Azure Active Directory and BIG-IP APM Integration
Introduction Security is one of the primary considerations for organizations in determining whether or not to migrate applications to the public cloud. The problem for organizations with applications in the cloud, in a data center, managed, or as a service, is to create a cost-effective hybrid architecture that produces secure application access and a great experience that allows users to access apps easily, have consistent user experiences, and enjoy easy access with single-sign-on (SSO) tied to a central identity and authentication strategy. Some applications are not favorable to modernization. There are applications that are not suited for, or incapable of, cloud migration. Many on-premises apps do not support modern authentication and authorization, including standards and protocols such as SAML, OAuth, or OpenID Connect (OIDC). An organization may not have the staff talent or time to perform application modernization for their on-premises apps. With thousands of apps in use daily, hosted in all or any combination of these locations, how can organizations ensure secure, appropriate user access without requiring users to login in multiple times? In addition, how can organizations terminate user access to each application without having to access each app individually? By deploying Microsoft Azure Active Directory, Microsoft’s comprehensive cloud-based identity platform, along with F5’s trusted application access solution, Access Policy Manager (APM), organizations are able to federate user identity, authentication, and authorization and bridge the identity gap between cloud-based (IaaS), SaaS, and on-premises applications. Figure 1 Secure hybrid application access This guide discusses the following use cases: · Users use single sign-on to access applications requires Kerberos-based authentication. · Users use single sign-on to access applications requires header-based authentication. Microsoft Azure Active Directory and F5 BIG-IP APM Design For organizations with a high security demand with low risk tolerance, the need to keep all aspects of user authentication on premise is required. The Microsoft Azure Active Directory and F5 BIG-IP APM solution integrates directly into AAD configured to work cooperatively with an existing Kerberos based, header based or variety of authentication methods. The solution has these components: • BIG-IP Access Policy Manager (APM) • Microsoft Domain Controller/ Active Directory (AD) • Microsoft Azure Active Directory (AAD) • Application (Kerberos-/header-based authentication) Figure 2 APM bridge SAML to Kerberos/header authentication components Figure 3 APM bridge SAML to Kerberos authentication process flow Deploying Azure Active Directory and BIG-IP APM integration The joint Microsoft and F5 solution allow legacy applications incapable of supporting modern authentication and authorization to interoperate with Azure Active Directory. Even if an app doesn’t support SAML, and only is able to support header- or Kerberos-based authentication, it can still be enabled with single sign-on (SSO) and support multi-factor authentication (MFA) through the F5 APM and Azure Active Directory combination. Azure Active Directory as an IDaaS delivers a trusted root of identity to APM creating a bridge between modern and legacy applications, delivering SSO and securing the app with MFA. Adding F5 from the gallery To configure the integration of BIG-IP APM into Azure AD, you need to add F5 from the gallery to your list of managed SaaS apps. Sign-on to the Azure portal using either a work or school account, or a personal Microsoft account. On the left navigation pane, select the Azure Active Directory service. Navigate to Enterprise Applications and then select All Applications. To add new application, select New application. In the Add from the gallery section, type F5 in the search box. Select F5 from results panel and then add the app. Wait a few seconds while the app is added to your tenant. Configuring Microsoft Azure Active Directory Configure and test Azure AD SSO with F5 using a test user called A.Vandelay. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in F5. To configure and test Azure AD SSO with F5, complete the following building blocks: Configure Azure AD SSO - to enable your users to use this feature. Create an Azure AD test user - to test Azure AD single sign-on with A.Vandelay. Assign the Azure AD test user - to enable A.Vandelay to use Azure AD single sign-on. Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal. In the Azure portal, on the F5 application integration page, find the Manage section and select single sign-on. On the Select a single sign-on method page, select SAML. On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode, enter the values for the following fields: In the Identifier text box, type a URL using the following pattern: https://<YourCustomFQDN>.f5.com/ In the Reply URL text box, type a URL using the following pattern: https://<YourCustomFQDN>.f5.com/ Click Set additional URLs and perform the following step if you wish to configure the application in SP initiated mode: In the Sign-on URL text box, type a URL using the following pattern: https://<YourCustomFQDN>.f5.com/ Note These values are for only used for illustration. Replace these them with the actual Identifier, Reply URL and Sign-on URL. Refer to the patterns shown in the Basic SAML Configuration section in the Azure portal. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and select Download to download the certificate and save it on your computer. On the Set up F5 section, copy the appropriate URL(s) based on your requirement. Create an Azure AD test user In this section, you'll create a test user in the Azure portal called A.Vandelay. