 Unified VDI access solutions are fast and easy to implement The competition (Citrix) involves multi-server configuration pain The breadth of access capabilities in the F5 solution have no match Demo Roadmap

3 What is the problem? Users authenticate to their enterprise, but more and more resources are hosted elsewhere…. How do we maintain control of those credentials, policies and their lifecycle?

4 What is SAML? Security Assertion Markup Language
Solid standard current version 2.0 (March ) Strong commercial and open source support An XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider (iDP) and a service provider (SP).”

5 What is SAML? Now in English
Its ‘Internet/Web’ SSO Eliminates Need for Multiple Passwords/Password Databases in Multiple Locations Enables Enterprise in the ‘Cloud’

6 What is SAML – Components
A ‘SAML Assertion’ is a Token/Cookie used to communicate the successful authentication of users Uses SSL Certificates to: Sign the Assertion Encrypt the Assertion Still require an authentication database, LDAP/AD/Radius/Two factor etc

7 What is SAML – Components
SAML IdP (Identity Provider) The device that authenticates the user The device that creates, signs, encrypts and inserts the Assertion The device that redirects the user to the target application with the Assertion IdP User Authentication Database

8 What is SAML – Components
SAML SP (Service Provider) The device that redirects the user request to the IdP for authentication The device that consumes the Assertion and validates it The device that redirects the authenticated user to the application (APM does not require a redirect as it the proxy for the app) Application SP

9 What is SAML – Trust SAML SP and IdP
Trust relationships are built using Certificates User Access Services Authentication Service Provider Identity Provider Trust Relationship

10 SP-Initiated SSO: Redirect/POST
Get attributes (optional) Validate token & Establish session (create session variables) IdP User DB SP SAML response Redirect with SAML request Authenticate Resource Request resource POST SAML response User

11 Who uses SAML? SaaS Providers Public Sector
E.g. Google, SalesForce, Office365 Public Sector Universities/Schools Enterprises that want to host apps in a Cloud Provider but want to keep their user accounts DB internal!

12 SAML Use Cases - Authenticating to the App without User/Pass
SAML Assertion replaces the requirement for Password APM SSO to the Application will be Kerberos (KCD) or Custom Auth via Headers or something similar Service Provider OWA.f5se.com You must understand how the Application identifies the user and creates a session Any mechanism requiring a password will not work e.g. NTLM – Basic – Forms Post etc… SharePoint Insert SE question here: What about authenticating to the back-end using other STS? (Secure Ticket Service) I can wee conditions where my customer Apache/Tomcat

13 Federating APM

14 SAML Use Cases - Federating APM’s Authenticating to the App (With and Without Password)
Client requests access to an Internal Application where the APM VIP Requires SAML Authentication Data Center 1 Login.f5se.com Portal.f5se.com ActiveDirectory Data Center 2 OWA.f5se.com Sharepoint.f5se.com Internal Application

15 SAML Use Cases - Federating APM’s Authenticating to the App (With and Without Password)
The BIG-IP VIP should be configured to redirect to the Corporate SAML IdP Data Center 1 Login.f5se.com Portal.f5se.com ActiveDirectory Data Center 2 OWA.f5se.com Sharepoint.f5se.com Internal Application

16 SAML Use Cases - Federating APM’s Authenticating to the App (With and Without Password)
An SP Initiated Post is sent back to the client in the form of a redirect to the IdP Client is presented with a Username/Password Form from the IdP (Including 2 factor based on policy) Data Center 1 Login.f5se.com Portal.f5se.com ActiveDirectory Data Center 2 OWA.f5se.com Sharepoint.f5se.com Internal Application

17 SAML Use Cases - Federating APM’s Authenticating to the App (With and Without Password)
The APM Policy is run to Authenticate the user against their user store The user browser is presented with a SAML Assertion Data Center 1 Login.f5se.com Portal.f5se.com ActiveDirectory Data Center 2 OWA.f5se.com Sharepoint.f5se.com Internal Application

18 SAML Use Cases - Federating APM’s Authenticating to the App (With and Without Password)
Client is redirected to the VIP and APM successfully logs the user on to an Internal Application Data Center 1 Login.f5se.com Portal.f5se.com ActiveDirectory Data Center 2 OWA.f5se.com Sharepoint.f5se.com Internal Application

