Azure Active Directory and BIG-IP APM Integration
Introduction Security is one of the primary considerations for organizations in determining whether or not to migrate applications to the public cloud. The problem for organizations with applications in the cloud, in a data center, managed, or as a service, is to create a cost-effective hybrid architecture that produces secure application access and a great experience that allows users to access apps easily, have consistent user experiences, and enjoy easy access with single-sign-on (SSO) tied to a central identity and authentication strategy. Some applications are not favorable to modernization. There are applications that are not suited for, or incapable of, cloud migration. Many on-premises apps do not support modern authentication and authorization, including standards and protocols such as SAML, OAuth, or OpenID Connect (OIDC). An organization may not have the staff talent or time to perform application modernization for their on-premises apps. With thousands of apps in use daily, hosted in all or any combination of these locations, how can organizations ensure secure, appropriate user access without requiring users to login in multiple times? In addition, how can organizations terminate user access to each application without having to access each app individually? By deploying Microsoft Azure Active Directory, Microsoft’s comprehensive cloud-based identity platform, along with F5’s trusted application access solution, Access Policy Manager (APM), organizations are able to federate user identity, authentication, and authorization and bridge the identity gap between cloud-based (IaaS), SaaS, and on-premises applications. Figure 1 Secure hybrid application access This guide discusses the following use cases: · Users use single sign-on to access applications requires Kerberos-based authentication. · Users use single sign-on to access applications requires header-based authentication. Microsoft Azure Active Directory and F5 BIG-IP APM Design For organizations with a high security demand with low risk tolerance, the need to keep all aspects of user authentication on premise is required. The Microsoft Azure Active Directory and F5 BIG-IP APM solution integrates directly into AAD configured to work cooperatively with an existing Kerberos based, header based or variety of authentication methods. The solution has these components: • BIG-IP Access Policy Manager (APM) • Microsoft Domain Controller/ Active Directory (AD) • Microsoft Azure Active Directory (AAD) • Application (Kerberos-/header-based authentication) Figure 2 APM bridge SAML to Kerberos/header authentication components Figure 3 APM bridge SAML to Kerberos authentication process flow Deploying Azure Active Directory and BIG-IP APM integration The joint Microsoft and F5 solution allow legacy applications incapable of supporting modern authentication and authorization to interoperate with Azure Active Directory. Even if an app doesn’t support SAML, and only is able to support header- or Kerberos-based authentication, it can still be enabled with single sign-on (SSO) and support multi-factor authentication (MFA) through the F5 APM and Azure Active Directory combination. Azure Active Directory as an IDaaS delivers a trusted root of identity to APM creating a bridge between modern and legacy applications, delivering SSO and securing the app with MFA. Adding F5 from the gallery To configure the integration of BIG-IP APM into Azure AD, you need to add F5 from the gallery to your list of managed SaaS apps. Sign-on to the Azure portal using either a work or school account, or a personal Microsoft account. On the left navigation pane, select the Azure Active Directory service. Navigate to Enterprise Applications and then select All Applications. To add new application, select New application. In the Add from the gallery section, type F5 in the search box. Select F5 from results panel and then add the app. Wait a few seconds while the app is added to your tenant. Configuring Microsoft Azure Active Directory Configure and test Azure AD SSO with F5 using a test user called A.Vandelay. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in F5. To configure and test Azure AD SSO with F5, complete the following building blocks: Configure Azure AD SSO - to enable your users to use this feature. Create an Azure AD test user - to test Azure AD single sign-on with A.Vandelay. Assign the Azure AD test user - to enable A.Vandelay to use Azure AD single sign-on. Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal. In the Azure portal, on the F5 application integration page, find the Manage section and select single sign-on. On the Select a single sign-on method page, select SAML. On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode, enter the values for the following fields: In the Identifier text box, type a URL using the following pattern: https://<YourCustomFQDN>.f5.com/ In the Reply URL text box, type a URL using the following pattern: https://<YourCustomFQDN>.f5.com/ Click Set additional URLs and perform the following step if you wish to configure the application in SP initiated mode: In the Sign-on URL text box, type a URL using the following pattern: https://<YourCustomFQDN>.f5.com/ Note These values are for only used for illustration. Replace these them with the actual Identifier, Reply URL and Sign-on URL. Refer to the patterns shown in the Basic SAML Configuration section in the Azure portal. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and select Download to download the certificate and save it on your computer. On the Set up F5 section, copy the appropriate URL(s) based on your requirement. Create an Azure AD test user In this section, you'll create a test user in the Azure portal called A.Vandelay. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users. Select New user at the top of the screen. In the User properties, follow these steps: In the Name field, enter A.Vandelay. In the User name field, enter the username@companydomain.extension. For example, A.Vandelay@contoso.com. Select the Show password check box, and then write down the value that's displayed in the Password box. Click Create. Assign the Azure AD test user In this section, you'll enable A.Vandelay to use Azure single sign-on by granting access to F5. In the Azure portal, select Enterprise Applications, and then select All applications. In the applications list, select F5. In the app's overview page, find the Manage section and select Users and groups. Select Add user, then select Users and groups in the Add Assignment dialog. In the Users and groups dialog, select A.Vandelay from the Users list, then click the Select button at the bottom of the screen. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate role for the user from the list and then click the Select button at the bottom of the screen. In the Add Assignment dialog, click the Assign button. Configure F5 BIG-IP APM Configure your on-premise applications based on the authentication type. Configure F5 single sign-on for Kerberos-based application Open your browser and access BIG-IP. You need to import the Metadata Certificate into the F5 (Kerberos) which will be used later in the setup process. Go to System > Certificate Management > Traffic Certificate Management >> SSL Certificate List. Click on Import of the right-hand corner. Additionally you also need an SSL Certificate for the Hostname (Kerbapp.superdemo.live), in this example we used Wildcard Certificate. Go to – F5 BIG-IP Click Access > Guided Configuration > Federation > SAML Service Provider. Specify the Entity ID (same as what you configured on the Azure AD Application Configuration). Create a new Virtual Server, Specify the Destination Address. Choose the Wild Card Certificate (or Cert you uploaded for the Application) that we uploaded earlier and the Associated Private Key. Upload the Configuration Metadata and Specify a new Name for SAML IDP Connector and you will also need to specify the Federation Certificate that was uploaded earlier. Create New Backend App Pool, specify the IP Address(s) of the Backend Application Servers. Under Single Sign-on Settings, choose Kerberos and Select Advanced Settings. The request needs to be created in user@domain.suffix. Under the username source specify session.saml.last.attr.name.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname. Refer Appendix for complete list of variables and values. Account Name Is the F5 Delegation Account Created ( Check F5 Documentation). Under Endpoint Checks Properties , click Save & Next. Under Timeout Settings, leave default settings and click Save & Next. Review Summary and click on Deploy. Configure F5 single sign-on for Header-based application Open your browser and access BIG-IP. You need to import the Metadata Certificate into the F5 (Header Based) which will be used later in the setup process. Go to System > Certificate Management > Traffic Certificate Management >> SSL Certificate List. Click on Import of the right-hand corner. Additionally you also need an SSL Certificate for the Hostname (headerapp.superdemo.live), in this example we used Wildcard Certificate. Go to – F5 (Header Based) BIG-IP Click Access > Guided Configuration > Federation > SAML Service Provider. Specify the Entity ID (same as what you configured on the Azure AD Application Configuration). Create a new Virtual Server, Specify the Destination Address, Redirect Port is Optional. Choose the Wild Card Certificate (or Cert you uploaded for the Application) that we uploaded earlier and the Associated Private Key. Upload the Configuration Metadata and Specify a new Name for SAML IDP Connector and you will also need to specify the Federation Certificate that was uploaded earlier. Create New Backend App Pool, specify the IP Address(s) of the Backend Application Servers. Under Single Sign-on, Choose HTTP header-based. You can add other Headers based on your application. See the Appendix for the list of SAMLSession Variables. Under Endpoint Checks Properties , click Save & Next. Under Timeout Settings, leave default settings and click Save & Next. Review Summary and click on Deploy. Resources BIG-IP Knowledge Center BIG-IP APM Knowledge Center Configuring Single Sign-On with Access Policy Manager Summary By centralizing access to all your applications, you can manage them more securely. Through the F5 BIG-IP APM and Azure AD integration, you can centralize and use single sign-on (SSO) and multi-factor authentication for on-premise applications. Validated Products and Versions Product BIG-IP APM Version 15.0Azure Active Directory and BIG-IP APM Integration with PeopleSoft using Easy Button (Introduced in 16.0)