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users. Select New user at the top of the screen. In the User properties, follow these steps: In the Name field, enter A.Vandelay. In the User name field, enter the username@companydomain.extension. For example, A.Vandelay@contoso.com. Select the Show password check box, and then write down the value that's displayed in the Password box. Click Create. Assign the Azure AD test user In this section, you'll enable A.Vandelay to use Azure single sign-on by granting access to F5. In the Azure portal, select Enterprise Applications, and then select All applications. In the applications list, select F5. In the app's overview page, find the Manage section and select Users and groups. Select Add user, then select Users and groups in the Add Assignment dialog. In the Users and groups dialog, select A.Vandelay from the Users list, then click the Select button at the bottom of the screen. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate role for the user from the list and then click the Select button at the bottom of the screen. In the Add Assignment dialog, click the Assign button. Configure F5 BIG-IP APM Configure your on-premise applications based on the authentication type. Configure F5 single sign-on for Kerberos-based application Open your browser and access BIG-IP. You need to import the Metadata Certificate into the F5 (Kerberos) which will be used later in the setup process. Go to System > Certificate Management > Traffic Certificate Management >> SSL Certificate List. Click on Import of the right-hand corner. Additionally you also need an SSL Certificate for the Hostname (Kerbapp.superdemo.live), in this example we used Wildcard Certificate. Go to – F5 BIG-IP Click Access > Guided Configuration > Federation > SAML Service Provider. Specify the Entity ID (same as what you configured on the Azure AD Application Configuration). Create a new Virtual Server, Specify the Destination Address. Choose the Wild Card Certificate (or Cert you uploaded for the Application) that we uploaded earlier and the Associated Private Key. Upload the Configuration Metadata and Specify a new Name for SAML IDP Connector and you will also need to specify the Federation Certificate that was uploaded earlier. Create New Backend App Pool, specify the IP Address(s) of the Backend Application Servers. Under Single Sign-on Settings, choose Kerberos and Select Advanced Settings. The request needs to be created in user@domain.suffix. Under the username source specify session.saml.last.attr.name.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname. Refer Appendix for complete list of variables and values. Account Name Is the F5 Delegation Account Created ( Check F5 Documentation). Under Endpoint Checks Properties , click Save & Next. Under Timeout Settings, leave default settings and click Save & Next. Review Summary and click on Deploy. Configure F5 single sign-on for Header-based application Open your browser and access BIG-IP. You need to import the Metadata Certificate into the F5 (Header Based) which will be used later in the setup process. Go to System > Certificate Management > Traffic Certificate Management >> SSL Certificate List. Click on Import of the right-hand corner. Additionally you also need an SSL Certificate for the Hostname (headerapp.superdemo.live), in this example we used Wildcard Certificate. Go to – F5 (Header Based) BIG-IP Click Access > Guided Configuration > Federation > SAML Service Provider. Specify the Entity ID (same as what you configured on the Azure AD Application Configuration). Create a new Virtual Server, Specify the Destination Address, Redirect Port is Optional. Choose the Wild Card Certificate (or Cert you uploaded for the Application) that we uploaded earlier and the Associated Private Key. Upload the Configuration Metadata and Specify a new Name for SAML IDP Connector and you will also need to specify the Federation Certificate that was uploaded earlier. Create New Backend App Pool, specify the IP Address(s) of the Backend Application Servers. Under Single Sign-on, Choose HTTP header-based. You can add other Headers based on your application. See the Appendix for the list of SAMLSession Variables. Under Endpoint Checks Properties , click Save & Next. Under Timeout Settings, leave default settings and click Save & Next. Review Summary and click on Deploy. Resources BIG-IP Knowledge Center BIG-IP APM Knowledge Center Configuring Single Sign-On with Access Policy Manager Summary By centralizing access to all your applications, you can manage them more securely. Through the F5 BIG-IP APM and Azure AD integration, you can centralize and use single sign-on (SSO) and multi-factor authentication for on-premise applications. Validated Products and Versions Product BIG-IP APM Version 15.0
How to generate the persistence cookie with an iRule
