f5devcentral/privileged-user-access

Privileged User

Overview

Privileged User Access (PUA) is essentially federation without SAML, and without requiring applications to support some exotic authentication method. It extends zero-trust principles to legacy applications as well as modern, web-based ones.

This solution is based on the ability of F5 Access Policy Manager (APM) to act as a credential proxy, combined with its capability to automatically generate ephemeral credentials. In a nutshell, users are authenticated against a corporate credential store (domain controller, LDAP), and APM then generates ephemeral credentials that can be used to log in to the protected system.

Getting Started

Prerequisites

docker (or compatible) - Installation Instructions

Step 1: Installation

There are a few options to download the application:

  1. Download the docker-compose.yml and env.sample files
     # Download via shell. Use the raw.githubusercontent.com URLs: the
     # github.com/.../blob/main/... URLs return the HTML page, not the file.
     wget https://raw.githubusercontent.com/f5devcentral/privileged-user-access/main/docker-compose.yml
     wget https://raw.githubusercontent.com/f5devcentral/privileged-user-access/main/env.sample
     # Edit the following file with device secrets as required (see "Configure .env" below)
     cp env.sample .env

  2. Clone the repo
     # Clone the repo
     git clone https://github.com/f5devcentral/privileged-user-access.git
     cd privileged-user-access
     # Edit the following file with device secrets as required (see "Configure .env" below)
     cp env.sample .env

  3. Download the latest source tarball from the release section.
     # Download and unpack the release tarball (v2.1.4 shown)
     wget https://github.com/f5devcentral/privileged-user-access/releases/download/v2.1.4/source.tar.gz
     tar -zxf source.tar.gz
     cd source
     # Edit the following file with device secrets as required (see "Configure .env" below)
     cp env.sample .env

Whichever option you choose, once .env is configured (Step 2) start the tool:
     # Start the tool
     docker-compose up

Step 2: Configuring .env

Setting Device Authentication/secrets

The PUA tool's default configuration relies on environment variables that contain device access credentials. There are a number of ways to manage and inject secrets into a container environment (modifications to the docker-compose file to support your preferred secret-management process are encouraged), but for simplicity, the .env file in the project root directory is mounted into the container.

When declaring a device secret, you must create a key/value pair in the .env file for which:

  1. the key has the form "BIGIP_A_B_C_D", where "A_B_C_D" is one of the following with each "." replaced by "_":
     a. Device IP
     b. Device hostname

  2. the value is one of:
     a. username:password - the username and password separated by ":"
     b. iControl REST (iCR) token - the alphanumeric token string generated by the BigIP

Note: when using an iCR token, be aware of the token timeout.

Please reference the following examples:

# Example 1: For BigIP with IP[10.10.10.1], username[userfoo] & password[bar123]
BIGIP_10_10_10_1=userfoo:bar123

# Example 2: For BigIP with IP[20.20.20.1] and iCR token [UE6X6OYOX343434343XGY2MYCKR]
BIGIP_20_20_20_1=UE6X6OYOX343434343XGY2MYCKR

# Example 3: For BigIP with hostname[bigip.acme.com], username[userfoo] & password[bar123]
BIGIP_bigip_acme_com=userfoo:bar123

The variable name (the part to the left of the equals sign) must contain the IP address or hostname of the BigIP with every "." replaced by "_".
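As an added illustration (not the project's own code), a small Python parser that applies the rules above to a constructed .env: it restores the dots in the key, tells the username:password form from a token by the presence of ":", skips the BIGIP_VERIFY_CERT setting, rejects an empty username or password, and renders a log-safe form that never exposes the secret. The names parse_env, redact and DeviceCredential and the sample devices are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
# Constructed sample .env contents (hypothetical devices, not the project's own).
SAMPLE_ENV = """
BIGIP_10_10_10_1=userfoo:bar123
BIGIP_20_20_20_1=UE6X6OYOX343434343XGY2MYCKR
BIGIP_bigip_acme_com=userfoo:bar123
BIGIP_VERIFY_CERT=true
"""

KEY_RE = re.compile(r"^BIGIP_([A-Za-z0-9_-]+)$")
SETTINGS = {"VERIFY_CERT"}  # BIGIP_* keys that are settings, not devices

@dataclass
class DeviceCredential:
    address: str              # IP or hostname, dots restored
    username: Optional[str]   # None when an iCR token is used
    secret: str               # password or token; never write this to a log

def parse_env(text: str) -> Dict[str, DeviceCredential]:
    """Map every BIGIP_<address> line to a DeviceCredential keyed by address."""
    devices: Dict[str, DeviceCredential] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        m = KEY_RE.match(key)
        if not m or m.group(1) in SETTINGS:
            continue
        # .env keys cannot carry dots: "10_10_10_1" -> "10.10.10.1",
        # "bigip_acme_com" -> "bigip.acme.com" (hostnames never contain "_").
        address = m.group(1).replace("_", ".")
        if ":" in value:
            # username:password; split once so a ":" inside the password survives
            user, secret = value.split(":", 1)
            if not user or not secret:
                raise ValueError(f"{key}: username and password must both be set")
            devices[address] = DeviceCredential(address, user, secret)
        elif value:
            devices[address] = DeviceCredential(address, None, value)  # iCR token
        else:
            raise ValueError(f"{key}: empty credential")
    return devices

def redact(cred: DeviceCredential) -> str:
    """Log-safe rendering: identity only, secret masked."""
    who = cred.username if cred.username else "<iCR token>"
    return f"{cred.address} ({who}:****)"
```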

Account Permissions

Since the tool will configure the BigIP, read-write access is required.

Secure communications

PUA expects a valid TLS certificate bundle. The configuration parameter BIGIP_VERIFY_CERT defaults to true. Installers who want to opt in to an insecure TLS mode must set BIGIP_VERIFY_CERT: false and understand that the certificate presented by the BIG-IP is then not verified, so the connection between the PUA Applicator and the BIG-IP is no longer authenticated.

Configure CA File

If the device presents a certificate signed by an internal CA, you can mount and use your own CA file: copy the CA certificate into the directory specified by PUA_USER_CERTS.

Step 3: PUA Applicator tool

Once the above configurations have been made, the tool can be started with:

docker compose up

Step 4: Configure your deployment

The Applicator UI can be accessed at http://<hostname>:8080/ui.

Instructions on how to configure PUA can be found in Configuring PUA

Support

For support, please open a GitHub issue. Note that the code in this repository is community supported and is not supported by F5 Networks. For a complete list of supported projects please reference SUPPORT.md.

Community Code of Conduct

Please refer to the F5 DevCentral Community Code of Conduct.

License

Apache License 2.0

Copyright

Copyright 2014-2024 F5 Networks Inc.

F5 Networks Contributor License Agreement

Before you start contributing to any project sponsored by F5 Networks, Inc. (F5) on GitHub, you will need to sign a Contributor License Agreement (CLA).

If you are signing as an individual, we recommend that you talk to your employer (if applicable) before signing the CLA since some employment agreements may have restrictions on your contributions to other projects. Otherwise by submitting a CLA you represent that you are legally entitled to grant the licenses recited therein.

If your employer has rights to intellectual property that you create, such as your contributions, you represent that you have received permission to make contributions on behalf of that employer, that your employer has waived such rights for your contributions, or that your employer has executed a separate CLA with F5.

If you are signing on behalf of a company, you represent that you are legally entitled to grant the license recited therein. You represent further that each employee of the entity that submits contributions is authorized to submit such contributions on behalf of the entity pursuant to the CLA.