F5 newbie - trying to work things out - help :)
Hi
My current PoC (first stages – main bit)
Web site https://demo.XYZ.com
With these test URLs:
• /testsso/unprotected - No protection - just to check the SSO - there is no need for a SSO token and no security requirements needed
• /testsso/validsso - must be signed into the SSO - so no specific group membership just have a valid token
• /testsso/validgroup - must be signed in and be in the right group. Test with nested groups. user → groupA and groupA is member of GroupZ, allow groupZ access.
• /testsso/validip - must be member of group testIP and must also only be allowed from specific ip
• /testsso/mfasms - must be member of groupSMS and must pass the sms MFA
• /testsso/mfatotp - must be member of groupSMS and must pass the TOTP MFA (Google Auth)
• /testsso/mfacertificate - must be member of groupSMS and must pass the cert MFA - can we force the user to have a valid debts client cert?
• /testsso/status - dump current status about sso and session token
• /testsso/logout - be able to log out of the sso - all token must be made invalid
So my test steps are: open a browser and go to
This is without any security
https://demo.XYZ.com this opens a menu page with the above URLs as links
https://demo.XYZ.com/testsso/unprotected - no security
https://demo.XYZ.com/testsso/validsso - have a valid SSO / Auth token … My presumption is that the F5 will redirect to the login page and make the user login
https://demo.XYZ.com/testsso/validgroup - be a member of a valid group … my presumption is that I have a SSO token from above and this will just test membership.
And the rest of the URIs above in order with the specific tests.
So I understand I need a different VS for each of the above.
So I have a main VS with no resource pool.
I use a policy to forward requests based on URI to specific VSs.
These VSs have access profiles associated to them and I have attached them to a specific SSO multi-domain (look at the techdocs link below).
I also have a VS which is the default, which has no access profile.
Looking at this https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/25.html, this seems to be the article to tie the above together.
From my reading with an SSO component and because each of the above are separate VS and separate ASM, I would have to log into each separately.
This section “Configuring an access policy for SSO multi-domain support” talks about solving that.
The problem with this doc is it's for version 11. I found a v15 version - basically the same.
Part of this, I am going to set a new URL https://auth.XYZ.com. I am going to use this as my login / logout hostname for the SSO.
I believe I need to set this up as a new VP and attach my SSO there.
So my testing would be:
https://demo.XYZ.com this opens a menu page with the above URLs as links
https://demo.XYZ.com/testsso/unprotected - no security
https://demo.XYZ.com/testsso/validsso - have a valid SSO / Auth token … F5 will send me to https://auth.XYZ.com to login and once complete sends them back to https://demo.XYZ.com/testsso/validsso
https://demo.XYZ.com/testsso/validgroup - be a member of a valid group … my presumption is that I have a SSO token from above and this will just test membership.
I might need some help with setting up the access profile for the bottom two. If I have an action that says login page, will it know to go to https://auth.XYZ.com?
How will this translate for our debts platform, or any resources protected by F5 in XYZ?
User goes to https://www.XYZ.com
clicks to https://www.XYZ.com/SomeProtectedArea
F5 sends the user to https://auth.XYZ.com where the user logs in if they don’t have a valid SSO
F5 sends the user back to https://www.XYZ.com/SomeProtectedArea
So now my problem in testing:
1) https://demo.XYZ.com this opens a menu page with the above URLs as links
2) https://demo.XYZ.com/testsso/unprotected - no security
3) https://demo.XYZ.com/testsso/validsso - have a valid SSO / Auth token … My presumption is that the F5 will redirect to the login page and make the user login
4) https://auth.XYZ.com/ this works login all good
5) https://demo.XYZ/F5Networks-SSO-Resp?SSO_ORIG_URI=XXXXXXXXX comes back 404
I believe that is because /F5Networks-SSO-Resp is being routed to the default VS that has no access profile, so the F5 doesn't know what to do.
So how do I fix that?
Bigger question ... am I doing this the right way? Is there a better way to do it?
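An added example, not the poster's own configuration, of how the URI-forwarding LTM policy on the main VS could be written in tmsh so that the SSO response path gets an explicit rule instead of falling through to the default VS. The virtual server names and the choice of vs_validsso as the target for /F5Networks-SSO-Resp are assumptions; the example assumes any VS carrying an APM access profile in the same SSO multi-domain group can process that response.

```tmsh
# Added example, not the poster's config. Virtual server names are placeholders.
# Assumption: /F5Networks-SSO-Resp must land on a VS that has an APM access profile
# in the SSO multi-domain group; the default VS (no access profile) returns 404.
ltm policy /Common/testsso_forward {
    controls { forwarding }
    requires { http }
    rules {
        # Evaluated first: the APM SSO response path, before any /testsso/* rule.
        sso-resp {
            actions { 0 { forward select virtual /Common/vs_validsso } }
            conditions { 0 { http-uri path starts-with values { /F5Networks-SSO-Resp } } }
            ordinal 1
        }
        # Per-test paths, each forwarded to the VS that carries its access profile.
        validsso {
            actions { 0 { forward select virtual /Common/vs_validsso } }
            conditions { 0 { http-uri path starts-with values { /testsso/validsso } } }
            ordinal 2
        }
        validgroup {
            actions { 0 { forward select virtual /Common/vs_validgroup } }
            conditions { 0 { http-uri path starts-with values { /testsso/validgroup } } }
            ordinal 3
        }
        # /testsso/unprotected has no rule on purpose: it stays on the VS with no access profile.
    }
    strategy /Common/first-match
}
```

The policy is attached to the main VS under its `policies` list; with first-match strategy the ordinal values decide which rule wins when paths overlap.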