Problem this snippet solves: When you configure a cookie persistence profile to use the HTTP Cookie Insert or HTTP Cookie Rewrite method, the BIG-IP system inserts a cookie into the HTTP response. The cookie value contains the encoded IP address and port of the destination server. Exemple of a cookie value : 1677787402.36895.0000 (See SOL6917 for more information about this topic) Let's assume that you want your pool member to receive a copy of this cookie value in an HTTP header. Because for example you want your application to forge an url where the cookie value is in a GET parameter. (NOTE : I cannot modify the behavior of the application, I can only play with headers) Retrieving the cookie value is pretty easy with iRule : [HTTP::cookie value $cookie_name] But you'll notice that there is a little issue with this feature: when you are a new visitor, the persistence cookie is inserted in the HTTP response ... Meaning that for the very first hit made by the visitor, there will be NO cookie value to retrieve ... In my scenario it was an issue to miss this cookie value on the first hit, so I had to come up with a solution to forge the cookie value based on pool member IP and port when the persistence cookie is missing. I chose to adapt the code found here and there (thanks !) EDIT : Well I figured out that if you are not using a default route-domain the persistence cookie value will be different (see https://support.f5.com/csp/article/K6917 ) Here is the alternative code bloc to use IPv4 non-default route domains: set ADDR "[format %02x $a][format %02x $b][format %02x $c][format %02x $d]" set PORT [LB::server port] set COOKIE "rd2o00000000000000000000ffff${ADDR}o${PORT}" How to use this snippet: To summarize what the iRule does : if the persistence cookie doesn't exist (most likely because it's the very first hit), then calculate it from member IP and PORT (it obviously has to be after the "When LB_SELECTED" statement) ; else just read the existing cookie. You can set the $cookie_name parameter manually, or let the iRule identify it Code : when LB_SELECTED { #set cookie_name SERVERID # following function could determine persistence cookie name being used if not manually set by the previous line if {not [info exists cookie_name]} { if { [set cookie_name [PROFILE::persist mode cookie cookie_name]] eq "" } { set cookie_name "BIGipServer[getfield [LB::server pool] "/" 3]" } #Default cookie name requires the getfield "/" 3 purge otherwise it's /Common/pool_name } if { [set COOKIE [HTTP::cookie value $cookie_name]] == "" } { scan [LB::server addr] {%d.%d.%d.%d} a b c d set ADDR [expr { $a + $b * 256 + $c * 65536 + $d * 16777216 }] set PORT [ntohs [LB::server port]] set COOKIE "${ADDR}.${PORT}.0000" ## Following bloc must be used instead if you are using non-default route domains, see K6917 #set ADDR "[format %02x $a][format %02x $b][format %02x $c][format %02x $d]" #set PORT [LB::server port] #set COOKIE "rd2o00000000000000000000ffff${ADDR}o${PORT}" ######### unset a b c d ADDR PORT #log local0. "$cookie_name = $COOKIE created for [HTTP::uri]" } else { #log local0. "$cookie_name = $COOKIE already exists for [HTTP::uri]" } HTTP::header insert X-F5-persist $COOKIE } Tested this on version: 11.5Using F5 as a Service Provider with Okta IdP
I've read part 1 and 2 of this article for how to connect F5 as a service provider to Okta: Secure Access to Web Applications with F5 and Okta... - DevCentral However, it doesn't provide instructions for how to get the Single sign on URL and the Audience URI for the app, and I also can't find an article for how to connect F5 to the application to pass the header or kerberos auth to. Could someone help me? I'm basically looking for what information I'll need to retrieve and give to the owners of the systems using legacy auth in order to connect those systems to F5 to use Okta auth with them.
How to validate receive string and set multiple send string
For one of the VIP below is the HTTP Send String I configured. GET /portal/portaladmin/healthCheck HTTP/1.1\r\nHost: TEST.TEST.Ca\r\nConnection: Close\r\n\r\n How to confirm what I am receiving in as receive string ? I need to set Receive String as 401. ? I used Curl and I see 401 is showed up ( marked Black ). So is it that I only need to write 401 in the Receive String of Monitor ? 2nd question I need to set multiple monitor for different services configured on same server. How to set multiple send string from a single Monitor Configuration. ? Let say if I am configuring 2 send string and 2 corresponding receive string how to set that when both of the String Condition need to be True as a condition to mark the VIP live. ? [admin@F5:Active:In Sync] ~ # curl -vk https://test.test.ca/portal/portaladmin/healthCheck * About to connect() to test.test.ca port 443 (#0) * Trying 10.8.16.62... connected * Connected to test.test.ca (10.8.16.62) port 443 (#0) * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Server key exchange (12): * SSLv3, TLS handshake, Server finished (14): * SSLv3, TLS handshake, Client key exchange (16): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSL connection using DHE-RSA-AES256-GCM-SHA384 * Server certificate: * subject: C=CA; ST=ns; L=Halifax; O=Nova Scotia Power Inc; OU=IT; CN=test.test.ca * start date: 2019-04-17 00:00:00 GMT * expire date: 2021-04-21 12:00:00 GMT * subjectAltName: test.test.ca matched * issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA * SSL certificate verify ok. > GET /portal/portaladmin/healthCheck HTTP/1.1 > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1l zlib/1.2.3 libidn/1.18 > Host: test.test.ca > Accept: */* > < HTTP/1.1 401 Unauthorized < Content-Type: text/html < Server: Microsoft-IIS/10.0 < WWW-Authenticate: Negotiate < WWW-Authenticate: NTLM < X-Powered-By: ASP.NET < Date: Mon, 05 Aug 2019 18:41:27 GMT < Connection: close < Content-Length: 1293 < Vary: Accept-Encoding < <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>401 - Unauthorized: Access is denied due to invalid credentials.</title> <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2> <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3> </fieldset></div> </div> </body> </html> * Closing connection #0 * SSLv3, TLS alert, Client hello (1):
