on 04-Sep-2020 12:04
This guide is written for IT professionals designing an F5 network. These IT professionals can fill a variety of roles:
Figure 1 Secure hybrid application access
Organizations with high security demands and low risk tolerance need to keep all aspects of user authentication on premises.
The Microsoft Azure Active Directory and F5 BIG-IP APM solution integrates directly with Azure AD and is configured to work cooperatively with existing Kerberos-based, header-based, or other authentication methods. The solution has these components:
Figure 2 APM bridge SAML to Kerberos authentication components
Figure 3 APM bridge SAML to Kerberos authentication process flow
The joint Microsoft and APM solution allows legacy applications that cannot support modern authentication and authorization to interoperate with Azure Active Directory. Even if an app does not support SAML and supports only header- or Kerberos-based authentication, it can still be enabled for single sign-on (SSO) and multi-factor authentication (MFA) through the combination of F5 APM and Azure Active Directory. Azure Active Directory, as an IDaaS, delivers a trusted root of identity to APM, creating a bridge between modern authentication and SAP ERP applications, delivering SSO and securing the app with MFA.
In version 16.0 of F5 BIG-IP, Access Guided Configuration v7.0 (AGC) for APM adds the ability for administrators to easily onboard mission-critical applications to Azure AD and manage them operationally. The administrator no longer needs to go back and forth between Azure AD and BIG-IP, because end-to-end policy management has been integrated directly into the APM AGC console. This integration between BIG-IP APM and Azure AD delivers an automated “easy button” that lets applications quickly and easily support identity federation, SSO, and MFA. The seamless integration reduces management overhead and thereby also enhances the administrator experience.
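As an added illustration of the bridge shown in Figure 3 (example code written for this page, not F5's or Microsoft's), the following Python sketches the checks a SAML service provider such as APM performs on the Azure AD assertion before signing the user on to SAP ERP with Kerberos or an identity header. The issuer, SP entity ID, realm and the assertion itself are constructed placeholders, and the assertion's XML signature is assumed to have been verified before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical identifiers; in a real deployment these come from the AGC configuration.
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SP_ENTITY_ID = "https://saperp.example.com"
KERBEROS_REALM = "CORP.EXAMPLE.COM"

# Constructed sample assertion (not a real Azure AD token). Its signature is assumed
# to have been verified by the SAML service provider before this function runs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@corp.example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2020-09-04T12:00:00Z" NotOnOrAfter="2020-09-04T13:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://saperp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bridge_identity(assertion_xml, now):
    """Validate the IdP assertion and derive the identity used for backend SSO.

    Returns (kerberos_principal, identity_headers); raises ValueError on any failed check.
    """
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        raise ValueError("assertion not issued by the expected Azure AD tenant")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not intended for this service provider")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or "@" not in name_id:
        raise ValueError("missing UPN-style NameID")
    user = name_id.split("@", 1)[0]
    # Kerberos-based app: principal used for constrained delegation to SAP ERP.
    # Header-based app: identity header injected by the proxy toward the backend.
    return f"{user}@{KERBEROS_REALM}", {"X-Remote-User": user}
```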
These instructions configure APM to be used with Azure AD SSO for SAP ERP application access.
For SSO to work, you need to establish a link relationship between APM and Azure AD in relation to the SAP ERP.
Step 1: In BIG-IP click Access > Guided Configuration > Microsoft Integration > Azure AD Application.
Step 2: Click Next.
Step 3: In the Configuration Properties page, configure the following information, leave the other settings at their defaults, and click Save & Next.
Step 4: In the Service Provider page, configure the following information, leave the other settings at their defaults, and click Save & Next.
Step 5: In the Azure Active Directory page, double-click SAP ERP Central Component.
Step 6: In the Azure Active Directory page, complete the following information, then click the Add button in User And Groups.
Step 7: In the User And Groups section, select the following, click Close, and then click Save & Next at the bottom of the page.
Step 8: In the Virtual Server Properties page, configure the following information, leave the other settings at their defaults, and click Save & Next.
Step 9: In the Pool Properties page, configure the following information, leave the other settings at their defaults, and click Save & Next.
Step 10: In the Single Sign-On Settings page, click Enable Single Sign-On, then click Show Advanced Settings, configure the following information, leave the other settings at their defaults, and click Save & Next.
Step 11: In the Session Management Properties page, leave the default settings and click Save & Next.
Step 12: In the "Your application is ready to be deployed" page, click Deploy.
This completes APM configuration.