on 18-Dec-2019 06:00
Security is one of the primary considerations for organizations deciding whether to migrate applications to the public cloud. The challenge for organizations with applications spread across the cloud, a data center, managed hosting, or software as a service is to build a cost-effective hybrid architecture that provides secure application access together with a consistent, easy user experience: users reach their apps with single sign-on (SSO) tied to a central identity and authentication strategy.
Some applications are not good candidates for modernization, and some are unsuited to, or incapable of, cloud migration. Many on-premises apps do not support modern authentication and authorization standards and protocols such as SAML, OAuth, or OpenID Connect (OIDC), and an organization may not have the staff or time to modernize its on-premises apps.
With thousands of apps in daily use, hosted in any combination of these locations, how can organizations ensure secure, appropriate user access without requiring users to log in multiple times? And how can organizations terminate a user's access to every application without having to visit each app individually?
By deploying Microsoft Azure Active Directory, Microsoft's comprehensive cloud-based identity platform, together with F5's trusted application access solution, Access Policy Manager (APM), organizations can federate user identity, authentication, and authorization and bridge the identity gap between cloud-based (IaaS), SaaS, and on-premises applications.
Figure 1 Secure hybrid application access
This guide discusses the following use cases:
· Users use single sign-on to access applications that require Kerberos-based authentication.
· Users use single sign-on to access applications that require header-based authentication.
Organizations with high security demands and low risk tolerance may need to keep every aspect of user authentication on premises.
The Microsoft Azure Active Directory and F5 BIG-IP APM solution integrates directly with Azure AD and works cooperatively with an existing Kerberos-based, header-based, or other authentication method. The solution has these components:
• BIG-IP Access Policy Manager (APM)
• Microsoft Domain Controller/ Active Directory (AD)
• Microsoft Azure Active Directory (AAD)
• Application (Kerberos-/header-based authentication)
Figure 2 APM bridge SAML to Kerberos/header authentication components
Figure 3 APM bridge SAML to Kerberos authentication process flow
The joint Microsoft and F5 solution allows legacy applications that cannot support modern authentication and authorization to interoperate with Azure Active Directory. Even if an app does not support SAML and can only handle header- or Kerberos-based authentication, it can still be enabled for single sign-on (SSO) and multi-factor authentication (MFA) through the combination of F5 APM and Azure Active Directory. Azure Active Directory, as an IDaaS, delivers a trusted root of identity to APM, creating a bridge between modern and legacy applications, delivering SSO, and securing the app with MFA.
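The bridge described above depends on the legacy app trusting an identity that APM asserts for it. The following Python model is an added example, not code from the article, F5, or Microsoft: a bridge function that turns a session established from a validated SAML assertion into an identity header for the backend, and the matching check a header-based app should apply so that only requests arriving from the bridge can assert a user. The header names, the trusted proxy address range, and the sample user and domain are assumptions chosen for the example.

```python
"""
Added example (not from the article or from F5/Microsoft): a minimal model of
the SAML-to-header bridge in plain Python.

Roles:
  - the "bridge" (APM in the article) holds the session built from a
    validated SAML assertion and forwards the request to the legacy app
    with an identity header;
  - the legacy "app" honours that header only when the request arrives
    from the bridge, which is what makes header-based SSO safe to rely on.

All header names, addresses and session values are assumptions chosen for
this example, not configuration from the article.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed header names exchanged between the bridge and the legacy application.
IDENTITY_HEADER = "X-Authenticated-User"
GROUPS_HEADER = "X-Authenticated-Groups"

# Assumed address range of the bridge; only it may assert identity headers.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]


@dataclass(frozen=True)
class BridgeSession:
    """Identity the bridge established from a validated SAML assertion."""
    user_principal_name: str
    groups: tuple


def forward_headers(session: BridgeSession, client_headers: dict) -> dict:
    """Build the header set the bridge sends upstream.

    Any client-supplied copy of the identity headers is discarded first, so
    a browser cannot pre-populate them and have the bridge pass them through.
    """
    blocked = {IDENTITY_HEADER.lower(), GROUPS_HEADER.lower()}
    upstream = {k: v for k, v in client_headers.items() if k.lower() not in blocked}
    upstream[IDENTITY_HEADER] = session.user_principal_name
    upstream[GROUPS_HEADER] = ",".join(session.groups)
    return upstream


def app_identity(headers: dict, remote_addr: str):
    """What the legacy app should accept as the authenticated identity.

    Returns (user, groups) when the identity header arrives from a trusted
    proxy address, otherwise None: a request that bypasses the bridge and
    reaches the app directly must not be able to assert a user.
    """
    src = ip_address(remote_addr)
    if not any(src in net for net in TRUSTED_PROXIES):
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    user = lowered.get(IDENTITY_HEADER.lower())
    if not user:
        return None
    raw_groups = lowered.get(GROUPS_HEADER.lower(), "")
    groups = tuple(g for g in raw_groups.split(",") if g)
    return user, groups


if __name__ == "__main__":
    # Constructed sample: the article's test user with an assumed domain,
    # plus an identity header the browser tried to supply on its own.
    session = BridgeSession("a.vandelay@contoso.example", ("finance",))
    from_browser = {"Host": "app.internal", IDENTITY_HEADER: "admin"}
    to_app = forward_headers(session, from_browser)
    print(app_identity(to_app, "10.0.0.5"))          # via the bridge: honoured
    print(app_identity(from_browser, "192.0.2.10"))  # direct to the app: None
```

The two checks together are the point: the bridge strips client copies of the identity headers before setting its own, and the app refuses identity headers that did not come from the bridge's address range. In a real deployment the second check is usually enforced by network placement (the app is reachable only from APM) rather than by application code, but the app-side check is a cheap defence if that placement ever changes.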
To configure the integration of BIG-IP APM into Azure AD, you need to add F5 from the gallery to your list of managed SaaS apps.
Configure and test Azure AD SSO with F5 using a test user called A.Vandelay. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in F5.
To configure and test Azure AD SSO with F5, complete the following building blocks:
Follow these steps to enable Azure AD SSO in the Azure portal.
Note
These values are used for illustration only. Replace them with the actual Identifier, Reply URL and Sign-on URL, following the patterns shown in the Basic SAML Configuration section of the Azure portal.
In this section, you'll create a test user in the Azure portal called A.Vandelay.
In this section, you'll enable A.Vandelay to use Azure single sign-on by granting access to F5.
Configure your on-premises applications based on their authentication type.
Configuring Single Sign-On with Access Policy Manager
By centralizing access to all your applications, you can manage them more securely. Through the F5 BIG-IP APM and Azure AD integration, you can centralize access and use single sign-on (SSO) and multi-factor authentication for on-premises applications.
Hi Kai Chung,
Excellent information. I had been able to deploy the integration between Azure AD and F5 APM for application with SSO like Kerberos or Headers. However, I need to deploy an application that requires SSO forms, so I need to keep the user's password in F5.
Do you know how to configure Azure AD as SAML IDP and F5 APM as SAML SP, but F5 can capture the password?
Thanks,
PB
I utilize on-prem ADFS with the Azure MFA plugin to solve this, but I too have applications that I need to capture passwords for, but given the way SAML works (as I understand it) there isn't a way to capture/return a cleartext PW from the IdP (ADFS, Azure, etc) to the APM session for use in SSO configs.
This makes things like NTLM auth, Peoplesoft/Oracle pages and simple form based sign-ins annoying because of the double auth, but it's what we have. I really wish Microsoft would provide an interface/snippets to integrate Azure MFA directly into an APM sign-in form like DUO does; it's one of a handful of shortcomings we've found as we begin migrating from DUO to Azure MFA.
<soapbox>
The other big one for us is the Azure MFA authenticator app is very lacking when it comes to the user interface; with DUO, you see what app is being prompted for, and from where; authenticator is just 'Approve this, yes/no'.
</soapbox>
Can I use Azure SSO to log in centrally to the BIG-IP console web page for managing it?
Nice article! What about the new Azure AD guided configuration that is specifically for Azure AD?
https://clouddocs.f5.com/training/community/iam/html/class2/module4/lab01.html