
Keycloak as IDP for F5 APM via SAML

Pisitpong_vis
Nimbostratus

I have a requirement from our customer to do MFA authentication on the F5 APM module and use Keycloak as the identity provider to control their access to a web application. Since Keycloak is operated by a different team, the internal operations team is not authorized to do MFA on Keycloak. They will use F5 APM to perform MFA instead.

Existing environment.

Pisitpong_vis_0-1655716791229.png

Solution

Protect your web application by deploying F5 as a web proxy.

Pisitpong_vis_1-1655716812831.png

Configuration

Import your SAML metadata into F5 APM

Start by logging in to your Keycloak console and downloading the SAML metadata.

Make sure you have the right realm selected.

Pisitpong_vis_2-1655717054782.png

Save your metadata.

Pisitpong_vis_3-1655717054790.png

Navigate to the External IdP Connector console

Pisitpong_vis_4-1655717054796.png

Create an External IdP connector

Pisitpong_vis_5-1655717054807.png

Upload the metadata you downloaded previously and name your SAML IdP connector.

Pisitpong_vis_6-1655717054809.png

Create your web.f5test.com certificate.

Navigate to the SSL Certificate List console

Pisitpong_vis_7-1655717214878.png

Create your new certificate.

Pisitpong_vis_8-1655717214894.png

Configure your parameters and click Finish.

Pisitpong_vis_9-1655717214904.png

Create your Local SP Service

Navigate to the Local SP Services console

Pisitpong_vis_10-1655717808041.png

Click Create to add a new SP service.

Pisitpong_vis_11-1655717808053.png

Enter the name, Entity ID and SP Name settings.

Pisitpong_vis_12-1655717808062.png

Configure POST as the Assertion Consumer Service binding.

Pisitpong_vis_13-1655717808070.png

Configure the security settings with the certificate generated earlier and click OK.

Pisitpong_vis_14-1655717808080.png

Bind your SP service to the IdP connector

Select your newly created SP service.

Pisitpong_vis_15-1655717808087.png

Add a new row and select your IdP connector.

Pisitpong_vis_16-1655717808098.png

Import your SP service into Keycloak

Export your SP service.

Pisitpong_vis_17-1655718161400.png

Create a new client in Keycloak.

Pisitpong_vis_18-1655718161410.png

Select the file downloaded in the previous section.

Pisitpong_vis_19-1655718161417.png

Click Save.

Pisitpong_vis_20-1655718161423.png
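The two files exchanged in the post above (the Keycloak IdP metadata imported into APM, and the APM SP metadata imported into Keycloak) are where most SAML setups go wrong. The following is an added example, not code from the original post or from F5 or Keycloak: it parses both descriptors with the Python standard library and reports the checks worth clearing before testing the login flow (signing certificate present, an HTTP-POST SSO endpoint on the IdP, an HTTPS HTTP-POST Assertion Consumer Service on the SP, signed assertions required). The embedded metadata is constructed to mimic the shape of Keycloak and APM output; the hostname keycloak.example.test, the realm name, the ACS path and the certificate bytes are assumptions, and the certificate is not real DER, so the fingerprint only demonstrates the computation.

```python
"""Sanity-check the IdP and SP SAML metadata exchanged between Keycloak and APM.
Added example; the embedded metadata is constructed, not real Keycloak/APM output."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like a Keycloak realm's IdP descriptor
# (hostname, realm and certificate bytes are made up).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.test/realms/f5test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>AAECAwQFBgcICQoLDA0ODw==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.test/realms/f5test/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.test/realms/f5test/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample shaped like the SP metadata APM exports for web.f5test.com
# (the ACS path is an assumption).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://web.f5test.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://web.f5test.com/saml/sp/profile/post/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp(xml_text):
    """Return entityID, SSO endpoints keyed by binding, and SHA-256 fingerprints of signing certs."""
    root = ET.fromstring(xml_text)
    desc = root.find("md:IDPSSODescriptor", NS)
    sso = {e.get("Binding"): e.get("Location")
           for e in desc.findall("md:SingleSignOnService", NS)}
    fingerprints = []
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys do not sign assertions
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip PEM-style line breaks
            digest = hashlib.sha256(der).hexdigest()
            fingerprints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_fingerprints": fingerprints}


def parse_sp(xml_text):
    """Return entityID, the list of (binding, location) ACS endpoints, and the signing requirement."""
    root = ET.fromstring(xml_text)
    desc = root.find("md:SPSSODescriptor", NS)
    acs = [(e.get("Binding"), e.get("Location"))
           for e in desc.findall("md:AssertionConsumerService", NS)]
    return {"entity_id": root.get("entityID"),
            "acs": acs,
            "want_signed": desc.get("WantAssertionsSigned") == "true"}


def check_pairing(idp, sp):
    """Findings to clear before testing the login flow; an empty list means the pair looks sane."""
    findings = []
    if not idp["signing_fingerprints"]:
        findings.append("IdP metadata has no signing certificate; APM cannot validate assertions")
    if POST_BINDING not in idp["sso"]:
        findings.append("IdP exposes no HTTP-POST SingleSignOnService endpoint")
    if not any(b == POST_BINDING for b, _ in sp["acs"]):
        findings.append("SP has no HTTP-POST AssertionConsumerService")
    for _, loc in sp["acs"]:
        if not loc.startswith("https://"):
            findings.append(f"ACS {loc} is not HTTPS; assertions would travel in clear")
    if not sp["want_signed"]:
        findings.append("SP does not require signed assertions")
    if idp["entity_id"] == sp["entity_id"]:
        findings.append("IdP and SP share an entityID; Keycloak will reject the client")
    return findings


if __name__ == "__main__":
    idp, sp = parse_idp(IDP_METADATA), parse_sp(SP_METADATA)
    print("IdP:", idp["entity_id"], "signing certs:", idp["signing_fingerprints"])
    print("SP :", sp["entity_id"], "ACS:", sp["acs"])
    print("findings:", check_pairing(idp, sp) or "none")
```

Run it against the real files by replacing the two embedded strings with the contents of the downloaded Keycloak metadata and the exported APM SP metadata; the signing-certificate fingerprint it prints is the one to compare with what APM shows in the IdP connector after import.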


1 REPLY 1

Pisitpong_vis
Nimbostratus

Create an Access Policy

Navigate to the Access Policy console

Pisitpong_vis_23-1655718919316.png

Name the access policy, select the language and click Finish.

Pisitpong_vis_24-1655718945228.png

Pisitpong_vis_25-1655718945237.png

Edit your newly created policy.

Pisitpong_vis_26-1655718945248.png

Click Add.

Pisitpong_vis_27-1655718945254.png

Add SAML Auth.

Pisitpong_vis_28-1655718945263.png

Configure SAML Auth with the SP service created earlier.

Pisitpong_vis_29-1655718945270.png

Add OTP Generate.

Pisitpong_vis_30-1655718945279.png

Configure the OTP with 6 digits and click Finish.

Pisitpong_vis_31-1655718977126.png

Click Add.

Pisitpong_vis_32-1655718977135.png

Add a Logon Page.

Pisitpong_vis_33-1655718977146.png

Change the username field to NONE, configure the GUI fields and save.

Pisitpong_vis_34-1655718977160.png

Click Add.

Pisitpong_vis_35-1655718977168.png

Add OTP Verify.

Pisitpong_vis_36-1655718977181.png

Use the default settings.

Pisitpong_vis_37-1655718977190.png

Click Add.

Pisitpong_vis_38-1655718977199.png

Add an Email action to send your OTP.

Pisitpong_vis_39-1655718977213.png

Configure the email settings.

Pisitpong_vis_40-1655718977223.png

Apply your access policy.

Pisitpong_vis_42-1655719017328.png

Create a New VIP

Navigate to the Virtual Server console

Pisitpong_vis_43-1655719069288.png

Configure the parameters for your VIP.

Pisitpong_vis_44-1655719069298.png

Apply the access policy and pool, then click Finish.

Pisitpong_vis_45-1655719069304.png

Test your application by accessing https://web.f5test.com.

Pisitpong_vis_46-1655719069312.png
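The OTP Generate, Email and OTP Verify agents in the reply above form an issue-and-verify loop whose safety depends on what "the default settings" leave in place: a 6-digit code is only a million guesses, so it must expire, be single use, and lock after a few wrong tries. The block below is an added illustration of that logic in plain Python; it is not APM's implementation and not code from the original post. The five-minute expiry and the three-attempt cap are assumed values; only the 6-digit length comes from the policy.

```python
"""Issue/verify logic of the kind the OTP Generate and OTP Verify agents perform.
Added illustration; not APM's implementation. TTL and attempt cap are assumptions."""
import hmac
import secrets
import time

OTP_DIGITS = 6          # the 6-digit setting chosen in the policy
OTP_TTL_SECONDS = 300   # assumption: a code dies five minutes after it is emailed
MAX_ATTEMPTS = 3        # assumption: cap guesses, since 10**6 codes is brute-forceable


class OtpStore:
    """Per-session OTP state, keyed by session id so a code never crosses sessions.
    `now` is injectable so the expiry path can be exercised without sleeping."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # session_id -> (code, expires_at, attempts_left)

    def generate(self, session_id):
        # secrets, not random: the code must be unpredictable to an attacker
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[session_id] = (code, self._now() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        return code  # handed to the Email agent; never write it to logs

    def verify(self, session_id, submitted):
        """Return (accepted, reason). Any terminal outcome discards the pending code."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False, "no pending code"
        code, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[session_id]
            return False, "expired"
        # compare_digest keeps the timing independent of how many digits match
        if hmac.compare_digest(code.encode(), str(submitted).strip().encode()):
            del self._pending[session_id]  # single use: a replayed code fails
            return True, "ok"
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[session_id]  # force a fresh code; no unlimited guessing
            return False, "locked"
        self._pending[session_id] = (code, expires_at, attempts_left)
        return False, f"wrong code, {attempts_left} attempts left"


if __name__ == "__main__":
    store = OtpStore()
    code = store.generate("demo-session")
    print("emailed code:", code)
    print(store.verify("demo-session", "000000"))
    print(store.verify("demo-session", code))
    print(store.verify("demo-session", code))  # replay is rejected
```

When reviewing the real policy, confirm the equivalent three properties in the OTP Verify agent's settings (expiry, single use, a bounded number of failures before the branch falls to Deny) rather than assuming the defaults provide them.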