Lab 1: SAML Service Provider (SP) Lab

The purpose of this lab is to configure and test a SAML Service Provider. Students will configure the various aspects of a SAML Service Provider, import and bind to a SAML Identity Provider and test SP‑Initiated SAML Federation.

Objectives:

  • Gain an understanding of SAML Service Provider (SP) configuration and its component parts
  • Gain an understanding of the access flow for SP-Initiated SAML

Estimated completion time: 25 minutes

Task 1 - Set Up the Lab Environment

To access your dedicated student lab environment, you will need a web browser and Remote Desktop Protocol (RDP) client software. The web browser will be used to access the Unified Demo Framework (UDF) Training Portal. The RDP client will be used to connect to the jumphost, where you will be able to access the BIG-IP management interfaces (HTTPS, SSH). First, click DEPLOYMENT, located in the top left corner, to display the environment, then:

  1. Click ACCESS next to jumphost.f5lab.local

    image001

  2. Select your RDP resolution.

  3. The RDP client on your local host establishes an RDP connection to the jumphost.

  4. Login with the following credentials:

    • User: f5lab\user1
    • Password: user1

  5. After a successful logon, the Chrome browser launches automatically and opens the site https://portal.f5lab.local. This usually takes about 30 seconds after logon.

  6. Click the Classes tab at the top of the page.

    image002

  7. Scroll down the page until you see 301 SAML Federation on the left

    image003

  8. Hover over the SAML Service Provider (SP) Lab tile. A start and a stop icon should appear within the tile. Click the Play Button to start the automation that builds the environment

    image039 image004

  9. The screen should refresh within 30 seconds and display the progress of the automation. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors, try running the automation a second time or open an issue on the Access Labs Repo.

    image005

Task 2 - Configure the SAML Service Provider (SP)

SP Service

  1. Begin by selecting: Access -> Federation -> SAML Service Provider -> Local SP Services

  2. Click the Create button (far right)

    image028

  3. In the Create New SAML SP Service dialog box click General Settings in the left navigation pane and key in the following as shown:

    Name: sp.acme.com
    Entity ID: https://sp.acme.com

  4. Click Security Settings

  5. Click Sign Authentication Request

  6. From the Message Signing Private Key dropdown select /Common/sp.acme.com

  7. From the Message Signing Certificate dropdown select /Common/sp.acme.com

    image035

  8. Click OK on the dialog box

    image029

    Note

    The yellow box on Host will disappear when the Entity ID is entered.

IdP Connector

  1. Click on Access ‑> Federation ‑> SAML Service Provider ‑> External IdP Connectors or click on the SAML Service Provider tab in the horizontal navigation menu and select External IdP Connectors

  2. Click specifically on the Down Arrow next to the Create button (far right)

  3. Select From Metadata from the drop down menu

    image030

  4. In the Create New SAML IdP Connector dialog box, click Browse and select the idp_acme_com.xml file from the Desktop of your jump host.

  5. In the Identity Provider Name field, enter idp.acme.com

  6. Click OK on the dialog box

    image031

    Note

    The idp_acme_com.xml file was created previously. Oftentimes, IdP providers will publish a metadata file describing their IdP service. Importing it saves object creation time, as has been done in this lab.

  7. Click Local SP Services on the SAML Service Provider tab in the horizontal navigation menu

  8. Click the checkbox next to the previously created sp.acme.com and click Bind/Unbind IdP Connectors at the bottom of the GUI

    image032

  9. In the Edit SAML IdP's that use this SP dialog box, click the Add New Row button

    image033

  10. In the added row, click the Down Arrow under SAML IdP Connectors and select the /Common/idp.acme.com SAML IdP Connector previously created

    image034

  11. Click the Update button and the OK button at the bottom of the dialog box

    image006

  12. Under the Access ‑> Federation ‑> SAML Service Provider ‑> Local SP Services menu you should now see the following (as shown):

    Name: sp.acme.com
    SAML IdP Connectors: idp.acme.com

    image007

Task 3 - Configure the SAML SP Access Policy

  1. Begin by selecting Access ‑> Profiles/Policies ‑> Access Profiles (Per‑Session Policies)

  2. Click the Create button (far right)

    image008

  3. In the New Profile window, key in the following:

    Name: sp.acme.com-psp
    Profile Type: All (from drop down)
    Profile Scope: Profile (default)

    image009

  4. Scroll to the bottom of the New Profile window to the Language Settings

  5. Select English from the Factory Built‑in Languages on the right, and click the Double Arrow (<<), then click the Finished button.

    image010

  6. From the Access ‑> Profiles/Policies ‑> Access Profiles (Per‑Session Policies) screen, click the Edit link on the previously created sp.acme.com-psp line

    image011

  7. In the Visual Policy Editor window for /Common/sp.acme.com-psp, click the Plus (+) Sign between Start and Deny

    image012

  8. In the pop‑up dialog box, select the Authentication tab and then click the Radio Button next to SAML Auth

  9. Once selected, click the Add Item button

    image013

  10. In the SAML Auth configuration window, select /Common/sp.acme.com from the AAA Server drop down menu

  11. Click the Save button at the bottom of the window

    image014

  12. In the Visual Policy Editor window for /Common/sp.acme.com-psp, click the Plus (+) Sign on the Successful branch following SAML Auth

    image015

  13. In the pop-up dialog box, select the Assignment tab, and then click the Radio Button next to Variable Assign

  14. Once selected, click the Add Item button

    image016

  15. In the Variable Assign configuration window, click the Add New Entry button

    image017

  16. Under the new Assignment row, click the Change link

    image018

  17. In the pop‑up window, configure the following:

    Left Pane
    Variable Type: Custom Variable
    Security: Unsecure
    Value: session.logon.last.username
    Right Pane
    Variable Type: Session Variable
    Session Variable: session.saml.last.attr.name.emailaddress

  18. Click the Finished button at the bottom of the configuration window

    image019

  19. Click the Save button at the bottom of the Variable Assign dialog window

    image020

  20. In the Visual Policy Editor select the Deny ending along the fallback branch following the Variable Assign

    image021

  21. From the Select Ending dialog box, select the Allow button and then click Save

    image022

  22. In the Visual Policy Editor click Apply Access Policy (top left) and close the Visual Policy Editor

    image023
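To make the Variable Assign step concrete, here is an added Python illustration (not part of the lab or of BIG-IP) of how the attributes in an IdP's assertion become session.saml.last.attr.name.<Name> variables and how the assignment from step 17 copies emailaddress into session.logon.last.username. The assertion is constructed for this example, and joining multi-valued attributes with a space is an assumption of the example, not documented BIG-IP behaviour.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for user1; not captured from the lab IdP.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.acme.com</saml:Issuer>
  <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="emailaddress">
      <saml:AttributeValue>user1@acme.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Sales</saml:AttributeValue>
      <saml:AttributeValue>Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def saml_session_vars(assertion_xml):
    """Expose assertion attributes as session.saml.last.attr.name.<Name> variables."""
    root = ET.fromstring(assertion_xml)
    session = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        # Assumption for this example: multiple values are joined with a single space.
        session["session.saml.last.attr.name." + attr.get("Name")] = " ".join(values)
    return session

def variable_assign(session):
    """Task 3 step 17: Custom Variable session.logon.last.username (Unsecure) takes the
    value of Session Variable session.saml.last.attr.name.emailaddress."""
    email = session.get("session.saml.last.attr.name.emailaddress", "")
    if not email:
        # The lab policy has only a fallback branch after Variable Assign, so an assertion
        # without this attribute would still reach Allow with an empty username; flag it.
        raise ValueError("assertion has no emailaddress attribute")
    session["session.logon.last.username"] = email
    return session
```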

Task 4 - Create the SP Virtual Server & Apply the SP Access Policy

  1. Begin by selecting Local Traffic >> Virtual Servers >> + (Plus Symbol)

    image024

  2. In the New Virtual Server window, key in the following as shown:

    General Properties
    Name: sp.acme.com
    Destination Address/Mask: 10.1.10.103
    Service Port: 443

    image025

    Configuration
    HTTP Profile: http (drop down)
    SSL Profile (Client): wildcard.acme.com
    Source Address Translation: Auto Map

    image026

    Access Policy
    Access Profile: sp.acme.com-psp

    image027

    Resources
    Default Pool: sp-pool

  3. Click Finished

    image036

Task 5 - Test the SAML SP

  1. Using your browser from the jump host, navigate to https://sp.acme.com

  2. You are redirected to https://idp.acme.com

  3. Log in to the IdP with the credentials:

    • username: user1
    • password: user1

    image037

  4. You are redirected back to https://sp.acme.com and successfully logged on.

    image038

  5. Review your Active Sessions (Access -> Overview -> Active Sessions)
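What happens behind step 2 above, as an added Python illustration (not the lab's or BIG-IP's code): the SP encodes a SAML AuthnRequest with the HTTP-Redirect binding and sends the browser to the IdP, which decodes it back. The IdP SSO URL and the SP assertion consumer path are assumptions for this example (in the lab they come from idp_acme_com.xml and the SP service), and the request signature that the Sign Authentication Request setting adds is left out.

```python
import base64
import zlib
from urllib.parse import urlencode, urlparse, parse_qs

SP_ENTITY_ID = "https://sp.acme.com"            # Entity ID configured in Task 2
IDP_SSO_URL = "https://idp.acme.com/saml/sso"   # assumed; the lab takes it from idp_acme_com.xml
SP_ACS_URL = SP_ENTITY_ID + "/saml/sp/acs"       # assumed assertion consumer service path

def build_authn_request(request_id, issue_instant):
    """Minimal SAML 2.0 AuthnRequest; unsigned here, whereas the lab SP signs it."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )

def redirect_binding_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as the SAMLRequest parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw deflate, no zlib header or checksum
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(query)

def decode_redirect_url(url):
    """What the IdP does on arrival: recover the AuthnRequest XML and the RelayState."""
    qs = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()
    return xml, qs.get("RelayState", [""])[0]

if __name__ == "__main__":
    # RelayState carries the URL the user originally asked for, so the SP can return them to it.
    url = redirect_binding_url(build_authn_request("_req1", "2024-01-01T00:00:00Z"), "https://sp.acme.com/")
    print(url)                          # the Location the browser follows to idp.acme.com
    print(decode_redirect_url(url)[0])  # the request as the IdP sees it
```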

Task 6 - Lab Cleanup

  1. From a browser on the jumphost navigate to https://portal.f5lab.local

  2. Click the Classes tab at the top of the page.

    image002

  3. Scroll down the page until you see 301 SAML Federation on the left

    image003

  4. Hover over the SAML Service Provider (SP) Lab tile. A start and a stop icon should appear within the tile. Click the Stop Button to trigger the automation that removes any prebuilt objects from the environment

    image039 image998

  5. The screen should refresh within 30 seconds and display the progress of the automation. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors, try running the automation a second time or open an issue on the Access Labs Repo.

    image999

  6. This concludes the lab.

    image000