Despite recent advances in security and identity management, controlling and managing access to applications through the web—whether by onsite/remote employees or contractors, partners, customers, or the public—is as difficult as ever. IT teams are challenged to control access based on granular characteristics such as user role while still providing fast authentication and, preferably, unified access with single sign-on (SSO) capabilities. The ability to recognize and stop attempts at unauthorized access is critical in today’s security environment.
The joint F5 BIG-IP® Access Policy Manager® (APM) and Okta identity management platform solution address these challenges. This solution provides extended access management capabilities across on-premises and cloud environments enabling organizations to secure web applications anywhere. In addition to authentication management and policy-based authorizations, the solution also supports applications with header-based and Kerberos based authentication.
The F5 and Okta Solution
In this SAML 2.0 integrated solution (shown in Figure 1),
• Okta is the Identity Provider (IdP). Users can be defined locally within Okta. In most cases, an on-premises Active Directory and/or LDAP is the source of identities and is integrated with Okta via Okta’s AD/LDAP agent.
• Between Okta and the F5 BIG-IP system, a SAML trust is built with the BIG-IP platform acting as a SAML service provider (SP).
• The target applications are protected behind the BIG-IP reverse proxy by header-based or Kerberos authentication.
• SAML assertion from Okta is consumed by the BIG-IP system, which then translates the assertion appropriately for the downstream application based on its authentication scheme.
Figure 1: The basic integration between the F5 BIG-IP system and Okta for single sign-on (SSO)
This procedure described below is based on a lab environment. The instructions below may be modified to match your specific needs or requirements.
• Refer to AskF5 for additional information, including how to initially set up a BIG-IP environment including basic BIG-IP® Local Traffic Manager® (LTM) and BIG-IP APM configurations. F5 BIG-IP TMOS® version 15.1 is used for this demonstration. However, these practices apply for versions 11.0 and later.
• For additional information about configuring the Okta portion of the solution, refer to Okta documentation.
Step 1: Configure Okta as SAML IDP for a New Application
Refer to the step by step instructions and screenshots below to configure Okta as a SAML IdP for a new application called app.f5sec.net.
1.1 Okta Classic User Interface
For this lab demonstration, we are using the Okta developer account. Click here to sign up for an Okta developer account, if you don’t already have one.
• Log in to the Okta developer portal using your username and password.
• For this demonstration, we will be using the Classic UI. On the top left corner of the developer portal, change the drop-down from Developer Console to Classic UI.
Figure 2: Switching the Okta user interface to the Classic option.
1.2 Build a New Application
We will build a new web application for SAML 2.0 integration.
• On the main menu, hover on the Applications tab and click on Applications.
• On the Applications page, click on the Add Application button.
• On the Add Application page, click on the Create New App button.
• In the Create a New Application Integration dialogue box, select the Web option in the Platform drop-down and SAML 2.0 as the Sign on method and click Create.
Figure 3: Creating a new application for SSO using SAML 2.0
• On the Create SAML Integration page, under the General Setting section, enter the app name and click Next.
Figure 4: Entering the app name
• In the SAML Settings section, under the GENERAL options, enter the Single sign on URL and the Audience URI.
Figure 5: Sample SAML configuration
• Leave all other values as default and click Next.
• In the next section, check the radio button that says, “I’m an OKTA customer adding an internal app”.
• In the expanded window, select “This is an internal app that we have created” for App Type and click on Finish.
Figure 6: Sample feedback configuration
• In the resulting application page for app.f5sec.net, navigate to the SAML 2.0 section.
• Right-click the Identity Provider Metadata hyperlink and click Save Link As.
• Save the metadata.xml to the local system. We will be using this file later when configuring F5 BIG-IP APM as SAML SP.
Figure 7: Exporting the IdP metadata
1.3 Assign Users to the Application
Next, we will assign users to the application, granting them access.
• Scroll up and click on the Assignments tab beneath app.f5sec.net.
• Click on the Assign button and then again click Assign to People from the drop-down.
• In the pop-up dialog box, click on the Assign button next to all the users that you want to assign access to app.f5sec.net web application.
• When finished, click Done.
Figure 8: Assigning users to the application
This completes the Okta configuration. Next, we will move on to F5 BIG-IP APM for SAML SP and web app configuration.