Azure Active Directory and BIG-IP APM Integration
Introduction
Security is one of the primary considerations for organizations in determining whether or not to migrate applications to the public cloud. The problem for organizations with applications in the cloud, in a data center, managed, or as a service, is to create a cost-effective hybrid architecture that produces secure application access and a great experience that allows users to access apps easily, have consistent user experiences, and enjoy easy access with single-sign-on (SSO) tied to a central identity and authentication strategy.
Some applications are not favorable to modernization. There are applications that are not suited for, or incapable of, cloud migration. Many on-premises apps do not support modern authentication and authorization, including standards and protocols such as SAML, OAuth, or OpenID Connect (OIDC). An organization may not have the staff talent or time to perform application modernization for their on-premises apps.
With thousands of apps in use daily, hosted in all or any combination of these locations, how can organizations ensure secure, appropriate user access without requiring users to login in multiple times? In addition, how can organizations terminate user access to each application without having to access each app individually?
By deploying Microsoft Azure Active Directory, Microsoft’s comprehensive cloud-based identity platform, along with F5’s trusted application access solution, Access Policy Manager (APM), organizations are able to federate user identity, authentication, and authorization and bridge the identity gap between cloud-based (IaaS), SaaS, and on-premises applications.
Figure 1 Secure hybrid application access
This guide discusses the following use cases:
· Users use single sign-on to access applications requires Kerberos-based authentication.
· Users use single sign-on to access applications requires header-based authentication.
Microsoft Azure Active Directory and F5 BIG-IP APM Design
For organizations with a high security demand with low risk tolerance, the need to keep all aspects of user authentication on premise is required.
The Microsoft Azure Active Directory and F5 BIG-IP APM solution integrates directly into AAD configured to work cooperatively with an existing Kerberos based, header based or variety of authentication methods. The solution has these components:
• BIG-IP Access Policy Manager (APM)
• Microsoft Domain Controller/ Active Directory (AD)
• Microsoft Azure Active Directory (AAD)
• Application (Kerberos-/header-based authentication)
Figure 2 APM bridge SAML to Kerberos/header authentication components
Figure 3 APM bridge SAML to Kerberos authentication process flow
Deploying Azure Active Directory and BIG-IP APM integration
The joint Microsoft and F5 solution allow legacy applications incapable of supporting modern authentication and authorization to interoperate with Azure Active Directory. Even if an app doesn’t support SAML, and only is able to support header- or Kerberos-based authentication, it can still be enabled with single sign-on (SSO) and support multi-factor authentication (MFA) through the F5 APM and Azure Active Directory combination. Azure Active Directory as an IDaaS delivers a trusted root of identity to APM creating a bridge between modern and legacy applications, delivering SSO and securing the app with MFA.
Adding F5 from the gallery
To configure the integration of BIG-IP APM into Azure AD, you need to add F5 from the gallery to your list of managed SaaS apps.
- Sign-on to the Azure portal using either a work or school account, or a personal Microsoft account.
- On the left navigation pane, select the Azure Active Directory service.
- Navigate to Enterprise Applications and then select All Applications.
- To add new application, select New application.
- In the Add from the gallery section, type F5 in the search box.
- Select F5 from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
Configuring Microsoft Azure Active Directory
Configure and test Azure AD SSO with F5 using a test user called A.Vandelay. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in F5.
To configure and test Azure AD SSO with F5, complete the following building blocks:
- Configure Azure AD SSO - to enable your users to use this feature.
- Create an Azure AD test user - to test Azure AD single sign-on with A.Vandelay.
- Assign the Azure AD test user - to enable A.Vandelay to use Azure AD single sign-on.
Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
- In the Azure portal, on the F5 application integration page, find the Manage section and select single sign-on.
- On the Select a single sign-on method page, select SAML.
- On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.
- On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode, enter the values for the following fields:
- In the Identifier text box, type a URL using the following pattern: https://<YourCustomFQDN>.f5.com/
- In the Reply URL text box, type a URL using the following pattern: https://<YourCustomFQDN>.f5.com/
- Click Set additional URLs and perform the following step if you wish to configure the application in SP initiated mode:
- In the Sign-on URL text box, type a URL using the following pattern: https://<YourCustomFQDN>.f5.com/
Note
These values are for only used for illustration. Replace these them with the actual Identifier, Reply URL and Sign-on URL. Refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
- On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and select Download to download the certificate and save it on your computer.
- On the Set up F5 section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called A.Vandelay.
- From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
- Select New user at the top of the screen.
- In the User properties, follow these steps:
- In the Name field, enter A.Vandelay.
- In the User name field, enter the username@companydomain.extension. For example, A.Vandelay@contoso.com.
- Select the Show password check box, and then write down the value that's displayed in the Password box.
- Click Create.
Assign the Azure AD test user
In this section, you'll enable A.Vandelay to use Azure single sign-on by granting access to F5.
- In the Azure portal, select Enterprise Applications, and then select All applications.
- In the applications list, select F5.
- In the app's overview page, find the Manage section and select Users and groups.
- Select Add user, then select Users and groups in the Add Assignment dialog.
