Secure Access to Web Applications with F5 and Okta using SAML 2.0 (2 of 2)

Step 2: Configure F5 BIG-IP APM as SAML SP for the Application

Refer to the step by step instructions and screenshots below to configure F5 BIG-IP APM as SAML SA for a new application called app.f5sec.net.

2.1 Import Certificate for the Application

Import the certificate for app.f5sec.net. This certificate will be later referenced when configuring the application.

•   Log in to the F5 BIG-IP System.

•  On the F5 Configuration Utility (Web UI) Main menu, navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

•   On the Traffic Certificate Management page, click the Import button on the right-hand corner.

•   On the SSL Certificate/Key Source page, select Key from the Import Type drop-down box.

•   Specify a Key Name and browse to the folder that contains the Key. After selecting the key file, click Import.

•   Back in the Traffic Certificate Management page, click on the imported Key name.

•   In the General Properties page, click on the Import button.

•   Browse to the folder that contains the Certificate. After selecting the certificate file, click Import.

Figure 9: Importing application certificate and key

2.2 Using Guided Configuration

The F5 BIG-IP APM Guided Configuration presents a completely new and streamlined user experience. This workflow-based architecture provides intuitive configuration steps tailored for a selected use case.

The steps below will walk through the Guided Configuration to build the application and configure F5 BIG-IP APM as SAML SP.

•   On the F5 Web UI Main menu, navigate to Access > Guided Configuration.

•   Click on the Federation tile. From the expanded option, click on the SAML Service Provider tile.

Figure 10: Guided configuration initial selection.

•   Take a moment to review the various configuration options on the SAML Service Provider page.

Figure 11: SAML Service Provider page

•   Satisfy any of the DNS, NTP, Interface, VLAN, Route, and Self IP configuration prerequisites from this initial configuration page.

•   Scroll down and click Next.

2.2.1 Configure Service Provider Properties

•   To configure these properties, follow the guidance below.

Figure 12: Sample ‘Service Provider Properties’ configuration.

•   Accept the remaining default entries and click Save & Next.

2.2.2 Configure Virtual Server Properties

•   To configure a virtual server for the app, follow these steps.

Figure 13: Sample ‘Virtual Server Properties’ configuration.

•   Click Save & Next.

2.2.3 Configure Okta Identity Provider Connector

•   To configure Okta as the external SAML IdP provider, follow the steps below.

Figure 14: Sample Okta IdP configuration.

•   Click Save & Next.

2.2.4 Create a Pool

•   To create a load balancing pool of application servers, follow the steps below.

Figure 15: Sample ‘Pool Properties’ configuration.

•   Click Save & Next.

2.2.5 Configure Single Sign-On Settings

•   To configure Okta as the external SAML IdP provided, follow the steps below.

Figure 16: Sample ‘Single Sign-on Settings’ configuration.

•   Click Save & Next.

2.2.6 Endpoint Checks

Select the Enable Endpoint Checks radio button to enable endpoint checks. For this demonstration, we will leave this setting at default.

Figure 17: 'Endpoint Checks Properties' page to enable and configure endpoint checks.

•   Click Save & Next.

2.2.7 Session Management

Leave the Timeout Settings at default.

Figure 18: Default timeout settings

•   Click Save & Next.

2.2.8 Summary

Review the Summary screen. When done, scroll down and click Deploy.

Figure 20: Confirmation of a successful deployment.

•  Click on the Finish button.

This completes the F5 BIG-IP APM configuration.

Step 3: Verification

We will verify the solution by accessing app.f5sec.net.

•   Open a web browser on an end host and navigate to https://app.f5sec.net. Notice the request will be redirected to Okta.com for user authentication.

Figure 21: Redirection to Okta for user authentication.

•   The application default web page prints all the headers. Notice that the HTTP_MYAUTHORIZATION header has been inserted with the appropriate value.

Figure 22: HTTP_MYAUTHORIZATION header inserted with user identity value.

 

Additional Resources

Part 1 - Secure Access to Web Applications with F5 and Okta using SAML 2.0

BIG-IP APM Product Information: Knowledge Center

Free Training Course: Getting Started with BIG-IP Access Policy Manager (APM)

Lightboard Lesson: F5 Access Policy Manager and Okta - Single Sign On and Multi-Factor Authentication

External Resource: F5 | Okta partnership