F5 Identity and Access Management Solutions > 100 Series: Zero Trust Application Access (ZTAA) Source | Edit on

Lab 1: SAML IdP Access Guided Configuration (AGC) Lab¶

The purpose of this lab is to configure and test SAML Federation Services.

Students will leverage Access Guided Configuration (AGC) to configure the various aspects of a SAML Identity Provider (IdP), import and bind to a SAML Service Provider (SP) and test IdP-Initiated SAML Federation.

Objective:¶

Gain an understanding of SAML Federation configurations and their component parts through Access Guided Configuration (AGC)
Gain an understanding of the access flow for IDP & SP Initiated SAML

Lab Requirements:¶

All Lab requirements will be noted in the tasks that follow
Estimated completion time: 25-30 minutes

Task 1 - Setup Lab environment¶

To access your dedicated student lab environment, you will need a web browser and Remote Desktop Protocol (RDP) client software. The web browser will be used to access the Unified Demo Framework (UDF) Training Portal. The RDP client will be used to connect to the jumphost, where you will be able to access the BIG-IP management interfaces (HTTPS, SSH).

Click DEPLOYMENT located on the top left corner to display the environment
Click ACCESS next to jumpbox.f5lab.local
Select your RDP resolution.
The RDP client on your local host establishes a RDP connection to the Jump Host.
Login with the following credentials:
- User: f5lab\user1
- Password: user1
After successful logon the Chrome browser will auto launch opening the site https://portal.f5lab.local. This process usually takes 30 seconds after logon.
Click the Classes tab at the top of the page.
Scroll down the page until you see 202 - Federation on the left
Hover over tile SAML IdP Access Guided Configuration(AGC) Lab. A start and stop icon should appear within the tile. Click the Play Button to start the automation to build the environment
The screen should refresh displaying the progress of the automation within 30 seconds. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you you experience errors try running the automation a second time or open an issue on the Access Labs Repo.

TASK 2 - Configure a SAML Identity Provider (IdP) via AGC¶

Login to your lab provided Virtual Edition BIG-IP by clicking bigip1 in the

shortcut toolbar from the Jumphost. Username: admin, Password: admin.

Note: Many of the lab steps will need to be run from the Jumphost. This is to support

file imports and various other tasks.

Navigate to Access -> Guided Configuration in the left-hand menu.

Once Guided Configuration loads, click on Federation and then in the resulting

Federation sub-menu click, SAML Identity Provider Federation for Applications.

In the resulting SAML Identity Provider Federation for Applications window,

review the IdP-Initiated SAML flow and then click the right arrow.

Review the SP-Initiated SAML flow and then scroll down to the bottom of the window.

Review the configuration objects to be created and the click Next.

TASK 3 - Configure the Identity Provider¶

In the Identity Provider Properties section, enter the following values in the fields

provided:
- In the Configuration Name field input idp.acme.com.
- In the Entity ID field input https://idp.acme.com.
In the Assertion Properties section, use the dropdowns to select the following:
- For the Signing Key select idp.acme.com.
- For the Signing Certificate select idp.acme.com.
Click Save & Next.

TASK 4 - Configure the Virtual Server¶

In the Virtual Server Properties section, enter the following values in the fields

provided:
- In the Destination Address field input 10.1.10.102.
- In the Service Port field input 443 HTTPS
- In the Redirect Port field input 80 HTTP
In the Client SSL Profile section, use the arrows to move only the

wildcard.acme.com profile to the right-hand column as shown.
Click Save & Next.

TASK 5 - Configure Authentication¶

In the Authentication Properties section, use the dropdowns to select the following:
- For the Choose Authentication Server Type select Active Directory.
- For the Choose Authentication Server select f5lab.local.
Check the Active Directory Query Properties checkbox.
Input %{session.logon.last.username} in Search Filter field. Your cursor will be

next to the existing sAMAccountName=.
In the Required Attributes section, use the arrows to move only the

memberOf attribute to the right-hand column as shown.
Scroll to the bottom of the window and click Save & Next.

TASK 6 - Configure MFA¶

In the Multi Factor Authentication winodw, click Save & Next.

Note: Multiple MFA options can be easily integrated with TMOS.

TASK 7: Configure Applications¶

In the Application Properties section, use the Select method to configure your

application dropdown to choose Metadata.

Note: Multiple applications are available to be configured with more continually added

In the updated Application Properties window, click the Choose File button, browse

the Jumphost desktop and select the sp_acme_com.xml file.
For the Application Name, input sp.acme.com
For the Webtop Caption, make sure the value is sp.partner.com
Scroll to the bottom of the window and click Save.

Review the Configured Application List and then click Save & Next.

TASK 8 - Configure Endpoint Checks¶

In the Endpoints Checks Properties window, click Save & Next.

Note: Endpoints checks can also be configured to protect application access. The

Access 302 Lab, hosted at this year’s Agility will have additional details.

TASK 9 - Configure Customization¶

Review the Customization options, then scroll to the bottom of the window and click

Save & Next.

Note: Unlike iApps, Access basic customizations are part of AGC.

TASK 10 - Configure Logon Protection¶

In the Logon Protection Properties window, click Save & Next.

Note: Logon Page Protection enables Datasafe to further protect logon pages and

defend against malicious in-browser attacks.

TASK 11: Configure Session Management¶

Review the Session Managment settings, in the Timeout Settings section then scroll to

the bottom of the window and click Save & Next.

TASK 12: Review the Summary and Deploy¶

Review the Summary, then scroll to the bottom of the window and click Deploy.

Once the application is deployed, scroll to the bottom and click Finish.

Review the Access Guided Confguration window, Status for idp.acme.com is

DEPLOYED.

TASK: 13: Testing the SAML Identity Provider (IdP)¶

Open Firefox from the Jumphost desktop and navigate to https://idp.acme.com
Once the page loads, enter user1 for username and user1 for password in the

logon form and click the logon button.

Note: If you have issues, open Firefox in a New Private Window (Incognito/Safe Mode)

On the presented webtop, click the sp.acme.com link in the Applications and

Links section.

The Application will now open if successfully configured. Close the

Application window, navigate to the F5 Dynamic Webtop tab/window and click Logout.

TASK 14: Lab CleanUp¶

Navigate to Access -> Guided Configuration in the left-hand menu.

Click the Undeploy button

Click OK when asked, “Are you sure you want to undeploy this configuration?”

Click the Delete button once the deployment is undeployed

Click OK when asked, “Are you sure you want to delete this configuration?”

The Configuration section should now be empty

From a browser on the jumphost navigate to https://portal.f5lab.local
Click the Classes tab at the top of the page.

Scroll down the page until you see 202 - Federation on the left

10. Hover over the tile SAML IdP Access Guided Configuration(AGC) Lab. A start and stop icon should appear within the tile. Click the Stop Button to start the automation to delete any prebuilt objects

11. The screen should refresh displaying the progress of the automation within 30 seconds. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you you experience errors try running the automation a second time or open an issue on the Access Labs Repo.

This concludes Lab1.

Previous Next