cancel
Showing results for 
Search instead for 
Did you mean: 
Kai_Chung
F5 Employee
F5 Employee

Overview

This guide is written for IT professionals designing an F5 network. These IT professionals can fill a variety of roles:

  • Systems engineers requiring a standard set of procedures for implementing solutions
  • Project managers creating statements of work for F5 implementations
  • F5 partners selling technology or creating implementation documentation

This guide covers using single sign-on to access the Oracle PeopleSoft application requiring header-based authentication.0151T000003phsSQAQ.png

Figure 1 Secure hybrid application access

Microsoft Azure Active Directory and F5 BIG-IP APM Design

For organizations with a high security demand with low risk tolerance, the need to keep all aspects of user authentication on premise is required.

The Microsoft Azure Active Directory and F5 BIG-IP APM solution integrates directly into AAD configured to work cooperatively with an existing header based, header based or variety of authentication methods. The solution has these components:

  • BIG-IP Access Policy Manager (APM)
  • Microsoft Domain Controller/ Active Directory (AD)
  • Microsoft Azure Active Directory (AAD)
  • PeopleSoft Application (header-based authentication)

0151T000003phsXQAQ.png
Figure 2 APM bridge SAML to header authentication components

Deploying Azure Active Directory and BIG-IP APM integration

The joint Microsoft and APM solution allow legacy applications incapable of supporting modern authentication and authorization to interoperate with Azure Active Directory. Even if an app doesn’t support SAML, and only is able to support header-based authentication, it can still be enabled with single sign-on (SSO) and support multi-factor authentication (MFA) through the F5 APM and Azure Active Directory combination. Azure Active Directory as an IDaaS delivers a trusted root of identity to APM creating a bridge between modern and PeopleSoft applications, delivering SSO and securing the app with MFA.

Configuring Microsoft Azure Active Directory

These instructions configure Azure AD SSO with APM to be used with PeopleSoft. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in F5.

To configure and test Azure AD SSO with APM, complete the following tasks:
  • Create an Azure AD user – to add users to Azure AD.
  • Assign the Azure AD user - to enable users to use Azure AD single sign-on.
  • Configure Azure AD SSO - to enable your users to use this feature.

Create an Azure AD user

In this section, you will create a test user in the Azure portal named Harvey Winn.

  1. From the left pane in the Azure portal, click Users, and then select All users.
  2. Click + New user at the top of the screen.
  3. In the User properties, follow these steps:
  • Username: harvey@aserracorp.com
  • Name: Harvey Winn
  • Select the Show password check box, and then write down the value that's displayed in the Password box.
  • Click Create.

Assign Azure AD users to application

Step 1: In the search field, type “enterprise applications” and click on Enterprise applications.

0151T000003phsYQAQ.png



Step 2: Click on “New applications

0151T000003phsZQAQ.png



Step 3: In the search field under Add from the gallery, type “f5” and click on Oracle PeopleSoft - Protected by F5 Networks BIG-IP and then Add.

0151T000003phsLQAQ.png


 

Step 4: In the Oracle PeopleSoft - Protected by F5 Networks BIG-IP | OverviewClick window, click 1. Assign users and groups, and in the next screen, click + Add user.


Step 5: In Home > Oracle PeopleSoft - Protected by F5 Networks BIG-IP | Users and groups > Add Assignment page, click Users and groups.


Step 6: In the search field under Users and groups, search “harvey” and click on the user Harvey Winn, click on Select and then click on Assign.

0151T000003phsMQAQ.png


Configure Azure AD SSO

Step 1: Click on Single sign-on.

0151T000003phsaQAA.png

 

Step 2: Click on SAML.

0151T000003phscQAA.png

 

Step 3: In Home > Oracle PeopleSoft - Protected by F5 Networks BIG-IP | Single sign-on > SAML-based Sign-on page, under Basic SAML Configuration, click the edit icon.

0151T000003phsTQAQ.png


 

Step 4: Complete the following information and click Save.

  • Identifier (Entity ID): https://peoplesoft.aserracorp.com/
  •  Reply URL (Assertion Consumer Service URL): https://peoplesoft.aserracorp.com/saml/sp/profile/post/acs
  • Relay State: https://peoplesoft.aserracorp.com/irj/portal
  • Logout Url: https://peoplesoft.aserracorp.com/saml/sp/profile/redirect/slo


Step 5: In Home > Oracle PeopleSoft - Protected by F5 Networks BIG-IP | Single sign-on > SAML-based Sign-on page, under User Attributes & Claims, click the edit icon, and click + Add new claim.