Overview This guide is written for IT professionals designing an F5 network. These IT professionals can fill a variety of roles: Systems engineers requiring a standard set of procedures for implementing solutions Project managers creating statements of work for F5 implementations F5 partners selling technology or creating implementation documentation This guide covers using single sign-on to access an Oracle PeopleSoft application requiring header-based authentication. Figure 1 Secure hybrid application access Microsoft Azure Active Directory and F5 BIG-IP APM Design For organizations with a high security demand with low risk tolerance, the need to keep all aspects of user authentication on premise is required. The Microsoft Azure Active Directory and F5 BIG-IP APM solution integrates directly into AAD configured to work cooperatively with an existing header-based, header based or variety of authentication methods. The solution has these components: BIG-IP Access Policy Manager (APM) Microsoft Domain Controller/ Active Directory (AD) Microsoft Azure Active Directory (AAD) PeopleSoft Application (header-based authentication) Figure 2 APM bridge SAML to header-based authentication components Deploying Azure Active Directory and BIG-IP APM integration The joint Microsoft and APM solution allow legacy applications incapable of supporting modern authentication and authorization to interoperate with Azure Active Directory. Even if an app doesn’t support SAML, and only is able to support header-based authentication, it can still be enabled with single sign-on (SSO) and support multi-factor authentication (MFA) through the F5 APM and Azure Active Directory combination. Azure Active Directory as an IDaaS delivers a trusted root of identity to APM creating a bridge between modern and PeopleSoft application, delivering SSO and securing the app with MFA. Access Guided Configuration 7.0 – Azure AD Easy Button In version 16.0 of F5 BIG-IP, Access Guided Configuration v7.0 (AGC) for APM has added the ability for administrators to simply onboard and operationally manage mission-critical applications to Azure AD. The administrator no longer needs to go back and forth between Azure AD and BIG-IP as the end-to-end operation policy management has been integrated directly into the APM AGC console. This integration between BIG-IP APM and Azure AD delivers an automated “easy button” to ensure applications can quickly, easily support identity federation, SSO, and MFA. This seamless integration between BIG-IP APM and Azure AD reduces management overhead, meaning that the integration now also enhances the administrator experience. Configure F5 BIG-IP APM These instructions configure with APM to be used with Azure AD SSO for PeopleSoft application access. For SSO to work, you need to establish a link relationship between APM and Azure AD in relation to the PeopleSoft Step 1: In BIG-IP click Access > Guided Configuration > Microsoft Integration > Azure AD Application Step 2: Click Next. Step 3: In the Configuration Properties page, configure the following information, leave default settings and click Save & Next. Configuration Name: www Single Sign-On (SSO): On Copy Account Info from Existing Configuration: On Existing Configuration: portal Click Copy Click Test Connection Step 4: In the Service Provider page, configure the following information, leave default settings and click Save & Next. Host: www.aserracorp.com Entity ID: https://www.aserracorp.com/ Step 5: In the Azure Active Directory page, double click Oracle PeopleSoft Step 6: In the Azure Active Directory page, complete the following information then click Add button in User And Groups. Display Name: Corporate Site Signing Key: www.aserracorp.com Signing Certificate: www.aserracorp.com Signing Key Passphrase: <passphrase> Signing Option: Sign SAML assertion Signing Algorithm: RSA-SHA256 Step 7: in User And Groups section, select the following click Close and then click User Attribute and Claims tab at the top of the form. Type: User Group Legacy Application Users: Add Step 8: In the Azure Active Directory page, User Attribute and Claims tab click Add button. Step 9: In the Azure Active Directory page, User Attribute and Claims tab, Additional Claims section, complete the following information, click Done and then click Save & Next at the bottom of the page. Name: EMPLID Source Attribute: user.employeeid Step 10: In the Virtual Server Properties page, configure the following information, leave default settings and click Save & Next. Destination Address: 206.124.129.183 Service Port: 443 HTTPS (default) Enable Redirect Port: Checked (default) Redirect Port: 80 HTTP (default) Client SSL Profile: Create new Client SSL Certificate: Client SSL Certificate Associated Private Key: www.aserracorp.com Step 11: In the Pool Properties page, configure the following information, leave default settings and click Save & Next. Advanced Settings: On Select a Pool: Create new Health Monitors: /Common/http Load Balancing Method: Least Connections (member) IP Address/Node name: /Common/172.16.60.105 Port: 80 HTTP Step 12: In the Single Sign-On Settings page, click Enable Single Sign-On, and then click on Show Advanced Settings, configure the following information, leave default settings and click Save & Next. Select Single Sign-On Type: HTTP header-based Username Source: session.saml.last.identity SSO Headers Header Operation: replace Header Name: Authorization Header Value: %{session.saml.last.attr.sAMAcountName} Header Operation: insert Header Name: EMPLID Header Value: %{session.saml.last.attr.EMPLID} Header Operation: replace Header Name: Authorization Header Value: %{session.saml.last.attr.name.http://schemas.xmlsoap.org/ws/2005/identity/claims/givenname} Step 13: In the Session Management Properties page, leave default settings and click Save & Next. Step 14: In the Your application is ready to be deployed page, click Deploy. This completes APM configuration. Resources BIG-IP Knowledge Center BIG-IP APM Knowledge Center Configuring Single Sign-On with Access Policy Manager Validated Products and Versions BIG-IP APM 16,0Azure Active Directory and BIG-IP APM Integration with PeopleSoft
