F5 Rethink - F5 Company Default - CONFIDENTIAL


CONFIDENTIAL
F5 APM &
SECURITY ASSERTION MARKUP LANGUAGE
‘SAM-EL’
Jason Smith
[email protected]
07798 534 592
Agenda
What is SAML?
Who uses it and why use it?
F5 APM 11.3 Implementation
SAML Use Cases
Demo
Roadmap
What is the problem?
• Users authenticate to their enterprise, but more and more resources are hosted elsewhere…
• How do we maintain control of those credentials, policies and their lifecycle?
What is SAML?
• Security Assertion Markup Language
• Solid standard; current version 2.0 (March 2005)
• Strong commercial and open source support
• “An XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider (IdP) and a service provider (SP).”
What is SAML? Now in English
• It’s ‘Internet/Web’ SSO
• Eliminates the need for multiple passwords/password databases in multiple locations
• Enables the Enterprise in the ‘Cloud’
What is SAML – Components
• A ‘SAML Assertion’ is a Token/Cookie used to communicate the successful authentication of users
• Uses SSL Certificates to:
  • Sign the Assertion
  • Encrypt the Assertion
• Still requires an authentication database: LDAP/AD/RADIUS/two factor etc.
What is SAML – Components
• SAML IdP (Identity Provider)
  • The device that authenticates the user
  • The device that creates, signs, encrypts and inserts the Assertion
  • The device that redirects the user to the target application with the Assertion
[Diagram: User, IdP, Authentication Database]
What is SAML – Components
• SAML SP (Service Provider)
  • The device that redirects the user request to the IdP for authentication
  • The device that consumes the Assertion and validates it
  • The device that redirects the authenticated user to the application (APM does not require a redirect as it is the proxy for the app)
[Diagram: SP, Application]
What is SAML – Trust
• SAML SP and IdP
  • Trust relationships are built using Certificates
[Diagram: Trust Relationship between SP and IdP]
SP-Initiated SSO: Redirect/POST
[Diagram: the browser requests a resource from the SP; the SP redirects with a SAML request; the IdP authenticates the user against the User DB and gets attributes (optional); the browser POSTs the SAML response to the SP; the SP validates the token & establishes the session (creates session variables)]
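The Redirect/POST exchange in the diagram above, written out as an added example that is not part of the deck and not F5's code. Both sides run in plain Python with the standard library: the SP builds the AuthnRequest and encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode); the IdP decodes it, issues a Response for the already-authenticated user and returns the HTTP-POST form fields; the SP then performs the checks the diagram summarises as "validate token & establish session". All entity IDs, URLs, user and attribute names and the session variable names are constructed. A real IdP signs with XML-DSig using its certificate (the "Sign the Assertion" point earlier in the deck); because that needs an XML-security library, an HMAC over the Response bytes stands in for it here, which is stated in the code.

```python
# Added example, not code from the deck or from F5. HMAC over the Response bytes
# stands in for the XML-DSig signature a real IdP applies with its certificate.
import base64
import hashlib
import hmac
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"     # constructed
ACS_URL = "https://sp.example.test/saml/acs"               # constructed
IDP_ENTITY_ID = "https://idp.example.test/saml/metadata"   # constructed
IDP_SSO_URL = "https://idp.example.test/saml/sso"          # constructed
SIGNING_KEY = b"stand-in-for-the-idp-signing-certificate"   # HMAC stand-in for XML-DSig

def now():
    return datetime.now(timezone.utc).replace(microsecond=0)

def iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# --- SP, step 1: "Redirect with SAML request" (HTTP-Redirect binding) ---------
def sp_build_redirect(pending):
    # Remember the request ID so the Response's InResponseTo can be checked later.
    req_id = "_" + secrets.token_hex(16)
    pending[req_id] = now()
    xml_req = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
               f'ID="{req_id}" Version="2.0" IssueInstant="{iso(now())}" '
               f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}">'
               f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # raw DEFLATE: no zlib header/trailer
    deflated = comp.compress(xml_req.encode()) + comp.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

# --- IdP: after "Authenticate", build and sign the "POST SAML response" -------
def idp_handle_redirect(url, user, attributes):
    # Returns the form fields the browser POSTs to the SP's ACS URL.
    qs = parse_qs(urlparse(url).query)
    req = ET.fromstring(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15))
    req_id, acs, t = req.get("ID"), req.get("AssertionConsumerServiceURL"), now()
    attrs = "".join(f'<saml:Attribute Name="{escape(k)}"><saml:AttributeValue>{escape(v)}'
                    f'</saml:AttributeValue></saml:Attribute>' for k, v in attributes.items())
    response = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{iso(t)}" '
        f'Destination="{acs}" InResponseTo="{req_id}">'
        f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{iso(t)}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{escape(user)}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{req_id}" Recipient="{acs}" '
        f'NotOnOrAfter="{iso(t + timedelta(minutes=5))}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{iso(t - timedelta(minutes=1))}" '
        f'NotOnOrAfter="{iso(t + timedelta(minutes=5))}"><saml:AudienceRestriction>'
        f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    sig = hmac.new(SIGNING_KEY, response.encode(), hashlib.sha256).hexdigest()
    return {"SAMLResponse": base64.b64encode(response.encode()).decode(), "Signature": sig}

# --- SP, step 2: "Validate token & establish session" --------------------------
def sp_consume_post(form, pending, skew=timedelta(seconds=60)):
    # Returns session variables on success; raises ValueError on any failed check.
    raw = base64.b64decode(form["SAMLResponse"])
    # 1. Integrity first: nothing inside an unverified document is trusted.
    expected = hmac.new(SIGNING_KEY, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, form.get("Signature", "")):
        raise ValueError("signature check failed")
    resp = ET.fromstring(raw)
    # 2. It must answer a request we issued (once: replay) and be sent to our ACS.
    req_id = resp.get("InResponseTo")
    if req_id not in pending or resp.get("Destination") != ACS_URL:
        raise ValueError("unsolicited, replayed or misdirected response")
    del pending[req_id]
    a = resp.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected issuer")
    # 3. Validity window (with clock skew), audience, recipient, InResponseTo.
    cond, t = a.find("saml:Conditions", NS), now()
    if (cond is None or parse_ts(cond.get("NotBefore")) - skew > t
            or t >= parse_ts(cond.get("NotOnOrAfter")) + skew):
        raise ValueError("assertion outside validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("audience mismatch")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != req_id:
        raise ValueError("subject confirmation mismatch")
    # 4. Map the assertion into session variables (variable names are constructed).
    session = {"session.saml.nameid": a.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in a.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        session["session.saml.attr." + attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return session
```

Run one exchange with `pending = {}`, `form = idp_handle_redirect(sp_build_redirect(pending), "alice", {"mail": "alice@example.test"})` and `sp_consume_post(form, pending)`; presenting the same `form` a second time fails because its request ID has been consumed. The order of the checks is deliberate: the signature is verified over the exact bytes received before anything is parsed, and InResponseTo, Destination, Audience, Recipient and the validity window are all checked before a single attribute becomes a session variable, which is what the SP role in the diagram amounts to in practice.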
Who uses SAML?
• SaaS Providers
  • E.g. Google, SalesForce, Office365
• Public Sector
• Universities/Schools
• Enterprises that want to host apps in a Cloud Provider but want to keep their user accounts DB internal!
SAML Use Cases - Authenticating to the App without User/Pass
• SAML Assertion replaces the requirement for Password
• APM SSO to the Application will be Kerberos (KCD) or Custom Auth via Headers or something similar
• You must understand how the Application identifies the user and creates a session
• Any mechanism requiring a password will not work, e.g. NTLM – Basic – Forms Post etc…
[Diagram: Service Provider (OWA.f5se.com, SharePoint, Apache/Tomcat)]
FEDERATING APM
SAML Use Cases - Federating APM’s
Authenticating to the App (With and Without Password)
• Client requests access to an Internal Application where the APM VIP requires SAML Authentication
• The BIG-IP VIP should be configured to redirect to the Corporate SAML IdP
• An SP Initiated Post is sent back to the client in the form of a redirect to the IdP
• Client is presented with a Username/Password Form from the IdP (including 2 factor based on policy)
• The APM Policy is run to authenticate the user against their user store
• The user browser is presented with a SAML Assertion
• Client is redirected to the VIP and APM successfully logs the user on to an Internal Application
• Let’s look at how the applications authenticate the users
  • OWA authenticates users via Kerberos so no password is required
  • SharePoint uses NTLM. F5 APM as an IdP can be configured to insert ${session.logon.last.password} into the Assertion as a SAML variable… The APM functioning as SP can use this when creating the session for the user
  • The Internal Application authenticates the user via HTTP header and [trusts] the BIG-IP… The variable ${session.logon.last.password} is not required to be inserted by the IdP for use at the SP
[Diagram, repeated on each build slide: Data Center 1 (Login.f5se.com, Portal.f5se.com, Active Directory); Data Center 2 (OWA.f5se.com, Sharepoint.f5se.com, Internal Application)]
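The last case above, an internal application that identifies the user from an HTTP header and trusts the BIG-IP to have set it, only holds if the application never honours that header from anyone else. The following is an added example, not code from the deck or from F5, showing the application side of that trust: a 'before' function that accepts the header from any client, and a hardened one that honours it only when the TCP peer is one of the proxy addresses, the header appears exactly once, and the value has the shape of an account name. The header name, the proxy address range and the username pattern are constructed.

```python
# Added example, not from the deck or from F5: consuming the identity header
# that a SAML-authenticating proxy inserts, on the application side.
import ipaddress
import re

# The only hosts allowed to assert a user identity: the BIG-IP self-IPs that
# front the application (constructed range; in a real deployment, the address
# space the proxy actually connects from, or a client certificate check).
TRUSTED_PROXIES = [ipaddress.ip_network("10.20.0.0/24")]
IDENTITY_HEADER = "x-remote-user"                         # constructed header name
USERNAME_RE = re.compile(r"^[a-z0-9._-]{1,64}$", re.I)    # constructed account-name shape


def identify_insecure(headers):
    """'Before' form: trusts the header from any client. A user who can reach the
    application without going through the BIG-IP can name any account."""
    for name, value in headers:
        if name.lower() == IDENTITY_HEADER:
            return value
    return None


def identify(headers, peer_ip):
    """Hardened form: honour the header only when the peer is a trusted proxy,
    the header occurs exactly once and the value is well formed.
    Returns the user name, or None (treat None as unauthenticated)."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None                      # direct access: header is untrusted input
    values = [v.strip() for n, v in headers if n.lower() == IDENTITY_HEADER]
    if len(values) != 1:                 # missing, or duplicated (ambiguous identity)
        return None
    return values[0] if USERNAME_RE.match(values[0]) else None


# Constructed sample requests as (header list, peer address).
VIA_BIGIP = ([("host", "inventory.internal"), ("x-remote-user", "jsmith")], "10.20.0.5")
DIRECT = ([("host", "inventory.internal"), ("x-remote-user", "administrator")], "192.0.2.44")
DUPLICATED = ([("x-remote-user", "jsmith"), ("x-remote-user", "administrator")], "10.20.0.5")
```

`identify(*VIA_BIGIP)` returns `"jsmith"`, while `identify(*DIRECT)` and `identify(*DUPLICATED)` return `None`; `identify_insecure(DIRECT[0])` returns `"administrator"`, which is exactly the exposure the trust relationship has to rule out. The peer check is the minimum; placing the application where only the BIG-IP can reach it, or authenticating the proxy with a client certificate, is the stronger form of the same control.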
PUTTING IT ALL TOGETHER
SAML Lab Overall Use Cases
• Domain User makes a SAML supported request for a resource
• An SP Initiated Post is sent back to the client in the form of a redirect to the IdP
• Client is presented with a Username/Password Form (including 2 factor based on policy)
• Client posts credentials to Login… Credentials are validated with Active Directory
• A SAML Assertion is generated, passed back to the client with a redirect to the requested application
• Client successfully logs on to Application with SAML Assertion
[Diagram, repeated on each build slide: Data Center 1 (Login.f5se.com, Portal.f5se.com, Active Directory); Data Center 2, Public/Private (OWA.f5se.com, Sharepoint.f5se.com, Inventory App); SaaS - PaaS; Business Partners (ADFS)]
Questions
- How is APM different from other SAML Gateways as an IdP?
  - More concurrent & logons per second than any competitor
  - Tightly integrated to other APMs as an SP for federated auth
  - Can convert assertion attributes into session variables
- How is APM different from other SAML Gateways as an SP?
  - BIG-IP is a proxy so no requirement for redirects to the application
  - Other SPs are out of band and not in the path
  - Huge advantages having the VPE after SAML auth
DEMO
ROADMAP UPDATE
Edge Gateway (APM) Access Security 11.3
Authentication and SSO
• SAML (Service and Identity Provider)
• NTLM End-User Authentication
• RSA Adaptive Authentication Integration
• Account Protection
• SMS/E-Mail Passcode Two-Factor Support
• Integrated CAPTCHA Support
• Policy Synchronization
Edge Gateway (APM) 11.3 Agents
• Date and Time
• Email
• License Check
• OTP
• IP Reputation
• IP Subnet
• VPE Looping Macro (loop no more than 3 times)
• Server Side Rate Shaping
Edge Gateway (APM) Access Security 11.4
• Authentication and SSO
  • Local User Authentication Database
• Account Protection
  • User Account Lockout
  • Random Delay on Auth Failures
• Endpoint Security
  • Recurring Endpoint Checks
  • IP Reputation Checks
  • Health & Patch Levels
• Secure Edge Proxy
  • VMware View
• Edge Client
  • Always-On Mode (Locked)