F5 BIG-IP Next Access Labs > User Authentication > Lab 1 - SAML Federation with Okta
Lab 1.1 - Create an Access Security Policy
Creating a security policy with signed SAML assertion
- Log in to BIG-IP Next Central Manager if you are not already logged in.

- Click on the Workspace icon and select Security.

- Under Security you will find the security modules, such as Access, WAF, and SSLO. A module must be enabled before its feature menu appears in the Security list; for this lab the Access module has already been enabled.
Click Access in the Security menu. This should open on Policies by default.

- Click the Start Creating button to create a new Access policy, or click Create at the top right.

- This opens the Access Visual Policy Design screen. Select Per-Session, choose to use a policy template, and select the SAML as Service Provider template.

- The Create Per-Session Policy screen is where you set the properties of the policy, such as logging, language, and Single Sign On. Start by setting a policy name and the policy parameters.
In the General Properties screen set the following parameters; leave the remaining settings at their defaults.
- Policy Name: okta_signed_policy
- Cookie Option: check the Secure box (the access session cookie is then only sent over HTTPS, so it cannot be exposed by a plaintext request)
- Click Continue
Note
As you work through the rest of the policy creation process, refer to the screenshot in each section for a visual example of the configuration.

- In the Session Properties screen you can specify session-specific settings. For this lab keep the default settings and click Continue.

- In the Logging screen you can raise the logging level to help with debugging or troubleshooting. For this lab keep the default settings and click Continue.

- In the Single Sign On screen you can configure Single Sign On settings. For this lab SSO is not used. Click Continue.

- In the Endpoint Security screen you can require endpoint checks, such as confirming that a firewall is enabled on the client workstation, before access is granted. This feature is not used in this lab. Click Continue.

- In the Resources screen you can enable additional capabilities such as Network Access and Webtops. These are not used in this lab. Click Continue.

- In the Connectivity screen you can set the SSL VPN (Network Access) connectivity settings. Keep the defaults and click Continue.
- In the Policy Endings screen you can define additional policy ending logic as needed for your use case. For this lab accept the default settings and click Finish.

After clicking Finish you return to the Create Policy screen. Next we use the Visual Policy Designer (VPD) to build the policy.
The VPD in Next Access uses two terms: Flows and Rules. Flows are defined in the VPD, and each Flow can contain multiple Rules.

- Because we used a template, the flow already exists; it only needs to be configured.
- Click on the Collapse button to display the content of the flow. You will see two rules.

- Click Edit inside the SAML-Federation Rule box.

This opens the SAML Federation Rule properties screen. Follow the images below for each section.
- In the Rule Configuration, Rule Properties screen, enter SAML-Federation-Okta-Rule as the name of the rule and leave the rest at their defaults. Click Continue.

- In the Rule Configuration, Providers screen you configure the Service Provider (this BIG-IP Next policy) and the Identity Provider (Okta). A generic SP is already present; edit it and set the following:

- EntityID: https://signed.example.com
- Host: https://signed.example.com
- Check the Want Signed Assertion box. The policy will then reject any assertion that is not signed by the IdP; the signature is verified against the IdP verification certificate configured in the next step.
- Click Save

- In the Identity Provider section, click on the Start Creating button.

- In the Add Identity Provider screen add the following parameters:
- EntityID: http://www.okta.com/exk93cs4on3gGVej44x7
- SSO URL: https://dev-818899.okta.com/app/dev-818899_signedexamplecom_1/exk93cs4on3gGVej44x7/sso/saml
- Identity Provider’s Assertion Verification Certificate: select okta_signed_cert
- Click Save
- Below is a summary of the completed Providers screen. Confirm you have both a Service Provider and an Identity Provider configured, then click Continue.

- In the Branches screen keep the defaults. Click Finish.

- Click the Save button in the top right corner to save the policy. After the policy is saved, click Exit to close the policy.
You have completed creating a security policy. Next we will deploy an Application and assign the access policy to it.