Publish and protect Bluesky app¶

Click Next and start the configuration

Configure the page as below

1. Configuration Name : IIS-Bluesky-<My Name> Why my name ? Because this app will be created in Azure AD tenant. And we need to differentiate all apps. Example : IIS-Bluesky-Matt

2. In Azure Service Account Details, Select Copy Account Info form Existing Configuration, and select IIS-baseline, then click Copy

   
   
   

   Note

   In a real world, you will set here the values from the Azure Service Application created for APM. You have to create an Azure Application so that APM gets access to Microsoft Graph API. But for security concerns, I can’t show in this lab the application secret.

   Note

   The steps to create this Azure applications are below

   1. In Azure AD, create a service application under your organization’s tenant directory using App Registration.

   2. Register the App as Azure AD only single-tenant.

   3. Request permissions for Microsoft Graph APIs and assign the following permissions to the application:

      1. Application.ReadWrite.All

      2. Application.ReadWrite.OwnedBy

      3. Directory.Read.All

      4. Group.Read.All

      5. Policy.Read.All

      6. Policy.ReadWrite.ApplicationConfiguration

      7. User.Read.All

   4. Grant admin consent for your organization’s directory.

   5. Copy the Client ID, Client Secret, and Tenant ID and add them to the Azure AD Application configuration.

3. Click Test Connection button –> Connection is valid

   

4. Click Next

Configure the page as below

1. Host bluesky.f5access.onmicrosoft.com

2. Entity ID is auto-filled https://bluesky.f5access.onmicrosoft.com/IIS-Bluesky-my name>

   

3. Click Save & Next

Select Azure BIG-IP APM Azure AD... template

Click Add

In the new screen, configure as below

1. Signing Key : default.key

2. Signing Certificate : default.crt

3. Signing Key Passphrase : F5twister$

   

4. In User And User Groups, click Add

   Note

   We have to assign Azure AD users/group to this app, so that they can be allowed to connect to it.

   1. In the list, click Add for the user user1. If you can’t find it, search for it in the search field.

      
      
      

   2. Click Close

   3. You can see user1 in the list.

      
      
      

   4. Click Save & Next

Configure the VS as below

1. IP address : 10.1.10.104

2. ClientSSL profile. We will get a TLS warning in the browser, but it does not matter for this lab.

Click Save & Next

Select Create New

In Pool Servers, select /Common/10.1.20.9 This is the IIS server.

Click Deploy

Behind the scene, the deployment creates an Azure Enterprise Application for Bluesky. We can see it in Azure portal (you don’t have access in this lab). With this Enterprise Application, Azure knows where to redirect the user when authenticated. And this app has the certificate and key used to sign the SAML assertion.

RDP to Win10 machine as user and password user

Open Microsoft Edge browser - icon is on the Desktop

Click on the bookmark Bluesky

You will be redirected to Azure AD login page. Login as user1@f5access.onmicrosoft.com, and for the password please ask to your instructor.

You are redirected to APM with a SAML assertion, and can access to Bluesky application