Ads 468x60px

14 October 2019

F5 BIG-IP APM - SAML



There are lots of companies which use software in the cloud. I mean, there are companies which use Software as a Service (SaaS) in the cloud instead of installing the software on site. This is a great advantage because it is usually cheaper and, what’s more, companies don’t have to be worried about upgrades and maintenance tasks. However, when companies have lots of users which have to access to this software, companies want to manage the user database to allow or deny users to the SaaS application.

OAuth, SAML and OpenID are some standards ready for the decentralized authentication. Therefore, thanks to these standards, companies can use SaaS applications while the user database is on site. For instance, this can be accomplished with SAML or the Security Assertion Markup Language where there are an Identity Provider (IdP) and many Service Providers (SP) as SaaS applications. The IdP could be configured in a pair of F5 BIG-IP APM while the SP would be Google Apps, AWS, Office 365, etc.

Fortinet SAML service

When we use a decentralized authentication as SAML with F5 APM, there are four steps. Firstly, user logs on to the IdP and is directed to a web portal. Secondly, user selects a SaaS application from the web portal. Thirdly, F5 APM may retrieve attributes from the user database to pass on with the SaaS service provider. Finally, APM directs the requests to the SaaS service with the SAML assertion and optional attributes via the user browser. However, there are another similar configuration with five steps, where the user access the the SaaS service in the first place. It’s up to you which one suit with your infrastructure.

Configuration example
 
There are SaaS services which may require attributes such as account ID, Role or whatever and these attributes have to be sent to the application from the IdP through the user web browser. For instance, AWS SAML assertions use two SAML attributes. The first is used to identify the Username that is associate with the session, and the second identifies the AWS Security Role that should be assigned to the session.

AWS SAML Attributes
 
F5 APM can be configured as an IdP as well as SP. Once you know the concepts, the SAML configuration is easy to deploy in F5 APM thanks to iApps and the Visual Policy Editor (VPE) where the IT engineer is going to answer many questions in the wizard and is going to modify the boxes in the VPE to fit the configuration to the infrastructure. The VPE is an useful tool which help us to add and delete boxes such as a webtop with many SaaS applications.

Visual Policy Editor
 
If you would like to test a configured federated domain with your F5 APM against AWS, you can do it with this Assertion Consumer service URL (https://signin.aws.amazon.com/saml). Once you type the Active Directory credentials, the BIG-IP system should issue SAML Assertion to the SaaS application. Nevertheless, if you have any issue, you can use the Firefox SAML Tracer Plugin, HTTP Watch or Fiddler to trace them.

Regards my friends. Keep learning! Keep studying!

7 October 2019

National Cybersecurity Strategy of Spain



Six years ago I wondered if Spain were sold because most security appliances installed in the public and private sector were made outside of Spain. Most of these technologies are even made outside of the European Union. Therefore, I thought Spain were sold in the cyber war because firewalls, SIEMs, antivirus, etc were out of control. Consequently, I’ve read many security strategies since then, such as the Security Directives for the European Union, DoD Cyber Strategy of the U.S. of America, the National Cyber Strategy of the U.S. of America or the Revue Stratégique Cyberdéfense de France, because I wanted to know how countries mitigate the risk of working without own IT technology.

This weekend I’ve read the National Cybersecurity Strategy of Spain where there are five goals and seven lines of action. For instance, the first goal is the security and resilience of the information and communications for the public sector and essential services. I think this is a very important goal due to the fact that essential services such as water and energy should be protected against cyber attacks.

The second goal highlights the cybercrime where the government of Spain are going to investigate illicit and malicious acts to encourage citizen trust in the cyberspace. This goal wants we trust in the cyberspace which is shared with malicious people. Therefore, we’ll use this space as long as we trust in the cyberspace. Cooperation, collaboration and participation will help to fight against cybercrime.

The third goal about protecting the business and social ecosystem and citizens is my favourite because it encourages companies to “develop cybersecurity products, services and systems specially those that uphold national interest needs to strengthen digital autonomy”. I really love this sentence because they have realised Spain needs to develop products, services and systems to protect them self.

A better cybersecurity culture and technological skills for people are in the fourth goal. This is also an important goal because people have to know there are risks in the cyberspace. Risks such as blackmail, theft, deception, etc are also in the cyberspace. In addition, this goal takes into account the improvement of technological skills which will also be useful to develop new cybersecurity activities.

The last and fifth goal is about the international cyberspace security where Spain gets collaboration and also shares information about best security practices and cybercrime. We can read in this goal lots of forum where Spain participates such as the Internet Governance Forum (IGF), the Organisation for Security and Cooperation in Europe (OSCE) and many more forums. This is also the goal where we can read the support to the European Union.

Regards my friends, drop me a line with the first thing you are thinking!!!
Related Posts Plugin for WordPress, Blogger...

Entradas populares