19 SAML Use Cases - Federating APM’s Authenticationg to the App (With and Without Password)
Let’s look at how the applications authenticate the users OWA authenticates Users VIA Kerberos so no Password is required Data Center 1 Login.f5se.com Portal.f5se.com ActiveDirectory Data Center 2 Sharepoint uses NTLM. F5 APM as an IdP can be configured to insert ${session.logon.last.password into the Assertion as a SAML Variable… The APM functioning as SP can use this when creating the Session for the user OWA.f5se.com Sharepoint.f5se.com Internal Application The Internal Application authenticates the user via HTTP Header and [Trusts] the BIG-IP … The variable ${session.logon.last.password is not required to be inserted by the IdP for use at the SP

20 Putting it all together

21 SAML Lab Overall Use Cases
Domain User makes a SAML Supported request for a resource Data Center 1 Login.f5se.com Portal.f5se.com ActiveDirectory Data Center 2 OWA.f5se.com Sharepoint.f5se.com Inventory App Business Partners SaaS - PaaS ADFS

22 SAML Lab Overall Use Cases
An SP Initiated Post is sent back to the client in the form of a redirect to the IdP Client is presented with a Username/Password Form (Including 2 factor based on policy) Data Center 1 Login.f5se.com Portal.f5se.com Public/Private ActiveDirectory Data Center 2 OWA.f5se.com Sharepoint.f5se.com Inventory App Business Partners SaaS - PaaS ADFS

23 SAML Lab Overall Use Cases
Client Posts Credentials to Login… Credentials are Validated with Active Directory Data Center 1 A SAML Assertion is generated, passed back to the client with a redirect to the requested application Login.f5se.com Portal.f5se.com ActiveDirectory Data Center 2 OWA.f5se.com Sharepoint.f5se.com Inventory App Business Partners SaaS - PaaS ADFS

24 SAML Lab Overall Use Cases
Client successfully logs on to Application with SAML Assertion Data Center 1 Login.f5se.com Portal.f5se.com Public/Private ActiveDirectory Data Center 2 OWA.f5se.com Sharepoint.f5se.com Invenntory App Business Partners SaaS - PaaS ADFS

25 Questions How is APM different from other SAML Gateways as an IdP?
More concurrent & logons per second than any competitor Tightly integrated to other APMs as an SP for federated auth Can convert assertion attributes into session variables How is APM different from other SAML Gateways as an SP? BIG-IP is a proxy so no requirement for redirects to the application Other SPs are out of band and not in the path Huge advantages having the VPE after SAML auth

26 Demo

27 Roadmap Update

28 Edge Gateway (APM) Access Security 11.3
Authentication and SSO SAML (Service and Identity Provider) NTLM End-User Authentication RSA Adaptive Authentication Integration Account Protection SMS/ Passcode Two-Factor Support Integrated CAPTCHA Support Policy Synchronization

29 Edge Gateway (APM) 11.3 Agents
Date and Time License Check OTP IP Reputation IP Subnet VPE Looping Macro Server Side Rate Shaping Loop no more that 3 times

30 Edge Gateway (APM) Access Security 11.4
Authentication and SSO Local User Authentication Database Account Protection User Account Lockout Random Delay on Auth Failures Endpoint Security Recurring Endpoint Checks IP Reputation Checks Health & Patch Levels Secure Edge Proxy VMware View Edge Client Always-On Mode (Locked)

31

Download ppt "F5 APM & Security Assertion Markup Language ‘sam-el’"

Similar presentations

Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.
SAML CCOW Work Item: Task 2

SAML CCOW Work Item: Task 2
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Office 365 Identity June 2013 Microsoft Office365 4/2/2017

Office 365 Identity June 2013 Microsoft Office365 4/2/2017
Core identity scenarios Federation and synchronization 2 3 Identity management overview 1 Additional features 4.

Core identity scenarios Federation and synchronization 2 3 Identity management overview 1 Additional features 4.
Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.

Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal 1 1 2 2 4 4 3,6 5 5 7 7 8 8 9 9 1010 1010 DNS Hello User Sample (Gateway)

Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal , DNS Hello User Sample (Gateway)
SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.

SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,

Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,

Similar presentations

Ads by Google