Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Introduction

In the following guide we are configuring Federated AWS Console Access through BIG-IP APM as Identity Provider (IdP). With AWS console we need to be very careful about granting access, checking endpoint and apply Multi-Factor Authentication (MFA).

Architecture

The expected traffic flow follows the below path,

User Access F5 APM portal.
F5 APM applies EndPoint inspection and user authentication.
Once the user is authenticated, APM redirects user browser to AWS Console with SAML assertion.
AWS Console verifies the assertion, the assigned role and allow the proper access to the user.

Configurations steps

let's list the steps to perform the configurations.

F5 APM Configurations

Head to Access > Access Guided Configurations > Select SAML Identity provider template

Configure IdP settings.

Configure Virtual Server settings or select one that's already created.

Specify Authentication and MFA settings.

Select proper SaaS Application template (Amazon Web Services in our case)

Configure the AWS Application settings,
- Mention IdP name configured at AWS console.
- Mention IdP role name created at AWS console.

EndPoint checks and inspection

Then adjust session management parameters as per requirements and customization for the web portal and Deploy.

Here's how the final policy should look like,

Note, you can make use of authentication part to fetch the proper role per user and communicate that to AWS Console, so each user is assigned to the proper role.

AWS Console Configurations

Create IdP settings from AWS Console > IAM > Identity Providers

Make sure to assign proper roles to the Identity Provider and make sure the role got "sts:AssumeRoleWithSAML" Allow.

Conclusion

Using Access Guided Configurations, it's easy to secure and simplify access to AWS Console and we can extend our existing Identity services to facilitate and authorize access to AWS Console.

In addition to authorizing users, you can make use of F5 APM endpoint inspection and further integrations with 3rd parties through HTTP connectors and iRules.