Lab 1: ADFS Proxy using ADFS Authentication

Task 1 - Setup Lab Environment

To access your dedicated student lab environment, you will require a web browser and Remote Desktop Protocol (RDP) client software. The web browser will be used to access the Lab Training Portal. The RDP client will be used to connect to the Jump Host, where you will be able to access the BIG-IP management interfaces (HTTPS, SSH).

  1. Click DEPLOYMENT located on the top left corner to display the environment

  2. Click ACCESS next to jumphost.f5lab.local

  3. Select your RDP resolution.

  4. The RDP client on your local host establishes an RDP connection to the jumphost.

  5. Login with the following credentials:

    • User: f5lab\user1
    • Password: user1
  6. After successful logon the Chrome browser will auto launch opening the site https://portal.f5lab.local. This process usually takes 30 seconds after logon.

  7. Click the Classes tab at the top of the page.

  8. Scroll down the page until you see 305 ADFS Proxy on the left

  9. Hover over the tile ADFS Proxy using ADFS Authentication. A start and stop icon should appear within the tile. Click the Play Button to start the automation to build the environment.

  10. The screen should refresh displaying the progress of the automation within 30 seconds. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors try running the automation a second time or open an issue on the Access Labs Repo.

Task 2 - Create the ADFS Server Pool

  1. From the jumphost browser navigate to https://bigip1.f5lab.local

  2. Login with the following credentials:

    • username admin
    • password admin
  3. Navigate to Local Traffic >> Pool >> Pool List. Click the + (Plus Symbol)

  4. Enter the Name adfs_pool

  5. Select the Health Monitor https from the list of available monitors

  6. Enter the Member Address 10.1.20.13

  7. Enter the Member Service Port 443

  8. Click Add

  9. Click Finished

Task 3 - Create an ADFS Server-side SSL Profile

  1. Navigate to Local Traffic >> Profiles >> SSL >> Server. Click the + (Plus Symbol)

  2. Enter the Name adfs_serverssl

  3. From the Configuration dropdown select Advanced

  4. On the Server Name line Check the Custom box on the right side

  5. Enter the Server Name adfs.acme.com

  6. Click Finished

Task 4 - Create an ADFS Client-side SSL Profile

  1. Navigate to Local Traffic >> Profiles >> SSL >> Client. Click the + (Plus Symbol)

  2. Enter the Name adfs_clientssl

  3. On the Certificate Key Chain line check the Custom box on the right side

  4. Click Add

  5. From the Certificate Dropdown select acme.com-wildcard

  6. From the Key dropdown select acme.com-wildcard

  7. Click Add

  8. Click Finished

Task 5 - Create an ADFS Client-side SSL Profile for Certificate Authentication

  1. Navigate to Local Traffic >> Profiles >> SSL >> Client. Click the + (Plus Symbol)

  2. Enter the Name adfs_clientssl_certauth

  3. Select Parent Profile adfs_clientssl

  4. On the Trusted Certificate Authorities line check the Custom box on the right side

  5. From the Trusted Certificate Authorities dropdown select ca.f5lab.local

  6. On the Advertised Certificate Authorities line check the Custom box on the right side

  7. From the Advertised Certificate Authorities dropdown select ca.f5lab.local

  8. Click Finished

Task 6 - Create the AD Authenticated ADFS Proxy Virtual Server

  1. Navigate to Local Traffic >> Virtual Servers >> Virtual Server List. Click the + (Plus Symbol)

  2. Enter the Name adfs-ad-auth

  3. Enter the Destination Address 10.1.10.101

  4. Enter the Service Port 443

  5. Select the HTTP profile(Client) http from the dropdown

  6. In the SSL Profile(Client) section move adfs_clientssl under Selected

  7. In the SSL Profile(Server) section move adfs_serverssl under Selected

  8. From the Source Address Translation dropdown select Auto Map

  9. Check the ADFS Proxy Enabled box

  10. From the Default Pool dropdown select adfs_pool

  11. Click Finished

  12. Click adfs-ad-auth

  13. Scroll down to the Access Policy section and click Establish Trust

  14. Enter the Username admin

  15. Enter the Password admin

  16. Enter the Certificate Name adfs

  17. Click OK

  18. A Trust certificate should now be displayed.

  19. Click Update

Task 7 - Create the Certificate Authentication ADFS Proxy Virtual Server

  1. Navigate to Local Traffic >> Virtual Servers >> Virtual Server List. Click the + (Plus Symbol)

  2. Enter the Name adfs-cert-auth

  3. Enter the Destination Address 10.1.10.101

  4. Enter the Service Port 49443

  5. Select the HTTP profile(Client) http from the dropdown

  6. In the SSL Profile(Client) section move adfs_clientssl_certauth under Selected

  7. In the SSL Profile(Server) section move adfs_serverssl under Selected

  8. From the Source Address Translation dropdown select Auto Map

  9. Check the ADFS Proxy Enabled box

  10. From the Default Pool dropdown select adfs_pool

  11. Click Finished

Task 8 - Test username and password Authentication

  1. On the jumphost open a web browser and navigate to https://sp.acme.com. You will be redirected to https://adfs.acme.com

  2. Enter the username user1@f5lab.local

  3. Enter the password user1

  4. Click Sign in

  5. After successful login at ADFS you are redirected to http://sp.acme.com

Task 9 - Test Certificate authentication

  1. Close the browser completely from the previous test or open a new tab in incognito (private) view

  2. On the jumphost open a web browser and navigate to https://sp.acme.com. You will be redirected to https://adfs.acme.com

  3. Select Sign in using an X.509 Certificate

  4. Select the user1 certificate

  5. Click OK

  6. After successful login at ADFS you are redirected to http://sp.acme.com

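
A check a tester could run after Task 9 to confirm which listener asks for client certificates and which CA it advertises (added example, not part of the original lab guide). It parses `openssl s_client` output; the function names, the sample transcripts and their DN layout are constructed, and it assumes the 49443 listener sends its certificate request during the initial handshake.

```shell
# Added example, not part of the lab guide. Live capture, run on the jumphost:
#   openssl s_client -connect 10.1.10.101:49443 -servername adfs.acme.com \
#     </dev/null 2>/dev/null | check_listener certauth ca.f5lab.local

# Print the CA distinguished names the server advertised, one per line.
advertised_cas() {
  awk '
    /^Acceptable client certificate CA names/ { in_list = 1; next }
    in_list && /^(Client Certificate Types|Requested Signature|Shared|Peer|Server Temp Key|---)/ { in_list = 0 }
    in_list && NF { print }'
}

# Succeed if any DN on stdin has exactly the RDN CN=<$1>.
# Handles both "/DC=x/CN=y" and "DC = x, CN = y" output styles.
has_ca() {
  awk -v want="CN=$1" '
    { gsub(/ *= */, "="); n = split($0, rdn, "[,/] *")
      for (i = 1; i <= n; i++) if (rdn[i] == want) found = 1 }
    END { exit !found }'
}

# check_listener <certauth|noauth> <ca-cn>, with s_client output on stdin.
check_listener() {
  cas=$(advertised_cas)
  case $1 in
    certauth) printf '%s\n' "$cas" | has_ca "$2" ;;
    noauth)   [ -z "$cas" ] ;;
    *)        return 2 ;;
  esac
}

# Constructed s_client excerpts (the DN layout is an assumption).
sample_49443() { cat <<'EOF'
---
Acceptable client certificate CA names
DC = local, DC = f5lab, CN = ca.f5lab.local
Client Certificate Types: RSA sign, ECDSA sign
---
EOF
}
sample_443() { cat <<'EOF'
---
No client certificate CA names sent
---
EOF
}

sample_49443 | check_listener certauth ca.f5lab.local && echo "49443: advertises ca.f5lab.local"
sample_443 | check_listener noauth ca.f5lab.local && echo "443: no client certificate requested"
```

A listener that advertises no CA, or a CA other than the one selected in Task 5, makes `check_listener certauth` return non-zero.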

Task 10 - Lab Cleanup

  1. From the jumphost browser navigate to https://bigip1.f5lab.local

  2. Login with the following credentials:

    • username admin
    • password admin
  3. From a browser on the jumphost navigate to https://portal.f5lab.local

  4. Click the Classes tab at the top of the page.

  5. Scroll down the page until you see 305 ADFS Proxy on the left

  6. Hover over the tile ADFS Proxy using ADFS Authentication. A start and stop icon should appear within the tile. Click the Stop Button to start the automation to delete any prebuilt objects

  7. The screen should refresh displaying the progress of the automation within 30 seconds. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors try running the automation a second time or open an issue on the Access Labs Repo.

  8. This concludes Lab 1.