- In the Users and groups dialog, select A.Vandelay from the Users list, then click the Select button at the bottom of the screen.
- If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate role for the user from the list and then click the Select button at the bottom of the screen.
- In the Add Assignment dialog, click the Assign button.
Configure F5 BIG-IP APM
Configure your on-premise applications based on the authentication type.
Configure F5 single sign-on for Kerberos-based application
- Open your browser and access BIG-IP.
- You need to import the Metadata Certificate into the F5 (Kerberos) which will be used later in the setup process. Go to System > Certificate Management > Traffic Certificate Management >> SSL Certificate List. Click on Import of the right-hand corner.
- Additionally you also need an SSL Certificate for the Hostname (Kerbapp.superdemo.live), in this example we used Wildcard Certificate.
- Go to – F5 BIG-IP Click Access > Guided Configuration > Federation > SAML Service Provider.
- Specify the Entity ID (same as what you configured on the Azure AD Application Configuration).
- Create a new Virtual Server, Specify the Destination Address. Choose the Wild Card Certificate (or Cert you uploaded for the Application) that we uploaded earlier and the Associated Private Key.
- Upload the Configuration Metadata and Specify a new Name for SAML IDP Connector and you will also need to specify the Federation Certificate that was uploaded earlier.
- Create New Backend App Pool, specify the IP Address(s) of the Backend Application Servers.
- Under Single Sign-on Settings, choose Kerberos and Select Advanced Settings. The request needs to be created in user@domain.suffix.
- Under the username source specify session.saml.last.attr.name.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname. Refer Appendix for complete list of variables and values. Account Name Is the F5 Delegation Account Created ( Check F5 Documentation).
- Under Endpoint Checks Properties , click Save & Next.
- Under Timeout Settings, leave default settings and click Save & Next.
- Review Summary and click on Deploy.
Configure F5 single sign-on for Header-based application
- Open your browser and access BIG-IP.
- You need to import the Metadata Certificate into the F5 (Header Based) which will be used later in the setup process. Go to System > Certificate Management > Traffic Certificate Management >> SSL Certificate List. Click on Import of the right-hand corner.
- Additionally you also need an SSL Certificate for the Hostname (headerapp.superdemo.live), in this example we used Wildcard Certificate.
- Go to – F5 (Header Based) BIG-IP Click Access > Guided Configuration > Federation > SAML Service Provider.
- Specify the Entity ID (same as what you configured on the Azure AD Application Configuration).
- Create a new Virtual Server, Specify the Destination Address, Redirect Port is Optional. Choose the Wild Card Certificate (or Cert you uploaded for the Application) that we uploaded earlier and the Associated Private Key.
- Upload the Configuration Metadata and Specify a new Name for SAML IDP Connector and you will also need to specify the Federation Certificate that was uploaded earlier.
- Create New Backend App Pool, specify the IP Address(s) of the Backend Application Servers.
- Under Single Sign-on, Choose HTTP header-based. You can add other Headers based on your application. See the Appendix for the list of SAMLSession Variables.
- Under Endpoint Checks Properties , click Save & Next.
- Under Timeout Settings, leave default settings and click Save & Next.
- Review Summary and click on Deploy.
Resources
Configuring Single Sign-On with Access Policy Manager
Summary
By centralizing access to all your applications, you can manage them more securely. Through the F5 BIG-IP APM and Azure AD integration, you can centralize and use single sign-on (SSO) and multi-factor authentication for on-premise applications.
Validated Products and Versions
Product
- BIG-IP APM
Version
- 15.0
Nice article ! What about the new Azure AD guided configuration that is specificly for Azure AD?
https://clouddocs.f5.com/training/community/iam/html/class2/module4/lab01.html
- Kannan_ZenithNimbostratus
Can I use Azure SSO to login centrally to the BIG-IP console web page for managing it.
- Sam_NovakAltostratus
I utilize on-prem ADFS with the Azure MFA plugin to solve this, but I too have applications that I need to capture passwords for, but given the way SAML works (as I understand it) there isn't a way to capture/return a cleartext PW from the IdP (ADFS, Azure, etc) to the APM session for use in SSO configs.
This is makes things like NTLM auth, Peoplesoft/Oracle pages and simple form based sign-ins annoying because of the double auth, but it's what we have. I really wish Microsoft would provide an interface/snippets to integrate azure MFA directly into an APM sign-in form like DUO does; it's one of a handful of shortcomings we've found as we begin migrating from DUO to Azure MFA.
<soapbox>
The other big one for us is the Azure MFA authenticator app is very lacking when it comes to the user interface; with DUO, you see what app is being prompted for, and from where; authenticator is just 'Approve this, yes/no'.
</soapbox>
- PedroBastidasNimbostratus
Hi Kai Chung,
Excellent information. I had been able to deploy the integration between Azure AD and F5 APM for application with SSO like Kerberos or Headers. However, I need to deploy an application that requires SSO forms, so I need to keep the user's password in F5.
Do you know how to configure Azure AD as SAML IDP and F5 APM as SAML SP, but F5 can capture the password?
Thanks,
PB