The BIG-IP APM module must conform to FICAM-issued profiles.

From F5 BIG-IP Access Policy Manager 11.x Security Technical Implementation Guide

Associated with: CCI-002014

SV-74491r1_rule The BIG-IP APM module must conform to FICAM-issued profiles.

Vulnerability discussion

Without conforming to Federal Identity, Credential, and Access Management (FICAM)-issued profiles, the information system may not be interoperable with FICAM-authentication protocols, such as SAML 2.0 and OpenID 2.0.Use of FICAM-issued profiles addresses open identity management standards.This requirement only applies to components where this is specific to the function of the device or has the concept of a non-organizational user, (e.g., ALG capability that is the front end for an application in a DMZ).

Check content

If the BIG-IP APM module does not provide user authentication intermediary services to non-organizational users, this is not applicable. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used to identify and authenticate non-organizational users. Verify the Access Profile is configured to conform to FICAM-issued profiles. If the BIG-IP APM module is not configured to conform to FICAM-issued profiles, this is a finding.

Fix text

If the BIG-IP APM module provides user authentication intermediary services to non-organizational users, configure a profile in the BIG-IP APM module that conforms to FICAM-issued profiles.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.