Source: westconbe.security.westcon.com/documents/47407/6_v11 seminar_saml.pdf
TRANSCRIPT
CONFIDENTIAL
Lloyd Webb
F5 APM & Security Assertion Markup Language (SAML, pronounced ‘SAM-EL’)
Enable Simplified Application Access with BIG-IP Access Policy Manager (APM)
BIG-IP Access Policy Manager (APM) Unified Access and Control for BIG-IP
BIG-IP® APM Features:
• Centralizes single sign-on and access control services
• Full proxy L4–L7 access control at BIG-IP speeds
• Adds endpoint inspection to the access policy
• Visual Policy Editor (VPE) provides policy-based access control
• VPE Rules: programmatic interface for custom access policies
BIG-IP® APM ROI Benefits:
• Consolidates authentication infrastructure
• Reduces AAA management costs
• Simplifies remote, web and application access control
*AAA = Authentication, Authorization and Accounting (or Auditing)
What is the problem?
• Users authenticate to their enterprise, but more and more resources are hosted elsewhere…
• How do we maintain control of those credentials, policies and their lifecycle?
What is SAML?
• Security Assertion Markup Language
• Mature standard; the current version is 2.0 (March 2005)
• Strong commercial and open source support
• “An XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider (IdP) and a service provider (SP).”
What is SAML? Now in English
• It’s ‘Internet/Web’ SSO
• Eliminates the need for multiple passwords/password databases in multiple locations
• Enables the enterprise in the ‘Cloud’
What is SAML – Components
• A ‘SAML Assertion’ is a signed XML token (not a browser cookie) used to communicate the successful authentication of a user
• Uses X.509 certificates (the same kind used for SSL) to:
• Sign the Assertion (with the IdP’s private key; the SP verifies the signature with the IdP’s certificate)
• Encrypt the Assertion (optional; encrypted to the SP’s certificate)
• Still requires an authentication database: LDAP/AD/RADIUS/two-factor, etc.
What is SAML – Components
• SAML IdP (Identity Provider)
• The device that authenticates the user
• The device that creates, signs, encrypts and inserts the Assertion
• The device that redirects the user to the target application with the Assertion
[Diagram: User ↔ IdP ↔ Authentication Database]
What is SAML – Components
• SAML SP (Service Provider)
• The device that redirects the user request to the IdP for authentication
• The device that consumes the Assertion and validates it
• The device that redirects the authenticated user to the application (APM does not require a redirect, as it is the proxy for the app)
[Diagram: SP ↔ Application]
What is SAML – Trust
• SAML SP and IdP
• Trust relationships are built by exchanging certificates: the SP holds the IdP’s signing certificate, and the IdP holds the SP’s
[Diagram: SP ↔ IdP trust relationship]
Who uses SAML?
• SaaS Providers
• E.g. Google, Salesforce, Office 365
• Public Sector
• Universities/Schools
• Enterprises that want to host apps at a cloud provider but keep their user account database internal
APM as IDP
[Diagram: user, APM (IdP), auth server, SP; steps 1-2]
1. APM is used to create an assertion, either upfront, or after the user tries to access a protected resource without the required assertion.
2. The user now presents the assertion to the SP, where it is validated and access is provided.
APM as IDP – IDP initiated
When the user goes directly to the IdP (APM) to authenticate:
• A logon page will normally be provided
• And a webtop displayed
• The webtop will have one or more SAML resources
• Allows the user to select the resource on a given SP
APM as IDP - IDP initiated
[Diagram: user, APM (IdP), auth server, SP; steps 1-3]
1. User first visits APM; since no session exists, the access policy runs.
2. The Access Policy authenticates the user and presents a webtop with SAML resources.
3. Once a resource is selected, an assertion is created and the user is redirected to the ACS (Assertion Consumer Service) on the SP.
APM as IDP - SP initiated
The user goes to the SP first:
• Tries to access a resource that is protected
• The SP will send an authentication request to the IdP to authenticate the user
• And then have them redirected back with an assertion
APM as IDP - SP initiated
[Diagram: user, SP, APM (IdP), auth server; steps 1-5]
1. User first visits the SP and tries to access a protected resource.
2. The SP redirects the user, carrying a SAML authentication request (AuthnRequest), to the APM SSO URL (a well-known path on the APM virtual server).
3. The Access Policy takes the SAML AuthnRequest and validates it.
4. Using the entity ID in the request (the SP’s Issuer), it finds the matching SAML SSO object and creates an assertion.
5. The user is redirected to the ACS on the SP with the assertion.
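The SP-initiated exchange in steps 2 to 4 above, as an added example that is not part of the original deck and not F5 APM code: the SP side builds an AuthnRequest and encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), and the IdP side decodes it, checks the Destination, and uses the entity ID in the request’s Issuer to find the registered SAML SSO object. The entity IDs, URLs and the in-memory registry are hypothetical.

```python
"""SP-initiated SAML SSO, steps 2-4: the SP sends the browser to the IdP SSO URL with an
AuthnRequest (HTTP-Redirect binding); the IdP decodes it and looks the SP up by entity ID."""
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Hypothetical identifiers (assumptions, not from the page).
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/saml/idp/sso"   # the "well-known path" on the IdP

# IdP side: SAML SSO objects registered on the IdP, keyed by SP entity ID (constructed sample).
IDP_SP_REGISTRY = {
    SP_ENTITY_ID: {"acs_url": SP_ACS_URL},
}


def build_authn_request(sp_entity_id, acs_url, idp_sso_url):
    """Step 2, SP side: create the AuthnRequest. Returns (request_id, xml_bytes)."""
    request_id = "_" + secrets.token_hex(16)   # xs:ID values may not start with a digit
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(req)


def redirect_binding_url(idp_sso_url, request_xml, relay_state):
    """Step 2, SP side: HTTP-Redirect binding = raw DEFLATE, base64, URL-encode as SAMLRequest."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(request_xml) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii"), "RelayState": relay_state}
    return idp_sso_url + "?" + urllib.parse.urlencode(params)


def idp_handle_redirect(url):
    """Steps 3-4, IdP side: decode and validate the AuthnRequest, then find the SP's SSO object."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
    root = ET.fromstring(raw)
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    if root.get("Destination") != IDP_SSO_URL:
        raise ValueError("Destination is not this IdP's SSO URL")
    issuer = root.findtext(f"{{{NS_SAML}}}Issuer")
    sso_object = IDP_SP_REGISTRY.get(issuer)
    if sso_object is None:
        raise ValueError(f"no SAML SSO object for entity ID {issuer!r}")
    # Only ever send the assertion to the ACS registered for that SP: honouring an arbitrary
    # AssertionConsumerServiceURL from the request would hand a valid assertion to whoever sent it.
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs != sso_object["acs_url"]:
        raise ValueError("AssertionConsumerServiceURL does not match the registered ACS")
    return {
        "request_id": root.get("ID"),          # becomes InResponseTo on the Response and assertion
        "sp_entity_id": issuer,
        "acs_url": sso_object["acs_url"],
        "relay_state": query.get("RelayState", [""])[0],
    }


def authn_request_error(url):
    """The IdP's rejection reason, or None when the request is accepted."""
    try:
        idp_handle_redirect(url)
    except ValueError as e:
        return str(e)
```

The registry lookup by Issuer is what step 4 describes; a request from an entity ID the IdP does not know, or one naming an ACS other than the registered one, is rejected before any assertion is built.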
APM as SP - Introduction
• A user is authenticated to a SAML IdP (for example, an APM acting as IdP)
• They access a resource behind the APM
• They don’t need to authenticate again
• APM uses (consumes) a SAML assertion (claims) and validates its trustworthiness
• This allows the user to access the resource
APM as SP - SP initiated
When the user directly accesses an SP (APM) resource:
• The user will be directed to the IdP to authenticate
• And get an assertion
APM as SP - SP initiated
[Diagram: user, APM (SP), IdP, server; steps 1-5]
1. The SP (APM) is contacted to access a resource.
2. Since no session exists, the Access Policy runs.
3. The access policy will typically send a SAML AuthnRequest to the IdP.
4. The IdP authenticates the user and redirects the user back to the APM ACS.
5. APM then validates the assertion (signature, issuer, audience, validity window) and parses it, populating session variables from fields in the assertion. The access policy can then provide access to the resource (typically via a pool).
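Step 5 above (and step 2 of the IdP-initiated case that follows, where there is no AuthnRequest and therefore no InResponseTo to match), as an added example that is not code from the deck or from APM: the checks an SP has to pass before it populates session variables from an assertion, run over a constructed SAML Response. The entity IDs, URLs, the fixed clock and the sample response are all made up for the example, and the signature is an HMAC stand-in for XML-DSig so that it runs offline; a real SP verifies the XML-DSig signature against the IdP’s certificate.

```python
import base64
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Hypothetical identifiers and a fixed demo clock (assumptions, not from the page).
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/saml/idp"
DEMO_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
# Stand-in for the IdP's signing key (assumption): real SAML uses XML-DSig with the IdP's X.509
# certificate; an HMAC over the canonicalised assertion is used only so this example runs offline.
DEMO_SIGNING_KEY = b"demo-idp-signing-key-not-for-production"


def _ts(text):
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def _canonical_without_signature(assertion_el):
    """Enveloped-signature transform: drop ds:Signature, then canonicalise what remains."""
    copy = ET.fromstring(ET.tostring(assertion_el))
    for sig in copy.findall("ds:Signature", NS):
        copy.remove(sig)
    return ET.canonicalize(ET.tostring(copy, encoding="unicode")).encode()


def demo_sign_assertion(assertion_el):
    """IdP-side stand-in: insert a ds:Signature carrying an HMAC tag over the assertion."""
    tag = hmac.new(DEMO_SIGNING_KEY, _canonical_without_signature(assertion_el), "sha256").digest()
    sig = ET.Element("{%s}Signature" % NS["ds"])
    ET.SubElement(sig, "{%s}SignatureValue" % NS["ds"]).text = base64.b64encode(tag).decode()
    assertion_el.insert(1, sig)   # XML-DSig places Signature directly after Issuer


def demo_verify_signature(assertion_el):
    """SP-side stand-in; in production this is XML-DSig verification against the IdP certificate."""
    value = assertion_el.findtext("ds:Signature/ds:SignatureValue", namespaces=NS) or ""
    tag = hmac.new(DEMO_SIGNING_KEY, _canonical_without_signature(assertion_el), "sha256").digest()
    return hmac.compare_digest(base64.b64decode(value), tag)


def validate_response(response_xml, *, sp_entity_id, acs_url, idp_entity_id, outstanding_request_ids,
                      seen_assertion_ids, verify_signature, now, skew=timedelta(seconds=120)):
    """Return the attributes APM would load into session variables, or raise ValueError."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("status is not Success")
    in_response_to = root.get("InResponseTo")            # absent for IdP-initiated SSO
    if in_response_to is not None and in_response_to not in outstanding_request_ids:
        raise ValueError("InResponseTo does not match a request we sent")
    assertions = root.findall("saml:Assertion", NS)      # direct children only, never .//
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if not verify_signature(a):                          # nothing below is trustworthy until this passes
        raise ValueError("assertion signature invalid")
    if a.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("assertion issuer is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if now + skew < _ts(cond.get("NotBefore")) or now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if sp_entity_id not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion is not addressed to this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != in_response_to:
        raise ValueError("subject confirmation does not match this SP and request")
    if a.get("ID") in seen_assertion_ids:                # replay; IDs can be dropped once NotOnOrAfter passes
        raise ValueError("assertion replayed")
    seen_assertion_ids.add(a.get("ID"))
    outstanding_request_ids.discard(in_response_to)
    attrs = {s.get("Name"): [v.text for v in s.findall("saml:AttributeValue", NS)]
             for s in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    attrs["NameID"] = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return attrs


def validation_error(response_xml, **kwargs):
    """The rejection reason, or None when the response is accepted."""
    try:
        validate_response(response_xml, **kwargs)
    except ValueError as e:
        return str(e)


def make_demo_response(*, now=DEMO_NOW, sp_entity_id=SP_ENTITY_ID):
    """Constructed sample of what the IdP posts to the ACS, signed with the stand-in key."""
    issued, expiry = now.strftime(TIME_FMT), (now + timedelta(minutes=5)).strftime(TIME_FMT)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
           f'IssueInstant="{issued}" Destination="{SP_ACS_URL}" InResponseTo="_req1">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issued}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Subject><saml:NameID>alice</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="_req1" NotOnOrAfter="{expiry}"/>'
           f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="{issued}" NotOnOrAfter="{expiry}">'
           f'<saml:AudienceRestriction><saml:Audience>{sp_entity_id}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>alice@example.com'
           f'</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')
    root = ET.fromstring(xml)
    demo_sign_assertion(root.find("saml:Assertion", NS))
    return ET.tostring(root)
```

The order matters: the signature is checked before any claim is read, the assertion is taken only as a direct child of the Response (so an unsigned assertion smuggled elsewhere in the document is not picked up), and the audience, recipient, validity window and assertion ID are checked even when the signature is good, because a valid assertion issued for another SP, or captured and replayed, is exactly what those fields exist to reject.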
APM as SP - IDP initiated
When the user directly accesses an IdP resource:
• The user is redirected back to APM with an assertion
• In this case APM just consumes the assertion
APM as SP - IDP initiated
[Diagram: user, IdP, APM (SP), server; steps 1-3]
1. The IdP is contacted upfront for authentication. The user is authenticated and is redirected to the ACS on the SP with the assertion.
2. APM receives the assertion, validates it and parses it. There is no AuthnRequest in this flow, so there is no InResponseTo to match; the signature, issuer, audience and validity-window checks on the assertion itself are all the SP has.
3. Access is now provided.