Overview This guide is written for IT professionals designing an F5 network. These IT professionals can fill a variety of roles: Systems engineers requiring a standard set of procedures for implementing solutions Project managers creating statements of work for F5 implementations F5 partners selling technology or creating implementation documentation This guide covers using single sign-on to access the Oracle PeopleSoft application requiring header-based authentication. Figure 1 Secure hybrid application access Microsoft Azure Active Directory and F5 BIG-IP APM Design For organizations with a high security demand with low risk tolerance, the need to keep all aspects of user authentication on premise is required. The Microsoft Azure Active Directory and F5 BIG-IP APM solution integrates directly into AAD configured to work cooperatively with an existing header based, header based or variety of authentication methods. The solution has these components: BIG-IP Access Policy Manager (APM) Microsoft Domain Controller/ Active Directory (AD) Microsoft Azure Active Directory (AAD) PeopleSoft Application (header-based authentication) Figure 2 APM bridge SAML to header authentication components Deploying Azure Active Directory and BIG-IP APM integration The joint Microsoft and APM solution allow legacy applications incapable of supporting modern authentication and authorization to interoperate with Azure Active Directory. Even if an app doesn’t support SAML, and only is able to support header-based authentication, it can still be enabled with single sign-on (SSO) and support multi-factor authentication (MFA) through the F5 APM and Azure Active Directory combination. Azure Active Directory as an IDaaS delivers a trusted root of identity to APM creating a bridge between modern and PeopleSoft applications, delivering SSO and securing the app with MFA. Configuring Microsoft Azure Active Directory These instructions configure Azure AD SSO with APM to be used with PeopleSoft. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in F5. To configure and test Azure AD SSO with APM, complete the following tasks: Create an Azure AD user – to add users to Azure AD. Assign the Azure AD user - to enable users to use Azure AD single sign-on. Configure Azure AD SSO - to enable your users to use this feature. Create an Azure AD user In this section, you will create a test user in the Azure portal named Harvey Winn. From the left pane in the Azure portal, click Users, and then select All users. Click + New user at the top of the screen. In the User properties, follow these steps: Username: harvey@aserracorp.com Name: Harvey Winn Select the Show password check box, and then write down the value that's displayed in the Password box. Click Create. Assign Azure AD users to application Step 1: In the search field, type “enterprise applications” and click on Enterprise applications. Step 2: Click on “New applications Step 3: In the search field under Add from the gallery, type “f5” and click on Oracle PeopleSoft - Protected by F5 Networks BIG-IP and then Add. Step 4: In the Oracle PeopleSoft - Protected by F5 Networks BIG-IP | OverviewClick window, click 1. Assign users and groups, and in the next screen, click + Add user. Step 5: In Home > Oracle PeopleSoft - Protected by F5 Networks BIG-IP | Users and groups > Add Assignment page, click Users and groups. Step 6: In the search field under Users and groups, search “harvey” and click on the user Harvey Winn, click on Select and then click on Assign. Configure Azure AD SSO Step 1: Click on Single sign-on. Step 2: Click on SAML. Step 3: In Home > Oracle PeopleSoft - Protected by F5 Networks BIG-IP | Single sign-on > SAML-based Sign-on page, under Basic SAML Configuration, click the edit icon. Step 4: Complete the following information and click Save. Identifier (Entity ID): https://peoplesoft.aserracorp.com/ Reply URL (Assertion Consumer Service URL): https://peoplesoft.aserracorp.com/saml/sp/profile/post/acs Relay State: https://peoplesoft.aserracorp.com/irj/portal Logout Url: https://peoplesoft.aserracorp.com/saml/sp/profile/redirect/slo Step 5: In Home > Oracle PeopleSoft - Protected by F5 Networks BIG-IP | Single sign-on > SAML-based Sign-on page, under User Attributes & Claims, click the edit icon, and click + Add new claim. Step 6: In Home > Oracle PeopleSoft - Protected by F5 Networks BIG-IP | Single sign-on > SAML-based Sign-on > User Attributes & Claims > Manage claim page, complete the following information and click Save. Name: sAMAccountName Source attribute: user.onpremisessamaccountname Step 7: Click > SAML-based Sign-on > , to verify information Step 8: Under SAML Signing Certificate and next to Federation Metadata XML, click right click on Download and select Save Link As… Step 9: Rename File names to remove spaces. Note: APM Guided Configuration will not accept spaces in the file name This completes Azure AD configuration. Configure F5 BIG-IP APM These instructions configure with APM to be used with Azure AD SSO for PeopleSoft application access. For SSO to work, you need to establish a link relationship between APM and Azure AD in relation to the PeopleSoft. To configure and test Azure AD SSO with APM, complete the following tasks: Configure the Service Provider: Service Provider can sign authentication requests and decrypt assertions. Configure a Virtual Server: When the clients send application traffic to a virtual server, the virtual server listens for that traffic, processes the configuration associated with the server, and directs the traffic according to the policy result and the settings in the configuration. Configure External Identity Provider Connector: Define settings for an external SAML IdP. When acting as a SAML Service Provider, the BIG-IP system sends authentication requests to and consumes assertions from external SAML IdPs that you specify. Configure the Pool Properties: enables you to configure a pool of one or more servers. If you have a suitable pool configured already, select it. Otherwise, create a new one. Add servers, select a load balancing method, and, optionally, assign a health monitor to the pool. ConfigureSingle Sign-On: leverages credential caching and credential proxying technology so users can enter their credentials once to access their secured web applications. Step 1: In BIG-IP click Access > Guided Configuration > Federation > SAML Service Provider. Step 2: Click Next. Step 3: In the Service Provider Properties page, configure the following information, leave default settings and click Save & Next. Configuration Name: PeopleSoft_AAD_APM Entity ID: https://peoplesoft.aserracorp.com/ Scheme: https Host: peoplesoft.aserracorp.com Step 4: In the Virtual Server Properties page, configure the following information, leave default settings and click Save & Next. Destination Address: 206.124.129.124 Service Port: 443 HTTPS (default) Enable Redirect Port: Checked (default) Redirect Port: 80 HTTP (default) Client SSL Profile: Use Exsisting Common: peoplesoft.aserracorp.com_ssl Step 5: In the External Identity Provider Connector Settings page, configure the following information, leave default settings and click Save & Next. Select method to configure your IdP Connector: Metadata Upload a file in the format name .xml: Choose File PeopleSoftAssaracorp.xml Name: peoplesoft_aad_idp_connector Step 6: In the Pool Properties page, configure the following information, leave default settings and click Save & Next. Select a Pool: PeopleSoft_backend_pool Step 7: In the Single Sign-On Settings page, click Enable Single Sign-On, and then click on Show Advanced Settings, configure the following information, leave default settings and click Save & Next. Select Single Sign-On Type: HTTP header-based Username Source: session.saml.last.identity SSO Headers Header Operation: replace Header Name: PS_SSO_UID Header Value: %{session.saml.last.attr.name.EMPLID} Step 8: In the Endpoint Checks Properties page, leave default settings and click Save & Next. Step 9: In the Timeout Settings page, leave default settings and click Save & Next. Step 10: In the Your application is ready to be deployed page, click Deploy. This completes APM configuration. Resources BIG-IP Knowledge Center BIG-IP APM Knowledge Center Configuring Single Sign-On with Access Policy Manager Validated Products and Versions BIG-IP APM 14.1Azure Active Directory and BIG-IP APM Integration with SAP ERP using Easy Button (Introduced in 16.0)
Overview This guide is written for IT professionals designing an F5 network. These IT professionals can fill a variety of roles: Systems engineers requiring a standard set of procedures for implementing solutions Project managers creating statements of work for F5 implementations F5 partners selling technology or creating implementation documentation This guide covers using single sign-on to access an SAP ERP application requiring Kerberos-based authentication. Figure 1 Secure hybrid application access Microsoft Azure Active Directory and F5 BIG-IP APM Design For organizations with a high security demand with low risk tolerance, the need to keep all aspects of user authentication on premise is required. The Microsoft Azure Active Directory and F5 BIG-IP APM solution integrates directly into AAD configured to work cooperatively with an existing Kerberos based, header based or variety of authentication methods. The solution has these components: BIG-IP Access Policy Manager (APM) Microsoft Domain Controller/ Active Directory (AD) Microsoft Azure Active Directory (AAD) SAP ERP Application (Kerberos-based authentication) Figure 2 APM bridge SAML to Kerberos authentication components Figure 3 APM bridge SAML to Kerberos authentication process flow Deploying Azure Active Directory and BIG-IP APM integration The joint Microsoft and APM solution allow legacy applications incapable of supporting modern authentication and authorization to interoperate with Azure Active Directory. Even if an app doesn’t support SAML, and only is able to support header- or Kerberos-based authentication, it can still be enabled with single sign-on (SSO) and support multi-factor authentication (MFA) through the F5 APM and Azure Active Directory combination. Azure Active Directory as an IDaaS