Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

Are you an expert?    Interested in presenting at F5 AppWorld 2024?    Submit a proposal by Nov 29th!

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

momahdy
F5 Employee
F5 Employee

on ‎02-Oct-2023 05:00 - edited on ‎04-Oct-2023 16:04 by Community Manager

Introduction

In the following guide we are configuring Federated AWS Console Access through BIG-IP APM as Identity Provider (IdP). With AWS console we need to be very careful about granting access, checking endpoint and apply Multi-Factor Authentication (MFA). 

Architecture

The expected traffic flow follows the below path, 

  • User Access F5 APM portal.
  • F5 APM applies EndPoint inspection and user authentication.
  • Once the user is authenticated, APM redirects user browser to AWS Console with SAML assertion.
  • AWS Console verifies the assertion, the assigned role and allow the proper access to the user.

momahdy_1-1695375665143.png

Configurations steps

let's list the steps to perform the configurations.

F5 APM Configurations

  • Head to Access > Access Guided Configurations > Select SAML Identity provider template

momahdy_0-1695381587820.png

  • Configure IdP settings.

momahdy_1-1695381738452.png

  • Configure Virtual Server settings or select one that's already created.

momahdy_2-1695381801879.png

  • Specify Authentication and MFA settings.

momahdy_3-1695381859143.png

  • Select proper SaaS Application template (Amazon Web Services in our case)

momahdy_4-1695382104279.png

  • Configure the AWS Application settings,
    • Mention IdP name configured at AWS console.
    • Mention IdP role name created at AWS console. 

momahdy_5-1695382260950.png

  • EndPoint checks and inspection

momahdy_0-1695393781213.png

  • Then adjust session management parameters as per requirements and customization for the web portal and Deploy.

Here's how the final policy should look like,

momahdy_1-1695397201953.png

Note, you can make use of authentication part to fetch the proper role per user and communicate that to AWS Console, so each user is assigned to the proper role.

AWS Console Configurations

  • Create IdP settings from AWS Console > IAM > Identity Providers

momahdy_2-1695397394012.png

  • Make sure to assign proper roles to the Identity Provider and make sure the role got "sts:AssumeRoleWithSAML" Allow.

momahdy_3-1695397492144.png

 

Conclusion

Using Access Guided Configurations, it's easy to secure and simplify access to AWS Console and we can extend our existing Identity services to facilitate and authorize access to AWS Console.

In addition to authorizing users, you can make use of F5 APM endpoint inspection and further integrations with 3rd parties through HTTP connectors and iRules.

Related Contents

 

0 Kudos
Version history
Last update:
‎04-Oct-2023 16:04
Updated by:
Community Manager
Contributors
Copyright © 2023 Khoros, LLC