Lab 6: SAML IdP Chaining to AzureAD (BIG-IP Primary IdP)

Task 1 - Setup Lab Environment

To access your dedicated student lab environment, you will need a web browser and Remote Desktop Protocol (RDP) client software. The web browser will be used to access the Unified Demo Framework (UDF) Training Portal. The RDP client will be used to connect to the jumphost, where you will be able to access the BIG-IP management interfaces (HTTPS, SSH).

  1. Click DEPLOYMENT located on the top left corner to display the environment

  2. Click ACCESS next to jumphost.f5lab.local

    image001

  3. Select your RDP resolution.

  4. The RDP client on your local host establishes an RDP connection to the Jump Host.

  5. Login with the following credentials:

    • User: f5lab\user1
    • Password: user1
  6. After a successful logon, Chrome launches automatically and opens https://portal.f5lab.local. This usually takes about 30 seconds after logon.

  7. Click the Classes tab at the top of the page.

    image002

  8. Scroll down the page until you see 301 SAML Federation on the left

    image003

  9. Hover over tile SAML IdP Chaining to AzureAD (BIG-IP Primary IdP). A start and stop icon should appear within the tile. Click the Play Button to start the automation to build the environment

    image004 image005
  10. The screen should refresh within 30 seconds and display the progress of the automation. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors, try running the automation a second time or open an issue on the Access Labs Repo.

    image006

Task 2 - Create portal.acme.com SAML Service Provider (SP) Service

  1. Begin by selecting: Access ‑> Federation ‑> SAML Service Provider ‑> Local SP Services. Click the Plus (+) Sign

    image009

  2. In the Create New SAML SP Service dialog box, click General Settings in the left navigation pane and key in the following:

    Service Name: portal.acme.com-sp-s
    Entity ID: https://portal.acme.com
  3. Click OK

    image010

  4. Select the Checkbox next to the previously created portal.acme.com-sp-s and click the Bind/Unbind IdP Connectors button at the bottom of the GUI

    image011

  5. Click Add New Row

    image012

  6. Select /Common/azure-idp from the SAML IdP Connectors dropdown menu

  7. Click Update

    Note

    The Azure IdP connector was previously configured through the automation.

    image013

  8. Click OK

    image014

Task 3 ‑ Configure the SAML Identity Provider (IdP) Service

  1. Begin by selecting: Access ‑> Federation ‑> SAML Identity Provider ‑> Local IdP Services. Click the Plus (+) Sign

    image015

  2. In the Create New SAML IdP Service dialog box, click General Settings in the left navigation pane and key in the following:

    IdP Service Name: portal.acme.com-idp-s
    IdP Entity ID: https://portal.acme.com

    image016

    Note

    The yellow box on “Host” will disappear when the Entity ID is entered

  3. In the Create New SAML IdP Service dialog box, click Assertion Settings in the left navigation pane and key in the following:

    Assertion Subject Type: Persistent Identifier (drop down)
    Assertion Subject Value: %{session.logon.last.username} (drop down)
    Authentication Context Class Reference: %{session.saml.last.authNContextClassRef}

    image017

  4. In the Create New SAML IdP Service dialog box, click Security Settings in the left navigation pane and key in the following:

    Signing Key: /Common/portal.acme.com (drop down)
    Signing Certificate: /Common/portal.acme.com (drop down)

    Note

    The certificate and key were previously imported via automation

  5. Click OK to complete the creation of the IdP service

    image018

  6. Select the Checkbox next to the previously created portal.acme.com-idp-s and click the Bind/Unbind SP Connectors button at the bottom of the GUI

    image019

  7. In the Edit SAML SP’s that use this IdP dialog, select the /Common/sp.acme.com SAML SP Connection Name.

  8. Click the OK button at the bottom of the dialog box

    image020

Task 4 - Create a SAML Resource

  1. Begin by selecting Access ‑> Federation ‑> SAML Resources >> Plus (+) Sign

    image021

  2. In the New SAML Resource window, enter the following values:

    Name: sp.acme.com
    SSO Configuration: portal.acme.com-idp-s
    Caption: sp.acme.com
  3. Click Finished at the bottom of the configuration window

    image022

Task 5 - Create a Webtop

  1. Select Access ‑> Webtops ‑> Webtop Lists >> Plus (+) Sign

    image023

  2. In the resulting window, enter the following values:

    Name: full_webtop
    Type: Full (drop down)
    Minimize To Tray: unchecked
  3. Click Finished at the bottom of the GUI

    image024

Task 6 - Create a SAML IdP Access Policy

  1. Select Access ‑> Profiles/Policies ‑> Access Profiles (Per-Session Policies) -> Plus (+) Sign

    image025

  2. In the New Profile window, enter the following information:

    Name: portal.acme.com‑psp
    Profile Type: All (drop down)
    Profile Scope: Profile (default)
    Customization Type: modern (default)

    image026

  3. Scroll to the bottom of the New Profile window to the Language Settings section

  4. Select English from the Factory Built‑in Languages menu on the right and click the Double Arrow (<<), then click the Finished button.

  5. The Default Language should be automatically set

    image027

  6. From the Access ‑> Profiles/Policies ‑> Access Profiles (Per-Session Policies) screen, click the Edit link on the previously created portal.acme.com-psp line

    image028

  7. Click the Plus (+) Sign between Start and Deny

    image029

  8. In the pop-up dialog box, select the Authentication tab and then select the Radio next to SAML Auth, and click the Add Item button

    image030

    image031

  9. Select /Common/portal.acme.com-sp-s from the AAA Server dropdown menu

  10. Click Save

    image032

  11. On the successful branch of the SAML Auth Policy-Item click the Plus (+) Sign

    image033

  12. In the pop-up dialog box, select the Assignment tab and then select the Radio next to Variable Assign, and click the Add Item button

    image034

  13. Click Add new entry

  14. Click Change

    image035

  15. Enter the Custom Variable session.logon.last.username

  16. Select Session Variable from the right drop down menu

  17. Enter the session variable name session.saml.last.nameIDValue

  18. Click Finished

    image036

  19. Click Save

    image037

  20. Click the Plus (+) Sign on the fallback branch between Variable Assign and Deny

    image038

  21. In the pop-up dialog box, select the Assignment tab and then select the Radio next to Advanced Resource Assign, and click the Add Item button

    image039

  22. Click Add new entry

  23. In the new Resource Assignment entry, click the Add/Delete link

    image040

  24. In the resulting pop-up window, click the SAML tab, and select the Checkbox next to /Common/sp.acme.com

    image041

  25. Click the Webtop tab, and select the Checkbox next to /Common/full_webtop

  26. Click the Update button at the bottom of the window to complete the Resource Assignment entry

    image042

  27. Click the Save button at the bottom of the Advanced Resource Assign window

    image043

  28. In the Visual Policy Editor, select the Deny ending on the fallback branch following Advanced Resource Assign

    image044

  29. In the Select Ending dialog box, select the Allow radio button and then click Save

    image045

  30. In the Visual Policy Editor, click Apply Access Policy (top left), and close the Visual Policy Editor

    image046
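The two policy pieces built in Task 3 (Assertion Settings) and Task 6 (the Variable Assign on the SAML Auth success branch) together define how an identity is carried across the chain: BIG-IP consumes the Azure AD assertion as an SP, copies session.saml.last.nameIDValue into session.logon.last.username, and its local IdP service re-issues a Persistent NameID from that variable while forwarding the upstream AuthnContextClassRef. The script below is an added example that models that data flow; it is not BIG-IP code or part of the lab. The upstream assertion is constructed and unsigned (a real consumer must verify the XML signature first), the Azure tenant ID is a placeholder, and the Entity ID assumed for the sp.acme.com connector (https://sp.acme.com) is not stated in the lab. It also shows the check a practitioner should expect the SP side to enforce: the assertion's Audience must equal the SP Entity ID from Task 2, otherwise a token minted for another Azure application would be accepted here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
SP_ENTITY_ID = "https://portal.acme.com"    # Task 2, portal.acme.com-sp-s
IDP_ENTITY_ID = "https://portal.acme.com"   # Task 3, portal.acme.com-idp-s
DOWNSTREAM_SP = "https://sp.acme.com"       # assumed Entity ID of the sp.acme.com SP connector
# Constructed Azure AD issuer; the tenant ID is a placeholder, not the lab tenant.
AZURE_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

# Constructed, unsigned assertion shaped like what Azure AD returns to the BIG-IP SP service.
UPSTREAM_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{AZURE_ISSUER}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user1@f5access.onmicrosoft.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://portal.acme.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def consume_upstream(assertion_xml: str, expected_issuer: str, sp_entity_id: str) -> dict:
    """Model the SAML Auth agent: check Issuer and Audience, then populate the
    session variables the access policy reads (signature check omitted here)."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected Issuer {issuer!r}")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError(f"audience {audiences} does not include SP Entity ID {sp_entity_id}")
    session = {
        "session.saml.last.nameIDValue": root.findtext(".//saml:NameID", namespaces=NS),
        "session.saml.last.authNContextClassRef": root.findtext(".//saml:AuthnContextClassRef", namespaces=NS),
    }
    # Task 6 Variable Assign: session.logon.last.username = session.saml.last.nameIDValue
    session["session.logon.last.username"] = session["session.saml.last.nameIDValue"]
    return session


def issue_downstream(session: dict, idp_entity_id: str, sp_entity_id: str) -> str:
    """Model the local IdP service (Task 3 Assertion Settings): Persistent NameID from
    %{session.logon.last.username}, AuthnContextClassRef from %{session.saml.last.authNContextClassRef}."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed instant so the output is reproducible
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    tag = lambda name: f"{{{SAML_NS}}}{name}"
    a = ET.Element(tag("Assertion"), ID="_b1", Version="2.0", IssueInstant=now.strftime(fmt))
    ET.SubElement(a, tag("Issuer")).text = idp_entity_id
    nid = ET.SubElement(ET.SubElement(a, tag("Subject")), tag("NameID"),
                        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
    nid.text = session["session.logon.last.username"]
    cond = ET.SubElement(a, tag("Conditions"), NotBefore=now.strftime(fmt),
                         NotOnOrAfter=(now + timedelta(minutes=5)).strftime(fmt))
    ET.SubElement(ET.SubElement(cond, tag("AudienceRestriction")), tag("Audience")).text = sp_entity_id
    stmt = ET.SubElement(a, tag("AuthnStatement"), AuthnInstant=now.strftime(fmt))
    ET.SubElement(ET.SubElement(stmt, tag("AuthnContext")), tag("AuthnContextClassRef")).text = \
        session["session.saml.last.authNContextClassRef"]
    return ET.tostring(a, encoding="unicode")


def chain(assertion_xml: str = UPSTREAM_ASSERTION) -> dict:
    """Run both halves of the chain and return the fields that end up in the downstream assertion."""
    session = consume_upstream(assertion_xml, AZURE_ISSUER, SP_ENTITY_ID)
    root = ET.fromstring(issue_downstream(session, IDP_ENTITY_ID, DOWNSTREAM_SP))
    return {
        "username": session["session.logon.last.username"],
        "downstream_issuer": root.findtext("saml:Issuer", namespaces=NS),
        "downstream_nameid": root.findtext(".//saml:NameID", namespaces=NS),
        "downstream_nameid_format": root.find(".//saml:NameID", NS).get("Format"),
        "downstream_authn_context": root.findtext(".//saml:AuthnContextClassRef", namespaces=NS),
        "downstream_audience": root.findtext(".//saml:Audience", namespaces=NS),
    }


if __name__ == "__main__":
    for key, value in chain().items():
        print(f"{key}: {value}")
```

Because the Variable Assign feeds the upstream NameID straight into session.logon.last.username, whatever Azure AD places in its NameID (here the UPN) becomes the subject sp.acme.com sees; if the downstream application authorizes on that value, the Azure side's NameID claim configuration is part of this lab's trust boundary.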

Task 7 - Create an IdP Virtual Server

  1. Navigate to Local Traffic ‑> Virtual Servers -> Virtual Server List. Click the Plus (+) Sign

    image047

  2. In the New Virtual Server window, enter the following information:

    General Properties
    Name: portal.acme.com
    Destination Address/Mask: 10.1.10.102
    Service Port: 443

    image048

    Configuration
    HTTP Profile: http (drop down)
    SSL Profile (Client): wildcard.acme.com

    image049

    Access Policy
    Access Profile: portal.acme.com-psp

    image050

  3. Scroll to the bottom of the configuration window and click Finished

Task 8 - Test Access to sp.acme.com

  1. From the jumphost’s browser, navigate to https://sp.acme.com

  2. The redirects happen transparently: the browser is sent from sp.acme.com to https://portal.acme.com (the BIG-IP IdP), which in turn, acting as an SP toward Azure AD, redirects you to the Azure sign-in page at https://login.microsoftonline.com

    image051

  3. Enter the username: user1@f5access.onmicrosoft.com

  4. Click Next

    image052

  5. Enter the Password: F5twister$

  6. Click Sign in

    image053

  7. If you receive a notice about Staying Signed in simply click No

    image054

  8. You are successfully logged into https://portal.acme.com, automatically redirected back to https://sp.acme.com, and presented a webpage.

    image055
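Step 2 above says you will not see the hops, but they are recoverable: each one is an HTTP-Redirect-binding AuthnRequest whose SAMLRequest query parameter carries a DEFLATEd, base64-encoded XML document naming the requester. The script below is an added example, not part of the lab or of BIG-IP, that builds the two redirect URLs of this chain and decodes them the way you would decode ones copied from the browser's address bar or developer tools. The hostnames come from the lab; the SSO and ACS paths and the Azure tenant ID are constructed placeholders.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def encode_redirect(authn_request_xml: str, sso_url: str, relay_state: str = "") -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as query parameters."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits -15: raw deflate, no zlib header
    deflated = compressor.compress(authn_request_xml.encode()) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urllib.parse.urlencode(params)}"


def decode_redirect(url: str) -> dict:
    """Reverse the binding and pull out who is asking, where, and where the response should go."""
    parsed = urllib.parse.urlsplit(url)
    qs = urllib.parse.parse_qs(parsed.query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    return {
        "sso_host": parsed.netloc,
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": qs.get("RelayState", [None])[0],
    }


def authn_request(issuer: str, destination: str, acs_url: str, req_id: str) -> str:
    """Minimal (unsigned) AuthnRequest; real ones may carry a Signature or SigAlg/Signature params."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
            f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            f'AssertionConsumerServiceURL="{acs_url}"><saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')


# Hop 1 (constructed): sp.acme.com asks the BIG-IP IdP at portal.acme.com to authenticate the user.
HOP1_SSO = "https://portal.acme.com/saml/idp/profile/redirectorpost/sso"   # assumed IdP SSO path
HOP1 = encode_redirect(
    authn_request("https://sp.acme.com", HOP1_SSO, "https://sp.acme.com/saml/sp/profile/post/acs", "_r1"),
    HOP1_SSO, relay_state="https://sp.acme.com/")

# Hop 2 (constructed): portal.acme.com, now acting as SP, forwards the user to Azure AD.
HOP2_SSO = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"  # placeholder tenant
HOP2 = encode_redirect(
    authn_request("https://portal.acme.com", HOP2_SSO, "https://portal.acme.com/saml/sp/profile/post/acs", "_r2"),
    HOP2_SSO)


def trace_chain(urls=(HOP1, HOP2)) -> list:
    """Decode each redirect in order; the Issuer changes from sp.acme.com to portal.acme.com."""
    return [decode_redirect(u) for u in urls]


if __name__ == "__main__":
    for hop in trace_chain():
        print(hop)
```

Paste a real SAMLRequest URL into decode_redirect to confirm that the Issuer on the second hop is https://portal.acme.com (the Entity ID from Task 2) and not the downstream SP; if Azure AD rejects the request, a mismatch between that Issuer and the Identifier configured on the Azure enterprise application is the first thing to check.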

Task 9 - Test access to portal.acme.com

  1. Close the browser completely, or open a new incognito window, so the session from Task 8 is not reused

  2. From the jumphost’s browser, navigate to https://portal.acme.com

  3. The redirect happens transparently: portal.acme.com, acting as an SP toward Azure AD, sends you to https://login.microsoftonline.com

    image051

  4. Enter the username: user1@f5access.onmicrosoft.com

  5. Click Next

    image052

  6. Enter the Password: F5twister$

  7. Click Sign in

    image053

  8. If you receive a notice about Staying Signed in simply click No

    image054

  9. You are automatically redirected back to https://portal.acme.com and presented with a webtop.

  10. Click the sp.acme.com resource on the Webtop

    image056

  11. You are successfully authenticated to the sp.acme.com application

    image055

Task 10 - Lab Cleanup

  1. From the jumphost’s browser navigate to https://portal.f5lab.local

  2. Click the Classes tab at the top of the page.

    image002

  3. Scroll down the page until you see 301 SAML Federation on the left

    image003

  4. Hover over tile SAML IdP Chaining to AzureAD (BIG-IP Primary IdP). A start and stop icon should appear within the tile. Click the Stop Button to trigger the automation to remove any prebuilt objects from the environment

    image004 image007
  5. The screen should refresh within 30 seconds and display the progress of the automation. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors, try running the automation a second time or open an issue on the Access Labs Repo.

    image008

  6. This concludes the lab.

    image000