Archive for AAA

Shared Authentication Domains on BIG-IP APM

Posted in security, f5, big-ip, application delivery, authentication, AAA, devcentral, access by psilva on February 14th, 2017

How to share an APM session across multiple access profiles.

A common question for someone new to BIG-IP Access Policy Manager (APM) is how do I configure BIG-IP APM so the user only logs in once.

By default, BIG-IP APM requires authentication for each access profile.

[Image: domain_value.jpg]

This can easily be changed by setting the domain cookie variable in the access profile's SSO/Auth Domains menu, so that the session cookie is scoped to the shared parent domain rather than to a single host.

Let’s walk through how to configure App1 and App2 to only require authentication once.

We’ll start with App1’s Access Profile.

[Image: dv1.jpg]

Once you click through to App1’s settings, in the Top menu, select SSO/Auth Domains.

[Image: dv2.jpg]

We're prompted for authentication, enter our credentials and, luckily, get a successful login.

[Image: dv4.jpg]

Then we try to log in to App2. When we click it, we're not prompted again for credentials and gain access without any further prompts.

[Image: dv5.jpg]

Granted, this was a single login request for two simple applications, but the same setting scales to hundreds of applications. If you'd like to see a working demo of this, check it out here.
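The mechanism behind the walkthrough above is ordinary browser cookie scoping: a session cookie set without a Domain attribute is host-only and is presented only to the host that set it, while a cookie carrying the parent domain is presented to every host under that domain. The following is an added example, not code from the original post or from F5: a toy cookie jar that applies the RFC 6265 domain-matching rules so you can see which hosts would present the APM session cookie in the default case and with the domain cookie set. The hostnames, the session value and the cookie name (APM's session cookie is called MRHSession; the name is not on the page) are assumptions for the illustration.

```python
"""Added example (not the post's or F5's code): why a domain-scoped session
cookie lets App1 and App2 share one APM session.

By default the APM session cookie is host-only, so the browser presents it only
to the host that set it. Supplying a domain cookie in the access profile's
SSO/Auth Domains menu adds a Domain attribute, and the browser then sends the
cookie to every host under that domain. This toy jar implements the RFC 6265
matching rules to show both cases. Hostnames, the session id and the cookie
name are constructed for the illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

SESSION_COOKIE = "MRHSession"  # APM's session cookie name (assumed here)


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    domain: str       # the setting host (host-only) or the Domain attribute
    secure: bool = True


def _norm(host: str) -> str:
    return host.lower().strip(".")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: the request host is the cookie domain itself or a
    subdomain of it. The suffix must begin on a label boundary, so
    'notexample.com' does not match 'example.com'."""
    rh, cd = _norm(request_host), _norm(cookie_domain)
    return rh == cd or rh.endswith("." + cd)


def set_cookie(jar: List[Cookie], setting_host: str, name: str, value: str,
               domain_attr: Optional[str] = None) -> None:
    """Store a cookie the way a browser does on receiving Set-Cookie from
    setting_host. A Domain attribute that does not cover the setting host is
    rejected (RFC 6265 s5.3 step 6)."""
    if domain_attr is None:
        jar.append(Cookie(name, value, True, _norm(setting_host)))
        return
    if not domain_matches(setting_host, domain_attr):
        raise ValueError(f"{setting_host} may not set a cookie for {domain_attr}")
    jar.append(Cookie(name, value, False, _norm(domain_attr)))


def cookies_for(jar: List[Cookie], request_host: str, https: bool = True) -> dict:
    """Return the cookies the browser would attach to a request to request_host."""
    sent = {}
    for c in jar:
        if c.secure and not https:
            continue                      # Secure cookies never go over plain HTTP
        if c.host_only and _norm(request_host) != c.domain:
            continue                      # host-only: exact host match required
        if not c.host_only and not domain_matches(request_host, c.domain):
            continue                      # domain cookie: suffix match required
        sent[c.name] = c.value
    return sent


def hosts_sharing_session(domain_attr: Optional[str], hosts: List[str]) -> List[str]:
    """Log in once at app1 (constructed), then report which of the given hosts
    would present the session cookie, i.e. would not prompt again."""
    jar: List[Cookie] = []
    set_cookie(jar, "app1.example.com", SESSION_COOKIE, "sess-0001", domain_attr)
    return [h for h in hosts if SESSION_COOKIE in cookies_for(jar, h)]


if __name__ == "__main__":
    apps = ["app1.example.com", "app2.example.com", "notexample.com"]
    print("default (host-only):      ", hosts_sharing_session(None, apps))
    print("domain cookie example.com:", hosts_sharing_session("example.com", apps))
```

The defensive corollary is that a domain cookie is presented to every host under that suffix, whether or not APM fronts it, so the domain value should be the narrowest suffix the participating applications actually share.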

ps

Would You Put Corporate Applications in the Cloud?

Posted in security, f5, big-ip, cloud, cloud computing, silva, application delivery, AAA, federation, access, saas by psilva on February 23rd, 2016


There once was a time when organizations wouldn’t consider deploying critical applications in the cloud. It was too much of a business risk from both an access and an attack perspective—and for good reason, since 28 percent of enterprises have experienced more security breaches in the public cloud than with on-premises applications. This is changing, however. Over the last few years, cloud computing has emerged as a serious option for delivering enterprise applications quickly, efficiently, and securely. Today almost 70 percent of organizations are using some cloud technology. And that approach continues to grow. According to the latest Cisco Global Cloud Index report, global data center IP traffic will nearly triple over the next five years. Overall, data center IP traffic will grow at a compound annual growth rate of 25 percent from 2012 to 2017.

This growth is to support our on-demand, always connected lifestyle, where content and information must be accessible/available anytime, anywhere, and on any screen. Mobility is the new normal, and the cloud is the platform to deliver this content. No wonder enterprises are scrambling to add cloud components to their existing infrastructure to provide agility, flexibility, and secure access to support the overall business strategy. Applications that used to take months to launch now take minutes, and organizations can take advantage of innovations quickly. But most IT organizations want the cloud benefits without the risks. They want the economics and speed of the cloud without worrying about the security and integration challenges.

Use of the corporate network itself has become insecure, even with firewalls in place. Gone are the days of “trusted” and “untrusted,” as the internal network is now dangerous. It'll only get worse once all those IoT wearables hit the office. Even connecting to the corporate network via VPN can be risky due to the network challenges. Today, almost anything can pose a potential security risk, and unauthorized access is a top data security concern.

Going against the current trend, some organizations are now placing critical applications in the cloud and facing the challenge of providing secure user access. This authentication is typically handled by the application itself, so user credentials are often stored and managed in the cloud by the provider. Organizations, however, need to keep close control over user credentials, and for global organizations, the number of identity systems can be in the thousands, scattered across geographies, markets, brands, or acquisitions. It becomes a significant challenge for IT to properly authenticate the person (whether located inside or outside the corporate network) to a highly available identity provider (such as Active Directory) and then direct them to the proper resources. The goal is to allow access to corporate data from anywhere with the right device and credentials. Speed and productivity are key.

Authentication, authorization, and encryption help provide the fine-grained access, regardless of the user’s location and network. Employee access is treated the same whether the user is at a corporate office, at home, or connected to an open, unsecured Wi-Fi network at a bookstore. This eliminates the traditional VPN connection to the corporate network and also encrypts all connections to corporate information, even from the internal network.

In this scenario, an organization can deploy the BIG-IP platform, especially virtual editions, in both the primary and cloud data centers. BIG-IP intelligently manages all traffic across the servers. One pair of BIG-IP devices sits in front of the servers in the core network; another pair sits in front of the directory servers in the perimeter network. By managing traffic to and from both the primary and directory servers, the F5 devices ensure the availability and security of cloud resources—for both internal and external (federated) employees. In addition, directory services can stay put as the BIG-IP will simply query those to determine appropriate access.

While there are some skeptics, organizations like GE and Google are already transitioning their corporate applications to cloud deployments and more are following. As Jamie Miller, President & CEO at GE Transportation, says, 'Start Small, Start Now.'

ps




Ask the Expert – Why Identity and Access Management?

Posted in security, f5, big-ip, cloud computing, silva, video, authentication, AAA by psilva on November 4th, 2015

Michael Koyfman, Sr. Global Security Solution Architect, shares the access challenges organizations face when deploying SaaS cloud applications. Syncing data stores to the cloud can be risky so organizations need to utilize their local directories and assert the user identity to the cloud. SAML is a standardized way of asserting trust and Michael explains how BIG-IP can act either as an identity provider or a service provider so users can securely access their workplace tools. Integration is key to solve common problems for successful and secure deployments.

ps




RSA 2014: Layering Federated Identity with SWG (feat Koyfman)

Posted in security, f5, big-ip, cloud computing, silva, video, application delivery, authentication, AAA, saml, access, saas by psilva on February 27th, 2014

While protecting employees from rogue sites and productivity hogs is critical, the employee’s ability to access SaaS applications is also critical for productivity. Sr. Global Security Solutions Architect Michael Koyfman shows how to layer SAML federated identity to Secure Web Gateway.

ps




AWS re:Invent 2013 – Cloud Federation Reference Architecture (feat. Pearce)

Posted in security, f5, big-ip, cloud, cloud computing, silva, video, application delivery, AAA, cloud provider by psilva on November 15th, 2013

Nathan Pearce and I yuck it up on camera again, this time commiserating about Cloud Federation and the challenges associated with identity and access management in the cloud.

ps




BIG-IP Edge Client v1.0.6 for iOS 7

Posted in security, f5, big-ip, ssl vpn, silva, AAA, control, apple, iPhone, iPad, byod by psilva on September 19th, 2013

With all your other iOS 7 updates (if you've made the plunge), if you are running the BIG-IP Edge Client on your iPhone, iPod or iPad, you may have gotten an App Store alert for an update. If not, I just wanted to let you know that version 1.0.6 of the iOS Edge Client is available in the App Store with iOS 7 support.

Customers who use UDID in their access policies should have users update to this version.

The BIG-IP Edge Client application from F5 Networks secures and accelerates mobile device access to enterprise networks and applications using SSL VPN and optimization technologies. Access is provided as part of an enterprise deployment of F5 BIG-IP Access Policy Manager, Edge Gateway, or FirePass SSL-VPN solutions. BIG-IP Edge Client for iOS features:

    • Provides accelerated mobile access when used with F5 BIG-IP Edge Gateway.
    • Automatically roams between networks to stay connected on the go.
    • Full Layer 3 network access to all your enterprise applications and files.


ps




Pulse2013 – IBM Maximo Optimization & SSO with BIG-IP APM

Posted in security, f5, big-ip, acceleration, ssl vpn, silva, video, AAA by psilva on March 6th, 2013

It's an all Nojan week at the Pulse2013 conference at the MGM Grand! This time, he shows Peter Silva how to deploy Maximo Asset Management with the new Maximo iApp from F5 found on DevCentral, along with how to configure acceleration and SSO for Maximo users. The result is increased performance for remote users along with ease of deployment for administrators. Got Maximo? Get BIG-IP APM.


ps




Inside Look - SAML Federation with BIG-IP APM

Posted in security, f5, big-ip, cloud computing, silva, video, authentication, AAA, saml, federation by psilva on January 31st, 2013

I get an Inside Look at BIG-IP's new #SAML #Federation functionality in v11.3 with Sr. Security Solution Architect Gary Zaleski. We cover BIG-IP as a SAML Service Provider (SP) and as a SAML Identity Provider (IdP). Watch how users can easily connect to Salesforce, SharePoint, Office365 and Google. Solving Substantiation with SAML.


ps




Solving Substantiation with SAML

Posted in security, f5, big-ip, ssl vpn, cloud, cloud computing, silva, application delivery, authentication, AAA, control by psilva on January 29th, 2013

Organizations are deploying distributed, hybrid architectures that can span multiple security domains. At any moment, a user could be accessing the corporate data center, the organization’s cloud infrastructure, or even a third party, #SaaS web application. #SAML can provide the identity information necessary to implement an enterprise-wide single sign-on solution.

Proving or asserting one’s identity in the physical world is often as simple as showing a driver’s license or state ID card. As long as the photo matches the face, that’s typically all that is needed to verify identity. This substantiation of identity is a physical form of authentication, and depending on the situation, the individual is then authorized either to receive something or to do something, for instance, enter a bar, complete a purchase, etc.

In the digital world, identity verification is not as easy as showing the computer monitor a driver’s license. To gain entry, you must provide information like a name, password, randomly generated token number—something you have, something you know, or something you are—to prove you are who you say you are.

Gaining access to corporate assets is no different. Many organizations, however, have multiple resource portals, each requiring digital proof of identity. Their users may also need to access partner portals, cloud-based Software as a Service (SaaS) applications, or distributed, hybrid infrastructures that span multiple data centers, each requiring a unique user name and password. In addition, the average employee must maintain about 15 different passwords for both her private and corporate identities, with many of those passwords also being used for social media and other risky entities. Statistics show that 35 to 50 percent of help desk calls are related to password problems, with each call costing a company between $25 and $50 per request.

Security Assertion Markup Language (SAML) is an XML-based standard that allows secure web domains to exchange user authentication and authorization data. It directly addresses the problem of how to provide the users of web browsers with single sign-on (SSO) convenience. With SAML, an online service provider can contact a separate online identity provider to authenticate users who are attempting to access secure content. For example, a user might need to log in to Salesforce.com, but Salesforce (the service provider) has no mechanism to validate the user. Salesforce would then send a request to an identity provider, such as F5 BIG-IP Access Policy Manager (APM), to validate the requesting user’s identity. BIG-IP APM version 11.3 supports SAML federation, acting as either a service provider or an identity provider, enhancing the employee’s online experience and potentially reducing password-related tickets at the help desk.

BIG-IP APM version 11.3 can act as either a SAML service provider or a SAML identity provider, enabling both federation and SSO within an enterprise.

BIG-IP APM as a Service Provider

When a user initiates a request from a SAML IdP and the resources, such as an internal SharePoint site, are protected by BIG-IP APM, BIG-IP APM consumes that SAML assertion (claim) and validates its trustworthiness. This ultimately allows the user access to the resource. If the user goes directly to BIG-IP APM (as an SP) to access a resource (like SharePoint), then the user will be directed to the IdP to authenticate and get an assertion. Once a user is authenticated with a SAML IdP and accesses a resource behind BIG-IP APM, he or she will not need to authenticate again.

BIG-IP APM as an Identity Provider

Provided there is an SP that accepts assertions, a user can authenticate with BIG-IP APM to create an assertion. BIG-IP APM authenticates the user and displays resources. When the user clicks on an application, BIG-IP APM generates an assertion. That assertion can be passed on to the SP, which allows access to the resource without further authentication. When the user visits the SP first, the process is SP initiated; when the user goes directly to the IdP (in this case, BIG-IP APM) first to authenticate, the process is IdP initiated.

BIG-IP APM in a SAML Federation

SAML can be used to federate autonomous BIG-IP APM systems. This allows a user to connect to one BIG-IP device, authenticate, and transparently move to other participating BIG-IP devices. Session replication is not part of SAML, but administrators can populate session information on participating systems. This means that BIG-IP device federation does not enable the use of a single session within the federation; it only enables information exchange among multiple members of the federation. Each participating BIG-IP device maintains its own independent session with the client, and each has its own access policy that executes separately and independently.

Participating federation members can exchange information with any other federation members outside of sessions where needed. A common configuration is to have a dedicated BIG-IP device as a primary member to which users are authenticated and that provides information to other members. This allows a number of other BIG-IP devices to work in conjunction with that primary member. The primary member is dedicated as an IdP, while the other participating members operate as SPs.
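The three sections above (BIG-IP APM as SP, as IdP, and the federation in which one primary member is the IdP and the others are SPs) describe one exchange seen from each side. The following is an added example, not the post's own or F5's code, that reduces an SP-initiated and an IdP-initiated SAML-style login to the checks a service provider has to perform before it opens its own, independent session: signature, issuer, audience, validity window, InResponseTo against an outstanding request, and one-time use of the assertion. A real deployment signs assertions with XML Signature under the IdP's certificate; here an HMAC over a canonical JSON form stands in for that signature so the logic runs offline. The entity IDs, the key, the user record, the posture attribute and the timestamps are constructed.

```python
"""Added example (not F5's or the post's code): SP-initiated and IdP-initiated
SAML-style flows reduced to the SP's validation checks. An HMAC over a
canonical JSON form stands in for XML Signature so the example runs offline.
Entity IDs, key, user record and timestamps are constructed.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

IDP_ENTITY_ID = "https://idp.example.com/saml/idp"        # constructed (APM as IdP)
SP_ENTITY_ID = "https://sharepoint.example.com/saml/sp"   # constructed (APM as SP)
SIGNING_KEY = b"constructed-demo-key"   # stand-in for the IdP signing certificate


def _canonical(assertion: dict) -> bytes:
    body = {k: v for k, v in assertion.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(assertion: dict, key: bytes) -> str:
    return hmac.new(key, _canonical(assertion), hashlib.sha256).hexdigest()


class IdentityProvider:
    """IdP role: authenticates the user and issues a signed assertion
    addressed to exactly one SP (AudienceRestriction)."""

    def __init__(self, entity_id: str, key: bytes, users: dict):
        self.entity_id, self.key, self.users = entity_id, key, users

    def issue(self, username: str, password: str, audience: str,
              in_response_to: Optional[str], now: int, lifetime: int = 300) -> dict:
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            raise PermissionError("authentication failed")
        assertion = {
            "id": "_" + secrets.token_hex(8),
            "issuer": self.entity_id,
            "subject": username,
            "audience": audience,
            "in_response_to": in_response_to,   # None in an IdP-initiated flow
            "not_before": now,
            "not_on_or_after": now + lifetime,
            "attributes": {"posture": "compliant"},  # e.g. endpoint-inspection result
        }
        assertion["signature"] = sign(assertion, self.key)
        return assertion


class ServiceProvider:
    """SP role: issues AuthnRequest ids, validates assertions, and keeps its
    own session state, independent of the IdP and of any other SP."""

    def __init__(self, entity_id: str, idp_entity_id: str, idp_key: bytes,
                 allow_idp_initiated: bool = False):
        self.entity_id, self.idp_entity_id, self.idp_key = entity_id, idp_entity_id, idp_key
        self.allow_idp_initiated = allow_idp_initiated
        self.pending = set()    # AuthnRequest ids awaiting a response
        self.consumed = set()   # assertion ids already accepted (replay guard)
        self.sessions = {}      # this SP's local sessions

    def authn_request(self) -> str:
        request_id = "_" + secrets.token_hex(8)
        self.pending.add(request_id)
        return request_id

    def consume(self, assertion: dict, now: int) -> str:
        """Validate the assertion and open a local session; raise on any failure."""
        if not hmac.compare_digest(sign(assertion, self.idp_key), assertion.get("signature", "")):
            raise ValueError("bad signature")
        if assertion["issuer"] != self.idp_entity_id:
            raise ValueError("untrusted issuer")
        if assertion["audience"] != self.entity_id:
            raise ValueError("assertion addressed to another SP")
        if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
            raise ValueError("outside validity window")
        if assertion["id"] in self.consumed:
            raise ValueError("assertion replayed")
        irt = assertion["in_response_to"]
        if irt is None:
            if not self.allow_idp_initiated:
                raise ValueError("unsolicited (IdP-initiated) assertion refused")
        elif irt not in self.pending:
            raise ValueError("InResponseTo does not match an outstanding request")
        else:
            self.pending.discard(irt)
        self.consumed.add(assertion["id"])
        self.sessions[assertion["subject"]] = assertion["attributes"]
        return assertion["subject"]


def sp_initiated_login(sp: ServiceProvider, idp: IdentityProvider,
                       username: str, password: str, now: int) -> str:
    """User hits the SP first: SP mints a request id, IdP answers with an assertion."""
    request_id = sp.authn_request()
    assertion = idp.issue(username, password, sp.entity_id, request_id, now)
    return sp.consume(assertion, now + 5)


if __name__ == "__main__":
    idp = IdentityProvider(IDP_ENTITY_ID, SIGNING_KEY, {"alice": "correct horse"})
    sp = ServiceProvider(SP_ENTITY_ID, IDP_ENTITY_ID, SIGNING_KEY)
    print(sp_initiated_login(sp, idp, "alice", "correct horse", now=1_700_000_000))
```

Two design points carry over to the federation described above: each `ServiceProvider` instance keeps its own `pending`, `consumed` and `sessions` state, which is the "independent session per member" property the post describes, and IdP-initiated assertions (no InResponseTo) are refused unless the SP explicitly opts in, since an SP that accepts unsolicited assertions cannot tie them to a request it made.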

Benefits

The benefits of deploying BIG-IP APM as a SAML solution certainly include better password management, fewer help desk calls, and an improved user experience, but BIG-IP APM can also add additional context to requests. For instance, it can include endpoint inspection results as attributes to inform the application of the client's security posture. In addition, IT administrators do not need to retrofit applications (e.g., .NET apps do not need a Kerberos claims plug-in). Another advantage is extensive session variable support, which allows organizations to customize each user session. BIG-IP APM can bring SAML to resources and applications with minimal back-end changes—or none. These benefits all complement the values of BIG-IP APM to the overall traffic management of an organization's IT infrastructure.

IT infrastructure has changed dramatically over the past few years, with many applications moving to cloud-based services. Corporate employees have also morphed into a mobile workforce that requires secure access to that infrastructure any time, from anywhere, and with any device. Bridging the identity gap between physically and logically separated services allows organizations to stay agile in this ever-changing environment and gives users the secure access they need around the clock.

BIG-IP APM version 11.3, in addition to delivering high availability and protecting organizations’ critical assets, provides a SAML 2.0 solution that offers the identity bridge needed to manage access across systems.

ps




Pulse2012 Partner Spotlight - PhoneFactor

Posted in security, f5, big-ip, application security, ssl vpn, silva, video, AAA by psilva on March 7th, 2012

I catch up with Brian Pfeffer, Director of Business Development for PhoneFactor. PhoneFactor's phone-based two-factor authentication solutions integrate with BIG-IP APM and BIG-IP Edge Gateway, and Brian shows how it works along with some of the new PhoneFactor mobile apps.

ps
