Lab 3: SAML Identity Provider (IdP) - Kerberos Auth

The purpose of this lab is to deploy and test a Kerberos to SAML configuration. Students will modify a previously built Access Policy to create a seamless access experience, from Kerberos to SAML, for connecting users. This lab builds on the work performed in Lab 2; archive files are available for the completed Lab 2.

Objective:

  • Gain an understanding of the Kerberos to SAML relationship and its component parts.
  • Develop an awareness of the different deployment models that Kerberos to SAML authentication opens up.

Lab Requirements:

  • All Lab requirements will be noted in the tasks that follow

Estimated completion time: 25 minutes

Task 1 - Setup Lab Environment

To access your dedicated student lab environment, you will need a web browser and Remote Desktop Protocol (RDP) client software. The web browser will be used to access the Unified Demo Framework (UDF) Training Portal. The RDP client will be used to connect to the jumphost, where you will be able to access the BIG-IP management interfaces (HTTPS, SSH).

  1. Click DEPLOYMENT located on the top left corner to display the environment

  2. Click ACCESS next to jumphost.f5lab.local

    image001

  3. Select your RDP resolution.

  4. The RDP client on your local host establishes an RDP connection to the Jump Host.

  5. Login with the following credentials:

    • User: f5lab\user1
    • Password: user1
  6. After a successful logon, the Chrome browser launches automatically and opens https://portal.f5lab.local. This usually takes about 30 seconds.

  7. Click the Classes tab at the top of the page.

    image002

  8. Scroll down the page until you see 301 SAML Federation on the left

    image003

  9. Hover over the tile SAML Identity Provider (IdP) - Kerberos Auth. Start and stop icons should appear within the tile. Click the Play button to start the automation that builds the environment.

    image062 image004
  10. The screen should refresh within 30 seconds, displaying the progress of the automation. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors, try running the automation a second time or open an issue on the Access Labs Repo.

    image005

TASK 2 ‑ Configure the SAML Identity Provider (IdP)

IdP Service

  1. Begin by selecting: Access ‑> Federation ‑> SAML Identity Provider ‑> Local IdP Services

  2. Click the Create button (far right)

    image006

  3. In the Create New SAML IdP Service dialog box, click General Settings in the left navigation pane and key in the following:

    IdP Service Name: idp.acme.com
    IdP Entity ID: https://idp.acme.com

    image007

    Note

    The yellow box on “Host” will disappear when the Entity ID is entered

  4. In the Create New SAML IdP Service dialog box, click Assertion Settings in the left navigation pane and key in the following:

    Assertion Subject Type: Persistent Identifier (drop down)
    Assertion Subject Value: %{session.logon.last.username} (drop down)

    image008

    Note

    The persistent format tells the SP that the NameID is a stable identifier for the same user across sessions. The SAML 2.0 specification intends a persistent NameID to be an opaque, privacy-preserving pseudonym; sending the raw username keeps this lab simple, but in production the subject value should be chosen to match what the SP expects to receive.

  5. In the Create New SAML IdP Service dialog box, click SAML Attributes in the left navigation pane and click the Add button as shown

    image009

  6. In the Name field in the resulting pop-up window, enter the following: emailaddress

  7. Under Attribute Values, click the Add button

  8. In the Values line, enter the following: %{session.ad.last.attr.mail}

  9. Click the Update button

  10. Click the OK button

    image010

    Note

    %{session.ad.last.attr.mail} is populated by the AD Query agent that is added to the access policy in Task 6. If that query is omitted or fails, the emailaddress attribute will be sent without a value.

  11. In the Create New SAML IdP Service dialog box, click Security Settings in the left navigation pane and key in the following:

    Signing Key: /Common/idp.acme.com (drop down)
    Signing Certificate: /Common/idp.acme.com (drop down)

    Note

    The certificate and key were previously imported

  12. Click OK to complete the creation of the IdP service

    image011

SP Connector

  1. Click on External SP Connectors (under the SAML Identity Provider tab) in the horizontal navigation menu

  2. Click specifically on the Down Arrow next to the Create button (far right)

  3. Select From Metadata from the drop down menu

    image012

  4. In the Create New SAML Service Provider dialog box, click Browse and select the sp_acme_com.xml file from the Desktop of your jumphost

  5. In the Service Provider Name field, enter the following: sp.acme.com

  6. Click OK on the dialog box

    image013

    Note

    The sp_acme_com.xml file was created previously. Service providers often publish a metadata file describing their SP service (entity ID, Assertion Consumer Service URL, supported bindings and any signing or encryption certificate); importing it saves object creation time, as has been done in this lab. Because the metadata carries the SP's certificate, obtain it from the SP operator over a trusted channel rather than from an unverified download.

  7. Click on Local IdP Services (under the SAML Identity Provider tab) in the horizontal navigation menu

    image014

  8. Select the Checkbox next to the previously created idp.acme.com and click the Bind/Unbind SP Connectors button at the bottom of the GUI

    image015

  9. In the Edit SAML SP’s that use this IdP dialog, select the /Common/sp.acme.com SAML SP Connection Name created previously

  10. Click the OK button at the bottom of the dialog box

    image016

  11. Under the Access ‑> Federation ‑> SAML Identity Provider ‑> Local IdP Services menu you should now see the following (as shown):

    Name: idp.acme.com
    SAML SP Connectors: sp.acme.com

    image017

TASK 3 - Create a SAML Resource

  1. Begin by selecting Access ‑> Federation ‑> SAML Resources ‑> + (Plus Button)

    image018

  2. In the New SAML Resource window, enter the following values:

    Name: sp.acme.com
    SSO Configuration: idp.acme.com
    Caption: sp.acme.com
  3. Click Finished at the bottom of the configuration window

    image019

Task 4 - Create a Webtop

  1. Select Access ‑> Webtops ‑> Webtop Lists >> + (Plus Button)

    image020

  2. In the resulting window, enter the following values:

    Name: full_webtop
    Type: Full (drop down)
    Minimize To Tray: unchecked
  3. Click Finished at the bottom of the GUI

    image021

Task 5 - Create a Kerberos AAA Object

  1. From the jumphost, open a command prompt and enter the command below to generate a Kerberos keytab file:

    ktpass -princ HTTP/idp.acme.com@F5LAB.LOCAL -mapuser f5lab\krbtsrv -ptype KRB5_NT_PRINCIPAL -pass 'P@$$w0rd' -out C:\Users\user1\Desktop\out.keytab

    Note

    ktpass registers the SPN HTTP/idp.acme.com on the krbtsrv account, sets that account's password to the value given with -pass (so the key written to the keytab matches the key the KDC uses) and, by default, also rewrites the account's userPrincipalName to the principal name. The single quotes around the password are PowerShell syntax; from cmd.exe use double quotes instead. Adding -crypto AES256-SHA1 makes the key type explicit rather than relying on the tool's default, and the SPN must not already be registered on another account, because the KDC will not issue tickets for a duplicated SPN.

    image022

  2. From the BIG-IP GUI, navigate to Access ‑> Authentication ‑> Kerberos and click the + (Plus) symbol

    image023

    Name: idp.acme.com
    SPN Format: Host-based service
    Auth Realm: F5LAB.LOCAL
    Service Name: HTTP
    Keytab File: out.keytab (upload the file generated in step 1)
  3. Click Finished

    image024
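Before uploading out.keytab in step 2 it is worth confirming what ktpass actually wrote: the principal string must match the SPN Format, Service Name and Auth Realm entered in the AAA object, and the key type should be a modern AES enctype. The following script is an added example for this lab, not F5 tooling. It parses the MIT keytab format that ktpass emits (version header 0x0502) and checks the entry for HTTP/idp.acme.com@F5LAB.LOCAL. The keytab bytes it inspects are constructed in-process from a made-up key so it runs offline; pass the contents of the real out.keytab to check_keytab() to use it on the lab output.

```python
"""Parse a Kerberos keytab in the MIT format written by Windows ktpass
(version header 0x0502) and check it holds the expected service principal.

Added example for this lab, not F5 tooling. The sample keytab below is
constructed from a made-up key so the script runs offline.
"""
import struct
from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1          # the -ptype used by the lab's ktpass command
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}     # DES and RC4: do not use for a new SPN


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf, off):
    """Read a uint16 length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected 0x0502 header)")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:              # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):     # v2 counts components without the realm
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        etype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:         # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, etype, key))
        off = end
    return entries


def _entry_bytes(principal, enctype, key, kvno, name_type=KRB5_NT_PRINCIPAL):
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", name_type, 0, kvno & 0xFF, enctype, len(key))
    body += key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    """Serialise (principal, enctype, key, kvno) tuples; used only to build samples."""
    return b"\x05\x02" + b"".join(_entry_bytes(*e) for e in entries)


def check_keytab(data, expected_principal):
    """Return findings about the entry the BIG-IP AAA object needs; [] means OK."""
    entries = parse_keytab(data)
    matches = [e for e in entries if e.principal == expected_principal]
    if not matches:
        return ["no entry for %s; keytab holds %s"
                % (expected_principal, [e.principal for e in entries])]
    findings = []
    for e in matches:
        if e.enctype in WEAK_ENCTYPES:
            findings.append("kvno %d uses weak enctype %s; re-run ktpass with -crypto AES256-SHA1"
                            % (e.kvno, ENCTYPES.get(e.enctype, e.enctype)))
        if e.name_type != KRB5_NT_PRINCIPAL:
            findings.append("name type %d is not KRB5_NT_PRINCIPAL" % e.name_type)
    return findings


LAB_SPN = "HTTP/idp.acme.com@F5LAB.LOCAL"
SAMPLE_KEYTAB = build_keytab([(LAB_SPN, 18, bytes(range(32)), 3)])   # constructed sample

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e.principal, ENCTYPES.get(e.enctype), "kvno", e.kvno)
    print(check_keytab(SAMPLE_KEYTAB, LAB_SPN) or "OK")
```

The kvno recorded in the keytab must match the key version held by the domain controller; if the krbtsrv password is later reset, the kvno increments and the BIG-IP can no longer decrypt service tickets until a new keytab is generated and uploaded.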

Task 6 - Create a SAML IdP Access Policy

  1. Select Access ‑> Profiles/Policies ‑> Access Profiles (Per-Session Policies)

  2. Click the Create button (far right)

    image025

  3. In the New Profile window, enter the following information:

    Name: idp.acme.com‑psp
    Profile Type: All (drop down)
    Profile Scope: Profile (default)
    Customization Type: modern (default)

    image026

  4. Scroll to the bottom of the New Profile window to the Language Settings section

  5. Select English from the Factory Built‑in Languages menu on the right and click the Double Arrow (<<), then click the Finished button.

  6. The Default Language should be automatically set

    image027

  7. From the Access ‑> Profiles/Policies ‑> Access Profiles (Per-Session Policies) screen, click the Edit link on the previously created idp.acme.com-psp line

    image028

  8. Click the Plus (+) Sign between Start and Deny

    image029

  9. In the pop-up dialog box, select the Logon tab and then select the Radio next to HTTP 401 Response, and click the Add Item button

    image030

  10. In the HTTP 401 Response dialog box, enter the following information:

    HTTP Auth Level: negotiate (drop down)
  11. Click the Save button at the bottom of the dialog box

    image031

    Note

    With the level set to negotiate, the BIG-IP answers the first request with a 401 and a WWW-Authenticate: Negotiate header. The browser responds with a Kerberos service ticket for HTTP/idp.acme.com only if it treats the site as trusted for integrated authentication (for example via the Windows intranet zone settings) and the client can obtain a ticket for that SPN; otherwise the user is prompted for credentials or the request fails.

  12. Click the Branch Rules tab

  13. Click the X on the Basic Branch

    image032

  14. Click Save

    image033

  15. Click the + (Plus symbol) on the negotiate branch

    image034

  16. Click the Authentication tab

  17. Select Kerberos Auth

  18. Click Add Item

    image035

  19. In the Kerberos Auth dialog box, enter the following information:

    AAA Server: /Common/idp.acme.com (drop down)
    Request Based Auth: Enabled (drop down)
  20. Click Save

    image036

  21. Click the Plus (+) Sign on the Successful branch between Kerberos Auth and Deny

    image037

  22. In the pop-up dialog box, select the Authentication tab and then select the Radio next to AD Query, and click the Add Item button

    image038

  23. In the resulting AD Query pop-up window, select /Common/f5lab.local from the Server drop down menu

  24. In the SearchFilter field, enter the following value: userPrincipalName=%{session.logon.last.username}

    image039

  25. In the AD Query window, click the Branch Rules tab

  26. Change the Name of the branch to Successful.

  27. Click the Change link next to the Expression

    image040

  28. In the resulting pop-up window, delete the existing expression by clicking the X as shown

    image041

  29. Create a new Simple expression by clicking the Add Expression button

    image042

  30. In the resulting menu, select the following from the drop down menus:

    Agent Sel: AD Query
    Condition: AD Query Passed
  31. Click the Add Expression Button

    image043

  32. Click the Finished button to complete the expression

    image044

  33. Click the Save button to complete the AD Query

    image045

  34. Click the Plus (+) Sign on the Successful branch between AD Query and Deny

    image046

  35. In the pop-up dialog box, select the Assignment tab and then select the Radio next to Advanced Resource Assign, and click the Add Item button

    image047

  36. In the resulting Advanced Resource Assign pop-up window, click the Add New Entry button

  37. In the new Resource Assignment entry, click the Add/Delete link

    image048

  38. In the resulting pop-up window, click the SAML tab, and select the Checkbox next to /Common/sp.acme.com

    image049

  39. Click the Webtop tab, and select the Checkbox next to /Common/full_webtop

  40. Click the Update button at the bottom of the window to complete the Resource Assignment entry

    image050

  41. Click the Save button at the bottom of the Advanced Resource Assign window

    image051

  42. In the Visual Policy Editor, select the Deny ending on the fallback branch following Advanced Resource Assign

    image052

  43. In the Select Ending dialog box, select the Allow radio button and then click Save

    image053

  44. In the Visual Policy Editor, click Apply Access Policy (top left), and close the Visual Policy Editor

    image054

TASK 7 - Create the IdP Virtual Server

  1. Begin by selecting Local Traffic ‑> Virtual Servers

  2. Click the Create button (far right)

    image055

  3. In the New Virtual Server window, enter the following information:

    General Properties
    Name: idp.acme.com
    Destination Address/Mask: 10.1.10.102
    Service Port: 443

    image056

    Configuration
    HTTP Profile: http (drop down)
    SSL Profile (Client): wildcard.acme.com

    image057

    Access Policy
    Access Profile: idp.acme.com-psp

    image058

  4. Scroll to the bottom of the configuration window and click Finished

TASK 8 - Test the Configuration

  1. From the jumphost, navigate to the SAML IdP you previously configured at https://idp.acme.com. Notice that you are automatically signed in to the IdP.

  2. Click sp.acme.com

    image059

  3. You are then successfully logged into https://sp.acme.com and presented with a webpage.

    image060

  4. From the jumphost CLI, type klist. You will see a Kerberos ticket for HTTP/idp.acme.com@F5LAB.LOCAL.

    image061

  5. Review your Active Sessions (Access ‑> Overview ‑> Active Sessions)

  6. Review your Access Report Logs (Access ‑> Overview ‑> Access Reports)
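To see what the SP actually received after the redirect in this task, copy the SAMLResponse form field from the browser's developer tools and decode it. The script below is an added example for this lab, not F5 code. It decodes the base64 response and checks the fields that Task 2 configured: an Issuer equal to the IdP Entity ID, a persistent-format NameID, an emailaddress attribute populated by AD Query, an Audience matching the SP, the validity window, and the presence of an XML signature. It assumes the SP entity ID is https://sp.acme.com (the lab does not state it) and uses a constructed response so it runs offline. Signature verification itself requires an XML-DSig library and is out of scope here; this script only reports whether a signature element is present.

```python
"""Decode a SAMLResponse (the base64 form field posted to the SP's ACS URL)
and check the assertion against the IdP settings configured in Task 2.

Added example for this lab, not F5 or BIG-IP code. Assumed, not from the
lab: SP entity ID https://sp.acme.com. The sample response is constructed
here; its signature element, when present, is a placeholder and is not
cryptographically verified.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)    # inside the sample window
SAMPLE_LATER = datetime(2024, 1, 1, 12, 10, tzinfo=timezone.utc)  # after NotOnOrAfter


def _ts(value):
    """SAML timestamps are xs:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def subject_and_attributes(b64_response):
    """Return (NameID text, {attribute name: [values]}) from the assertion."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs


def check_saml_response(b64_response, idp_entity_id, sp_entity_id, now,
                        required_attrs=("emailaddress",)):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["top-level element is %s, not samlp:Response" % root.tag]
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext saml:Assertion (EncryptedAssertion not handled here)"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_entity_id:
        findings.append("Issuer %r does not match IdP Entity ID %r" % (issuer, idp_entity_id))
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID missing or empty (Assertion Subject Value not populated)")
    elif name_id.get("Format") != PERSISTENT:
        findings.append("NameID Format is %r, expected persistent" % name_id.get("Format"))
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element: assertion has no audience or validity window")
    else:
        audience = cond.findtext("saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
        if audience != sp_entity_id:
            findings.append("Audience %r does not match SP entity ID %r" % (audience, sp_entity_id))
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            findings.append("assertion not yet valid (check clock skew between BIG-IP and SP)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            findings.append("assertion expired (check clock skew between BIG-IP and SP)")
    _, attrs = subject_and_attributes(b64_response)
    for name in required_attrs:
        if not any(v for v in attrs.get(name, [])):
            findings.append("attribute %r missing or empty (AD Query did not populate it)" % name)
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        findings.append("no ds:Signature on Assertion or Response")
    return findings


def build_sample_response(name_id="user1", fmt=PERSISTENT, mail="user1@f5lab.local",
                          audience="https://sp.acme.com", signed=False):
    """Constructed sample, not a capture; the signature is a placeholder element."""
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignatureValue>cGxhY2Vob2xkZXI='
           '</ds:SignatureValue></ds:Signature>' % NS["ds"]) if signed else ""
    xml = (
        '<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" ID="_r1" Version="2.0" '
        'IssueInstant="2024-01-01T12:00:00Z"><saml:Issuer>https://idp.acme.com</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="%(success)s"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">'
        '<saml:Issuer>https://idp.acme.com</saml:Issuer>%(sig)s'
        '<saml:Subject><saml:NameID Format="%(fmt)s">%(name_id)s</saml:NameID></saml:Subject>'
        '<saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">'
        '<saml:AudienceRestriction><saml:Audience>%(audience)s</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="emailaddress">'
        '<saml:AttributeValue>%(mail)s</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>'
    ) % dict(NS, success=SUCCESS, sig=sig, fmt=fmt, name_id=name_id, audience=audience, mail=mail)
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    resp = build_sample_response(signed=True)
    print(subject_and_attributes(resp))
    print(check_saml_response(resp, "https://idp.acme.com", "https://sp.acme.com", SAMPLE_NOW) or "OK")
    print(check_saml_response(build_sample_response(), "https://idp.acme.com", "https://sp.acme.com", SAMPLE_NOW))
```

Run check_saml_response() against a captured response with the current UTC time as now; a finding about the validity window on a freshly issued assertion usually points at clock skew between the BIG-IP and the SP rather than at the IdP configuration.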

Task 9 - Lab Cleanup

  1. From a browser on the jumphost navigate to https://portal.f5lab.local

  2. Click the Classes tab at the top of the page.

    image002

  3. Scroll down the page until you see 301 SAML Federation on the left

    image003

  4. Hover over the tile SAML Identity Provider (IdP) - Kerberos Auth. Start and stop icons should appear within the tile. Click the Stop button to trigger the automation that removes any prebuilt objects from the environment.

    image062 image998
  5. The screen should refresh within 30 seconds, displaying the progress of the automation. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors, try running the automation a second time or open an issue on the Access Labs Repo.

    image999

  6. This concludes the lab.

    image000