BIG-IP Access Policy Manager (APM) License
Simple, Secure, and Seamless Access to Any Application, Anywhere
Applications are gateways to your critical and sensitive data. Simple, secure access to your applications is paramount, but application access today is extremely complex. Apps can be hosted anywhere: in the public cloud, in a private cloud, on-premises, or in a data center. Ensuring that users have secure, authenticated access anytime, anywhere, to only the applications they are authorized to use is now a significant challenge. Different application access methods exist to deal with these complexities. There are various sources of authorized user identity; applications that require modern or traditional authentication and authorization methods, single sign-on (SSO), federation, and more; and the user access experience to support and consider.

With digital transformation touching every part of an enterprise today, native cloud and Software as a Service (SaaS) applications are now the enterprise application standard. Many organizations, though, find that they are unable or unwilling to migrate all of their applications to the cloud. There may be mission-critical classic or custom applications that should not or cannot be migrated to the public cloud, or cannot easily be replaced by a SaaS application. Applications are being hosted in a variety of locations, with differing and often disparate authentication and authorization methods that are unable to communicate with each other, cannot work seamlessly across existing SSO or federated identity, are unable to support the newest identity offerings such as Identity as a Service (IDaaS), and are not equipped to support multi-factor authentication (MFA).

F5® BIG-IP® Access Policy Manager® (APM) is a secure, flexible, high-performance access management proxy solution that manages global access to your network, the cloud, applications, and application programming interfaces (APIs).
Through a single management interface, BIG-IP APM consolidates remote, mobile, network, virtual, and web access. With BIG-IP APM, you can create, enforce, and centralize simple, dynamic, intelligent application access policies for all of your apps, regardless of where or how they are hosted.
BRIDGING SECURE APPLICATION ACCESS
Modern authentication and authorization protocols, including Security Assertion Markup Language (SAML) and OAuth with OpenID Connect (OIDC), reduce user dependency on passwords, increase security, and improve user experience and productivity. However, not all applications support modern authentication and authorization protocols. Many applications, such as classic or custom-built applications, support only classic authentication and authorization methods such as Kerberos, NT LAN Manager (NTLM), RADIUS, header-based authentication, and more. This further complicates application access and security. The need to support different, disparate protocols that cannot share user authentication and authorization information inhibits the use of SSO and MFA. That in turn negatively impacts user experience and application security. It also makes it difficult to adopt a modern corporate password policy of periodic password changes, and increases organizational costs as multiple access methods become necessary.

BIG-IP APM serves as a bridge between modern and classic authentication and authorization protocols and methods. For applications that cannot support modern authentication and authorization protocols such as SAML and OAuth with OIDC, but that do support classic authentication methods, BIG-IP APM converts user credentials to the authentication standard supported by the application. BIG-IP APM ensures that users and organizations can use SSO to access any application anywhere, regardless of its location (on-premises, in a data center, in a private cloud, or in the public cloud as a native cloud or SaaS application) and regardless of whether it supports modern or classic authentication and authorization. This helps decrease the number of passwords users have to create, remember, and use, helping to stem the tide of credential-based attacks. It enables compliance with modern corporate policies of periodic password changes to combat stolen credentials.
It also decreases the cost to organizations of purchasing and maintaining separate access solutions for applications hosted on-premises, in a data center, and in a private cloud versus native cloud and SaaS apps. BIG-IP APM supports identity federation and SSO options by supporting connections initiated by both SAML identity providers (IdPs) and service providers (SPs) using SAML 2.0. It empowers administrators to centrally enable and disable authorized user access to any identity-enabled application, regardless of where it is hosted, saving time and boosting administrative productivity. Support for the OAuth 2.0 open standard for authorization enables BIG-IP APM to serve as an OAuth client and as an authorization delegate for SaaS applications, and to enhance protection and authorization for web service APIs.
SUPPORT FOR IDaaS
With support for SSO and Kerberos ticketing across multiple domains, BIG-IP APM enables additional types of authentication, such as U.S. Federal Government Common Access Cards (CAC) and the use of IDaaS (such as Microsoft Azure Active Directory, Okta, and others), to access all applications regardless of location or support for modern authentication and authorization. For instance, users can be automatically signed on to back-end applications and services that are part of a Kerberos realm. This provides a seamless authentication flow once a user has been authenticated through a supported user-authentication mechanism. BIG-IP APM also supports smart cards with credential providers, so users can connect their devices to the network before signing in.
SUPPORT FOR MFA
Through F5’s extensive partner ecosystem, BIG-IP APM also integrates with most leading MFA solutions, including those from Cisco Duo, Okta, Microsoft Azure Active Directory, and others. By integrating with your existing MFA solution, BIG-IP APM enables adaptive authentication, allowing various forms of single-, two-, or multi-factor authentication to be employed based on user identity, context, and application access. In addition, to help you deploy MFA, BIG-IP APM includes one-time password (OTP) authentication via email or SMS.

After the user has logged into an application, an additional means of authentication may be required to ensure secure access to mission-critical or particularly sensitive applications and files. This is commonly referred to as step-up authentication. BIG-IP APM supports step-up authentication for single- and multi-factor authentication. Any session variable may be used to trigger step-up authentication, and you can use additional authentication capabilities or select from partner offerings. In addition, any session variable may be part of access policy branching (such as URL branching) in a per-request policy. Step-up authentication policies may be based on applications, secure portions of applications, sensitive web URIs, session extension, or any session variable.

Many authentication solutions use application coding, separate web server agents, or specialized proxies that present significant management, cost, and scalability issues. With AAA control, BIG-IP APM enables you to apply customized access policies across many applications and gain centralized visibility of your authorization environment. You can consolidate your AAA infrastructure, eliminate redundant tiers, and simplify management to reduce capital and operating expenses.
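The per-request policy flow described above (session-variable checks, URI branching into a step-up sub-policy, and credential bridging to a header-based classic backend) can be sketched in plain Python. This is an added illustration, not BIG-IP APM's own policy language or API; the session variable names, URI prefixes, and `X-Remote-*` header names are assumptions.

```python
import re

# Constructed policy: URI prefixes that require two completed authentication
# factors before the request is forwarded (hypothetical paths, not from the page).
SENSITIVE_URIS = (r"^/payroll/", r"^/admin/")

def required_factors(uri):
    """URI branching: sensitive portions of the app demand a second factor."""
    return 2 if any(re.match(p, uri) for p in SENSITIVE_URIS) else 1

def evaluate_request(session, uri):
    """Per-request policy evaluated over session variables.

    Returns ("deny", reason), ("step_up", factors_needed) or ("allow", headers).
    Session keys and header names are assumptions for this illustration.
    """
    user = session.get("username")
    if not user:
        return ("deny", "no authenticated user in session")
    if "app-users" not in session.get("groups", ()):
        return ("deny", "user not authorized for this application")
    needed = required_factors(uri)
    if session.get("factors_completed", 0) < needed:
        # Branch to the step-up sub-policy (OTP via email/SMS, partner MFA, ...)
        return ("step_up", needed)
    # Bridging: the user authenticated upstream with a modern protocol (SAML/OIDC);
    # the classic backend only understands header-based identity, so inject it here.
    return ("allow", {"X-Remote-User": user,
                      "X-Remote-Groups": ",".join(session["groups"])})

def complete_step_up(session, otp_verified):
    """Record a successfully verified second factor in the session."""
    if otp_verified:
        session["factors_completed"] = max(session.get("factors_completed", 0), 2)
    return session

# Constructed session as it would look after a SAML/OIDC logon with one factor.
SESSION = {"username": "alice", "groups": ["app-users"], "factors_completed": 1}

if __name__ == "__main__":
    print(evaluate_request(SESSION, "/home"))          # allowed, headers injected
    print(evaluate_request(SESSION, "/payroll/view"))  # step-up required
    complete_step_up(SESSION, otp_verified=True)
    print(evaluate_request(SESSION, "/payroll/view"))  # now allowed
```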
- Simplify access to all apps
Bridge secure access to on-premises and cloud apps with a single login via SSO. It even works for applications unable to support modern authentication such as Security Assertion Markup Language (SAML), or OAuth and OpenID Connect (OIDC).
- Zero Trust application access
Identity Aware Proxy (IAP) delivers a Zero Trust model validation for application access based on identity-awareness and granular context, securing every app access request without the need of a VPN.
- Secure web access
Control access to web-based applications and web content centralizing authentication, authorization, and endpoint inspection via web app proxy.
- Centralize and manage access control
Consolidate management of remote, mobile, network, virtual, and web access in a single control interface with adaptive identity federation, SSO, and MFA via dynamically enforced, context-based and identity-aware policies.
- Streamlined authentication and authorization
Adaptive identity federation, SSO, and MFA employing SAML, OAuth, and OIDC for a seamless and secure user experience across all apps.
- Defend your weakest links
Protect against data loss, malware, and rogue device access with comprehensive, continuous endpoint integrity and security checks.
- Protect APIs
Enable secure authentication for REST and SOAP APIs and integrate OpenAPI or “swagger” files to ensure appropriate authentication actions while saving time and cost.
- Do it all at scale
Support all users easily, quickly, and cost-effectively with no performance trade-offs for security, even in the most demanding environments.
F5 BIG-IP Platforms
Please refer to the BIG-IP System Hardware, VIPRION, and Virtual Edition data sheets for more details. For information about specific module support for each platform, see the latest release notes on AskF5. For the full list of supported hypervisors, refer to the VE Supported Hypervisors Matrix. F5 platforms can be managed via a single pane of glass with BIG-IQ Centralized Management.