Lab 1.6: Configure the Access Profile

Lab flow: IDP → SP Connector → Bind Connectors → SAML Resource → Webtop → Access Profile (this lab) → VS → Test

The Access Profile defines how the BIG-IP platform authenticates and authorizes a user. It controls things like what type of logon page is presented to the user (if any at all), what language dialog messages are presented in, and – most importantly – the policy flow through which we limit access and assign resources.

F5 BIG-IP Access Policy Manager supports two types of Access Policies:

  1. Per-Session access policies
  2. Per-Request access policies

The difference is how often the policy is evaluated: a per-session policy runs once, when the session is established at initial logon, while a per-request policy runs on every HTTP request within that session. This lab builds a per-session policy.

Task 1 - Create the Access Profile Object

  1. Navigate to Access ‣ Profiles/Policies ‣ Access Profiles (Per-Session Policies)

  2. Click the + sign


  3. Configure the following settings:

    Property      Value
    Name          idp.f5demo.com-policy
    Profile Type  All
    Languages     English (en)


  4. Click the Finished button.

Task 2 - Configure the Access Policy Using the Visual Policy Editor

The Visual Policy Editor (VPE) is where the administrator configures the heart of the Access Policy. Using a flow chart methodology, it is easy to create robust policies without adding burdensome management overhead. Even significant policies can be easily read and understood.

  1. Open the Visual Policy Editor
    1. Navigate to Access ‣ Profiles/Policies ‣ Access Profiles (Per-Session Policies)

    2. Click the Edit… link and the VPE will open in a new window

    We’ll build a policy with this flow: Start → Logon Page → LocalDB Auth → (Successful) Advanced Resource Assign → Allow. Every fallback branch ends in Deny.

  2. Add a Logon Page
    1. Click on the + link after the Start node
    2. Select the Logon Page tab and click the Add Item button
    3. Use the default settings and click the Save button
  3. Add an Authentication Mechanism
    1. Click on the + link after the Logon Page node
    2. Select the Authentication tab, select LocalDB Auth, then click the Add Item button
    3. Configure the following settings:
    Property          Value
    LocalDB Instance  /Common/agility


    Note

    The administrator can select from a variety of Authentication Mechanisms, including Active Directory and LDAP, among others. In this lab, the LocalDB Auth has been pre-configured.

    4. Click the Save button.
  4. Add Advanced Resource Assign
    1. Click on the + link on the Successful branch after the LocalDB Auth node
    2. Select the Assignment tab, select Advanced Resource Assign, then click the Add Item button
    3. Click the Add New Entry button
    4. Click the Add/Delete link
    5. Select the Webtop tab and select the /Common/saml_webtop
    6. Select the SAML tab and select the /Common/app.f5demo.com
    7. Click the Update button, then click the Save button


  5. Change the ending to Allow
    1. Click on the Deny ending after the Advanced Resource Assign node (this is the ending on the Successful path; leave the Deny endings on the fallback branches, including the LocalDB Auth fallback, unchanged)
    2. Select Allow
    3. Click Save
  6. Apply Policy Changes
    1. Click the Apply Access Policy link in the top left, next to the F5 logo. Edits made in the VPE are not in effect until the policy is applied; the previously applied version keeps running until then.
    2. Close the browser tab. The profile is not enforced for any traffic until it is attached to a virtual server, which is the next step in the lab flow.
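Step 5 changes one of several Deny endings in the VPE, and clicking the wrong one (the LocalDB Auth fallback instead of the Advanced Resource Assign ending) would let a failed authentication reach Allow. The following is an added example, not code from the lab or from F5, that walks a policy graph and reports any Allow ending reachable without a successful authentication branch. The dictionary shape is an assumption constructed by hand and only loosely modelled on what tmsh exposes for policy items; the agent type names (`aaa-localdb`, `logon-page`, `resource-assign`, `ending-allow`, `ending-deny`) follow tmsh agent module names and the branch expression uses the LocalDB session variable, but treat both as assumptions rather than verified output.

```python
"""Added example: find Allow endings reachable without passing a successful
AAA branch in a per-session access policy graph.

Policy items are modelled as a dict keyed by item name. This shape is an
assumption (constructed by hand, not verified iControl REST/tmsh output).
"""
import copy
from typing import Dict, List

# Constructed model of the policy built in Task 2 (mirrors the VPE flow).
LAB_POLICY: Dict[str, dict] = {
    "Start": {
        "itemType": "entry", "agents": [],
        "rules": [{"expression": None, "nextItem": "Logon Page"}],
    },
    "Logon Page": {
        "itemType": "action", "agents": ["logon-page"],
        "rules": [{"expression": None, "nextItem": "LocalDB Auth"}],
    },
    "LocalDB Auth": {
        "itemType": "action", "agents": ["aaa-localdb"],
        "rules": [
            # "Successful" branch in the VPE: conditioned on the agent result.
            {"expression": "expr {[mcget {session.localdb.last.result}] == 1}",
             "nextItem": "Advanced Resource Assign"},
            # Fallback branch (expression None): authentication did not succeed.
            {"expression": None, "nextItem": "Deny"},
        ],
    },
    "Advanced Resource Assign": {
        "itemType": "action", "agents": ["resource-assign"],
        "rules": [{"expression": None, "nextItem": "Allow"}],
    },
    "Allow": {"itemType": "ending", "agents": ["ending-allow"], "rules": []},
    "Deny": {"itemType": "ending", "agents": ["ending-deny"], "rules": []},
}


def is_auth_agent(agent_type: str) -> bool:
    """AAA agents (LocalDB, AD, LDAP, RADIUS, ...) share the 'aaa-' prefix in tmsh (assumption)."""
    return agent_type.startswith("aaa-")


def unauthenticated_allow_paths(policy: Dict[str, dict], start: str = "Start") -> List[List[str]]:
    """Depth-first walk from `start`; return every path to an ending-allow item
    that never leaves an AAA item on a conditioned (non-fallback) branch.

    The fallback branch out of an AAA item is the failure path, so a path that
    exits LocalDB Auth through it is treated as unauthenticated even though the
    agent itself was on the path."""
    found: List[List[str]] = []

    def walk(name: str, path: List[str], authenticated: bool) -> None:
        item = policy[name]
        path = path + [name]
        if item["itemType"] == "ending":
            if "ending-allow" in item["agents"] and not authenticated:
                found.append(path)
            return
        has_aaa = any(is_auth_agent(a) for a in item["agents"])
        for rule in item["rules"]:
            nxt = rule["nextItem"]
            if nxt in path:  # guard against loops in the graph
                continue
            # Only a conditioned branch out of an AAA item counts as a checked result.
            auth_here = has_aaa and rule["expression"] is not None
            walk(nxt, path, authenticated or auth_here)

    walk(start, [], False)
    return found


def with_fallback_allowed(policy: Dict[str, dict], item_name: str = "LocalDB Auth") -> Dict[str, dict]:
    """Copy of `policy` with the fallback branch of `item_name` pointed at Allow,
    i.e. the mistake of clicking the wrong Deny ending in step 5."""
    broken = copy.deepcopy(policy)
    for rule in broken[item_name]["rules"]:
        if rule["expression"] is None:
            rule["nextItem"] = "Allow"
    return broken


if __name__ == "__main__":
    print("lab policy:", unauthenticated_allow_paths(LAB_POLICY))
    print("wrong ending changed:", unauthenticated_allow_paths(with_fallback_allowed(LAB_POLICY)))
```

The lab's policy yields no findings, while the variant with the LocalDB Auth fallback redirected to Allow reports the path Start → Logon Page → LocalDB Auth → Allow. The same walk applies to larger policies with Active Directory or LDAP agents, since any `aaa-` agent is treated the same way.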