Kai_Chung
F5 Employee

Overview

This guide is written for IT professionals designing an F5 network. These IT professionals can fill a variety of roles:

  • Systems engineers requiring a standard set of procedures for implementing solutions
  • Project managers creating statements of work for F5 implementations
  • F5 partners selling technology or creating implementation documentation

This guide covers using single sign-on to access an Oracle PeopleSoft application requiring header-based authentication.


Figure 1 Secure hybrid application access

Microsoft Azure Active Directory and F5 BIG-IP APM Design

Organizations with high security demands and a low risk tolerance need to keep every aspect of user authentication on premises.

The Microsoft Azure Active Directory and F5 BIG-IP APM solution integrates directly with AAD and is configured to work cooperatively with existing header-based or other authentication methods. The solution has these components:

  • BIG-IP Access Policy Manager (APM)
  • Microsoft Domain Controller/ Active Directory (AD)
  • Microsoft Azure Active Directory (AAD)
  • PeopleSoft Application (header-based authentication)


Figure 2 APM bridge SAML to header-based authentication components

Deploying Azure Active Directory and BIG-IP APM integration

The joint Microsoft and APM solution allows legacy applications that cannot support modern authentication and authorization to interoperate with Azure Active Directory. Even if an app does not support SAML and can only support header-based authentication, it can still be enabled for single sign-on (SSO) and multi-factor authentication (MFA) through the combination of F5 APM and Azure Active Directory. Azure Active Directory, as an IDaaS, delivers a trusted root of identity to APM, creating a bridge between modern authentication and the PeopleSoft application, delivering SSO and securing the app with MFA.

Access Guided Configuration 7.0 – Azure AD Easy Button

In version 16.0 of F5 BIG-IP, Access Guided Configuration v7.0 (AGC) for APM adds the ability for administrators to easily onboard mission-critical applications to Azure AD and manage them operationally. The administrator no longer needs to go back and forth between Azure AD and BIG-IP, because end-to-end policy management has been integrated directly into the APM AGC console. This integration between BIG-IP APM and Azure AD delivers an automated "easy button" so that applications can quickly and easily support identity federation, SSO, and MFA. The seamless integration reduces management overhead and so also improves the administrator experience.

Configure F5 BIG-IP APM

These instructions configure APM to be used with Azure AD SSO for PeopleSoft application access.
For SSO to work, you need to establish a link relationship between APM and Azure AD in relation to the PeopleSoft

Step 1: In BIG-IP, click Access > Guided Configuration > Microsoft Integration > Azure AD Application.


Step 2: Click Next.


Step 3: On the Configuration Properties page, configure the following information, leave the remaining settings at their defaults, and click Save & Next.

  • Configuration Name: www
  • Single Sign-On (SSO): On
  • Copy Account Info from Existing Configuration: On
  • Existing Configuration: portal
  • Click Copy
  • Click Test Connection


Step 4: On the Service Provider page, configure the following information, leave the remaining settings at their defaults, and click Save & Next.


Step 5: On the Azure Active Directory page, double-click Oracle PeopleSoft.


Step 6: On the Azure Active Directory page, complete the following information, then click the Add button in the User And Groups section.

  • Display Name: Corporate Site
  • Signing Key: www.aserracorp.com
  • Signing Certificate: www.aserracorp.com
  • Signing Key Passphrase: <passphrase>
  • Signing Option: Sign SAML assertion
  • Signing Algorithm: RSA-SHA256


Step 7: In the User And Groups section, select the following, click Close, and then click the User Attribute and Claims tab at the top of the form.

  • Type: User Group
  • Legacy Application Users: Add


Step 8: On the Azure Active Directory page, User Attribute and Claims tab, click the Add button.


Step 9: On the Azure Active Directory page, User Attribute and Claims tab, Additional Claims section, complete the following information, click Done, and then click Save & Next at the bottom of the page.

  • Name: EMPLID
  • Source Attribute: user.employeeid


Step 10: On the Virtual Server Properties page, configure the following information, leave the remaining settings at their defaults, and click Save & Next.

  • Destination Address: 206.124.129.183
  • Service Port: 443 HTTPS (default)
  • Enable Redirect Port: Checked (default)
  • Redirect Port: 80 HTTP (default)
  • Client SSL Profile: Create new
  • Client SSL Certificate: Client SSL Certificate
  • Associated Private Key: www.aserracorp.com


Step 11: On the Pool Properties page, configure the following information, leave the remaining settings at their defaults, and click Save & Next.

  • Advanced Settings: On
  • Select a Pool: Create new
  • Health Monitors: /Common/http
  • Load Balancing Method: Least Connections (member)
  • IP Address/Node name: /Common/172.16.60.105
  • Port: 80 HTTP


Step 12: On the Single Sign-On Settings page, click Enable Single Sign-On, then click Show Advanced Settings, configure the following information, leave the remaining settings at their defaults, and click Save & Next.

  • Select Single Sign-On Type: HTTP header-based
  • Username Source: session.saml.last.identity
  • SSO Headers
    • Header Operation: replace
    • Header Name: Authorization
    • Header Value: %{session.saml.last.attr.sAMAccountName}
    • Header Operation: insert
    • Header Name: EMPLID
    • Header Value: %{session.saml.last.attr.EMPLID}
    • Header Operation: replace
    • Header Name: Authorization
    • Header Value: %{session.saml.last.attr.name.http://schemas.xmlsoap.org/ws/2005/identity/claims/givenname}


Step 13: On the Session Management Properties page, leave the default settings and click Save & Next.

Step 14: On the "Your application is ready to be deployed" page, click Deploy.


This completes APM configuration.

Resources

Validated Products and Versions

  • BIG-IP APM 16.0

Comments

ravi281278
Nimbostratus

Hello Kai_Chung, is this achievable only with the above steps, with no modification required at the PeopleSoft application? We are planning to implement the same for one of our clients.

Last update: 04-Sep-2020 12:04