Lab 1: Creating a SAML Service Provider (SP)

In this lab you will learn how to work with the SP Service and IdP Connector.

Task 1 - Access the Lab Environment

To access your dedicated student lab environment, you will need a web browser and Remote Desktop Protocol (RDP) client software. The web browser will be used to access the Unified Demo Framework (UDF) Training Portal. The RDP client will be used to connect to the jumphost, where you will be able to access the BIG-IP management interfaces (HTTPS, SSH).

  1. Click DEPLOYMENT located on the top left corner to display the environment

  2. Click ACCESS next to jumphost.f5lab.local

  3. Select your RDP resolution.

  4. The RDP client on your local host establishes an RDP connection to the Jump Host.

  5. Login with the following credentials:

    • User: f5lab\user1
    • Password: user1

Task 2 - Import Postman Collections

  1. From the Jumphost, open Postman via the desktop shortcut or toolbar at the bottom

    Note

    Dismiss any prompts to update Postman.

  2. Click Yes if prompted for “Do you want to allow this app to make changes to your device?”

  3. Click Import located on the Scratch Pad menu bar

  4. Click Upload Files

  5. Navigate to C:\access-labs\class4\module1\student_files, select student-class4-module1-lab1.postman_collection.json, and click Open

  6. Click Import

  7. Click on Collections from the left menu and a collection called student-class4-module1-lab1 will be listed

Task 3 - Import IDP Signing Certificate

  1. Expand the student-class4-module1-lab1 collection to see the subfolders and requests.

  2. Select the bigip-import-cert-idp request.

  3. Notice the request endpoint is /mgmt/shared/file-transfer/uploads. This endpoint allows us to upload files to the /var/config/rest/downloads directory on the BIG-IP.

    Note

    If you are unfamiliar with Postman, the values in curly braces are variables defined inside the collection. To see the variable values, click the three dots on the collection to display more options, then click Edit and then Variables.

  4. Click Body to display what will be passed in the POST request

    Note

    The request body contains only the PEM-formatted certificate of our AzureAD Identity Provider.

  5. Click the blue Send button in the upper right corner

  6. In the response body we see where the file is stored and its file name.

  7. Select the bigip-install-cert-idp request.

  8. Examine the body of this request. It installs the certificate we previously uploaded into the BIG-IP's crypto store.

  9. Click the blue Send button in the upper right corner

  10. In the response body we see that a certificate named class4-module1-lab1-idp has been installed in the crypto store.

Task 4 - Create a SAML IDP Connector

The IDP Connector must exist before the SP service can be created, because the SP Service body contains the binding to the IDP Connector.

  1. Select the bigip-create-idp connector-azuread request

  2. Notice the request endpoint is /mgmt/tm/apm/aaa/saml-idp-connector/.

  3. Click Body to display what will be passed in the POST request. The body contains all the settings necessary to integrate with AzureAD.

  4. Click the blue Send button in the upper right corner

  5. The response body contains all of the information related to the connector, plus links to other endpoints related to this connector's configuration.

Task 5 - Create a SAML SP Service

  1. Select the bigip-create-sp service-bigip request

  2. Notice the request endpoint is /mgmt/tm/apm/aaa/saml/.

  3. Click Body to display what will be passed in the POST request. The body contains all the settings necessary for the SP service, plus a binding to the IDP Connector we just created.

  4. Click the blue Send button in the upper right corner

  5. The response body contains all of the information related to the SP Service, plus links to other endpoints related to this SP Service's configuration.

Task 6 - Explore configuration via the BIG-IP GUI

  1. From the jumphost, open a browser and navigate to https://bigip1.f5lab.local

  2. Login to the BIG-IP GUI with the following credentials:

    • Username: admin
    • Password: admin

  3. Navigate to System -> Certificate Management -> Traffic Certificate Management -> SSL Certificate List. Click on SSL Certificate List and not the + (plus symbol).

  4. You can see the certificate class4-module1-lab1-idp from Task 1 was successfully imported.

  5. Navigate to Access >> Federation >> SAML Service Provider >> Local SP Services. Click on Local SP Services and not the + (plus symbol).

  6. You can see an SP service object was created with the name class4-module1-lab1-sp and successfully bound to an IDP Connector named class4-module1-lab1-idp.

Task 7 - Deleting a SAML Service Provider (SP) Service Configuration

With imperative calls, objects must be deleted in the reverse of the order in which they were created, because an object that is still referenced by another object cannot be deleted.

  1. From Postman, inside the collection Student-class4-module1-lab1 open the subfolder Delete Objects

  2. Click bigip-delete-sp service

  3. Notice the body is empty. Also, the endpoint is the same one we used to create the SP service, with the partition and object name appended.

  4. Click the blue Send button in the upper right corner.

  5. Notice nothing is returned in the response body, but the response code is 200 OK.

  6. If you click Send a second time you will get a message back stating the object is not found and a status code of 404, because the object was already deleted by the prior request.

  7. Click bigip-delete-idp connector

  8. Click the blue Send button in the upper right corner.

  9. You will receive a response code of 200 OK.

  10. Click bigip-delete-idp cert

  11. Click the blue Send button in the upper right corner.

  12. You will receive a response code of 200 OK.

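The same iControl REST flow as Tasks 3 through 5 and Task 7, written as plain Python instead of Postman requests. This is an added example, not the lab's collection or F5 code. The upload, IdP connector and SP service endpoints are the ones the lab names; the certificate-install endpoint (/mgmt/tm/sys/crypto/cert with an "install" command) and every JSON field name (entityId, ssoUri, ssoBinding, idpCertificate, idpConnectors) are assumptions modelled on their tmsh counterparts; the entity IDs and the PEM body are constructed placeholders; and FakeBigIP is a constructed in-memory stand-in for bigip1 so the flow can be run without a BIG-IP. Beyond what the lab shows step by step, the stand-in also enforces the rule from Task 7: a delete that arrives out of order, while another object still references the target, is refused, and a repeat delete returns 404.

```python
"""Added example (not the lab's Postman collection): Tasks 3-5 and 7 of this lab
as plain Python. Upload, IdP-connector and SP-service endpoints are the ones the lab
names; the cert-install endpoint and all JSON field names are assumptions modelled
on their tmsh counterparts; FakeBigIP is a constructed stand-in for bigip1."""
import base64
import json
import ssl
import urllib.error
import urllib.request

UPLOAD_DIR = "/var/config/rest/downloads"        # where uploads land (Task 3, step 3)
CERT_EP = "/mgmt/tm/sys/crypto/cert"             # assumed: tmsh 'install sys crypto cert'
IDP_EP = "/mgmt/tm/apm/aaa/saml-idp-connector"   # from Task 4
SP_EP = "/mgmt/tm/apm/aaa/saml"                  # from Task 5

def upload_request(filename, data):
    """Single-chunk upload to /mgmt/shared/file-transfer/uploads; Content-Range is mandatory."""
    return ("POST", f"/mgmt/shared/file-transfer/uploads/{filename}",
            {"Content-Type": "application/octet-stream",
             "Content-Range": f"0-{len(data) - 1}/{len(data)}"}, data)

def json_request(method, path, body=None):
    data = None if body is None else json.dumps(body).encode()
    return (method, path, {"Content-Type": "application/json"}, data)

def build_create_flow(tag, idp_entity_id, idp_sso_uri, sp_entity_id, cert_pem):
    """Creation order follows the references: cert <- IdP connector <- SP service."""
    cert = idp = f"{tag}-idp"                    # the lab names both objects <tag>-idp
    return [
        upload_request(f"{cert}.crt", cert_pem),
        json_request("POST", CERT_EP, {"command": "install", "name": cert,
                                       "from-local-file": f"{UPLOAD_DIR}/{cert}.crt"}),
        json_request("POST", IDP_EP, {"name": idp, "entityId": idp_entity_id,
                                      "ssoUri": idp_sso_uri, "ssoBinding": "http-post",
                                      "idpCertificate": cert}),
        json_request("POST", SP_EP, {"name": f"{tag}-sp", "entityId": sp_entity_id,
                                     "idpConnectors": [{"name": idp}]}),
    ]

def build_delete_flow(tag):
    """Reverse of creation: an object still referenced by another cannot be deleted."""
    return [json_request("DELETE", f"{ep}/~Common~{tag}-{suffix}")
            for ep, suffix in ((SP_EP, "sp"), (IDP_EP, "idp"), (CERT_EP, "idp"))]

def run(send, requests, ignore_404=False):
    """Send requests in order and return their status codes; 404 on DELETE = already gone."""
    codes = []
    for method, path, headers, body in requests:
        status, payload = send(method, path, headers, body)
        if status >= 400 and not (status == 404 and ignore_404):
            raise RuntimeError(f"{method} {path} -> {status}: {payload}")
        codes.append(status)
    return codes

def http_sender(base_url, user, password, verify_tls=True):
    """Transport for a real BIG-IP (the lab's is https://bigip1.f5lab.local, admin/admin)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:                           # only for a lab box with a self-signed cert
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE

    def send(method, path, headers, body):
        req = urllib.request.Request(base_url + path, data=body, method=method,
                                     headers={**headers, "Authorization": f"Basic {token}"})
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode(errors="replace")
    return send

class FakeBigIP:
    """Constructed in-memory BIG-IP: stores uploads and objects, refuses to delete what is in use."""
    def __init__(self):
        self.files, self.objects = {}, {}        # objects: (endpoint, name) -> body

    def __call__(self, method, path, headers, body):
        if method == "POST" and path.startswith("/mgmt/shared/file-transfer/uploads/"):
            local = f"{UPLOAD_DIR}/{path.rsplit('/', 1)[1]}"
            self.files[local] = body
            return 200, {"localFilePath": local, "remainingByteCount": 0}
        if method == "POST":
            obj = json.loads(body)
            self.objects[(path, obj["name"])] = obj
            return 200, obj
        if method == "DELETE":
            ep, name = path.rsplit("/~Common~", 1)
            if (ep, name) not in self.objects:
                return 404, {"code": 404, "message": f"Object not found - {path}"}
            if self._in_use(ep, name):
                return 400, {"message": f"{name} is still referenced by another object"}
            del self.objects[(ep, name)]
            return 200, {}
        return 405, {}

    def _in_use(self, ep, name):
        refs = {CERT_EP: lambda o: o.get("idpCertificate") == name,
                IDP_EP: lambda o: any(c["name"] == name for c in o.get("idpConnectors", []))}
        return ep in refs and any(refs[ep](o) for o in self.objects.values())
```

To run it against the lab box, pass `http_sender("https://bigip1.f5lab.local", "admin", "admin", verify_tls=False)` as `send` to `run` in place of a `FakeBigIP()`; `verify_tls=False` is there only because the lab BIG-IP presents a self-signed certificate, and the default keeps TLS verification on. The request builders are kept separate from the transport so the exact path, headers and JSON body of each step can be inspected before anything is sent, which is also the easiest way to diff them against the bodies shown in the Postman collection.
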
Task 8 - Ensure objects were removed via GUI

  1. Return to the jumpbox’s browser and navigate to https://bigip1.f5lab.local

  2. Login to the BIG-IP GUI with the following credentials:

    • Username: admin
    • Password: admin

  3. Navigate to System >> Certificate Management >> Traffic Certificate Management >> SSL Certificate List. Click on SSL Certificate List and not the + (plus symbol).

  4. Notice the certificate class4-module1-lab1-idp was deleted

  5. Navigate to Access >> Federation >> SAML Service Provider >> Local SP Services. Click on Local SP Services and not the + (plus symbol).

  6. Notice the SP Service was deleted

  7. Mouse over SAML Service Provider on the top of the screen and click External IdP Connectors.

  8. Notice the IDP Connector was deleted.

Task 9 - Lab Clean up

  1. From Postman, mouse over the title of the collection and click the 3 dots next to student-class4-module1-lab1 Collection.

  2. Click Delete

This concludes the APM lab on creating and deleting APM objects via iControl REST.
