cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.
Srikanth7
F5 Employee
F5 Employee

This article is the second in a two-part series.
Go to Part 1 here: Secure Access to Web Applications with F5 and Okta using SAML 2.0 (1 of 2)

Step 2: Configure F5 BIG-IP APM as SAML SP for the Application

Refer to the step by step instructions and screenshots below to configure F5 BIG-IP APM as SAML SA for a new application called app.f5sec.net.

2.1 Import Certificate for the Application

Import the certificate for app.f5sec.net. This certificate will be later referenced when configuring the application.

•   Log in to the F5 BIG-IP System.

•  On the F5 Configuration Utility (Web UI) Main menu, navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

•   On the Traffic Certificate Management page, click the Import button on the right-hand corner.

•   On the SSL Certificate/Key Source page, select Key from the Import Type drop-down box.

•   Specify a Key Name and browse to the folder that contains the Key. After selecting the key file, click Import.

•   Back in the Traffic Certificate Management page, click on the imported Key name.

•   In the General Properties page, click on the Import button.

•   Browse to the folder that contains the Certificate. After selecting the certificate file, click Import.

0EM1T000001OPMM.png

Figure 9: Importing application certificate and key

2.2 Using Guided Configuration

The F5 BIG-IP APM Guided Configuration presents a completely new and streamlined user experience. This workflow-based architecture provides intuitive configuration steps tailored for a selected use case.

The steps below will walk through the Guided Configuration to build the application and configure F5 BIG-IP APM as SAML SP.

•   On the F5 Web UI Main menu, navigate to Access > Guided Configuration.

•   Click on the Federation tile. From the expanded option, click on the SAML Service Provider tile.

0EM1T000001OPMN.png

Figure 10: Guided configuration initial selection.

•   Take a moment to review the various configuration options on the SAML Service Provider page.

0EM1T000001OPMO.png

Figure 11: SAML Service Provider page

•   Satisfy any of the DNS, NTP, Interface, VLAN, Route, and Self IP configuration prerequisites from this initial configuration page.

•   Scroll down and click Next.

2.2.1 Configure Service Provider Properties

•   To configure these properties, follow the guidance below.

0EM1T000001OPMP.png

0EM1T000001OPMQ.png

Figure 12: Sample ‘Service Provider Properties’ configuration.

•   Accept the remaining default entries and click Save & Next.

2.2.2 Configure Virtual Server Properties

•   To configure a virtual server for the app, follow these steps.

0EM1T000001OPMR.png

0EM1T000001OPMS.png

Figure 13: Sample ‘Virtual Server Properties’ configuration.

•   Click Save & Next.

2.2.3 Configure Okta Identity Provider Connector

•   To configure Okta as the external SAML IdP provider, follow the steps below.

0EM1T000001OPO7.png

0EM1T000001OPMa.png

Figure 14: Sample Okta IdP configuration.

•   Click Save & Next.

2.2.4 Create a Pool

•   To create a load balancing pool of application servers, follow the steps below.

0EM1T000001OPMb.png

0EM1T000001OPMc.png

Figure 15: Sample ‘Pool Properties’ configuration.

•   Click Save & Next.

2.2.5 Configure Single Sign-On Settings

•   To configure Okta as the external SAML IdP provided, follow the steps below.

0EM1T000001OPO4.png

0EM1T000001OPMz.png

Figure 16: Sample ‘Single Sign-on Settings’ configuration.

•   Click Save & Next.

2.2.6 Endpoint Checks

Select the Enable Endpoint Checks radio button to enable endpoint checks. For this demonstration, we will leave this setting at default.

0EM1T000001OPN0.png

Figure 17: 'Endpoint Checks Properties' page to enable and configure endpoint checks.

•   Click Save & Next.

2.2.7 Session Management

Leave the Timeout Settings at default.

0EM1T000001OPN1.png

Figure 18: Default timeout settings

•   Click Save & Next.

2.2.8 Summary

Review the Summary screen. When done, scroll down and click Deploy.

0EM1T000001OPNT.png

Figure 20: Confirmation of a successful deployment.

•  Click on the Finish button.

This completes the F5 BIG-IP APM configuration.

Step 3: Verification

We will verify the solution by accessing app.f5sec.net.

•   Open a web browser on an end host and navigate to https://app.f5sec.net. Notice the request will be redirected to Okta.com for user authentication.

0EM1T000001OPNQ.png

Figure 21: Redirection to Okta for user authentication.

•   The application default web page prints all the headers. Notice that the HTTP_MYAUTHORIZATION header has been inserted with the appropriate value.

0EM1T000001OPNR.png

Figure 22: HTTP_MYAUTHORIZATION header inserted with user identity value.

 

Additional Resources

Part 1 - Secure Access to Web Applications with F5 and Okta using SAML 2.0

BIG-IP APM Product Information: Knowledge Center

Free Training Course: Getting Started with BIG-IP Access Policy Manager (APM)

Lightboard Lesson: F5 Access Policy Manager and Okta - Single Sign On and Multi-Factor Authentication

External Resource: F5 | Okta partnership

 

 

Version history
Last update:
‎03-Apr-2020 11:03
Updated by:
Contributors