Posted 01-Feb-2018

Page 1 (source: westconbe.security.westcon.com/documents/47407/6_v11 seminar_SAML.pdf)

F5 APM & SECURITY ASSERTION MARKUP LANGUAGE ‘SAM-EL’

CONFIDENTIAL

Lloyd Webb
lw@f5.com
07889 641911

Page 2

Enable Simplified Application Access with BIG-IP Access Policy Manager (APM)

Page 3

BIG-IP Access Policy Manager (APM): Unified Access and Control for BIG-IP

BIG-IP® APM Features:

• Centralizes single sign-on and access control services
• Full proxy L4–L7 access control at BIG-IP speeds
• Adds endpoint inspection to the access policy
• Visual Policy Editor (VPE) provides policy-based access control
• VPE Rules: programmatic interface for custom access policies

BIG-IP® APM ROI Benefits:

• Consolidates authentication infrastructure
• Reduces AAA management costs
• Simplifies remote, web and application access control

*AAA = Authentication, Authorization and Accounting (or Auditing)

Page 4

What is the problem?

• Users authenticate to their enterprise, but more and more resources are hosted elsewhere…
• How do we maintain control of those credentials, policies and their lifecycle?

Page 5

What is SAML?

• Security Assertion Markup Language
• A solid standard; the current version is 2.0 (March 2005)
• Strong commercial and open source support
• “An XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider (IdP) and a service provider (SP).”

Page 6

What is SAML? Now in English

• It’s ‘Internet/Web’ SSO
• Eliminates the need for multiple passwords/password databases in multiple locations
• Enables the Enterprise in the ‘Cloud’

Page 7

What is SAML – Components

• A ‘SAML Assertion’ is a token/cookie used to communicate the successful authentication of users
• Uses SSL certificates to:
  • Sign the Assertion
  • Encrypt the Assertion
• Still requires an authentication database: LDAP/AD/RADIUS/two-factor etc.

Page 8

What is SAML – Components

• SAML IdP (Identity Provider)
  • The device that authenticates the user
  • The device that creates, signs, encrypts and inserts the Assertion
  • The device that redirects the user to the target application with the Assertion

[Diagram: User ⟷ IdP ⟷ Authentication Database]

Page 9

What is SAML – Components

• SAML SP (Service Provider)
  • The device that redirects the user request to the IdP for authentication
  • The device that consumes the Assertion and validates it
  • The device that redirects the authenticated user to the application (APM does not require a redirect, as it is the proxy for the app)

[Diagram: SP ⟷ Application]

Page 10

What is SAML – Trust

• SAML SP and IdP
  • Trust relationships are built using certificates

[Diagram: SP ⟷ IdP trust relationship]

Page 11

Who uses SAML?

• SaaS providers
  • E.g. Google, SalesForce, Office365
• Public sector
  • Universities/schools
• Enterprises that want to host apps in a cloud provider but want to keep their user accounts DB internal!

Page 12

APM as IdP

[Diagram: user ⟷ APM (IdP) ⟷ Auth server; user → SP, steps 1 and 2]

1. APM is used to create an assertion, either upfront, or after the user tries to access a protected resource without the required assertion.
2. The user now uses the assertion to access the SP, where the assertion is validated and access is provided.

Page 13

APM as IdP – IdP initiated

When the user goes directly to the IdP (APM) to authenticate, a logon page will normally be provided and a webtop displayed.

• The webtop will have one or more SAML resources
• Allows the user to select the resource on a given SP.

Page 14

APM as IdP – IdP initiated

[Diagram: user ⟷ APM (IdP) ⟷ Auth server; user → SP, steps 1 to 3]

1. The user first visits APM; since no session exists, the access policy runs.
2. The access policy authenticates the user and presents a webtop with SAML resources.
3. Once a resource is selected, an assertion is created and the user is redirected to the ACS on the SP.

Page 15

APM as IdP – SP initiated

The user goes to the SP first and tries to access a resource that is protected. The SP will send an authentication request to the IdP to authenticate the user, and then have them redirected back with an assertion.

Page 16

APM as IdP – SP initiated

[Diagram: user ⟷ SP; user ⟷ APM (IdP) ⟷ Auth server; steps 1 to 5]

1. The user first visits the SP and tries to access a protected resource.
2. The SP redirects the user, with an authentication request, to the APM SSO URL (a well-known path off a VS, i.e. a virtual server).
3. The access policy takes the SAML AuthN request and validates it.
4. Using the entity ID, it finds a SAML SSO object and creates an assertion.
5. The user is redirected to the ACS on the SP with the assertion.
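Steps 2 to 4 of the SP-initiated flow, as an added example that is not part of the slides and is not F5's code: the SP builds an AuthnRequest and sends it through the SAML HTTP-Redirect binding (DEFLATE, base64, URL-encode), and the IdP decodes it, checks that the Destination is its own SSO URL, looks up the registered SP by the Issuer entityID (standing in for the "SAML SSO object"), and refuses any requested ACS URL that differs from the registered one. The hostnames, URLs and the KNOWN_SPS table are assumed values constructed for the example.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed IdP-side table of registered SPs keyed by entityID: the stand-in for
# the "SAML SSO object" the IdP looks up. Hostnames and URLs are assumed values.
KNOWN_SPS = {
    "https://sp.example.test/saml/metadata": {"acs_url": "https://sp.example.test/saml/acs"},
}


def build_authn_request(sp_entity_id, acs_url, idp_sso_url):
    """SP side (step 2): build an unsigned AuthnRequest; return (request ID, XML)."""
    req_id = "_" + uuid.uuid4().hex  # the SP stores this to match the later Response
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{req_id}" Version="2.0" IssueInstant="{issued}" Destination="{idp_sso_url}" '
        f'AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>"
    )
    return req_id, xml


def encode_redirect(xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urlencode(params)  # appended after '?' on the IdP SSO URL


def decode_redirect(query, max_bytes=64 * 1024):
    """Reverse the binding, capping the inflated size so a tiny request cannot balloon."""
    params = parse_qs(query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompressobj(-15).decompress(raw, max_bytes)
    return xml.decode("utf-8"), params.get("RelayState", [None])[0]


def idp_handle_request(query, idp_sso_url):
    """IdP side (steps 3-4): validate the request and find the SP's SSO config by entityID."""
    xml, relay_state = decode_redirect(query)
    # ElementTree's expat parser does not resolve external entities; a production IdP
    # should still parse untrusted XML with a hardened parser such as defusedxml.
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    # The Destination must be this IdP's SSO URL, or the message was meant for another party
    if root.get("Destination") != idp_sso_url:
        raise ValueError("Destination does not match this IdP SSO URL")
    issuer = root.findtext(f"{{{SAML_NS}}}Issuer")
    sp = KNOWN_SPS.get(issuer)
    if sp is None:
        raise ValueError(f"unknown SP entityID {issuer!r}")
    # Never honour a requested ACS URL that differs from the registered one: the assertion
    # must only ever be posted to the SP's configured consumer endpoint.
    requested_acs = root.get("AssertionConsumerServiceURL")
    if requested_acs is not None and requested_acs != sp["acs_url"]:
        raise ValueError("AssertionConsumerServiceURL does not match the registered SP")
    return {
        "request_id": root.get("ID"),
        "sp_entity_id": issuer,
        "acs_url": sp["acs_url"],
        "relay_state": relay_state,
    }


def request_rejection_reason(query, idp_sso_url):
    """The rejection message for a redirect-binding request, or None when it is accepted."""
    try:
        idp_handle_request(query, idp_sso_url)
    except (ValueError, KeyError) as exc:
        return str(exc)
    return None
```

The IdP result carries the registered ACS URL, never the one named in the request, which is what the assertion-building step (not shown) should post to; `relay_state` is passed back to the SP unchanged so it can resume the originally requested resource. A real deployment also signs the request, or at least relies on the registered SP entry, rather than trusting request contents.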

Page 17

APM as SP – Introduction

A user is authenticated to the SAML IdP (APM). They access a resource behind the APM and don’t need to authenticate again. APM uses (consumes) a SAML assertion (claims) and validates its trustworthiness; this allows the user to access the resource.

Page 18

APM as SP – SP initiated

When the user directly accesses an SP (APM) resource, the user will be directed to the IdP to authenticate and get an assertion.

Page 19

APM as SP – SP initiated

[Diagram: user ⟷ APM (SP) ⟷ server; user ⟷ IdP; steps 1 to 5]

1. The SP (APM) is contacted to access a resource.
2. Since no session exists, the access policy runs.
3. The access policy will typically send a SAML AuthN request to the IdP.
4. The IdP authenticates the user and redirects the user back to the APM ACS.
5. APM will then validate the assertion and parse it, populating session variables from fields in the assertion. The access policy can then provide access to the resource (typically via a pool).
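Step 5 above, and the "consumes the Assertion and validates it" role from the SP component slide, as an added example that is not taken from the slides or from F5: the checks an SP applies before trusting a bearer assertion (signature, trusted issuer, replay, validity window with clock skew, audience, ACS recipient, InResponseTo for SP-initiated versus unsolicited IdP-initiated responses) and the session variables it then derives from the NameID and attributes. Signature verification is delegated to a caller-supplied function standing in for an XML-DSig library; the sample Response, the SP_CONFIG values, the fixed clock and the session.saml.* variable names are constructed for the example and are not APM's own names.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
FIXED_NOW = datetime(2018, 2, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock so runs are reproducible

# Constructed SP-side configuration (assumed entityIDs and URLs, not values from the slides)
SP_CONFIG = {
    "entity_id": "https://sp.example.test/saml/metadata",
    "acs_url": "https://sp.example.test/saml/acs",
    "trusted_idps": {"https://idp.example.test/saml/idp"},
    "clock_skew": timedelta(minutes=3),
    "allow_unsolicited": True,  # accept IdP-initiated responses, which carry no InResponseTo
}
_seen_assertion_ids = set()  # replay cache; a real SP keeps it per IdP and expires entries


def _ts(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def build_sample_response(now, assertion_id, in_response_to=None, age_minutes=0,
                          audience=SP_CONFIG["entity_id"], issuer="https://idp.example.test/saml/idp"):
    """Constructed sample of the Response an IdP posts to the ACS (ds:Signature element omitted)."""
    issued = now - timedelta(minutes=age_minutes)
    not_before = (issued - timedelta(minutes=1)).strftime(TIME_FMT)
    not_after = (issued + timedelta(minutes=5)).strftime(TIME_FMT)
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_r1" Version="2.0">
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_CONFIG['acs_url']}" NotOnOrAfter="{not_after}"{irt}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf"><saml:AttributeValue>finance</saml:AttributeValue><saml:AttributeValue>vpn-users</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def consume_assertion(response_xml, verify_signature, outstanding_request_ids, now=None, cfg=SP_CONFIG):
    """Validate a bearer assertion at the ACS and return the session variables it yields.
    verify_signature(assertion_element) -> bool stands in for XML-DSig verification against the
    IdP certificate from its metadata (an xmlsec/signxml job, not implemented here)."""
    now = now or datetime.now(timezone.utc)
    skew = cfg["clock_skew"]
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    if not verify_signature(assertion):  # 1. trust: signed by the IdP's certificate
        raise ValueError("assertion signature did not verify")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer not in cfg["trusted_idps"]:  # 2. only IdPs this SP is configured to trust
        raise ValueError(f"untrusted issuer {issuer!r}")
    if assertion.get("ID") in _seen_assertion_ids:  # 3. each assertion is accepted exactly once
        raise ValueError("assertion replayed")
    cond = assertion.find("saml:Conditions", NS)  # 4. audience and validity window (with skew)
    if cond is None or cfg["entity_id"] not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not intended for this SP")
    if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["acs_url"]:  # 5. bound to this ACS endpoint
        raise ValueError("SubjectConfirmationData Recipient is not this ACS")
    if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("subject confirmation expired")
    in_response_to = scd.get("InResponseTo")
    if in_response_to:  # SP-initiated: must answer a request this SP actually sent
        if in_response_to not in outstanding_request_ids:
            raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
        outstanding_request_ids.discard(in_response_to)
    elif not cfg["allow_unsolicited"]:  # IdP-initiated responses only when policy permits
        raise ValueError("unsolicited assertion rejected by policy")
    _seen_assertion_ids.add(assertion.get("ID"))
    # 6. populate session variables from the NameID and the attribute statement
    session = {"session.saml.nameid": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        session[f"session.saml.attr.{attr.get('Name')}"] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return session


def rejection_reason(response_xml, verify_signature=lambda a: True, outstanding=None, now=None):
    try:
        consume_assertion(response_xml, verify_signature, outstanding or set(), now=now)
    except ValueError as exc:
        return str(exc)
    return None
```

The order of checks matters: the signature is verified first so that nothing in an unsigned document is trusted, and the assertion ID is only recorded in the replay cache after every other check passes, so a rejected response cannot poison the cache. Whether unsolicited (IdP-initiated) responses are accepted at all is a policy decision captured in `allow_unsolicited`.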

Page 20

APM as SP – IdP initiated

When the user directly accesses an IdP resource, the user is redirected back to APM with an assertion. In this case APM just consumes the assertion.

Page 21

APM as SP – IdP initiated

[Diagram: user ⟷ IdP; user ⟷ APM (SP) ⟷ server; steps 1 to 3]

1. The IdP is contacted upfront for authentication.
   a) The user is authenticated and is redirected to the ACS on the SP with the assertion.
2. APM receives the assertion, validates it and parses it.
3. Access is now provided.