delivers a trusted root of identity to APM creating a bridge between modern and SAP ERP applications, delivering SSO and securing the app with MFA. Access Guided Configuration 7.0 – Azure AD Easy Button In version 16.0 of F5 BIG-IP, Access Guided Configuration v7.0 (AGC) for APM has added the ability for administrators to simply onboard and operationally manage mission-critical applications to Azure AD. The administrator no longer needs to go back and forth between Azure AD and BIG-IP as the end-to-end operation policy management has been integrated directly into the APM AGC console. This integration between BIG-IP APM and Azure AD delivers an automated “easy button” to ensure applications can quickly, easily support identity federation, SSO, and MFA. This seamless integration between BIG-IP APM and Azure AD reduces management overhead, meaning that the integration now also enhances the administrator experience. Configure F5 BIG-IP APM These instructions configure APM to be used with Azure AD SSO for SAP ERP application access. For SSO to work, you need to establish a link relationship between APM and Azure AD in relation to the SAP ERP. Step 1: In BIG-IP click Access > Guided Configuration > Microsoft Integration > Azure AD Application. Step 2: Click Next. Step 3: In the Configuration Properties page, configure the following information, leave default settings and click Save & Next. Configuration Name: portal Single Sign-On (SSO): On Copy Account Info from Existing Configuration: On Existing Configuration: portal Click Copy Click Test Connection Step 4: In the Service Provider page, configure the following information, leave default settings and click Save & Next. Host: www.aserracorp.com Entity ID: https://www.aserracorp.com/ Step 5: In the Azure Active Directory page, double click SAP ERP Central Component Step 6: In the Azure Active Directory page, complete the following information then click Add button in User And Groups. Display Name: Corporate SAP ERP Signing Key: www.aserracorp.com Signing Certificate: www.aserracorp.com Signing Key Passphrase: <passphrase> Signing Option: Sign SAML assertion Signing Algorithm: RSA-SHA256 Step 7: in User And Groups section, select the following click Close and then Save & Next at the bottom of the page. Type: User Group Legacy Application Users: Add Step 8: In the Virtual Server Properties page, configure the following information, leave default settings and click Save & Next. Destination Address: 206.124.129.183 Service Port: 443 HTTPS (default) Enable Redirect Port: Checked (default) Redirect Port: 80 HTTP (default) Client SSL Profile: Create new Client SSL Certificate: Client SSL Certificate Associated Private Key: www.aserracorp.com Step 9: In the Pool Properties page, configure the following information, leave default settings and click Save & Next. Advanced Settings: On Select a Pool: Create new Health Monitors: /Common/http Load Balancing Method: Least Connections (member IP Address/Node name: /Common/172.16.60. Step 10: In the Single Sign-On Settings page, click Enable Single Sign-On, and then click on Show Advanced Settings, configure the following information, leave default settings and click Save & Next. Select Single Sign-On Type: Kerberos Credentials Source Username Source: session.saml.last.attr.name.sAMAccountName SSO Method Configuration Kerberos Realm: ASERRACORP.COM Account Name: sapsrvacc Account Password: password Confirm Account Password: password KDC: 172.16.60.5 SPN Pattern: HTTP/sapsrv.aserracorp.com@ASERRACORP.COM Ticket Lifetime: 600 (default) Send Authorization: Always (default) Step 11: In the Session Management Properties page, leave default settings and click Save & Next. Step 12: In the Your application is ready to be deployed page, click Deploy. This completes APM configuration. --- Resources BIG-IP Knowledge Center BIG-IP APM Knowledge Center Configuring Single Sign-On with Access Policy Manager Validated Products and Versions BIG-IP APM 16.0Azure Active Directory and BIG-IP APM Integration with SAP ERP
Introduction Despite recent advances in security and identity management, controlling and managing access to applications through the web—whether by onsite employees, remote employees or contractors, customers, partners, or the public—is as difficult as ever. IT teams are challenged to control access based on granular characteristics such as user role while still providing fast authentication and, preferably, unified access with single sign-on (SSO) capabilities. The ability to audit access and recognize and stop attempts at unauthorized access are also critical in today’s security environment. F5® BIG-IP® Local Traffic Manager™ (LTM) and F5 BIG-IP® Access Policy Manager® (APM) address these challenges, providing extended access management capabilities when used in conjunction with the Microsoft Azure Active Directory (AAD) identity management platform. The integrated solution allows AAD to support applications with header-based and Kerberos based authentication and multifactor authentication using a variety of factor types. In addition, the BIG-IP system can act as a reverse proxy for publishing on-premises applications beyond the firewall, where they can be accessed through AAD. This document will discuss the process of configuring AAD and F5 Big-IP to meet this requirement while still providing the flexibility and power of the cloud. Audience This guide is written for IT