Lab 2: SAML Identity Provider (IdP) - AD Auth

The purpose of this lab is to configure and test a SAML Identity Provider. Students will configure the various aspect of a SAML Identity Provider, import and bind to a SAML Service Provider and test IdP-Initiated SAML Federation.

Objective:

  • Gain an understanding of SAML Identity Provider(IdP) configurations and its component parts
  • Gain an understanding of the access flow for IdP-Initiated SAML

Estimated completion time: 25 minutes

Task 1 - Setup Lab Environment

To access your dedicated student lab environment, you will need a web browser and Remote Desktop Protocol (RDP) client software. The web browser will be used to access the Unified Demo Framework (UDF) Training Portal. The RDP client will be used to connect to the jumphost, where you will be able to access the BIG-IP management interfaces (HTTPS, SSH).

  1. Click DEPLOYMENT located on the top left corner to display the environment

  2. Click ACCESS next to jumphost.f5lab.local

    image001

  3. Select your RDP resolution.

  4. The RDP client on your local host establishes a RDP connection to the jumphost.

  5. Login with the following credentials:

    • User: f5lab\user1
    • Password: user1

  6. After successful logon the Chrome browser will auto launch opening the site https://portal.f5lab.local. This process usually takes 30 seconds after logon.

  7. Click the Classes tab at the top of the page.

    image002

  8. Scroll down the page until you see 301 SAML Federation on the left

    image003

  9. Hover over tile SAML Identity Provider (IdP) - AD Auth. A start and stop icon should appear within the tile. Click the Play Button to start the automation to build the environment

    image057 image004

  10. The screen should refresh displaying the progress of the automation within 30 seconds. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors try running the automation a second time or open an issue on the Access Labs Repo.

    image005

TASK 2 ‑ Configure the SAML Identity Provider (IdP)

IdP Service

  1. Begin by selecting: Access ‑> Federation ‑> SAML Identity Provider ‑> Local IdP Services

  2. Click the Create button (far right)

    image006

  3. In the Create New SAML IdP Service dialog box, click General Settngs in the left navigation pane and key in the following:

    IdP Service Name: idp.acme.com
    IdP Entity ID: https://idp.acme.com

    image007

    Note

    The yellow box on “Host” will disappear when the Entity ID is entered

  4. In the Create New SAML IdP Service dialog box, click Assertion Settings in the left navigation pane and key in the following:

    Assertion Subject Type: Persistent Identifier (drop down)
    Assertion Subject Value: %{session.logon.last.username} (drop down)

    image008

  5. In the Create New SAML IdP Service dialog box, click SAML Attributes in the left navigation pane and click the Add button as shown

    image009

  6. In the Name field in the resulting pop-up window, enter the following: emailaddress

  7. Under Attribute Values, click the Add button

  8. In the Values line, enter the following: %{session.ad.last.attr.mail}

  9. Click the Update button

  10. Click the OK button

    image010

  11. In the Create New SAML IdP Service dialog box, click Security Settings in the left navigation pane and key in the following:

    Signing Key: /Common/idp.acme.com (drop down)
    Signing Certificate: /Common/idp.acme.com (drop down)

    Note

    The certificate and key were previously imported

  12. Click OK to complete the creation of the IdP service

    image011

SP Connector

  1. Click on External SP Connectors (under the SAML Identity Provider tab) in the horizontal navigation menu

  2. Click specifically on the Down Arrow next to the Create button (far right)

  3. Select From Metadata from the drop down menu

    image012

  4. In the Create New SAML Service Provider dialogue box, click Browse and select the sp_acme_com.xml file from the Desktop of your jump host

  5. In the Service Provider Name field, enter the following: sp.acme.com

  6. Click OK on the dialog box

    image013

    Note

    The sp_acme_com.xml file was created previously. Oftentimes SP providers will have a metadata file representing their SP service. This can be imported to save object creation time as has been done in this lab.

  7. Click on Local IdP Services (under the SAML Identity Provider tab) in the horizontal navigation menu

    image014

  8. Select the Checkbox next to the previously created idp.acme.com and click the Bind/Unbind SP Connectors button at the bottom of the GUI

    image015

  9. In the Edit SAML SP’s that use this IdP dialog, select the /Common/sp.acme.com SAML SP Connection Name created previously

  10. Click the OK button at the bottom of the dialog box

    image016

  11. Under the Access ‑> Federation ‑> SAML Identity Provider ‑> Local IdP Services menu you should now see the following (as shown):

    Name: idp.acme.com
    SAML SP Connectors: sp.acme.com

    image017

TASK 3 - Create a SAML Resource

  1. Begin by selecting Access ‑> Federation ‑> SAML Resources >> **+ (Plus Button)

    image018

  2. In the New SAML Resource window, enter the following values:

    Name: sp.acme.com
    SSO Configuration: idp.acmem.com
    Caption: sp.acme.com

  3. Click Finished at the bottom of the configuration window

    image019

Task 4 - Create a Webtop

  1. Select Access ‑> Webtops ‑> Webtop Lists >> + (Plus Button)

    image020

  2. In the resulting window, enter the following values:

    Name: full_webtop
    Type: Full (drop down)
    Minimize To Tray uncheck

  3. Click Finished at the bottom of the GUI

    image021

Task 5 - Create a SAML IdP Access Policy

  1. Select Access ‑> Profiles/Policies ‑> Access Profiles (Per-Session Policies)

  2. Click the Create button (far right)

    image022

  3. In the New Profile window, enter the following information:

    Name: idp.acme.com‑psp
    Profile Type: All (drop down)
    Profile Scope: Profile (default)
    Customization Type: modern (default)

    image023

  4. Scroll to the bottom of the New Profile window to the Language Settings section

  5. Select English from the Factory Built‑in Languages menu on the right and click the Double Arrow (<<), then click the Finished button.

