Lab 1: Entra ID Easy Button integration

Warning

If you have any feedback on this guide, please raise an issue at https://github.com/f5devcentral/f5-agility-labs-iam/issues .

In this lab, students will learn how to leverage Entra ID as an IDaaS provider while using APM as a SAML SP. Since v15.1, F5 has offered a “Guided Configuration” template to make this integration easier for administrators. This lab guide will also be accessible via a bookmark on the Win11 Edge and Chrome browsers.

This template:

  1. Publishes on-prem apps
  2. Enables Single Sign-on
  3. Interconnects (SAML binding) APM with an Entra ID tenant

Note

You will notice we never connect directly to the Entra ID interface. APM will use Microsoft’s Graph API to configure the AAD tenant accordingly.


The video below illustrates the APM & Entra ID integration. This is not the lab video. It’s simply a demo of the use-case.

Section 1.1 - Check the Lab Architecture

In this lab, we will protect 3 apps:

  1. 2 internal apps

    1. Vanilla Application hosted in IIS
    2. Bluesky Application hosted in IIS
  2. 1 cloud app hosted in Azure cloud

    1. Wordpress-UDF hosted in Azure cloud


Architecture of Internal Apps

Bluesky application

This application resides on-prem in IIS. Its FQDN is https://bluesky.f5access.onmicrosoft.com

This application is not authenticated, meaning there is no Single Sign-On required in front of this app.


Vanilla application

This application also resides on-prem in IIS. Its FQDN is https://vanilla.f5access.onmicrosoft.com

This application is authenticated by Kerberos so a Single Sign-On will be required to connect to this app.


Task 1 (Optional) - Check IIS configuration

  1. RDP to the IIS server as f5access\user with password user

  2. Click IIS manager icon in the taskbar


  3. In the Connections tree, expand IIS, Sites, click vanilla, and finally, double-click Authentication


  4. You’ll notice Anonymous Auth is Disabled and Windows Authentication is Enabled


Note

In the next section we will configure APM to publish, protect and SSO to the internal apps. Feel free to close your RDP session to the IIS server.

Architecture of Cloud App

Note

Since customers often have a mixture of authenticated and non-authenticated apps running on-prem and in the public cloud, this lab utilizes an Application hosted in Azure that doesn’t leverage APM for authentication. This application does leverage Entra ID and is meant simply to illustrate the user-experience with such a mixture of application types. This wordpress application is already up and running in Azure Cloud at this address https://wordpress-apm-aad.azurewebsites.net/


  1. This Wordpress application is an Azure App Service.


  2. This App Service is already bound with our demo Entra ID tenant.


Section 1.2 - Deploy APM to protect Bluesky App

In this section, we will publish the Bluesky application hosted on-prem.

Task 1 - Publish and protect Bluesky app

Let’s start with the Bluesky application. Reminder, Bluesky does not have any Authentication enabled.

  1. Either access TMUI via UDF > Access > BIG-IP > TMUI, or RDP to Win11 (f5access\user/user) and launch Edge or Chrome. You can also log in using Guacamole via the SuperJump host (Access > Superjump > Guacamole, user/user). Using the BIG-IP bookmark, connect to the BIG-IP user interface (admin/admin)
  2. In Access > Guided Configuration, select Microsoft Integration > Azure AD application


Task 2 - Configuration Properties

  1. Click Next and start the configuration

  2. Configure the page as below

    1. Configuration Name : IIS-Bluesky-<My Name>. Why my name? This app will be created in the Entra ID tenant and we need to differentiate all the apps. Example : IIS-Bluesky-ChrisMi. The chance of name conflicts increases with the number of students, so if possible please use at least your first name and the first two characters of your last name. You can leave SSO, Endpoint Checks, and Additional Checks at their defaults (not selected).

    2. In Azure Service Account Details, select Copy Account Info from Existing Configuration, select IIS-baseline, then click Copy


      Note

      In the real world, this is where you’d configure the application settings from the Azure Service Application created for APM. You have to create an Azure Application so that APM gets access to Microsoft Graph API. Due to security best practices, we won’t show the application secret in this lab.

      Note

      For those curious, the steps to create this Azure application are below

      1. In Entra ID, create a service application under your organization’s tenant directory using App Registration.
      2. Register the App as Entra ID only single-tenant.
      3. Request permissions for Microsoft Graph APIs and assign the following permissions to the application:
        1. Application.ReadWrite.All
        2. Application.ReadWrite.OwnedBy
        3. Directory.Read.All
        4. Group.Read.All
        5. Policy.Read.All
        6. Policy.ReadWrite.ApplicationConfiguration
        7. User.Read.All
      4. Grant admin consent for your organization’s directory.
      5. Copy the Client ID, Client Secret, and Tenant ID and add them to the Entra ID Application configuration.
    3. In the guided configuration UI, click the Test Connection button; the result should read Connection is valid

    4. Click Save & Next

Task 3 - Service Provider

  1. Configure the page as below

    1. Host bluesky.f5access.onmicrosoft.com

    2. Entity ID is auto-filled : https://bluesky.f5access.onmicrosoft.com/IIS-Bluesky-<My Name>


    3. Click Save & Next

Task 4 - Azure Active Directory

  1. Double-click the F5 BIG-IP APM Entra ID... template

    Note

    As you notice, there are several templates available for different applications. In this lab, we will publish a generic app so we select the first template.

  2. In the new screen, configure as below

    1. Signing Key : default.key

    2. Signing Certificate : default.crt

    3. Signing Key Passphrase : F5twister$


    4. In User And User Groups, click Assign

      Note

      We have to assign Entra ID users/group to this app, so that they can be allowed to connect to it. Changes made here automatically configure app permissions in Entra ID.

      1. In the list, click Assign for the user user. If you can’t find it, search for it in the search field.


      2. Click Close

      3. You can see user in the list.


      4. Click Save & Next

Task 5 - Virtual Server Properties

  1. Configure the VS as below

    1. IP address : 10.1.10.104

    2. The ClientSSL profile is selected by default so let’s use that one. We’ll get a TLS warning in the browser, but it doesn’t matter for this lab.


  2. Click Save & Next

Task 6 - Pool Properties

  1. Leave the Select a Pool setting as Create New

  2. In Pool Servers, select /Common/10.1.20.29 from the drop-down menu. This is the lab's IIS server whose config you may have viewed earlier. You don't need to click the Add button; simply selecting from the drop-down will result in the pool member being added.

  3. Click Save & Next


Task 7 - Session Management Properties

  1. Nothing to change, click Save & Next

Task 8 - Deploy your app template

  1. Click Deploy


  2. Behind the scenes, the deployment creates an Azure Enterprise Application for Bluesky. We can see it in Azure portal (you don’t have access in this lab). With this Enterprise Application, Azure knows where to redirect the user after they’re authenticated. This app will also have the certificate and key used to sign the SAML assertion.


  3. Click Finish and OK on the Confirmation Pop-Up Dialog Box.

Task 9 - Test your deployment

  1. RDP to the Win11 machine as f5access\user and password user or use Guacamole.

  2. Open Google Chrome or the Microsoft Edge browser - both icons are on the Desktop and the Taskbar

  3. From the bookmarks list/toolbar, choose Bluesky and ignore the inevitable cert warnings.

  4. You will be redirected to Entra ID login page. Login as user@f5access.onmicrosoft.com and hit Next. The password is stored in a text file named azure_ad_creds.txt on the Win11 Desktop.

    Warning

    Don’t reset or change the password.


  5. After being successfully authenticated by Entra ID, you’re redirected to APM with a SAML assertion. After validating this assertion, APM allows you to access the Bluesky application. You’ll want to keep your RDP session to Win11 open since you’ll use it again for subsequent testing.


Section 1.3 - Deploy APM to protect the Vanilla App

In this section, we will publish the Vanilla application which, like Bluesky, is hosted on-prem.

Task 1 - Publish and protect Vanilla app

Unlike Bluesky, the Vanilla application has Authentication enabled via Kerberos and because APM won’t have access to an Entra ID user’s password, we’ll need to enable and leverage Kerberos Constrained Delegation.

  1. As before, connect to the BIG-IP GUI directly from UDF or via Win11 with admin/admin.

  2. In Access > Guided Configuration, select Microsoft Integration > Azure AD application

    Note

    As you’ll notice, we only deploy one application per Guided Config template.


Task 2 - Configuration Properties

  1. Click Next and start the configuration

  2. Configure the page as below

    1. Configuration Name : IIS-Vanilla-<My Name>. Just like before, please try to use a unique string for My Name, i.e. your first name and the first two characters of your last name. IIS-Vanilla-ChrisMi is an example name.

    2. Enable Single Sign-on (SSO)


    3. In Azure Service Account Details, select Copy Account Info from Existing Configuration, select IIS-baseline, then click Copy


      Note

      Just like before, a real-world deployment would require an administrator to obtain these values via the Azure Service App created for APM. This Azure Application must be created so that APM can access the Microsoft Graph API.

      Note

      The steps to create this Azure application are below

      1. In Entra ID, create a service application under your organization’s tenant directory using App Registration.
      2. Register the App as Entra ID only single-tenant.
      3. Request permissions for Microsoft Graph APIs and assign the following permissions to the application:
        1. Application.ReadWrite.All
        2. Application.ReadWrite.OwnedBy
        3. Directory.Read.All
        4. Group.Read.All
        5. Policy.Read.All
        6. Policy.ReadWrite.ApplicationConfiguration
        7. User.Read.All
      4. Grant admin consent for your organization’s directory.
      5. Copy the Client ID, Client Secret, and Tenant ID and add them to the Entra ID Application configuration.
    4. In the Guided Config GUI, click the Test Connection button; the result should read Connection is valid


    5. Click Save & Next

Task 3 - Service Provider

  1. Configure the page as below

    1. Host vanilla.f5access.onmicrosoft.com

    2. The Entity ID is auto-filled : https://vanilla.f5access.onmicrosoft.com/IIS-Vanilla-<My Name>


    3. Click Save & Next

Task 4 - Azure Active Directory

  1. Double click the F5 BIG-IP APM Azure AD... template

    Note

    As you'll notice, there are several templates available for different applications. In this lab, we will publish a generic app, so we select the first template.

  2. In the new screen, configure as below.

    1. Signing Key : default.key

    2. Signing Certificate : default.crt

    3. Signing Key Passphrase : F5twister$


    4. In User And User Groups, click Add

      Note

      We have to assign Entra ID users/group to this app, so that they can be allowed to connect to it.

      1. In the list, click Assign for the user user. If you can’t find it, search for it in the search field.


      2. Click Close

      3. You can see user in the list.


      4. Click Save & Next

Task 5 - Virtual Server Properties

  1. Configure the VS as below

    1. IP address : 10.1.10.103

    2. Since we’ll use the already-selected, existing ClientSSL profile, you don’t have to do anything for the Client SSL Profile section. We’ll get a TLS warning in the browser, but it doesn’t matter for this lab.


  2. Click Save & Next

Task 6 - Pool Properties

  1. For Select a Pool, leave Create New selected

  2. In Pool Servers, select /Common/10.1.20.29 This is once again the lab’s IIS server whose config you investigated earlier.

  3. Click Save & Next


Task 7 - Single Sign-On Settings

  1. Check the Advanced Settings box so it’s On

  2. Check the Single Sign-On box.

  3. In Selected Single Sign-on Type, select Kerberos, and select Create New for SSO Configuration Object


  4. In Credentials Source, fill as below

    1. Username Source : Change this value to session.logon.last.username
    2. Clear out the text in User Realm Source. The domain is similar between Entra ID and on-prem AD so we don’t need a realm variable.
  5. In SSO Method Configuration, fill as below

    1. Kerberos Realm : f5access.onmicrosoft.com
    2. Account name : host/apm-deleg.f5access.onmicrosoft.com
    3. Account Password : F5twister$ (You’ll be asked to enter this password twice for confirmation)
    4. KDC : 10.1.20.8
    5. UPN Support : Enabled
    6. SPN Pattern : HTTP/%s@f5access.onmicrosoft.com


  6. Leave the other settings at their default values and Click Save & Next

Task 8 - Session Management Properties

  1. Nothing to change, click Save & Next

Task 9 - Deploy your app template

  1. Click Deploy and, after patiently waiting, click Finish and OK on the Pop-Up Dialog Box once the deployment is successful

  2. Behind the scenes, the deployment creates an Azure Enterprise Application for Vanilla. We can see it in the Azure portal (you don't have access in this lab). With this Enterprise Application, Azure knows where to redirect the user after they're authenticated. This app will also have the certificate and key used to sign the SAML assertion.


Task 10 - Test your deployment

  1. If you closed your RDP session to Win11, please re-connect as user with password user

  2. Open Google Chrome or Microsoft Edge - the icons are on the Desktop and the Taskbar

  3. From the bookmarks menu/toolbar, select Vanilla and ignore the Cert Errors.

  4. Since you already logged into Entra ID when accessing Bluesky, you may notice you didn't need to sign in again and were automatically taken into the application. Your previous assertion was still validated, but it was done transparently. If you were sent to Entra ID again for authentication, please use the same credentials as before: user@f5access.onmicrosoft.com, with the password stored in the text file named azure_ad_creds.txt on the Win11 Desktop.


  5. Reminder: Since APM doesn’t have a SAML user’s password if it isn’t the IdP, it performs server-side Single Sign-on with the Vanilla application via Kerberos Constrained Delegation in which it requests a Kerberos Ticket on behalf of the user leveraging the username found in the SAML Assertion sent by Entra ID.


  6. In your already-open browser, Click the Bluesky bookmark. You’ll notice you were automatically authenticated with your already-existing Entra ID session.

  7. Optional: enable Inspect mode in Edge or Dev Tools in Chrome, and follow the SAML redirections to understand the workflow.
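The checks behind steps 4 and 5 (APM validating the assertion, then deriving the username it delegates for), as an added example that is not F5 or APM code. It uses a constructed assertion with the lab's Entity ID and SPN pattern; signature verification, which a real SP must also perform, is not shown.

```python
"""Added example: SP-side checks on an Entra ID SAML assertion, and the
values the lab's Kerberos SSO config derives from it. Not F5/APM code."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion using the lab's Vanilla Entity ID; the
# Issuer tenant id is a placeholder, not the lab tenant.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sts.windows.net/PLACEHOLDER-TENANT-ID/</saml:Issuer>
  <saml:Subject><saml:NameID>user@f5access.onmicrosoft.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T11:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://vanilla.f5access.onmicrosoft.com/IIS-Vanilla-ChrisMi</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """Return the NameID if issuer, audience and validity window check out,
    otherwise raise ValueError (the assertion must be rejected)."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("assertion issued by an unexpected IdP")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before, not_after = parse_time(cond.get("NotBefore")), parse_time(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_after):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:  # must equal this SP's Entity ID
        raise ValueError("audience %r does not match SP Entity ID" % audiences)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID")
    return name_id

def kcd_principals(name_id, backend_host, realm="f5access.onmicrosoft.com"):
    """Map the NameID onto the lab's SSO settings: the local part becomes the
    username (User Realm Source cleared), and the SPN Pattern
    HTTP/%s@f5access.onmicrosoft.com is filled with the backend host name."""
    username = name_id.split("@", 1)[0]
    spn = "HTTP/%s@%s" % (backend_host, realm)
    return username, spn
```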

Section 1.4 - Leverage Entra ID to protect Cloud Apps

In this lab, we will verify that user1 can access any cloud app federated with Entra ID.

As mentioned earlier, customers often deploy applications on-prem and in public clouds. If the customer uses Entra ID as their IDaaS, it will federate all cloud apps within this Entra ID tenant.

As an example, we’ve configured a Wordpress Cloud Application. This application is federated with our Entra ID tenant.

Since everything is handled between the App and Entra ID, you have nothing to configure on the APM side. In the Azure portal, we configured OAuth for the cloud app so that every user attempting to access this App would be redirected to Entra ID for Authentication.

  1. If not already connected, RDP to Win11 as user and password user

  2. Open Google Chrome or Microsoft Edge - icons are on the Desktop and Taskbar

  3. Click on the bookmarks menu/toolbar and select Wordpress Cloud App

  4. Just like before, you'll only be redirected to the Entra ID login page if your prior session expired. Accessing this app can take a while, so be patient. Pay special attention to the address bar and you'll notice the redirects during the authentication process. If prompted for creds, log in as user@f5access.onmicrosoft.com; the password is stored in the text file named azure_ad_creds.txt on the Win11 Desktop.

  5. After Entra ID authenticates you (either transparently or via login), you're redirected to the cloud app in Azure and can access the Wordpress-UDF application.


Section 1.5 - Clean up the Lab

Warning

In order to keep the Entra ID tenant clean, it is important you delete your application in the Guided Configuration, when your demo is finished.

  1. In Guided Configuration menu, click on the Undeploy icon for IIS-Bluesky, then OK. After it finishes, do the same for IIS-Vanilla. You don’t need to do anything for IIS-baseline.


  2. After undeploying has finished, click on the Delete icon for each app, then OK.


Note

Thanks a lot, you cleaned up your config on both sides (APM and AAD). FYI, all old deployments will be deleted automatically in Entra ID.