professionals who need to design an F5 network. These IT professionals can fill a variety of roles: · Systems engineers who need a standard set of procedures for implementing solutions · Project managers who create statements of work for F5 implementations · F5 partners who sell technology or create implementation documentation Customer Use Cases Security is one of the primary considerations for organizations in determining whether or not to migrate applications to the public cloud. The problem for organizations with applications in the cloud, in a data center, managed, or as a service, is to create a cost-effective hybrid architecture that produces secure application access and a great experience that allows users to access apps easily, have consistent user experiences, and enjoy easy access with single-sign-on (SSO) tied to a central identity and authentication strategy. Some applications are not favorable to modernization. There are applications that are not suited for, or incapable of, cloud migration. Many on-premises apps do not support modern authentication and authorization, including standards and protocols such as SAML, OAuth, or OpenID Connect (OIDC). An organization may not have the staff talent or time to perform application modernization for their on-premises apps. With thousands of apps in use daily, hosted in all or any combination of these locations, how can organizations ensure secure, appropriate user access without requiring users to login in multiple times? In addition, how can organizations terminate user access to each application without having to access each app individually? By deploying Microsoft Azure Active Directory, Microsoft’s comprehensive cloud-based identity platform, along with F5’s trusted application access solution, Access Policy Manager (APM), organizations are able to federate user identity, authentication, and authorization and bridge the identity gap between cloud-based (IaaS), SaaS, and on-premises applications. Figure 1 Secure hybrid application access This guide discusses the following use cases: · Users use single sign-on to access SAP ERP application that requires Kerberos-based authentication. Microsoft Azure Active Directory and F5 BIG-IP APM Design For organizations with a high security demand with low risk tolerance, the need to keep all aspects of user authentication on premise is required. The Microsoft Azure Active Directory and F5 BIG-IP APM solution integrates directly into AAD configured to work cooperatively with an existing Kerberos based, header based or variety of authentication methods. The solution has these components: • BIG-IP Access Policy Manager (APM) • Microsoft Domain Controller/ Active Directory (AD) • Microsoft Azure Active Directory (AAD) • SAP ERP Application (Kerberos-based authentication) Figure 2 APM bridge SAML to Kerberos authentication components Figure 3 APM bridge SAML to Kerberos authentication process flow Deploying Azure Active Directory and BIG-IP APM integration The joint Microsoft and APM solution allow legacy applications incapable of supporting modern authentication and authorization to interoperate with Azure Active Directory. Even if an app doesn’t support SAML, and only is able to support header- or Kerberos-based authentication, it can still be enabled with single sign-on (SSO) and support multi-factor authentication (MFA) through the F5 APM and Azure Active Directory combination. Azure Active Directory as an IDaaS delivers a trusted root of identity to APM creating a bridge between modern and SAP ERP applications, delivering SSO and securing the app with MFA. Configuring Microsoft Azure Active Directory These instructions configure Azure AD SSO with APM to be used with SAP ERP. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in F5. To configure and test Azure AD SSO with APM, complete the following tasks: · Create an Azure AD user – to add users to Azure AD. · Assign the Azure AD user - to enable users to use Azure AD single sign-on. · Configure Azure AD SSO - to enable your users to use this feature. Create an Azure AD user In this section, you'll create a test user in the Azure portal named Harvey Winn. From the left pane in the Azure portal, click Users, and then select All users. Click + New user at the top of the screen. In the User properties, follow these steps: User name: harvey@aserracorp.com Name: Harvey Winn Select the Show password check box, and then write down the value that's displayed in the Password box. Click Create. Assign Azure AD users to application 1. In the search field, type “enterprise applications” and click on Enterprise applications. 2. Click on “New applications 3. In the search field under Add from the gallery, type “f5” and click on SAP ERP Central Component (ECC) and then Add. 4. In the SAP ERP Central Component (ECC) - Protected by F5 Networks BIG-IP APM | OverviewClick window, click 1. Assign users and groups, and in the next screen, click + Add user. 5. In Home > SAP ERP Central Component (ECC) - Protected by F5 Networks BIG-IP APM | Users and groups > Add Assignment page, click Users and groups. 