  6. The Default Language should be automatically set

    image024

  7. From the Access ‑> Profiles/Policies ‑> Access Profiles (Per-Session Policies) screen, click the Edit link on the previously created idp.acme.com-psp line

    image025

  8. Click the Plus (+) Sign between Start and Deny

    image026

  9. In the pop-up dialog box, select the Logon tab and then select the Radio next to Logon Page, and click the Add Item button

    image027

  10. Click Save in the resulting Logon Page dialog box

    image028

  11. Click the Plus (+) Sign between Logon Page and Deny

    image029

  12. In the pop-up dialog box, select the Authentication tab and then select the Radio next to AD Auth, and click the Add Item button

    image030

  13. In the resulting AD Auth pop-up window, select /Common/f5lab.local from the Server drop down menu

  14. Click Save at the bottom of the window

    image031

  15. Click the Plus (+) Sign on the successful branch between AD Auth and Deny

    image032

  16. In the pop-up dialog box, select the Authentication tab and then select the Radio next to AD Query, and click the Add Item button

    image033

  17. In the resulting AD Query pop-up window, select /Common/f5lab.local from the Server drop down menu

    image034

  18. In the AD Query pop‑up window, select the Branch Rules tab

  19. Change the Name of the branch to Successful.

  20. Click the Change link next to the Expression

    image035

  21. In the resulting pop-up window, delete the existing expression by clicking the X as shown

    image036

  22. Create a new Simple expression by clicking the Add Expression button

    image037

  23. In the resulting menu, select the following from the drop down menus:

    Agent Sel: AD Query
    Condition: AD Query Passed

  24. Click the Add Expression Button

    image038

  25. Click the Finished button to complete the expression

    image039

  26. Click the Save button to complete the AD Query

    image040

  27. Click the Plus (+) Sign on the successful branch between AD Query and Deny

    image041

  28. In the pop-up dialog box, select the Assignment tab and then select the Radio next to Advanced Resource Assign, and click the Add Item button

    image042

  29. In the resulting Advanced Resource Assign pop-up window, click the Add New Entry button

  30. In the new Resource Assignment entry, click the Add/Delete link

    image043

  31. In the resulting pop-up window, click the SAML tab, and select the Checkbox next to /Common/sp.acme.com

    image044

  32. Click the Webtop tab, and select the Checkbox next to /Common/full_webtop

  33. Click the Update button at the bottom of the window to complete the Resource Assignment entry

    image045

  34. Click the Save button at the bottom of the Advanced Resource Assign window

    image046

  35. In the Visual Policy Editor, select the Deny ending on the fallback branch following Advanced Resource Assign

    image047

  36. In the Select Ending dialog box, selet the Allow radio button and then click Save

    image048

  37. In the Visual Policy Editor, click Apply Access Policy (top left), and close the Visual Policy Editor

    image049

TASK 6 - Create the IdP Virtual Server

  1. Begin by selecting Local Traffic ‑> Virtual Servers

  2. Click the Create button (far right)

    image050

  3. In the New Virtual Server window, enter the following information:

    General Properties
    Name: idp.acme.com
    Destination Address/Mask: 10.1.10.102
    Service Port: 443

    image051

    Configuration
    HTTP Profile: http (drop down)
    SSL Profile (Client) wildcard.acme.com

    image052

    Access Policy
    Access Profile: idp.acme.com-psp

    image053

  4. Scroll to the bottom of the configuration window and click Finished

TASK 7 - Test the SAML IdP

  1. Using your browser from the jump host, navigate to the SAML IdP you just configured at https://idp.acme.com

  2. Log in to the IdP with the credentials:

    • Username: user1
    • Password: user1

    image054

  3. Click on the sp.acme.com icon.

    image055

  4. You are successfully logged into https://sp.acme.com

image056
  1. Review your Active Sessions (Access ‑> Overview ‑> Active Sessions­­­)
  2. Review your Access Report Logs (Access ‑> Overview ‑> Access Reports)

Task 8 - Lab Cleanup

  1. From a browser on the jumphost navigate to https://portal.f5lab.local

  2. Click the Classes tab at the top of the page.

    image002

  3. Scroll down the page until you see 301 SAML Federation on the left

    image003

  4. Hover over tile SAML Identity Provider (IdP) - AD Auth. A start and stop icon should appear within the tile. Click the Stop Button to trigger the automation to remove any prebuilt objects from the environment

    image057 image998

  5. The screen should refresh displaying the progress of the automation within 30 seconds. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you you experience errors try running the automation a second time or open an issue on the Access Labs Repo.

    image999

  6. This concludes the lab.

    image000