The purpose of this lab is to configure and test an IDaaS SAML Identity
Provider. Students will configure an IDaaS-based SAML Identity Provider
(in this case OKTA), import its metadata into a SAML Service Provider (the
lab-provided BIG-IP), bind the SP to the IdP connector, and test
IdP-initiated and SP-initiated SAML federation.
Lab 2 Tasks:
TASK 1: Sign Up for OKTA Developer Account
Refer to the instructions and screen shots below:
Note: The following steps provide instruction for setting up an OKTA developer account.
If you already have one, you may elect to use that account. Understand, however, that the
instructions below may need to be modified to match your environment.
Sign up for an OKTA developer account by navigating to
https://developer.okta.com/signup/, entering a VALID email address and clicking Get Started.
Upon registration, you will be directed to a hyperlink (the hostname of your developer
account). Save this link for future use.
Additional instructions will be sent to the email address provided during account setup.
Following the instructions in the generated email, sign into the OKTA
development environment with the temporary password provided.
- Enter a New Password and repeat it in Repeat New Password
- Use the drop-down to select a Forgot Password Question and provide the Answer
- Click a Security Image
- Click Create My Account
TASK 2: OKTA Classic UI
Refer to the instructions and screen shots below:
For the purposes of the lab and SAML development, we will be using the OKTA Classic UI,
which exposes the SAML configuration. (Note: at lab publication, the Developer
Console did not expose SAML resources.)
In the top left-hand corner, click the <> icon and select Classic UI from the drop-down.
TASK 3: Enable OKTA Multi-Factor Authentication [OPTIONAL]
Refer to the instructions and screen shots below. This task will require a mobile app to enable a second factor.
[OPTIONAL]
Note: Enabling MFA requires a mobile device with the OKTA Verify app for its OS.
This step can be skipped if you prefer to use only UserID/Password.
- Click Security from the top navigation, then click Multifactor
[OPTIONAL]
- Under OKTA Verify, change the dropdown from Inactive to Active
- Click the Edit button next to *OKTA Verify Settings
[OPTIONAL]
- Check Enable Push Verification
- Check Require TouchID for OKTA Verify (optional)
- Click Save
TASK 4: Build SAML Application - OKTA
Refer to the instructions and screen shots below:
In the top navigation, click Applications, then Applications from the drop-down.
- Click Add Application in the Applications dialogue window.
- Click Create New App in the Add Application Menu
In the Create a New Application Integration dialogue box, select Web from the
drop down for Platform.
Select the SAML 2.0 radio button for Sign on Method and click Create.
- In the Create SAML Integration screen, enter app.f5demo.com for the App Name.
- Leave all other values as default and click Next.
- In the Create SAML Integration screen, enter the following values
- In the SAML Settings section
- Single Sign On URL: https://app.f5demo.com/saml/sp/profile/post/acs
- Audience URI (SP Entity ID): https://app.f5demo.com
- Leave all other values as default and click Next.
The Single Sign On URL is the BIG-IP SP's Assertion Consumer Service (ACS) endpoint, where
OKTA will POST the SAML Response; the Audience URI is the SP entity ID that OKTA places in
the assertion's AudienceRestriction. Both must match the Local SP Service on the BIG-IP
exactly (scheme, host and path), or the SP will reject the assertion.
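The two values entered above are the ones a Service Provider checks on every SAML Response it receives. The following example was added to this lab guide and is not BIG-IP or OKTA code: it runs those checks in Python against a constructed, unsigned OKTA-style Response. Destination and the bearer Recipient must equal the ACS URL, the AudienceRestriction must name the SP entity ID, the Issuer must be the imported IdP, and the Conditions window must contain the current time. The IdP entity ID http://www.okta.com/exk_constructed is an assumed placeholder, and XML signature verification, which the SP also performs, is left out.

```python
"""Checks a SAML Service Provider applies to an inbound SAML Response, keyed
to the Single Sign On URL (ACS) and Audience URI (SP entity ID) configured
in the OKTA application.

Added example for this lab guide, not OKTA or BIG-IP code. The IdP entity ID
and the sample Response are constructed; the ACS URL and Audience URI are the
lab's values. XML signature verification is not implemented here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SP_ACS_URL = "https://app.f5demo.com/saml/sp/profile/post/acs"  # Task 4 value
SP_ENTITY_ID = "https://app.f5demo.com"                          # Task 4 value
IDP_ENTITY_ID = "http://www.okta.com/exk_constructed"  # assumed; the real one is in metadata.xml

# Fixed clocks for the constructed Response below (IssueInstant 12:00Z).
SAMPLE_NOW = datetime(2020, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2020, 1, 2, 12, 0, 0, tzinfo=timezone.utc)


def _ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    base = value.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_response(xml_text, now, in_response_to=None):
    """Return the list of failed checks; an empty list means the Response is
    addressed to this SP, from the expected IdP, and inside its validity window."""
    root = ET.fromstring(xml_text)
    failures = []

    # Destination must be this SP's ACS URL, so a Response captured for
    # another SP or hostname cannot be replayed here.
    if root.get("Destination") != SP_ACS_URL:
        failures.append("Destination is not the ACS URL")
    # Issuer must be the IdP whose metadata was imported.
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        failures.append("Issuer is not the configured IdP")
    # SP-initiated flow: InResponseTo must echo the AuthnRequest ID the SP
    # sent. IdP-initiated flow has no request, so the attribute is absent.
    if in_response_to is not None and root.get("InResponseTo") != in_response_to:
        failures.append("InResponseTo does not match the outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        failures.append("Status is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        failures.append("no Assertion")
        return failures
    # Audience must name our entity ID: an assertion OKTA minted for a
    # different app in the same org must not log a user in here.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        failures.append("Audience does not include the SP entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        failures.append("Conditions time window does not contain now")
    # Bearer confirmation: Recipient must also be the ACS URL.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        failures.append("SubjectConfirmationData Recipient is not the ACS URL")
    return failures


def sample_response(destination=SP_ACS_URL, audience=SP_ENTITY_ID, in_response_to=None):
    """Constructed, unsigned OKTA-style Response exercising the checks above."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2020-01-01T12:00:00Z"
    Destination="{destination}"{irt}>
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_assn1" Version="2.0" IssueInstant="2020-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>student@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}"
            NotOnOrAfter="2020-01-01T12:05:00Z"{irt}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T11:55:00Z" NotOnOrAfter="2020-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print("good:", check_response(sample_response(), SAMPLE_NOW))
    print("wrong audience:", check_response(sample_response(audience="https://other.f5demo.com"), SAMPLE_NOW))
    print("next day:", check_response(sample_response(), SAMPLE_LATER))
```

Changing only the Audience to another app's entity ID is enough to make the Response fail, which is why a typo in the Audience URI field shows up as a rejected login rather than a configuration warning.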
In the Create SAML Integration screen, select the:
“I’m an OKTA customer adding an internal app” radio button for
Are you a customer or partner?
In the resulting expanded window, select:
“This is an internal app that we have created” for App Type
and click Finish.
In the resulting application screen for app.f5demo.com, navigate to the
SAML 2.0 section.
Right-click the Identity Provider Metadata hyperlink and click Save Link As …
Save the file as metadata.xml on your jumphost desktop. It will be used in a later step
of the lab. The metadata carries the IdP entity ID, its Single Sign-On service URLs and
the X.509 certificate OKTA signs assertions with; that certificate is what the SP uses
to verify signatures from this IdP.
TASK 5: Add User to SAML Application
Refer to the instructions and screen shots below:
Within the app.f5demo.com application screen, Click Assignments then Assign
and then Assign to People from the dropdown.
In the Assign app.f5demo.com to People dialogue box, select your User ID, click
Assign, then Done.
- Click Save and Go Back.
- Click Done.
TASK 6: Add Multi-Factor Authentication Sign-On Policy [OPTIONAL]
Refer to the instructions and screen shots below. This section requires that Task 3 be completed.
[OPTIONAL]
- Within the app.f5demo.com application screen, Click Sign On
[OPTIONAL]
- Scroll down to the Sign On Policy section and click Add Rule
[OPTIONAL]
- In the Add Sign On Rule dialogue box, enter MFA for the Rule Name.
- Scroll down to the Actions section.
- In the Actions section, under Access, check the box for Prompt for factor.
- Ensure Every Sign On radio button is selected.
- Click Save.
TASK 7: Create the External IDP Connector
Refer to the instructions and screen shots below:
Log in to your lab-provided Virtual Edition BIG-IP.
Begin by selecting: Access -> Federation -> SAML Service Provider ->
External IdP Connectors.
In the External IdP Connectors screen, click the downward arrow next to the word
Create on the Create button (right side) and select From Metadata from the
drop-down menu.
In the Create New SAML IdP Connector dialogue box, use the Browse button to
select the metadata.xml saved to the desktop in Task 4.
Enter OKTA_SaaS-iDP for Identity Provider Name.
Click OK.
Importing from metadata populates the connector with the IdP entity ID, SSO URL and
signing certificate from the file, so none of them has to be typed in by hand.
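What the connector import reads from the metadata.xml saved in Task 4, and how the SP then uses it in the SP-initiated flow, as an added Python example written for this lab guide (not BIG-IP or OKTA code). The metadata is constructed in the shape OKTA produces, with a placeholder in place of the signing certificate and https://dev-000000.okta.com as an assumed hostname; the SP entity ID and ACS URL are the Task 4 values. The example extracts the entity ID, the SingleSignOnService endpoint per binding and the signing certificate, then builds the HTTP-Redirect AuthnRequest (raw DEFLATE, base64, URL-encode) that an SP sends to that endpoint when the user arrives at the SP first.

```python
"""Values a SAML SP takes from an IdP's metadata.xml on import, and the
SP-initiated AuthnRequest built from them for the HTTP-Redirect binding.

Added example for this lab guide, not BIG-IP or OKTA code. SAMPLE_METADATA
is constructed in OKTA's shape with a placeholder certificate and an assumed
hostname; a real metadata.xml carries the org's entity ID, SSO URLs and
X.509 signing certificate.
"""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SP_ENTITY_ID = "https://app.f5demo.com"                          # Task 4 value
SP_ACS_URL = "https://app.f5demo.com/saml/sp/profile/post/acs"  # Task 4 value

# Constructed metadata; the certificate body is a placeholder, not a real cert.
PLACEHOLDER_CERT = base64.b64encode(b"placeholder, not a certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="http://www.okta.com/exk_constructed">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://dev-000000.okta.com/app/exk_constructed/sso/saml"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://dev-000000.okta.com/app/exk_constructed/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the entity ID, SSO endpoint per binding and signing certs
    (base64 DER) that an SP connector is populated from."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no 'use' means both
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join((c.text or "").split())   # strip line wrapping
            base64.b64decode(b64, validate=True)     # reject a mangled paste
            certs.append(b64)
    if not certs:
        raise ValueError("no signing certificate: assertions could not be verified")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def build_redirect_authn_request(idp, sp_entity_id, acs_url, request_id=None):
    """SP-initiated flow: build the AuthnRequest and encode it for the
    HTTP-Redirect binding (raw DEFLATE, base64, URL query). The SP must keep
    request_id to check InResponseTo on the Response it gets back."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sso_url = idp["sso"][REDIRECT]
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{issued}" Destination="{sso_url}" '
        f'AssertionConsumerServiceURL="{acs_url}" ProtocolBinding="{POST}">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>'
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return request_id, f"{sso_url}?{query}"


def decode_redirect_request(url):
    """Reverse the redirect encoding, as the IdP does on receipt."""
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    print(idp["entity_id"], idp["sso"][POST])
    rid, url = build_redirect_authn_request(idp, SP_ENTITY_ID, SP_ACS_URL)
    print(rid, url)
    print(decode_redirect_request(url))
```

In the IdP-initiated test, none of the AuthnRequest path is exercised: the user starts at OKTA, which POSTs an unsolicited Response to the ACS URL with no InResponseTo. In the SP-initiated test, the BIG-IP builds a request of this shape and redirects the browser to the SingleSignOnService Location taken from the imported metadata.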
TASK 8: Change the SAML SP Binding
Refer to the instructions and screen shots below:
Begin by selecting: Access -> Federation -> SAML Service Provider ->
Local SP Services
Select the checkbox next to app.f5demo.com and click Bind/Unbind IdP Connectors
- Check the existing binding and click Delete.
- Click Add New Row and use the following values
- SAML IdP Connectors: /Common/OKTA_SaaS-iDP
- Matching Source: %{session.server.landinguri}
- Matching Value: /*
- Click Update then OK.
The Matching Source and Matching Value decide which bound IdP connector handles a request;
%{session.server.landinguri} with /* sends every landing URI on this SP service to the
OKTA connector. Narrower patterns only matter when more than one IdP connector is bound
to the same SP service.
TASK 9: Apply Access Policy Changes
Refer to the instructions and screen shots below:
- Click the Apply Access Policy link in the top-left corner of the Admin GUI. The new
binding is not live on the virtual server until the policy is applied.
- Ensure app.f5demo.com-policy is checked and click Apply