NSX Advanced Load Balancer administrators can use the PingAccess Agent from Ping Identity to control client access to a virtual service.

Interaction Between NSX Advanced Load Balancer and the PingAccess Agent



In the above image, the numbered arrows correspond to the following numbered steps. This scenario assumes that the client has not yet authenticated, i.e., it has no cookie indicating that it previously logged in to PingFederate.

  1. The client accesses the virtual service running on the SE. For this particular VS, the SE has been configured to check with the PingFederate Agent for both authentication and authorization purposes. If the Agent determines that the client has already been authenticated, it continues with step 5.

  2. Assume the PingAccess Agent has no cached record of having authenticated this client. It directs the NSX Advanced Load Balancer to temporarily park the request. The following happens next:

    1. The PingAccess agent asks the PingAccess server for instructions.

    2. The PingAccess server checks its URL policy and determines that access has been requested to one of its protected resources. It responds to the PingAccess agent with a code that the SE passes back to the client, without interpreting it. The client interprets the code as a redirect for the purpose of establishing a session with PingFederate.

  3. Upon receipt of that code, the client sends a request to PingFederate. If PingFederate determines that the client should be validated, it creates the session.

  4. The client is then redirected back to the resource, i.e., back to the NSX Advanced Load Balancer SE. The request now includes a cookie identifying it as a legitimate user. The PingAccess Agent caches the authentication information of the client.

  5. The PingAccess Agent recognizes that the client has been authenticated.

    1. While the NSX Advanced Load Balancer has parked the request, the PingAccess Agent asks the PingAccess Server for authorization instructions.

    2. PingAccess Server checks its URL policy and determines that it is a protected resource. It checks the session token, determines that it is valid, and replies back to the Agent that the client is authorized to access the resource.

  6. Not applicable to NSX Advanced Load Balancer, but if session revocation is enabled, the PingAccess Server checks and updates the central session revocation list maintained by PingFederate. If the session is valid, the Agent is instructed to re-establish identity HTTP headers.

  7. The SE passes the authenticated and authorized request through to a selected back-end server.

Note:

All request logs for a virtual service configured with PingAccessAgent contain evidence of the PingAccess subrequests through which the PingAccess agent obtains the information needed. The log entries include a “PaaLog” string for easy identification.

Configuring a Virtual Service to Use the PingAccess Agent

  1. Navigate to Templates > Security > PingAccess Agent and click Create.

  2. In the New PingAccess Agent window, enter a Name for the agent.

  3. In the Import or Paste PingAccess Agent Properties field, provide the PingAccess agent properties in one of the following two ways:

    1. Click Import File and upload the agent.properties file.

    2. Paste the content of the PingAccess Agent properties file into the text area.

  4. Click Save.

About the .properties file: The PingAccess administrator can use the PingAccess UI to download a properties file from the PingAccess Server to a workstation file system. This properties file contains the shared secrets needed by the SE PingAccess Agent. Its file name has the form <agent_name>_agent.properties. By placing the file in the current directory, the administrator can refer to it through a path name consisting solely of the file name, e.g., AviAgent_agent.properties.

Note:

It is not possible to modify the properties of the PingAccess Agent once it is installed. Instead, delete the previous Agent and upload a new one.

  5. Navigate to Templates > Security > Auth Profile and click Create.

  6. In the New Auth Profile window, give the new profile a name. Select Type PING. Select the agent created in Step 2 from the PingAccess Agent drop-down menu. Click Save.

  7. Use the following CLI to define the SSO policy that will be needed in Step 8.

[admin:ctrlr-1]: > configure ssopolicy ExampleSSO
[admin:ctrlr-1]: ssopolicy> authentication_policy default_auth_profile ExampleAuthProfile
[admin:ctrlr-1]: ssopolicy:authentication_policy> save
[admin:ctrlr-1]: ssopolicy> save

  8. Navigate to Applications > Virtual Services and open the editor for the virtual service whose access PingFederate will oversee. Associate the SSO policy just defined with the virtual service.

Note:
  • If you specify more than one TLS version string, separate them with a comma, as shown below.

    agent.ssl.protocols=TLSv1.1, TLSv1.2
  • TLSv1.3 is currently not supported for PingAccessAgent.
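Because the agent properties cannot be edited after upload, it pays to check the file first. The following is an added example (not part of the NSX Advanced Load Balancer or PingAccess documentation) that parses a downloaded properties file and flags the points raised above: the <agent_name>_agent.properties naming, comma separation in agent.ssl.protocols, TLSv1.3 being unsupported, and a shared secret left as a placeholder. Only agent.ssl.protocols is taken from the page; the other property names, including the shared-secret key, are assumed, and the sample content is constructed.

```python
import re
from pathlib import PurePath

# Constructed sample of a PingAccess agent properties file. Only agent.ssl.protocols
# comes from the page; the other keys are assumed names with placeholder values.
SAMPLE_PROPERTIES = """\
# AviAgent_agent.properties (constructed sample)
agent.engine.configuration.host=pingaccess.example.internal
agent.engine.configuration.port=3030
agent.engine.configuration.username=AviAgent
agent.engine.configuration.shared.secret=REPLACE_WITH_SHARED_SECRET
agent.ssl.protocols=TLSv1.1, TLSv1.2
"""
SECRET_KEY = "agent.engine.configuration.shared.secret"  # assumed key name
UNSUPPORTED_TLS = {"TLSv1.3"}          # not supported for PingAccessAgent
DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_agent_file(file_name, text):
    """Return findings to fix before uploading; an empty list means it looks ready."""
    findings = []
    name = PurePath(file_name).name
    if not re.fullmatch(r".+_agent\.properties", name):
        findings.append(f"{name}: name should have the form <agent_name>_agent.properties")
    props = parse_properties(text)
    if "agent.ssl.protocols" in props:
        raw = props["agent.ssl.protocols"]
        protos = [p for p in re.split(r"[,\s]+", raw) if p]
        if len(protos) > 1 and raw.count(",") < len(protos) - 1:
            findings.append("agent.ssl.protocols: separate versions with a comma")
        for p in protos:
            if p in UNSUPPORTED_TLS:
                findings.append(f"agent.ssl.protocols: {p} is not supported")
            elif p in DEPRECATED_TLS:
                findings.append(f"agent.ssl.protocols: {p} is deprecated; use TLSv1.2")
    secret = props.get(SECRET_KEY, "")
    if not secret or secret.startswith("REPLACE"):
        findings.append(f"{SECRET_KEY}: missing or still a placeholder")
    return findings
```

Run check_agent_file("AviAgent_agent.properties", SAMPLE_PROPERTIES) on the constructed sample to see the deprecated-TLSv1.1 and placeholder-secret findings; an empty list means no issue was found.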