F5 Identity and Access Management Solutions > Class 6: Federating Common Services

Lab 4: OAuth and Azure AD Lab

The purpose of this lab is to familiarize the student with using APM in conjunction with Microsoft Azure AD. Azure Active Directory (Azure AD) is Microsoft's cloud-hosted identity service. It exposes OAuth 2.0 and OpenID Connect endpoints, and APM can act as an OAuth client against them so that users log in to APM with their Azure AD credentials.

Objective:

  • Gain an understanding of additional F5 OAuth features
  • Deploy a working configuration using F5 APM and Microsoft Azure AD

Lab Requirements:

  • All lab requirements will be noted in the tasks that follow
  • Estimated completion time: 25 minutes

Lab 4 Tasks:

TASK 1: Create/Review New Application Registration

Refer to the instructions and screen shots below:

Note: The steps in this task can simply be "REVIEWED". Setting up a free Azure account requires the entry of billing information, so creating an account and performing the steps below is a [REVIEW] task. Those who want to set up an account should refer to the "APPENDIX: Setting up an Azure Development Account". Those with existing accounts may follow these steps if desired. All others should simply review the steps in Task 1 and proceed to Task 2.

[REVIEW]

  1. Log into the Microsoft Azure Dashboard and click Azure Active Directory in the left navigation menu.
  2. Click App Registration in the resulting menu and then New Application Registration in the flyout menu.
  3. In the Create App Registration pop-up, enter the following values:
  • Name: app.f5demo.com
  • Application Type: Web App / API
  • Sign On URL: https://app.f5demo.com
  4. Click Create.
  5. In the resulting app.f5demo.com Registered App window, note and copy the Application ID. It is used in later setup steps (as the Client ID in Task 4 and as the resource value in Task 2).
  6. Click Settings.
  7. In the Settings flyout panel, click Keys.
  8. In the Keys flyout panel, enter the following values:
  • Description: app.f5demo.com
  • Expires: In 2 Years
  9. Click Save.
  10. Note the message provided by Azure in the Keys panel: the key value is displayed only once and cannot be retrieved after you leave the panel.
  11. Copy the Key Value for use in a later setup step (it becomes the Client Secret in Task 4). It is a credential for the application; store it as you would a password.
  12. In the Settings flyout panel, click Reply URL.
  13. In the Reply URL flyout panel, enter https://app.f5demo.com/oauth/client/redirect. This must match, character for character, the Redirection URI that the APM OAuth Client action sends in Task 5; Azure AD rejects authorization requests whose redirect_uri is not registered.
  14. Click Save.
  15. In the Settings flyout panel, click Required Permissions.
  16. In the Required Permissions flyout panel, click Grant Permissions.
  17. The following Required Permissions dialogue box may appear. Click Yes to proceed.
  18. In the Required Permissions flyout panel, click Windows Azure Active Directory.
  19. In the Enable Access flyout panel, ensure the Sign In and Read User Profile permission is checked.
  20. Click Save.
  21. In the Registered Application panel, click Manifest.
  22. In the Edit Manifest flyout panel, change the groupMembershipClaims line (line 7) from null to "All" (note the quotes are required).
  23. Click Save.

Note: You can also set groupMembershipClaims to "SecurityGroup", which limits the groups claim to security groups instead of every group the user belongs to. Either way Azure AD emits group object IDs, not display names, so any policy that matches on groups must use the IDs.

TASK 2: Create OAuth Request

Refer to the instructions and screen shots below:

  1. Create the OAuth Request by navigating to Access -> Federation -> OAuth Client/Resource Server -> Request and clicking Create.
  2. Use the following values to create the Request:
  • Name: Azure_AD_Token
  • HTTP Method: POST
  • Type: token-request
  3. Create the following Request Parameters using the Parameter Type drop down (note the underscores in the parameter names):
  • Parameter Type: client-id, Parameter Name: client_id
  • Parameter Type: client-secret, Parameter Name: client_secret
  • Parameter Type: grant-type, Parameter Name: grant_type
  • Parameter Type: redirect-uri, Parameter Name: redirect_uri
  • Parameter Type: custom, Parameter Name: resource, Parameter Value: dd4bc4c7-2e90-41c9-9c41-b7eab5ab68b7
  4. Click Finished.

Note: The Azure AD v1 endpoints used by this lab identify the API a token is for with a resource parameter rather than an OAuth scope. The value here is the Application ID of the app.f5demo.com registration from Task 1 (the same value used as the Client ID in Task 4), so the token is issued for the application itself. The client-id, client-secret, grant-type and redirect-uri parameter types are filled in by APM from the OAuth Server and OAuth Client action configured later; only the custom parameter carries a literal value.

TASK 3: Create OAuth Provider

Refer to the instructions and screen shots below:

  1. Create the OAuth Provider by navigating to Access -> Federation -> OAuth Client/Resource Server -> Provider and clicking Create.
  2. Use the following values to create the Provider:
  • Name: f5demo_AzureAD_Provider
  • Type: AzureAD
  • OpenID URI: replace the _tenantID_ placeholder with the following tenant ID: f5agilitydemogmail.onmicrosoft.com

The resulting URI should be as follows:

https://login.windows.net/f5agilitydemogmail.onmicrosoft.com/.well-known/openid-configuration

  3. Click Discover.
  4. Click Save.

Note: Discover fetches the OpenID Connect discovery document at that URI and fills in the provider's authorization, token and key (JWKS) endpoints from it, so the BIG-IP must be able to resolve and reach login.windows.net (the DNS resolver is selected in Task 4).

Note: If using another account, you can find your tenant ID by navigating to the "Azure Portal" and clicking "Azure Active Directory". The tenant ID is the "default directory" as shown. The full name of the tenant is "TenantID.onmicrosoft.com".

TASK 4: Create OAuth Server

Refer to the instructions and screen shots below:

  1. Create the OAuth Server (Client) by navigating to Access -> Federation -> OAuth Client/Resource Server -> OAuth Server and clicking Create.
  2. Use the following values to complete the OAuth Server:
  • Name: f5demo_AzureAD_Server
  • Mode: Client
  • Type: AzureAD
  • OAuth Provider: f5demo_AzureAD_Provider
  • DNS Resolver: proxy_dns_resolver
  • Client ID: dd4bc4c7-2e90-41c9-9c41-b7eab5ab68b7
  • Client Secret: YqHbzTosdBxdaGl9A/hXCs1ex1HWi+BTUSkgcfhbTwA=
  • Client's Server SSL Profile Name: serverssl-insecure-compatible
  3. Click Finished.

Note: The Client ID and Client Secret are the Application ID and Key Value from the Task 1 registration. The serverssl-insecure-compatible profile is used only to keep the lab simple: it does not verify the certificate presented by login.windows.net, so the back-channel token request, which carries the client secret, could be intercepted by anyone able to redirect the BIG-IP's outbound traffic. In a production deployment, use a server SSL profile that verifies the provider's certificate against a trusted CA bundle.

TASK 5: Setup F5 Per Session Policy (Access Policy)

Refer to the instructions and screen shots below:

  1. Create the Per Session Policy by navigating to Access -> Profiles/Policies -> Access Profiles (Per Session Policies) and clicking Create.
  2. In the New Profile dialogue window enter the following values:
  • Name: AzureAD_OAuth
  • Profile Type: All
  • Profile Scope: Profile
  • Language: English
  3. Click Finished.
  4. Click the Edit link for the AzureAD_OAuth Access Policy.
  5. In the AzureAD_OAuth Access Policy, click the "+" between Start and Deny.
  6. Click the Authentication tab in the events window.
  7. Scroll down and click the radio button for OAuth Client.
  8. Click Add Item.
  9. In the OAuth_Client window enter the following values as shown:
  • Server: /Common/f5demo_AzureAD_Server
  • Grant Type: Authorization code
  • OpenID Connect: Enabled
  • OpenID Connect Flow Type: Authorization code
  • Authentication Redirect Request: /Common/AzureADAuthRedirectRequest
  • Token Request: /Common/Azure_AD_Token
  • Refresh Token Request: /Common/AzureADTokenRefreshRequest
  • OpenID Connect UserInfo Request: None
  • Redirection URI: https://%{session.server.network.name}/oauth/client/redirect
  10. Click Save.
  11. Click the Deny link; in the Select Ending dialogue, select the Allow radio button and click Save.
  12. Click the Apply Access Policy link in the top left-hand corner.

Note: The Redirection URI is expanded at run time from the host name the client connected to, so for a request to https://app.f5demo.com it becomes https://app.f5demo.com/oauth/client/redirect, exactly the Reply URL registered in Azure AD in Task 1. With OpenID Connect enabled, the OAuth Client action validates the id_token returned with the authorization code and stores its claims as session variables, which Task 9 reviews.

Note: Additional actions can be taken in the Per Session policy (Access Policy). The lab policy only completes the OAuth/OpenID Connect login. Other access controls can be implemented based on the use case.
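The exchange that Tasks 2 to 5 configure, written out as an added example (not F5 or Microsoft code) so the pieces can be seen together: the authorization redirect the OAuth Client action sends the browser to, the form body of the Azure_AD_Token request, and the checks a client must make on the returned id_token before trusting it. Everything is constructed so it runs offline: DISCOVERY is a constructed stand-in for the document that Discover fetches in Task 3, CLIENT_SECRET, the authorization code and the signing key are constructed, and HS256 with a shared key stands in for Azure AD's RS256 signature (whose public keys come from jwks_uri) so that only the standard library is needed; the claim checks are the same either way.

```python
"""Model of the APM OAuth client flow against Azure AD (Tasks 2-5).
Added example; all endpoints, secrets, codes and keys are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

TENANT = "f5agilitydemogmail.onmicrosoft.com"
CLIENT_ID = "dd4bc4c7-2e90-41c9-9c41-b7eab5ab68b7"      # Application ID (Task 1) / Client ID (Task 4)
CLIENT_SECRET = "constructed-secret-not-the-lab-key"       # Key Value from Task 1 in the real setup
REDIRECT_URI = "https://app.f5demo.com/oauth/client/redirect"  # must equal the Azure Reply URL

DISCOVERY = {  # constructed; real values come from /.well-known/openid-configuration
    "issuer": f"https://sts.windows.net/{TENANT}/",
    "authorization_endpoint": f"https://login.windows.net/{TENANT}/oauth2/authorize",
    "token_endpoint": f"https://login.windows.net/{TENANT}/oauth2/token",
    "jwks_uri": f"https://login.windows.net/{TENANT}/discovery/keys",
}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorize_url(state: str, nonce: str) -> str:
    """Authentication Redirect Request (Task 5): where the browser is sent.
    state ties the callback to this session; nonce ties the id_token to it."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
              "scope": "openid", "state": state, "nonce": nonce}
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params)


def build_token_request(code: str) -> dict:
    """Form body of the Azure_AD_Token request (Task 2), POSTed to token_endpoint.
    resource is the v1-endpoint parameter and carries the Application ID itself."""
    return {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "resource": CLIENT_ID}


def sign_jwt(claims: dict, key: bytes) -> str:
    """Stand-in for the provider: HS256-signed JWT over the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def validate_id_token(token: str, key: bytes, expected_nonce: str, now=None) -> dict:
    """Checks before trusting an id_token: algorithm pinned, signature valid,
    issuer from discovery, audience == our client_id, not expired, nonce matches.
    Raises ValueError on the first failure."""
    now = int(time.time()) if now is None else now
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":   # never accept "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("bad issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("bad audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def demo() -> str:
    """Walk the flow once on constructed data; returns the UPN from the id_token."""
    key = secrets.token_bytes(32)                       # constructed signing key
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    build_authorize_url(state, nonce)                   # 1. browser redirected to Azure AD
    # 2. browser returns to the Reply URL with code and state (constructed callback)
    callback = REDIRECT_URI + "?" + urlencode({"code": "AQAB-constructed-code", "state": state})
    query = parse_qs(urlsplit(callback).query)
    if query.get("state", [None])[0] != state:          # reject forged or replayed callbacks
        raise ValueError("state mismatch")
    build_token_request(query["code"][0])               # 3. back-channel POST (not sent here)
    now = int(time.time())                              # 4. constructed provider response
    id_token = sign_jwt({"iss": DISCOVERY["issuer"], "aud": CLIENT_ID, "iat": now,
                         "exp": now + 3600, "nonce": nonce, "upn": f"demouser@{TENANT}",
                         "groups": ["3f2b9c41-aaaa-4c3e-9d2c-000000000001"]}, key)
    return validate_id_token(id_token, key, nonce, now)["upn"]


if __name__ == "__main__":
    print(demo())
```

The audience check is the one most often skipped: an id_token issued to a different application in the same tenant carries a valid Azure AD signature and issuer, and only the aud comparison against the Client ID from Task 4 rejects it.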

TASK 6: Associate Access Policy to Virtual Server

Refer to the instructions and screen shots below:

  1. Navigate to Local Traffic -> Virtual Servers -> Virtual Server List and click on the app.f5demo.com Virtual Server link.
  2. Scroll to the Access Policy section.
  3. Use the Access Profile drop down to change the Access Profile to AzureAD_OAuth.
  4. Use the Per-Request Policy drop down to change the Per-Request Policy to AzureAD_oauth_policy.
  5. Scroll to the bottom of the Virtual Server configuration and click Update.

TASK 7: Test app.f5demo.com

Refer to the instructions and screen shots below:

  1. Navigate in your provided browser to https://app.f5demo.com
  2. Authenticate with the following Azure AD account:
  • Username: demouser@f5agilitydemogmail.onmicrosoft.com
  • Password: f5d3m0u$3r
  3. Were you redirected to Azure AD?
  4. After successful authentication, were you returned to app.f5demo.com?
  5. Did you successfully pass your OAuth token?

TASK 8: Per Request Policy Controls

Refer to the instructions and screen shots below:

  1. As in the prior lab, you can experiment with Per Request Policy controls. In the application page for https://app.f5demo.com click the Admin Link shown.
  2. You will receive an "Access to this page is blocked" (customizable) message with a reference. You have been blocked because you do not have access on a per-request basis.
  3. Press the Back button in your browser to return to https://app.f5demo.com.
  4. Navigate to Local Traffic -> iRules -> Data Group List and click on the Allowed_Users data group.
  5. Enter the demouser@f5agilitydemogmail.onmicrosoft.com account used for this lab as the String value. The record must match the identity exactly as the policy reads it from the OAuth session variables, so enter it as shown.
  6. Click Add, then click Update.

Note: We are using a data group control to minimize lab resources and steps. AD or LDAP group memberships, session variables, other user attributes and various other access control mechanisms can be used to achieve similar results.

  7. You should now be able to access the Admin Functions by clicking on the Admin Link.

Note: Per Request Policies are dynamic and do not require the same "Apply Policy" action as Per Session Policies.

  8. To review the Per Request Policy, navigate to Access -> Profiles/Policies -> Per Request Policies and click on the Edit link for the AzureAD_oauth_policy.
  9. The various Per-Request Policy actions can be reviewed.

Note: Other actions like Step-Up Auth controls can be performed in a Per-Request Policy.
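The authorization decision behind the Admin Link, as an added example (not F5 code): a deny-by-default check that first consults the Allowed_Users data group from this task and then, as the note above suggests, the Azure AD groups claim that the groupMembershipClaims manifest setting from Task 1 puts into the id_token. The session is shown as a flat dict of APM session variables; the claim variable names follow the OAuth Client action's id_token variables (session.oauth.client.last.id_token.<claim>, with the groups claim assumed to be stored as a list), and the group object ID in ALLOWED_GROUPS is constructed.

```python
"""Model of the per-request check on the admin area (Task 8).
Added example; session layout and group IDs are assumptions/constructed."""

ADMIN_PREFIX = "/admin"

# Records of the Allowed_Users data group from Task 8, stored lower-cased.
ALLOWED_USERS = {"demouser@f5agilitydemogmail.onmicrosoft.com"}

# Constructed object IDs of Azure AD groups permitted to reach the admin area.
# Azure AD emits group object IDs in the groups claim, never display names.
ALLOWED_GROUPS = {"3f2b9c41-aaaa-4c3e-9d2c-000000000001"}

CLAIM_PREFIX = "session.oauth.client.last.id_token."


def id_token_claims(session: dict) -> dict:
    """Collect the id_token claims the OAuth Client action stored as session variables."""
    return {k[len(CLAIM_PREFIX):]: v for k, v in session.items() if k.startswith(CLAIM_PREFIX)}


def authorize(session: dict, path: str) -> tuple:
    """Per-request decision as (verdict, reason); verdict is "allow" or "deny".
    Anything not explicitly allowed is denied."""
    if not path.startswith(ADMIN_PREFIX):
        return "allow", "unprotected path"
    claims = id_token_claims(session)
    upn = claims.get("upn")
    if not upn:  # no completed OAuth login, or a token without the expected claim
        return "deny", "no authenticated user in session"
    # UPNs are case-insensitive; normalise before the data-group lookup so that
    # Demouser@... and demouser@... resolve to the same record.
    if upn.lower() in ALLOWED_USERS:
        return "allow", f"{upn} is in Allowed_Users"
    # Group overage: when a user belongs to more groups than Azure AD will put in a
    # token, the groups claim is replaced by _claim_names/_claim_sources pointing at
    # Graph. Treat that as "membership unknown", never as "member of no groups".
    if "_claim_names" in claims:
        return "deny", "groups claim omitted (overage); membership unknown"
    groups = claims.get("groups", [])
    if not isinstance(groups, list):  # assumption: APM hands us a list; refuse anything else
        return "deny", "groups claim has unexpected shape"
    matched = set(groups) & ALLOWED_GROUPS
    if matched:
        return "allow", f"{upn} is in permitted group {sorted(matched)[0]}"
    return "deny", f"{upn} is neither in Allowed_Users nor a permitted group"


def lab_session(upn: str, groups=None, overage: bool = False) -> dict:
    """Constructed session variables as the per-session policy of Task 5 leaves them."""
    session = {"session.user.clientip": "10.1.10.1", CLAIM_PREFIX + "upn": upn}
    if overage:
        session[CLAIM_PREFIX + "_claim_names"] = {"groups": "src1"}
    else:
        session[CLAIM_PREFIX + "groups"] = list(groups or [])
    return session


def demo() -> str:
    """The Task 8 case: demouser clicks the Admin Link after being added to Allowed_Users."""
    return authorize(lab_session("demouser@f5agilitydemogmail.onmicrosoft.com"), "/admin")[0]


if __name__ == "__main__":
    for user in ("demouser@f5agilitydemogmail.onmicrosoft.com", "other@f5agilitydemogmail.onmicrosoft.com"):
        print(user, authorize(lab_session(user), "/admin"))
```

Before the data group is updated the first branch fails and, with no matching group, the request is denied, which is the blocked page seen at the start of this task; after the record is added the same request is allowed without touching the per-session policy.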

TASK 9: Review OAuth Results

Refer to the instructions and screen shots below:

  1. Review your Active Sessions (Access -> Overview -> Active Sessions).
  2. You can review session activity or session variables from this window, or kill the selected session.
  3. Review your Access Report Logs (Access -> Overview -> Access Reports).
  4. In the Report Parameters window click Run Report.
  5. Look at the Session ID report by clicking the Session ID link.
  6. Look at the Session Variables report by clicking the View Session Variables link. Pay attention to the OAuth variables, which include the claims APM extracted from the id_token.

Note: Any of these session variables can be used to perform further actions to improve security or constrain access with logic in the Per-Session or Per-Request VPE policies or iRules/iRulesLX.

  7. Review your OAuth Reports (Access -> Overview -> OAuth Reports -> Client/Resource Server).