Single Sign-On (SSO) to Legacy Web Apps Using BIG-IP & VMware Workspace ONE

A few months back VMware announced a joint collaborative effort on delivering even more applications to their Workspace ONE suite, utilizing F5 BIG-IP APM to act as an authentication translator from SAML to legacy Kerberos and header-based web applications.

How does it work?
VMware Workspace ONE acts as an identity provider (IdP) that provides SSO access to cloud, mobile and SAML applications. F5 BIG-IP APM extends that functionality and acts as a service provider (SP) to Workspace ONE for Kerberos and header-based web applications. BIG-IP APM takes in the user's SSO authentication credential (the SAML assertion) from Workspace ONE and authenticates that user into BIG-IP APM. Once authentication is complete, BIG-IP APM performs Kerberos Constrained Delegation (KCD) or header-based authentication using the user's realm (domain). BIG-IP APM then passes the resulting authentication token to the legacy web application on behalf of the user. This prevents the pop-up login dialog boxes from appearing and provides seamless authentication from Workspace ONE to the legacy web application.


BIG-IP can provide intelligent traffic management, high availability, secure SSL access through bridging or offloading, and monitoring using BIG-IP Local Traffic Manager (LTM) and BIG-IP DNS (Formerly BIG-IP GTM). BIG-IP's Access Policy Manager (APM) can also provide secure access to the apps and resources accessible through the Workspace ONE portal.

You can now download the updated step-by-step guide for integrating VMware Workspace ONE and BIG-IP APM for legacy web applications: https://www.vmware.com/pdf/vidm_implementing_SSO_to_kdc-and-hb_apps.pdf
You can also read more about this integration in VMware's blog post by Ben Siler:
https://blogs.vmware.com/euc/2016/10/single-sign-on-sso-legacy-apps-workspace-one-f5.html
F5 has also provided a brief video explaining and showing this integration in action. Click the link below to see the video.
https://devcentral.f5.com/s/articles/lightboard-lessons-sso-to-legacy-web-applications-24410

Here is a snippet from the documentation on setting up Kerberos within F5 APM.

Setting up Kerberos Constrained Delegation (KCD) in BIG-IP APM
If you are integrating a KCD app, you should now set up KCD in APM.

  1. Open the F5 BIG-IP admin console.
  2. Click Access Policy > SSO Configurations > Kerberos > plus icon ( +).
  3. In the New SSO Configuration menu, click Kerberos.
    1. Enter a unique name for your KCD SSO Configuration.
    2. Set the Username Source field to session.sso.token.last.username.
    3. Set the User Realm Source field to session.ad.last.actualdomain.
    4. Set the Kerberos Realm field to your Active Directory domain (in CAPS).
    5. Set the Account Name field to your Kerberos service account.
      Note: If a Kerberos service account has not been created yet, it is recommended to create one by following this documentation:
      https://www.f5.com/pdf/deployment-guides/kerberos-constrained-delegation-dg.pdf
    6. Set the Account Password and Confirm Account Password fields to the password associated with the Kerberos service account.
    7. Leave all other non-required fields at their default settings (required fields have a blue line). Click Finished.

Setting up Domain Authentication

  1. In the BIG-IP admin console, click Access Policy > AAA Servers > Active Directory > plus Icon ( + ).
  2. Enter a friendly name in the Name field.
    1. Set the Domain Name field to your Active Directory Domain Name (FQDN).
    2. Set the Server Connection radio button to Use Pool to increase resiliency.
    3. Set the Domain Controller Pool Name to a friendly name for your pool (no spaces allowed).
    4. Set the IP Address field to the IP Address of your domain controller.
    5. Set the Hostname field to the short name for your domain controller.
    6. Click Add, to add the domain controller to your pool.
    7. Repeat steps 4, 5, and 6 for each domain controller you want to add to the pool.
    8. Set the server pool monitor drop-down to gateway_icmp.
    9. Set the Admin Name field to your domain admin user.
    10. Set the Admin Password field to your domain admin’s password.
    11. Set the Group Cache Lifetime field to 30 days.
    12. Set the Password Security Object Cache Lifetime to 30 days.
    13. Click Finished.
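The two procedures above walk through the BIG-IP admin console. For anyone who prefers to script or review the same configuration from the BIG-IP command line, here is an added example (not taken from the VMware guide or from F5's documentation) that builds the equivalent objects with tmsh, run from the BIG-IP bash shell. The object names (dc_pool, example_ad, kcd_sso), the domain example.com / realm EXAMPLE.COM, the domain controller addresses, the service account names and the password placeholders are all assumptions to be replaced with your own values; the use of port 0 for the domain controller pool members and the admin-encrypted-password argument accepting a plaintext value at creation time are likewise assumptions to confirm against the tmsh reference for your BIG-IP version.

```tmsh
# Added example: tmsh equivalent of the GUI steps above, run from the BIG-IP bash shell.
# Every name, address and password below is a placeholder (assumption), not a page value.

# Domain controller pool for the "Use Pool" server connection, monitored with
# gateway_icmp as in step 8 of the domain authentication procedure.
# Port 0 for the members is an assumption (it lets APM choose the protocol port).
tmsh create ltm pool dc_pool \
    monitor gateway_icmp \
    members add { 10.0.0.11:0 10.0.0.12:0 }

# Active Directory AAA server ("Setting up Domain Authentication").
# group-cache-ttl and password-security-object-cache-ttl are the 30-day values from
# steps 11 and 12; admin-encrypted-password taking a plaintext value here is an assumption.
tmsh create apm aaa active-directory example_ad \
    domain example.com \
    use-pool enabled \
    pool dc_pool \
    admin-name svc_apm_admin \
    admin-encrypted-password 'REPLACE-WITH-DOMAIN-ADMIN-PASSWORD' \
    group-cache-ttl 30 \
    password-security-object-cache-ttl 30

# Kerberos SSO configuration ("Setting up Kerberos Constrained Delegation").
# The two session variables and the upper-case realm mirror steps 2 to 4 of the KCD procedure.
tmsh create apm sso kerberos kcd_sso \
    username-source session.sso.token.last.username \
    user-realm-source session.ad.last.actualdomain \
    kerberos-realm EXAMPLE.COM \
    account-name svc_apm_kcd \
    account-password 'REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD'

# Review what was stored (passwords are displayed in encrypted form) and persist it.
tmsh list apm aaa active-directory example_ad
tmsh list apm sso kerberos kcd_sso
tmsh save sys config
```

Keeping the AAA object and the Kerberos SSO object as separate tmsh commands matches the two GUI menus, and listing both objects afterwards is the quickest way to confirm that the username and realm session variables were spelled exactly as the access policy will set them; a mismatch there is the most common reason the KCD ticket request never fires and the legacy application's login prompt reappears.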

Special Thanks to Ben Siler, Paul Pindell, Peter Silva and Cody Green for all of their assistance putting this together!


Published Jun 27, 2017
Version 1.0