on 30-Apr-2020 14:29
Despite recent advances in security and identity management, controlling and managing access to applications through the web, whether by onsite employees, remote employees or contractors, customers, partners, or the public, is as difficult as ever. IT teams are challenged to control access based on granular characteristics such as user role while still providing fast authentication and, preferably, unified access with single sign-on (SSO) capabilities. The ability to audit access and to recognize and stop attempts at unauthorized access is also critical in today’s security environment.
F5® BIG-IP® Local Traffic Manager™ (LTM) and F5 BIG-IP® Access Policy Manager® (APM) address these challenges, providing extended access management capabilities when used in conjunction with the Microsoft Azure Active Directory (AAD) identity management platform. The integrated solution allows AAD to support applications with header-based and Kerberos based authentication and multifactor authentication using a variety of factor types. In addition, the BIG-IP system can act as a reverse proxy for publishing on-premises applications beyond the firewall, where they can be accessed through AAD.
This document discusses the process of configuring AAD and F5 BIG-IP to meet these requirements while still providing the flexibility and power of the cloud.
This guide is written for IT professionals who need to design an F5 network. These IT professionals can fill a variety of roles:
· Systems engineers who need a standard set of procedures for implementing solutions
· Project managers who create statements of work for F5 implementations
· F5 partners who sell technology or create implementation documentation
Security is one of the primary considerations for organizations in determining whether or not to migrate applications to the public cloud. For organizations with applications in the cloud, in a data center, managed, or delivered as a service, the problem is to create a cost-effective hybrid architecture that produces secure application access and a great user experience: users can reach apps easily, the experience is consistent across apps, and single sign-on (SSO) is tied to a central identity and authentication strategy.
Some applications are not good candidates for modernization. There are applications that are not suited for, or incapable of, cloud migration. Many on-premises apps do not support modern authentication and authorization standards and protocols such as SAML, OAuth, or OpenID Connect (OIDC). An organization may not have the staff talent or time to modernize its on-premises apps.
With thousands of apps in use daily, hosted in any combination of these locations, how can organizations ensure secure, appropriate user access without requiring users to log in multiple times? In addition, how can organizations terminate a user’s access to every application without having to touch each app individually?
By deploying Microsoft Azure Active Directory, Microsoft’s comprehensive cloud-based identity platform, along with F5’s trusted application access solution, Access Policy Manager (APM), organizations are able to federate user identity, authentication, and authorization and bridge the identity gap between cloud-based (IaaS), SaaS, and on-premises applications.
Figure 1 Secure hybrid application access
This guide discusses the following use cases:
· Users use single sign-on to access an SAP ERP application that requires Kerberos-based authentication.
For organizations with high security demands and low risk tolerance, all aspects of user authentication must be kept on premises.
The Microsoft Azure Active Directory and F5 BIG-IP APM solution integrates directly with AAD and works cooperatively with existing Kerberos-based, header-based, or other authentication methods. The solution has these components:
• BIG-IP Access Policy Manager (APM)
• Microsoft Domain Controller/ Active Directory (AD)
• Microsoft Azure Active Directory (AAD)
• SAP ERP Application (Kerberos-based authentication)
Figure 2 APM bridge SAML to Kerberos authentication components
Figure 3 APM bridge SAML to Kerberos authentication process flow
The joint Microsoft and APM solution allows legacy applications incapable of supporting modern authentication and authorization to interoperate with Azure Active Directory. Even if an app doesn’t support SAML and supports only header- or Kerberos-based authentication, it can still be enabled for single sign-on (SSO) and multi-factor authentication (MFA) through the combination of F5 APM and Azure Active Directory. Azure Active Directory as an IDaaS delivers a trusted root of identity to APM, creating a bridge between modern authentication and the SAP ERP application, delivering SSO and securing the app with MFA.
These instructions configure Azure AD SSO with APM to be used with SAP ERP. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in F5.
To configure and test Azure AD SSO with APM, complete the following tasks:
· Create an Azure AD user – to add users to Azure AD.
· Assign the Azure AD user - to enable users to use Azure AD single sign-on.
· Configure Azure AD SSO - to enable your users to use this feature.
In this section, you'll create a test user in the Azure portal named Harvey Winn.
1. In the search field, type “enterprise applications” and click on Enterprise applications.
2. Click on “New application”.
3. In the search field under Add from the gallery, type “f5” and click on SAP ERP Central Component (ECC) and then Add.
4. In the SAP ERP Central Component (ECC) - Protected by F5 Networks BIG-IP APM | Overview window, click 1. Assign users and groups, and in the next screen, click + Add user.
5. In Home > SAP ERP Central Component (ECC) - Protected by F5 Networks BIG-IP APM | Users and groups > Add Assignment page, click Users and groups.
6. In the search field under Users and groups, search “harvey” and click on the user Harvey Winn, click on Select and then click on Assign.
1. Click on Single sign-on.
2. Click on SAML.
3. In Home > SAP ERP Central Component (ECC) - Protected by F5 Networks BIG-IP APM | Single sign-on > SAML-based Sign-on page, under Basic SAML Configuration, click the edit icon.
4. Complete the following information and click Save.
· Identifier (Entity ID): https://saperp.aserracorp.com/
· Reply URL (Assertion Consumer Service URL): https://saperp.aserracorp.com/saml/sp/profile/post/acs
· Relay State: https://saperp.aserracorp.com/irj/portal
· Logout Url: https://saperp.aserracorp.com/saml/sp/profile/redirect/slo
5. In Home > SAP ERP Central Component (ECC) - Protected by F5 Networks BIG-IP APM | Single sign-on > SAML-based Sign-on page, under User Attributes & Claims, click the edit icon, and click + Add new claim.
6. In Home > SAP ERP Central Component (ECC) - Protected by F5 Networks BIG-IP APM | Single sign-on > SAML-based Sign-on > User Attributes & Claims > Manage claim page, complete the following information and click Save.
· Name: sAMAccountName
· Source attribute: user.onpremisessamaccountname
7. Return to the SAML-based Sign-on page to verify the information.
8. Under SAML Signing Certificate and next to Federation Metadata XML, right-click Download and select Save Link As…
9. Rename File name to SAPEP.xml and click Save.
Note: APM Guided Configuration will not accept spaces in the file name
10. Azure AD configuration completed.
These instructions configure APM to be used with Azure AD SSO for SAP ERP application access. For SSO to work, you need to establish a link relationship between APM and Azure AD for the SAP ERP application.
To configure and test Azure AD SSO with APM, complete the following tasks:
1. In BIG-IP click Access > Guided Configuration > Federation > SAML Service Provider.
2. Click Next.
3. In the Service Provider Properties page, configure the following information, leave default settings and click Save & Next.
• Configuration Name: saperp
• Entity ID: https://saperp.aserracorp.com/
• Scheme: https
• Host: saperp.aserracorp.com
• Relay State: https://saperp.aserracorp.com/irj/portal
4. In the Virtual Server Properties page, configure the following information, leave default settings and click Save & Next.
• Destination Address: 206.124.129.129
• Service Port: 443 HTTPS (default)
• Enable Redirect Port: Checked (default)
• Redirect Port: 80 HTTP (default)
• Client SSL Profile: Create new
• Client SSL Certificate: asper.aserracorp.com
• Associated Private Key: saperp.aserracorp.com
5. In the External Identity Provider Connector Settings page, configure the following information, leave default settings and click Save & Next.
• Select method to configure your IdP Connector: Metadata
• Upload a file in the format name .xml: Choose File saper.xml
• Name: saperp_aad_idp
6. In the Pool Properties page, configure the following information, leave default settings and click Save & Next.
• Select a Pool: Create New
• Load Balancing Method: Least Connections (member)
• Pool Servers
• IP Address/Node Name: /Common/172.31.23.14
• Port: 50000
7. In the Single Sign-On Settings page, click Enable Single Sign-On, click Show Advanced Settings, configure the following information, leave the remaining default settings, and click Save & Next.
• Select Single Sign-On Type: Kerberos
• Credentials Source
• Username Source: session.saml.last.attr.name.sAMAccountName
• SSO Method Configuration
• Kerberos Realm: ASERRACORP.COM
• Account Name: sapsrvacc
• Account Password: password
• Confirm Account Password: password
• KDC: 172.16.60.5
• SPN Pattern: HTTP/sapsrv.aserracorp.com@ASERRACORP.COM
• Ticket Lifetime: 600 (default)
• Send Authorization: Always (default)
8. In the Endpoint Checks Properties page, leave default settings and click Save & Next.
9. In the Timeout Settings page, leave default settings and click Save & Next.
10. In the Your application is ready to be deployed page, click Deploy.
11. APM configuration completed.
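The Azure AD claim configured above (sAMAccountName, sourced from user.onpremisessamaccountname) and the APM Username Source session.saml.last.attr.name.sAMAccountName are the two ends of the SAML-to-Kerberos bridge: APM validates the assertion Azure AD posts to the ACS URL, takes the account name from that attribute, and requests a Kerberos ticket for that user against the SPN pattern. The following Python script is an added example, not code from the F5 guide or from APM, that performs the same SP-side checks on a constructed sample assertion (audience equals the Entity ID, bearer confirmation is addressed to the ACS URL, validity window, exactly one account-name value) and then derives the Kerberos principal and target SPN from the guide's values. The tenant-specific issuer is a placeholder, and XML signature verification against the certificate in the uploaded federation metadata is assumed to have already happened.

```python
# Added example (not from the F5 guide): the SAML assertion checks an SP performs
# before it trusts the sAMAccountName attribute that APM maps into Kerberos SSO.
# Assumption: the signature on the assertion was already verified with the IdP
# certificate from the federation metadata; that step is not reproduced here.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Values taken from the guide's Basic SAML Configuration and APM SSO settings
SP_ENTITY_ID = "https://saperp.aserracorp.com/"
ACS_URL = "https://saperp.aserracorp.com/saml/sp/profile/post/acs"
KERBEROS_REALM = "ASERRACORP.COM"
SPN_PATTERN = "HTTP/sapsrv.aserracorp.com@ASERRACORP.COM"
USERNAME_ATTR = "sAMAccountName"   # the claim name configured in Azure AD

# Constructed sample response; the issuer tenant id is a placeholder
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://saperp.aserracorp.com/saml/sp/profile/post/acs">
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>harvey.winn@aserracorp.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://saperp.aserracorp.com/saml/sp/profile/post/acs"
            NotOnOrAfter="2099-01-01T00:00:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saperp.aserracorp.com/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="sAMAccountName">
        <saml:AttributeValue>hwinn</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def _ts(value):
    """Parse a SAML UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now=None):
    """Return the attributes APM would place in its session, or raise ValueError."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    # Validity window and audience restriction (must name our Entity ID)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("audience does not match the SP Entity ID")
    # Bearer confirmation must be addressed to our ACS URL and still be fresh
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or _ts(scd.get("NotOnOrAfter")) <= now:
        raise ValueError("bearer confirmation is not valid for this ACS URL")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def kerberos_identity(attrs):
    """Map the attribute named in APM's Username Source to a Kerberos principal and the target SPN."""
    values = attrs.get(USERNAME_ATTR, [])
    if len(values) != 1 or not values[0]:
        raise ValueError("expected exactly one %s value" % USERNAME_ATTR)
    user = values[0]
    # A bare account name is expected; realm or domain separators would change the principal
    if any(ch in user for ch in "@\\/"):
        raise ValueError("unexpected separator in account name")
    return {"principal": "%s@%s" % (user, KERBEROS_REALM), "spn": SPN_PATTERN}


if __name__ == "__main__":
    session_attrs = validate_assertion(SAMPLE_RESPONSE)
    print(kerberos_identity(session_attrs))
```

In the deployed configuration APM performs these checks itself after verifying the signature with the IdP certificate from the uploaded metadata, and then uses the sapsrvacc delegation account against the KDC at 172.16.60.5 to obtain a ticket for the user; that Kerberos exchange is outside the scope of this script. The negative paths matter as much as the happy path: an assertion whose audience names a different Entity ID, or whose bearer confirmation points at another ACS URL, must be rejected even though it is otherwise well formed.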
Configuring Single Sign-On with Access Policy Manager
By centralizing access to all your applications, you can manage them more securely. Through the F5 BIG-IP APM and Azure AD integration, you can centralize and use single sign-on (SSO) and multi-factor authentication for SAP ERP.