Step 6: In Home > Oracle PeopleSoft - Protected by F5 Networks BIG-IP | Single sign-on > SAML-based Sign-on > User Attributes & Claims > Manage claim page, complete the following information and click Save.

  • Name: sAMAccountName
  • Source attribute: user.onpremisessamaccountname

0151T000003phsbQAA.png

 

Step 7: Click > SAML-based Sign-on > , to verify information

0151T000003phshQAA.png



Step 8: Under SAML Signing Certificate and next to Federation Metadata XML, click right click on Download and select Save Link As…

0151T000003phsiQAA.png0151T000003phsdQAA.png



Step 9: Rename File names to remove spaces.
Note: APM Guided Configuration will not accept spaces in the file name

This completes Azure AD configuration.

Configure F5 BIG-IP APM

These instructions configure with APM to be used with Azure AD SSO for PeopleSoft application access. For SSO to work, you need to establish a link relationship between APM and Azure AD in relation to the PeopleSoft.

To configure and test Azure AD SSO with APM, complete the following tasks:

  • Configure the Service Provider: Service Provider can sign authentication requests and decrypt assertions.
  • Configure a Virtual Server: When the clients send application traffic to a virtual server, the virtual server listens for that traffic, processes the configuration associated with the server, and directs the traffic according to the policy result and the settings in the configuration.
  • Configure External Identity Provider Connector: Define settings for an external SAML IdP. When acting as a SAML Service Provider, the BIG-IP system sends authentication requests to and consumes assertions from external SAML IdPs that you specify.
  • Configure the Pool Properties: enables you to configure a pool of one or more servers. If you have a suitable pool configured already, select it. Otherwise, create a new one. Add servers, select a load balancing method, and, optionally, assign a health monitor to the pool.
  • ConfigureSingle Sign-On: leverages credential caching and credential proxying technology so users can enter their credentials once to access their secured web applications.
 

Step 1: In BIG-IP click Access > Guided Configuration > Federation > SAML Service Provider.

0151T000003phsmQAA.png

 

Step 2: Click Next.

0151T000003phsjQAA.png

 

Step 3: In the Service Provider Properties page, configure the following information, leave default settings and click Save & Next.

0151T000003phseQAA.png

Step 4: In the Virtual Server Properties page, configure the following information, leave default settings and click Save & Next.

  • Destination Address: 206.124.129.124
  • Service Port: 443 HTTPS (default)
  • Enable Redirect Port: Checked (default)
  • Redirect Port: 80 HTTP (default)
  • Client SSL Profile: Use Exsisting
  • Common: peoplesoft.aserracorp.com_ssl

0151T000003phsfQAA.png

 

Step 5: In the External Identity Provider Connector Settings page, configure the following information, leave default settings and click Save & Next.

  • Select method to configure your IdP Connector: Metadata
  • Upload a file in the format name .xml: Choose File PeopleSoftAssaracorp.xml
  • Name: peoplesoft_aad_idp_connector

0151T000003phsnQAA.png

0151T000003phsoQAA.png

Step 6: In the Pool Properties page, configure the following information, leave default settings and click Save & Next.

  • Select a Pool: PeopleSoft_backend_pool

0151T000003phspQAA.png



Step 7: In the Single Sign-On Settings page, click Enable Single Sign-On, and then click on Show Advanced Settings, configure the following information, leave default settings and click Save & Next.

  • Select Single Sign-On Type: HTTP header-based
  • Username Source: session.saml.last.identity
  • SSO Headers
    • Header Operation: replace
    • Header Name: PS_SSO_UID
    • Header Value: %{session.saml.last.attr.name.EMPLID}

0151T000003phsgQAA.png

 

Step 8: In the Endpoint Checks Properties page, leave default settings and click Save & Next.

Step 9: In the Timeout Settings page, leave default settings and click Save & Next.

Step 10: In the Your application is ready to be deployed page, click Deploy.

0151T000003phsrQAA.png

This completes APM configuration.

Resources

Validated Products and Versions

  • BIG-IP APM 14.1
Version history
Last update:
‎04-Sep-2020 12:04
Updated by:
Contributors