6. In the search field under Users and groups, search “harvey” and click on the user Harvey Winn, click on Select and then click on Assign. Configure Azure AD SSO 1. Click on Single sign-on. 2. Click on SAML. 3. In Home > SAP ERP Central Component (ECC) - Protected by F5 Networks BIG-IP APM | Single sign-on > SAML-based Sign-on page, under Basic SAML Configuration, click the edit icon. 4. Complete the following information and click Save. · Identifier (Entity ID): https://saperp.aserracorp.com/ · Reply URL (Assertion Consumer Service URL): https://saperp.aserracorp.com/saml/sp/profile/post/acs · Relay State: https://saperp.aserracorp.com/irj/portal · Logout Url: https://saperp.aserracorp.com/saml/sp/profile/redirect/slo 5. In Home > SAP ERP Central Component (ECC) - Protected by F5 Networks BIG-IP APM | Single sign-on > SAML-based Sign-on page, under User Attributes & Claims, click the edit icon, and click + Add new claim. 6. In Home > SAP ERP Central Component (ECC) - Protected by F5 Networks BIG-IP APM | Single sign-on > SAML-based Sign-on > User Attributes & Claims > Manage claim page, complete the following information and click Save. · Name: sAMAccountName · Source attribute: user.onpremisessamaccountname 7. Click > SAML-based Sign-on > , to verify information 8. Under SAML Signing Certificate and next to Federation Metadata XML, click right click on Download and select Save Link As… 9. Rename File name to SAPEP.xml and click Save. Note: APM Guided Configuration will not accept spaces in the file name 10. Azure AD configuration completed. Configure F5 BIG-IP APM These instructions configure with APM to be used with Azure AD SSO for SAP ERP application access. For SSO to work, you need to establish a link relationship between APM and Azure AD in relation to the SAP ERP. To configure and test Azure AD SSO with APM, complete the following tasks: Configure the Service Provider (SAP ERP): Service Provider can sign authentication requests and decrypt assertions. Configure a Virtual Server: When the clients send application traffic to a virtual server, the virtual server listens for that traffic, processes the configuration associated with the server, and directs the traffic according to the policy result and the settings in the configuration. Configure External Identity Provider Connector: Define settings for an external SAML IdP. When acting as a SAML Service Provider, the BIG-IP system sends authentication requests to and consumes assertions from external SAML IdPs that you specify. Configure the Pool Properties: enables you to configure a pool of one or more servers. If you have a suitable pool configured already, select it. Otherwise, create a new one. Add servers, select a load balancing method, and, optionally, assign a health monitor to the pool. Configure Single Sign-On: leverages credential caching and credential proxying technology so users can enter their credentials once to access their secured web applications. This SSO mechanism allows the user to get a Kerberos ticket and present it transparently to the IIS application. You must know the Kerberos Realm, Account Name, and Account Password before proceeding. 1. In BIG-IP click Access > Guided Configuration > Federation > SAML Service Provider. 2. Click Next. 3. In the Service Provider Properties page, configure the following information, leave default settings and click Save & Next. • Configuration Name: saperp • Entity ID: https://saperp.aserracorp.com/ • Scheme: https • Host: saperp.aserracorp.com • Relay State: https://saperp.aserracorp.com/irj/portal 4. In the Virtual Server Properties page, configure the following information, leave default settings and click Save & Next. • Destination Address: 206.124.129.129 • Service Port: 443 HTTPS (default) • Enable Redirect Port: Checked (default) • Redirect Port: 80 HTTP (default) • Client SSL Profile: Create new • Client SSL Certificate: asper.aserracorp.com • Associated Private Key: saperp.aserracorp.com 5. In the External Identity Provider Connector Settings page, configure the following information, leave default settings and click Save & Next. • Select method to configure your IdP Connector: Metadata • Upload a file in the format name .xml: Choose File saper.xml • Name: saperp_aad_idp 6. In the Pool Properties page, configure the following information, leave default settings and click Save & Next. • Select a Pool: Create New • Load Balancing Method: Least Connections (member) • Pool Servers • IP Address/Node Name: /Common/172.31.23.14 • Port: 50000 7. In the Single Sign-On Settings page, click Enable Single Sign-On, and then click on Show Advanced Settings, configure the following information, leave default settings and click Save & Next. • Select Single Sign-On Type: Kerberos • Credentials Source • Username Source: session.saml.last.attr.name.sAMAccountName • SSO Method Configuration • Kerberos Realm: ASERRACORP.COM • Account Name: sapsrvacc • Account Password: password • Confirm Account Password: password • KDC: 172.16.60.5 • SPN Pattern: HTTP/sapsrv.aserracorp.com@ASERRACORP.COM • Ticket Lifetime: 600 (default) • Send Authorization: Always (default) 8. In the Endpoint Checks Properties page, leave default settings and click Save & Next. 9. In the Timeout Settings page, leave default settings and click Save & Next. 10. In the Your application is ready to be deployed page, click Deploy. 11. APM configuration completed. Resources BIG-IP Knowledge Center BIG-IP APM Knowledge Center Configuring Single Sign-On with Access Policy Manager Summary By centralizing access to all your applications, you can manage them more securely. Through the F5 BIG-IP APM and Azure AD integration, you can centralize and use single sign-on (SSO) and multi-factor authentication for SAP ERP.
