
Tutorial: Configure single sign-on (SSO) between Azure Active Directory and F5


This tutorial shows you how to integrate F5 with Azure Active Directory (Azure AD). The integration of F5 with Azure AD enables the following:

  • Control who has access to F5 in Azure AD.
  • Allow your users to automatically sign in to F5 with their Azure AD accounts.
  • Manage your accounts centrally in the Azure portal.

Prerequisites

To get started, you need the following:

  • An Azure AD subscription. If you don't have a subscription, you can get a free Azure account.

  • An F5 subscription with single sign-on (SSO) enabled.

  • One of the following licenses is required to provide the joint solution:

    • F5 BIG-IP® Best bundle, or

    • A standalone license for F5 BIG-IP Access Policy Manager™ (APM), or

    • An add-on license for F5 BIG-IP Access Policy Manager™ (APM) on an existing instance of F5 BIG-IP® Local Traffic Manager™ (LTM).

    • In addition to one of the above licenses, the F5 system can also be licensed with the following:

      • A URL filtering subscription to use the URL category database

      • An F5 IP Intelligence subscription to detect and block known attackers and malicious traffic

      • A network HSM (hardware security module) to protect and manage the digital keys used for secure authentication

  • An F5 BIG-IP system provisioned with the APM module (LTM is optional).

  • It is strongly recommended, though optional, that the F5 systems be provisioned with a floating IP address for high availability (HA) in a Sync/Failover Device Group (S/F DG) that contains the active-standby pair. Additional interface redundancy can be achieved with the Link Aggregation Control Protocol (LACP), which manages the connected physical interfaces as a single virtual interface (aggregate group) and detects interface failures within the group.

  • For Kerberos applications: a local AD service account for constrained delegation. For information about creating an AD delegation account, see the F5 documentation.

Guided configuration

  • Guided Configuration is supported by F5 TMOS from version 13.1.0.8. If your BIG-IP system is older than 13.1.0.8, see the section Advanced configuration.

  • Guided Configuration is a completely new and streamlined user experience. Its workflow-based architecture offers intuitive, entry-level configuration steps tailored to the selected topology.

  • Before proceeding with the configuration, upgrade Guided Configuration by downloading the latest use case package from downloads.f5.com. To upgrade, do the following:

    Note

    The screenshots provided are from the latest published version (BIG-IP 15.0 with AGC version 5.0). The configuration steps apply to this use case from 13.1.0.8 up to the latest BIG-IP version.

  1. On the F5 BIG-IP web interface, click Access > Guided Configuration.

  2. At the top left of the Guided Configuration page, click Upgrade Guided Configuration.

  3. On the Upgrade Guided Configuration screen that appears, select Choose File to upload the downloaded use case package, then click Upload and Install.

  4. When the upgrade is complete, click Continue.

Scenario description

In this tutorial, you will configure and test Azure AD single sign-on in a test environment.

  • F5 single sign-on can be configured in three different ways:

Key authentication scenarios

  • In addition to Azure Active Directory's native support for modern authentication protocols such as OpenID Connect, SAML and WS-Fed, F5 extends secure access with Azure AD to legacy authentication applications, for both internal and external access, and brings modern scenarios such as passwordless access to these applications. This includes the following:

  • Apps with header-based authentication

  • Apps with Kerberos authentication

  • Apps with anonymous authentication or no built-in authentication

  • Apps with NTLM authentication (protecting the user from double prompts)

  • Forms-based applications (protecting the user from double prompts)

Adding F5 from the gallery

To configure the integration of F5 with Azure AD, you must add F5 from the gallery to your list of managed SaaS apps.

  1. Sign in to the Azure portal with a work or school account, or with a personal Microsoft account.
  2. In the left navigation pane, select the Azure Active Directory service.
  3. Navigate to Enterprise applications, and then select All applications.
  4. To add a new application, select New application.
  5. In the Add from the gallery section, type F5 in the search box.
  6. Select F5 from the results pane and then add the app. Wait a few seconds while the app is added to your tenant.

Configure and test Azure AD single sign-on for F5

Configure and test Azure AD single sign-on with F5 using a test user named B. Simon. For single sign-on to work, a link relationship must be established between an Azure AD user and the corresponding user in F5.

To configure and test Azure AD single sign-on with F5, do the following:

  1. Configure Azure AD single sign-on to enable your users to use this feature.
    1. Create an Azure AD test user to test Azure AD single sign-on with test user B. Simon.
    2. Assign the Azure AD test user to enable B. Simon to use Azure AD single sign-on.
  2. Configure single sign-on for F5 to configure the single sign-on settings on the application side.
    1. Create an F5 test user so that B. Simon has a counterpart in F5 that is linked to her representation in Azure AD.
  3. Test single sign-on to verify that the configuration works.

Configure Azure AD single sign-on (SSO)

Follow these steps to enable Azure AD single sign-on in the Azure portal.

  1. In the Azure portal, on the F5 application integration page, find the Manage section and select Single sign-on.

  2. On the Select a single sign-on method page, select SAML.

  3. On the Set up single sign-on with SAML page, click the edit (pencil) icon for Basic SAML Configuration to edit the settings.

  4. In the Basic SAML Configuration section, if you want to configure the application in IDP-initiated mode, enter the values for the following fields:

    a. In the Identifier text box, type a URL using the following pattern:

    b. In the Reply URL text box, type a URL using the following pattern:

  5. Click Set additional URLs and perform the following step if you want to configure the application in SP-initiated mode:

    In the Sign-on URL text box, type a URL using the following pattern:

    Note

    These are sample values. You need to update them with the actual Identifier, Reply URL and Sign-on URL. You can obtain these values from the F5 client support team. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.

  6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and Certificate (Base64), then select Download to download the certificate and save it on your computer.

  7. In the Set up F5 section, copy the appropriate URLs according to your requirements.

Create an Azure AD test user

In this section, you will create a test user named B. Simon in the Azure portal.

  1. In the left pane of the Azure portal, select Azure Active Directory > Users > All users.
  2. Select New user at the top of the screen.
  3. In the User properties, follow these steps:
    1. In the Name field, enter the user's name.
    2. In the User name field, enter the user name.
    3. Select the Show password check box, and write down the value displayed in the Password field.
    4. Click Create.

Assign the Azure AD test user

In this section, you enable B. Simon to use Azure single sign-on by granting her access to F5.

  1. In the Azure portal, select Enterprise applications > All applications.
  2. In the applications list, select F5.
  3. On the app's overview page, find the Manage section and select Users and groups.
  4. Select Add user, then select Users and groups in the Add Assignment dialog box.
  5. In the Users and groups dialog box, select B. Simon from the Users list, then click the Select button at the bottom of the screen.
  6. If you want to assign a role to the user, you can select it from the Select a role drop-down menu. If no role has been set up for this app, the "Default Access" role is selected.
  7. In the Add Assignment dialog box, click the Assign button.

Configure single sign-on for F5

Configure F5 single sign-on for a header-based application

Guided configuration

  1. In a new web browser window, log in to your F5 (header-based) company site as an administrator and do the following:

  2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List. On the right, select Import. Under Certificate Name, enter a certificate name (it will be referenced later in the configuration). Under Certificate Source, select Upload File and specify the certificate you downloaded when you configured SAML single sign-on. Click Import.

  3. You will also need the SSL certificate for the application host name. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List. On the right, select Import. Set Import Type to PKCS 12 (IIS). Under Key Name, enter a key name (it will be referenced later in the configuration), then select the PFX file. Enter the password for the PFX file. Click Import.

    Note

    In this example, our app is called, we are using a wildcard certificate, and the key name is.

  4. We use Guided Configuration to set up Azure AD federation and application access. In F5 BIG-IP, navigate to Main > Access > Guided Configuration > Federation > SAML Service Provider. Click Next, then click Next again to begin the configuration.

  5. Under Configuration Name, enter a name for the configuration. Under Entity ID, enter the entity ID, using the value from the Azure AD application configuration. Under Host Name, enter the host name. Under Description, add a description for reference. Accept the rest of the default entries and options, then click Save & Next.

  6. In this example we create a new virtual server at 192.168.30.20 on port 443. Under Destination Address, enter the IP address of the virtual server. Under Client SSL Profile, select Create new. Specify the previously uploaded application certificate (the wildcard certificate in this example) and its key, then click Save & Next.

    Note

    In this example, our internal web server runs on port 888 and we want to publish it on port 443.

  7. Under Select method to configure your IdP connector, select Metadata, click Choose File, and upload the metadata XML file you downloaded from Azure AD. Under Name, enter a unique name for the SAML IdP connector. Under Metadata Signing Certificate, select the metadata signing certificate you uploaded earlier. Click Save & Next.

  8. Under Select a Pool, choose Create New or select an existing pool. Leave the other values unchanged. Under Pool Servers, enter the IP address in the IP Address/Node Name field and enter the port. Click Save & Next.

  9. On the Single Sign-On Settings screen, select the Enable Single Sign-On check box. Under Selected Single Sign-On Type, select HTTP header-based. Under Username Source, replace session.saml.last.Identity with session.saml.last.attr.name.Identity. (This variable is set through claims mapping in Azure AD.) Under SSO Headers, specify the following:

    • Header Name: MyAuthorization

    • Header Value: %{session.saml.last.attr.name.Identity}

    • Click Save & Next.

    A complete list of variables and values can be found in the appendix. Additional headers can be added if necessary.

    Note

    The F5 delegation account created earlier is used as the account name (see the F5 documentation).

  10. For simplicity, endpoint checks are skipped in this guide. See the F5 documentation for details. Click Save & Next.

  11. Accept the defaults and click Save & Next. For details on the SAML session management settings, see the F5 documentation.

  12. Review the summary and select Deploy to configure BIG-IP. Click Finish.

Advanced configuration

Use this section if you cannot use Guided Configuration or if you want to add or change additional parameters. You will need the TLS/SSL certificate for the application host name.

  1. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List. On the right, select Import. Set Import Type to PKCS 12 (IIS). Under Key Name, enter a key name (it will be referenced later in the configuration), then select the PFX file. Enter the password for the PFX file. Click Import.

    Note

    In this example, our app is called, we are using a wildcard certificate, and the key name is.

Adding a new web server to F5 BIG-IP

  1. Click Main > iApps > Application Services > Applications > Create.

  2. Under Name, enter the name, and under Template select f5.http.

  3. In this case, our HeaderApp2 app is published externally as HTTPS. For How should the BIG-IP system handle SSL traffic?, we specify Terminate SSL from clients, plaintext to servers (SSL offload). Under Which SSL certificate do you want to use?, specify your certificate, and under Which SSL private key do you want to use?, your key. Under What IP address do you want to use for the virtual server?, enter the IP address of the virtual server.

    • Provide further details:

      • FQDN

      • Specify an existing app pool or create a new one.

      • If you create a new app server, enter the internal IP address and the port number.

  4. Click Finished.

  5. Make sure the app properties can be changed. Click Main > iApps > Application Services: Applications > HeaderApp2. Clear the Strict Updates check box. (We are changing a setting outside of the GUI.) Click Update.

  6. You should now be able to browse to the virtual server.

Configure F5 as SP and Azure as IdP

  1. Go to Access > Federation > SAML Service Provider > Local SP Service, then click Create or the plus sign.

  2. Provide the details for the service provider service. Under Name, enter a name for the F5 SP configuration. Under Entity ID, enter the entity ID (usually the same as the application URL).

Create the IdP connector

  1. Click Bind/Unbind IdP Connectors, select Create New IdP Connector and then From Metadata, then do the following:

    a. Browse to the metadata.xml file downloaded from Azure AD and provide a name for the identity provider.

    b. Click OK.

    c. The connector is created and the certificate is automatically prepared from the XML metadata file.

    d. Configure F5 BIG-IP to send all requests to Azure AD.

    e. Click Add New Row, select AzureIDP (created in the previous steps) and specify the following:

    f. Matching Source: %{session.server.landinguri}

    g. Matching Value: /*

    h. Click Update.

    i. Click OK.

    j. The SAML IdP setup is complete.

Configure the F5 policy to redirect users to the Azure SAML IdP

  1. To configure the F5 policy to redirect users to the Azure SAML IdP, do the following:

    a. Click Main > Access > Profiles/Policies > Access Profiles.

    b. Click Create.

    c. Under Name, enter a name (HeaderAppAzureSAMLPolicy in this example).

    d. Adjust further settings if necessary. See the F5 documentation for details.

    e. Click Finished.

    f. After the policy has been created, click the policy and navigate to the Access Policy tab.

    g. Under Visual Policy Editor, click the Edit Access Policy for Profile link.

    h. In the Visual Policy Editor, click the plus sign and select SAML Auth.

    i. Click Add Item.

    j. Under Properties, enter a name under Name, select the previously configured SP under AAA Server, and click Save.

    k. The basic policy is ready. You can adapt the policy to incorporate additional sources or attribute stores.

    l. Click the Apply Access Policy link at the top.

Apply the access profile to the virtual server

  1. Assign the access profile to the virtual server so that F5 BIG-IP APM can apply the profile settings to incoming traffic and execute the previously defined access policy.

    a. Click Main > Local Traffic > Virtual Servers.

    b. Click the virtual server, scroll down to the Access Policy section, and in the Access Profile drop-down list select the SAML policy you created (HeaderAppAzureSAMLPolicy in this example).

    c. Click Update.

    d. Create an F5 BIG-IP iRule® to extract the custom SAML attributes from the incoming assertion and pass them as HTTP headers to the back-end test application. Click Main > Local Traffic > iRules > iRule List > Create.

    e. Paste the following F5 BIG-IP iRule text into the Definition window:

    when RULE_INIT {
        # Set to 1 to log the extracted attribute values to /var/log/ltm
        set static::debug 0
    }

    when ACCESS_ACL_ALLOWED {
        # Runs after APM has authorized the session; each SAML attribute is
        # available as session.saml.last.attr.name.<attribute name>

        set AZUREAD_USERNAME [ACCESS::session data get "session.saml.last.attr.name.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
        if { $static::debug } { log local0. "AZUREAD_USERNAME = $AZUREAD_USERNAME" }
        if { !([HTTP::header exists "AZUREAD_USERNAME"]) } { HTTP::header insert "AZUREAD_USERNAME" $AZUREAD_USERNAME }

        set AZUREAD_DISPLAYNAME [ACCESS::session data get "session.saml.last.attr.name.http://schemas.microsoft.com/identity/claims/displayname"]
        if { $static::debug } { log local0. "AZUREAD_DISPLAYNAME = $AZUREAD_DISPLAYNAME" }
        if { !([HTTP::header exists "AZUREAD_DISPLAYNAME"]) } { HTTP::header insert "AZUREAD_DISPLAYNAME" $AZUREAD_DISPLAYNAME }

        set AZUREAD_EMAILADDRESS [ACCESS::session data get "session.saml.last.attr.name.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
        if { $static::debug } { log local0. "AZUREAD_EMAILADDRESS = $AZUREAD_EMAILADDRESS" }
        if { !([HTTP::header exists "AZUREAD_EMAILADDRESS"]) } { HTTP::header insert "AZUREAD_EMAILADDRESS" $AZUREAD_EMAILADDRESS }
    }

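The following Python model is an added example, not code from the tutorial, F5 or Microsoft. It covers both the MyAuthorization header from the Guided Configuration SSO settings (step 9) and the AZUREAD_* headers set by the iRule above: the BIG-IP side copies APM session variables into request headers, and the back-end side shows the trust check a header-based application needs, since the headers themselves carry no proof of origin. The trusted peer address is a constructed placeholder.

```python
# Added example, not code from the tutorial, F5 or Microsoft: a Python model of
# the header-based SSO hand-off. APM keeps each SAML attribute of the Azure AD
# assertion in session.saml.last.attr.name.<attribute>; the guided
# configuration's MyAuthorization header and the iRule's AZUREAD_* headers copy
# those variables into request headers for the back-end application.

# Attribute names exactly as used on this page.
HEADER_TO_ATTRIBUTE = {
    "MyAuthorization": "Identity",  # set through claims mapping in Azure AD
    "AZUREAD_USERNAME": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "AZUREAD_DISPLAYNAME": "http://schemas.microsoft.com/identity/claims/displayname",
    "AZUREAD_EMAILADDRESS": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}

# Constructed placeholder for the BIG-IP self IP that pool members see as the
# peer address (not a value from the page).
TRUSTED_BIGIP_PEERS = {"192.0.2.10"}


def session_var(attribute):
    """APM session variable that holds one SAML attribute value."""
    return f"session.saml.last.attr.name.{attribute}"


def bigip_insert_identity_headers(session, client_headers, overwrite):
    """Model of the ACCESS_ACL_ALLOWED hand-off on the BIG-IP.

    overwrite=False mirrors the page's iRule, which inserts a header only when
    the client request does not already carry one of that name. overwrite=True
    is the hardened variant (replace instead of conditional insert), so the back
    end only ever sees values the BIG-IP set from the SAML assertion.
    """
    headers = dict(client_headers)
    for header, attribute in HEADER_TO_ATTRIBUTE.items():
        value = session.get(session_var(attribute))
        if value is not None and (overwrite or header not in headers):
            headers[header] = value
    return headers


def backend_identity(headers, peer_ip):
    """Trust decision in the header-based application behind the BIG-IP.

    Identity headers carry no proof of origin, so they are honoured only when
    the TCP peer is the BIG-IP; any other path yields no identity and the
    request must be treated as unauthenticated.
    """
    if peer_ip not in TRUSTED_BIGIP_PEERS:
        return None
    user = headers.get("AZUREAD_USERNAME") or headers.get("MyAuthorization")
    if not user:
        return None
    return {"user": user,
            "display_name": headers.get("AZUREAD_DISPLAYNAME"),
            "email": headers.get("AZUREAD_EMAILADDRESS")}


# Constructed APM session for test user B. Simon after a successful SAML login.
SAMPLE_SESSION = {
    session_var("Identity"): "b.simon",
    session_var(HEADER_TO_ATTRIBUTE["AZUREAD_USERNAME"]): "b.simon",
    session_var(HEADER_TO_ATTRIBUTE["AZUREAD_DISPLAYNAME"]): "B. Simon",
    session_var(HEADER_TO_ATTRIBUTE["AZUREAD_EMAILADDRESS"]): "b.simon@example.com",
}
```

Running bigip_insert_identity_headers with a client request that already carries an AZUREAD_USERNAME header shows the difference between the page's conditional insert and the replacing variant; the back-end check is what makes either safe, because the pool member only honours the headers when the peer is the BIG-IP.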

Create an F5 test user

In this section you create a user named B. Simon in F5. Work with the F5 client support team to add the users to the F5 platform. Users must be created and activated before you use single sign-on.

Testing single sign-on

In this section, you test the Azure AD single sign-on configuration with the following options:

SP initiated:

  • In the Azure portal, click Test this application. This redirects you to the F5 sign-on URL, where you can initiate the login flow.

  • Go directly to the F5 login URL and initiate the login flow.

IDP initiated:

  • In the Azure portal, click Test this application. This should automatically sign you in to the F5 instance for which you set up single sign-on.

You can also use Microsoft's My Apps to test the application in either mode. When you click the F5 tile in My Apps, one of the following happens: if you configured the application in SP mode, you are redirected to the application's sign-on page to initiate the login flow; if you configured it in IDP mode, you should be automatically signed in to the F5 instance for which you set up single sign-on. For more information about My Apps, see the My Apps introduction.

Next Steps

After you configure F5, you can enforce session control, which protects against exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. Learn how to enforce session control with Microsoft Cloud App Security.
