Technical Articles
Kai_Chung
F5 Employee

Introduction

Edge Client 7.2.1 supports the OAuth 2.0 authentication flow for native applications. When this feature is configured by the administrators of the BIG-IP system, authentication is performed entirely in the browser. The user does not have to sign in again when accessing a web application in a browser that uses the same authentication method.

This feature also allows the use of any multi-factor or passwordless authentication that is supported by the browser.


Deploying Okta YubiKey Authentication and BIG-IP APM integration

Supports YubiKey and other U2F/FIDO based authentication systems

Edge Client 7.2.1 for macOS and Windows can now behave as an OpenID Connect (OIDC) client, obtain a bearer token and present it to APM for authentication. Rather than using Edge Client's embedded browser, the OIDC support provides a consistent authentication experience by invoking an external browser (the default browser for the OS) from the Edge Client, enabling multi-factor authentication (MFA) and Single Sign-On across multiple applications.

Beginning with BIG-IP version 16.0.0, the connectivity profile has OAuth Settings that allow administrators to specify the OIDC server discovery endpoint, Client ID, Scopes, and the Complete Redirection URI. With this release, Edge Client provides the following abilities:

·     Use security keys such as YubiKey, U2F, and FIDO authentication systems as an additional factor of authentication

·     Support password-less authentication through public key registration and authentication

·     Single Sign-On for Edge Client and other enterprise apps that share a common IDP

The figure below shows how the external browser is redirected to the authorization endpoint of the IDP for OAuth authentication, and how the second factor of authentication is completed using the token endpoint.

[Figure: external browser redirected to the IDP authorization endpoint; second factor completed via the token endpoint]

In this document, the focus is on using YubiKey as the MFA token and Okta as the IDP service.

YubiKey is a hardware-based multi-factor and passwordless authentication device. By adding YubiKey authentication, the application is protected by another layer of security that verifies the identity of the user. For more information, visit Yubico's website: https://www.yubico.com/products/

For YubiKey and Okta MFA configuration, please follow the instructions in this document:

https://devcentral.f5.com/s/articles/Application-access-using-YubiKey-Authentication-with-APM-and-Ok...

Requirements

The following software versions are the minimum versions required to perform the configuration below; an Identity Provider (IDP) account is also required:

·     BIG-IP version: 16.0

·     Edge Client version: 7.2.1

·     IDP: Okta account


Configure F5 BIG-IP APM and Okta

Use this section to configure APM so that the VPN uses OAuth authentication with Okta as the IDP for YubiKey factor authentication.

To configure and test YubiKey using Okta Multi-factor with APM, perform the following tasks:

·     Configure VPN Network Access

·     Configure Access Profile

·     Configure Virtual Server

·     Configure Applications in Okta

·     Configure Authorization Server Access Policy in Okta

·     Configure Edge Client OAuth Settings

·     Configure Access Profile Visual Policy Editor

Configure VPN Network Access

Step 1:    Navigate to Access>Connectivity/VPN>Network (VPN)>+ sign, enter the following information and click Finished:

·     Name—VPNDefault

·     Caption—VPN_Default

Step 2:    Click on the Networking Settings tab and click on the + sign next to IPV4 Lease Pool.

Step 3:    In the New IPV4 Lease Pool window, enter the following information, click Add and then click Finished:

·     Name—NAT_Pool

·     IP Address Range—select

·     Start IP Address—192.168.1.100

·     Ending IP Address—192.168.1.200

·     Add—click

Step 4:    Click the DNS/Hosts tab, enter the following information and click Update.

·     IPV4 Primary Name Server—1.1.1.1

Step 5:    Navigate to Access>Webtops>Webtop Lists>+ sign, enter the following information and click Finished.

·     Name—VPN_Webtops

·     Type—Full

·     Customization Type—Modern


Configure Access Profile

Step 6:    Navigate to Access>Profiles/Policies>Access Profiles (Per-Session Policies)>+ sign, enter a Name (later steps refer to this profile as VPN_Access) and select All for the Profile Type option.

Step 7:    In the Languages option, select English (EN), click << and click Finished.


Configure Virtual Server

Step 8:    Navigate to Access>Virtual Servers>Virtual Server List>+ sign, enter the following information and then move to the next step:

·     Name—VPN_VS

·     Destination Address/Mask—10.1.10.10

·     Service Port—443 HTTPS

Step 9:    In the HTTP Profile (Client) option, select http and then move to the next step.

Step 10: In the SSL Profile (Client) option, select clientssl-secure, click << and then move to the next step.

Step 11: In the Access Profile option, select VPN_Access and click on the + sign next to Connectivity Profile.

Step 12: In the Create New Connectivity Profile pop-up window, enter the following information and click OK.

·     Profile Name—VPN_Connectivity

·     Parent Profile—/Common/connectivity

·     FEC Profile—None

Step 13: Back in the New Virtual Server window, click Finished.


Configure OAuth Server

Step 14: Log on to your Okta account, navigate to API>Authorization Servers and click Add Authorization Server.

Step 15: In the Add Authorization Server pop-up window, enter the following information and click Save.

·     Name—F5_VPN

·     Audience—api://default

Step 16: In the F5_VPN Settings window, highlight the following information and copy it.

·     Issuer—https://dev-779340.okta.com/oauth2/ausqyzymejeyI9UmX4x6

Step 17: Go back to BIG-IP APM, navigate to Access>Federation>OAuth Client / Resource Server>Provider>+ sign, enter the following information and move to the next step.

·     Name—VPN_OAuth

·     Type—Okta

Step 18: In the OpenID URI option, replace the following part of the URI with the Issuer copied in Step 16 and click Save.

·     Replace—https://okta-oauth.local/

·     With—https://dev-779340.okta.com/oauth2/ausqyzymejeyI9UmX4x6 (copied in Step 16)

·     Retain—.well-known/openid-configuration

·     Final URI—https://dev-779340.okta.com/oauth2/ausqyzymejeyI9UmX4x6/.well-known/openid-configuration

Step 19: Navigate to Access>Federation>JSON Web Token>Provider List>+ sign, enter the following information and click Save.

·     Name—VPN_JWT

·     Access Token Expires in—60

·     Provider—/Common/VPN_OAuth (click Add)

Step 20: Navigate to Access>Federation>JSON Web Token>Token Configuration, click auto_jwt_VPN_OAuth, enter the following information, click Add and then click Save.

·     Audience—api://default (click Add)
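Steps 18 to 20 configure what APM will later enforce in the VPE with Token Validation Mode set to Internal: the discovery URI is derived from the Issuer, and a bearer token is only accepted if it was signed by that provider, is addressed to the api://default audience, and is still valid. The following Python is an added example written for this article; it is not F5's or Okta's code. It uses the Issuer and Audience values from the steps above, but the signing key, the timestamps and the HS256 signature are constructed so that it runs offline (Okta signs access tokens with RS256 keys published at the discovery document's jwks_uri, which a real validator fetches rather than shares a secret with).

```python
# Added example (not F5's or Okta's code): the APM-side checks from Steps 18-20
# as stand-alone Python. The key and timestamps are constructed, and HS256 stands
# in for the RS256 signature Okta really uses, so the script runs offline.
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://dev-779340.okta.com/oauth2/ausqyzymejeyI9UmX4x6"  # Issuer copied in Step 16
AUDIENCE = "api://default"                                           # Audience from Steps 15 and 20


def discovery_uri(issuer):
    """Step 18: the OpenID URI is the issuer plus the fixed well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, key):
    """Mint a constructed HS256 JWT so the validator has something to check."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_token(token, key, issuer, audience, now=None):
    """Return (accepted, reason).

    These are the facts an internal token validation has to establish before the
    session is allowed: the signature verifies under a pinned algorithm, the token
    was issued by the configured provider, it names this audience, and the current
    time is inside its validity window.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm: the token's own header must never select 'none' or a weaker alg.
    if header.get("alg") != "HS256":
        return False, "unsupported alg"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "missing exp"
    if now >= exp:
        return False, "token expired"
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf:
        return False, "token not yet valid"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; stands in for the provider's signing key
    now = 1_700_000_000            # constructed "current time" so results are repeatable
    good = make_token({"iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + 60,
                       "sub": "user@example.com"}, key)
    print(discovery_uri(ISSUER))
    print(validate_token(good, key, ISSUER, AUDIENCE, now))
    print(validate_token(make_token({"iss": ISSUER, "aud": "api://other", "exp": now + 60}, key),
                         key, ISSUER, AUDIENCE, now))
```

The order of the checks is deliberate: algorithm and signature are settled before any claim is read, so an attacker-controlled payload never influences which key or issuer the validator trusts. Reject reasons are returned rather than raised so a caller can log them, which is what makes a sudden run of "issuer mismatch" or "audience mismatch" results visible in APM logs as a misconfiguration or a token replayed from another application.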

Step 21: Log on to Okta, navigate to Applications and then click Add Application.

Step 22: In the Create New Application 1 Platform window, select Native (iOS, Android) and then click Next.

Step 23: In the Create New Application 2 Settings window, leave the defaults, enter the following information and click Done.

·     Name—Edge Client

·     Login redirect URIs—http://localhost:8000/

·     Logout redirect URIs—Blank

Step 24: Click on the Sign On tab and then click on Add Rule.

Step 25: In the App Sign On Rule pop-up window, leave the defaults, enter the following information and click Save.

·     When all the conditions above are met…—Prompt for factor

·     Multifactor Settings—Every sign on


Configure Authorization Server Access Policy in Okta

Step 26: Navigate to API>Authorization Servers and click on F5_VPN.

Step 27: In the F5_VPN window, click on the Access Policies tab and then click on Add New Access Policy.

Step 28: In the Add Policy pop-up window, enter the following information and click Create Policy.

·     Name—VPN

·     Description—VPN

·     Assigned to—The following clients: (Edge Client)

Step 29: Back in the F5_VPN window, on the Access Policies tab, click Add Rule.

Step 30: In the Add Rule pop-up window, leave the defaults, enter the following information and click Create Rule.

·     Name—vpn

·     IF Grant type is—Implicit (uncheck)

·     IF Grant type is—Resource Owner Password (uncheck)

·     AND Scope requested—The following scopes: (select)

·     The following scopes—openid profile (type in the field)
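The Introduction describes the flow these Okta steps enable: the client hands off to the external browser, the browser is sent to the authorization endpoint, and the response comes back to the loopback redirect URI registered in Step 23 before the code is exchanged at the token endpoint, restricted to the openid profile scopes by the rule in Step 30. The following Python is an added example of that browser-side leg, written for this article; it is not Edge Client's or Okta's code and does not show how Edge Client itself is implemented. It uses the Issuer, Client ID (from Step 31), redirect URI and scopes from this guide. The discovery document is a constructed subset, and the /v1/authorize and /v1/token paths are assumed here; a real client reads them from the Step 18 discovery URI. The state parameter and PKCE (RFC 7636) are not mentioned on this page; they are added because they are the standard protections for a native app receiving a redirect on localhost, so the example goes a little beyond the text.

```python
# Added example (not F5's, Edge Client's or Okta's code): the authorization-code
# leg of the native-app flow, with the values configured in this guide.
import base64
import hashlib
import secrets
import urllib.parse

ISSUER = "https://dev-779340.okta.com/oauth2/ausqyzymejeyI9UmX4x6"   # Step 16
CLIENT_ID = "0oaqyxogtvilho6ST4x6"                                     # Step 31
REDIRECT_URI = "http://localhost:8000/"                                # Step 23
SCOPES = "openid profile"                                              # Step 30

DISCOVERY = {  # constructed subset; endpoint paths are assumed, the live document comes from Step 18's URI
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/v1/authorize",
    "token_endpoint": ISSUER + "/v1/token",
}


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_pkce_verifier():
    """High-entropy code_verifier kept private to this client for one flow."""
    return b64url(secrets.token_bytes(32))


def pkce_challenge(verifier):
    """S256 code_challenge (RFC 7636): the IDP stores this and later demands the verifier."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(discovery, state, code_challenge):
    """Authorization-code request the client opens in the external browser."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return discovery["authorization_endpoint"] + "?" + urllib.parse.urlencode(params)


def parse_loopback_redirect(request_target, expected_state):
    """Handle the GET the browser sends to http://localhost:8000/ and return the code.

    A missing or mismatched state means the response did not originate from the
    request this client made, so it is refused instead of being exchanged.
    """
    q = urllib.parse.parse_qs(urllib.parse.urlparse(request_target).query)
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    got_state = q.get("state", [None])[0]
    if got_state is None or not secrets.compare_digest(got_state, expected_state):
        raise ValueError("state mismatch")
    if "code" not in q:
        raise ValueError("no authorization code in response")
    return q["code"][0]


def build_token_request(discovery, code, code_verifier):
    """Endpoint and form body for the back-channel exchange; the IDP checks that
    SHA-256(code_verifier) matches the challenge sent with the authorization request."""
    return discovery["token_endpoint"], {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    state = b64url(secrets.token_bytes(16))
    verifier = new_pkce_verifier()
    print(build_authorization_url(DISCOVERY, state, pkce_challenge(verifier)))
    # Constructed redirect as the browser would deliver it to the loopback listener.
    code = parse_loopback_redirect(f"/?code=constructed-code&state={state}", state)
    print(build_token_request(DISCOVERY, code, verifier))
```

Because a loopback redirect URI is plain http, anything on the machine that can open the port before the client does could receive the authorization response; PKCE makes a code captured that way useless without the verifier, and the state check stops a forged redirect from being exchanged. The second value returned by `build_token_request` is what goes in the POST body to the token endpoint; the bearer token that comes back is what Edge Client then presents to APM.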


Configure Edge Client OAuth Settings

Step 31: In Okta, navigate to Applications, click ACTIVE and copy the following information under Edge Client.

·     Client ID—0oaqyxogtvilho6ST4x6

Step 32: In APM, navigate to Access>Connectivity>Profile, select VPN_Connectivity and click Edit Profile.

Step 33: In the Edit Connectivity Profile pop-up window, paste the following information copied in Step 31 and click OK.

·     Client ID—0oaqyxogtvilho6ST4x6


Configure Access Profile Visual Policy Editor (VPE)

Step 34: Navigate to Access>Profiles / Policies>Access Profiles (Per-Session Policies) and click Edit for VPN_Access under the Per-Session Policy column to open the VPE in a separate browser tab.

Step 35: In the VPE window, click on Deny.

Step 36: In the Select Ending: window, select the following and click Save.

·     Allow

Step 37: Back in the VPE window, click on the + sign between Start and Allow.

Step 38: In the pop-up window, type advanced in the search field, select the following and click Add Item.

·     Advanced Resource Assign

Step 39: In the Properties* tab, click Add new entry and then click Add/Delete.

Step 40: Click the Network Access 1/1* tab, select the following and then click Show 7 more tabs.

·     /Common/VPN_Default

Step 41: Click the Webtop 1/1* tab, select the following, click Update to close the pop-up window and then click Save.

·     /Common/VPN_Webtops

Step 42: In the VPE window, click the + sign between Start and Advanced Resource Assign.

Step 43: In the pop-up window, type oauth in the search field, select the following and click Add Item.

·     OAuth Scope

Step 44: Select the following information and click Save.

·     Token Validation Mode: Internal

·     JWT Provider List: /Common/VPN_JWT

Step 45: Back in the VPE window, click Apply Access Policy.

This section completes the configuration of APM and Okta.


Test VPN MFA with Mobile MFA or YubiKey

Step 1:    Install Edge Client 7.2.1. Download and installation instructions can be found here:

·      BIG-IP Edge Client for Windows

·      BIG-IP Edge Client and F5 Access for macOS

Step 2:    Open Edge Client and click Connect to the APM Virtual Server IP configured in Step 8 of the previous section.

Step 3:    Once the connection is established, the default browser opens. In the browser, log in using a user account (do not use an admin account).

Step 4:    If no YubiKey is present, use Mobile MFA to log in.

Step 5:    If a YubiKey is present, touch the YubiKey.

Step 6:    If MFA is successful, the browser shows a message that the connection succeeded.


Resources

BIG-IP Knowledge Center

BIG-IP APM Knowledge Center

Configuring Single Sign-On with Access Policy Manager


Validated Products and Versions

BIG-IP APM 16.0

Edge Client 7.2.1


What’s New in This Version

The following changes have been made since F5 last published this guide:

•     This is a new guide.

Last update: 16-Oct-2020 08:57