Lab 2: SSL VPN SAML Authentication

Section 1.1 - Setup Lab Environment

To access your dedicated student lab environment, you will need a web browser and Remote Desktop Protocol (RDP) client software. The web browser will be used to access the Unified Demo Framework (UDF) Training Portal. The RDP client will be used to connect to the jumphost, where you will be able to access the BIG-IP management interfaces (HTTPS, SSH).

  1. Click DEPLOYMENT located on the top left corner to display the environment

  2. Click ACCESS next to jumphost.f5lab.local


  3. Select your RDP resolution.

  4. The RDP client on your local host establishes an RDP connection to the jumphost.

  5. Login with the following credentials:

    • User: f5lab\user1
    • Password: user1
  6. After a successful logon, Chrome launches automatically and opens https://portal.f5lab.local. This usually takes about 30 seconds.

  7. Click the Classes tab at the top of the page.


  8. Scroll down the page until you see 309 SSL VPN on the left


  9. Hover over the SSL VPN - SAML Authentication tile. A start and a stop icon should appear within the tile. Click the Play button to start the automation that builds the environment.

  10. Within about 30 seconds the screen refreshes and displays the progress of the automation. Scroll to the bottom of the automation workflow and confirm that every request succeeded. If you see errors, run the automation a second time or open an issue on the Access Labs repo.


Task 1 - Review Network Access Components


The network access components were built in Lab01 and have been recreated for Lab02.

  1. While in the jumphost, launch Chrome and click on the bigip1 bookmark.

  2. Log in to bigip1.f5lab.local

    • User: admin
    • Password: admin
  3. Navigate to Access –> Connectivity/VPN –> Network Access (VPN) –> Network Access Lists

  4. Click the vpn-lab01-vpn network access resource


  5. Click on the Network Settings tab

  6. We are using the vpn-lab01-vpn_pool lease pool

  7. Split tunneling is enabled, so only traffic destined for the internal network is sent through the tunnel; all other traffic leaves the client directly.



    For the purposes of this lab the lease pool contains a single IP address, so only one VPN client can connect at a time. In a production environment size this range for as many concurrent clients as you expect.

  8. Navigate to Access –> Connectivity/VPN –> Connectivity –> Profiles

  9. Click on vpn-lab01-cp then scroll to the bottom and click Edit

  10. Profile name is /Common/vpn-lab01-cp and Parent Profile /Common/connectivity

  11. Click OK


  12. Navigate to Access –> Webtops –> Webtop Sections

  13. Click vpn-lab01-network_access


  14. Navigate to Access –> Webtops –> Webtop Lists

  15. Click vpn-lab01-webtop

  16. This webtop is of type Full and uses the Modern customization type.


Task 2 - SAML Auth objects


For this lab the objects needed in Azure AD have already been created in the Azure tenant. For complete instructions on integrating Azure AD SAML with the APM SSL VPN, see:

  1. Navigate to Access –> Federation –> SAML Service Provider –> Local SP Services


  2. Click Create from the far right

  3. Give the local SP service a name and specify the Entity ID


    The Entity ID is the fully qualified domain name (FQDN) of your application. This is the FQDN that was configured in the Azure portal and will be the FQDN used to access the application, in this case the VPN. It must match the Identifier (Entity ID) of the Azure enterprise application exactly: the IdP places this value in the assertion's Audience, and APM rejects an assertion whose Audience does not match its own Entity ID.

    Name: AAD_VPN_SP
    Entity ID:
  4. Click OK

  5. From the drop-down menu under SAML Service Provider select External IdP Connectors


  6. Click the drop-down next to the Create button and choose From Metadata


  7. Click Browse and choose the IdP metadata file

  8. Click Open

  9. Give this object the name AAD_SAML_IDP and click OK. The IdP connector created from metadata carries the IdP's entity ID, its single sign-on endpoint and its signing certificate; APM uses that certificate to verify the signature on every assertion it receives.


  10. Click the drop-down menu for SAML Service Provider and select Local SP Services


  11. Select the checkbox next to the AAD_VPN_SP object and click Bind/Unbind IdP Connector at the bottom of the screen (you may need to scroll down)

  12. Click Add New Row and select AAD_SAML_IDP

  13. Click Update

  14. Click OK


Task 3 - Per Session Access Policy

  1. Navigate to Access –> Profiles/Policies –> Access Profiles (Per-Session Policies)

  2. Click Create to create a new per session policy for VPN

    Name: vpn-lab02-psp
    Profile Type: All
    Customization Type: Modern
  3. Scroll to the bottom, select English in the right-hand list, move it to the left (Accepted Languages), and click Finished


  4. Locate the profile vpn-lab02-psp and click Edit. This opens the Visual Policy Editor (VPE), where we can build the policy

  5. Click the + between Start and Deny


  6. Click on the Authentication tab, scroll to SAML Auth and click Add Item


  7. Click the drop-down next to AAA Server, choose /Common/AAD_VPN_SP, then click Save


  8. Click the + between SAML Auth and Deny on the Successful branch

  9. Click the Assignment tab, choose Advanced Resource Assign, then click Add Item

  10. Click the Add new entry button, then the Add/Delete link


  11. Click the Network Access tab and choose the network access resource (vpn-lab01-vpn, reviewed in Task 1), then the Webtop tab and choose the webtop (vpn-lab01-webtop), then the Webtop Sections tab and choose the webtop section (vpn-lab01-network_access).

  12. Click Update

  13. Click Save

  14. Click the Deny ending on the fallback branch of Advanced Resource Assign, choose Allow, and click Save. Change only this ending: the fallback branch of SAML Auth must stay Deny so that a missing or failed assertion never reaches the webtop.


  15. Click Apply Access Policy


Task 4 - Apply Policy and profiles to Virtual Server

  1. Navigate to Local Traffic –> Virtual Servers –> Virtual Server List

  2. From the Partition menu in the upper right choose vpn-lab01

  3. Click on vpn-lab01 Virtual Server

  4. Scroll down to the Access Policy section

  5. Select the vpn-lab02-psp from the Access Profile drop down menu

  6. Click the Connectivity Profile drop-down and choose vpn-lab01-cp


  7. Scroll down and click Update

Task 5 - Test VPN Access

  1. The user browses to the VPN virtual server and is redirected to Azure AD to sign in with the following credentials

    Password: F5twister$


  2. Click Next, enter the password, click Sign in, then click Yes

  3. Once authenticated, the user is redirected back to BIG-IP with the SAML assertion and presented a webtop with a single VPN icon.


  4. Assuming the VPN client has already been installed, the user is notified that the client is attempting to start



    You may be prompted to download a VPN client update. This is what a user experiences when auto-update is enabled in the VPN Connectivity Profile. Click Download and wait for the components to update.

  5. A pop-up opens displaying the status of the VPN connection. The status eventually becomes Connected



    If you lose the pop-up, check the system tray for the small red ball icon. Right-click it and choose Restore

  6. Click Disconnect