Publish and protect Bluesky app¶
Let’s start with Bluesky
application. Reminder, Bluesky does not have any Authentication
enabled.
Connect to BIG-IP HTTPS user interface from UDF as
admin
and passwordadmin
In
Access
>Guided Configuration
, selectMicrosoft Integration
>Azure AD application
Configuration Properties¶
Click
Next
and start the configurationConfigure the page as below
Configuration Name :
IIS-Bluesky-<My Name>
Why my name ? Because this app will be created in Azure AD tenant. And we need to differentiate all apps. Example :IIS-Bluesky-Matt
In
Azure Service Account Details
, SelectCopy Account Info form Existing Configuration
, and selectIIS-baseline
, then clickCopy
Note
In a real world, you will set here the values from the Azure Service Application created for APM. You have to create an Azure Application so that APM gets access to Microsoft Graph API. But for security concerns, I can’t show in this lab the application secret.
Note
The steps to create this Azure applications are below
In Azure AD, create a service application under your organization’s tenant directory using App Registration.
Register the App as Azure AD only single-tenant.
Request permissions for Microsoft Graph APIs and assign the following permissions to the application:
Application.ReadWrite.All
Application.ReadWrite.OwnedBy
Directory.Read.All
Group.Read.All
Policy.Read.All
Policy.ReadWrite.ApplicationConfiguration
User.Read.All
Grant admin consent for your organization’s directory.
Copy the Client ID, Client Secret, and Tenant ID and add them to the Azure AD Application configuration.
Click
Test Connection
button –> Connection is validClick
Next
Service Provider¶
Azure Active Directory¶
Select
Azure BIG-IP APM Azure AD...
templateNote
As you can notice, there are several templates available for different applications. Here, in this lab, we will publish a generic app. So we select the first template.
Click
Add
In the new screen, configure as below
Signing Key :
default.key
Signing Certificate :
default.crt
Signing Key Passphrase :
F5twister$
In
User And User Groups
, clickAdd
Note
We have to assign Azure AD users/group to this app, so that they can be allowed to connect to it.
In the list, click
Add
for the useruser1
. If you can’t find it, search for it in thesearch
field.Click
Close
You can see
user1
in the list.Click
Save & Next
Virtual Server Properties¶
Configure the VS as below
IP address :
10.1.10.104
ClientSSL
profile. We will get a TLS warning in the browser, but it does not matter for this lab.
Click
Save & Next
Pool Properties¶
Select
Create New
In Pool Servers, select
/Common/10.1.20.9
This is the IIS server.
Session Management Properties¶
Nothing to change, click
Save & Next
Deploy your app template¶
Click
Deploy
Behind the scene, the deployment creates an
Azure Enterprise Application
forBluesky
. We can see it inAzure portal
(you don’t have access in this lab). With this Enterprise Application, Azure knows where to redirect the user when authenticated. And this app has the certificate and key used to sign the SAML assertion.
Test your deployment¶
RDP to Win10 machine as
user
and passworduser
Open
Microsoft Edge
browser - icon is on the DesktopClick on the
bookmark
Bluesky
You will be redirected to Azure AD login page. Login as
user1@f5access.onmicrosoft.com
, and for the password please ask to your instructor.You are redirected to APM with a SAML assertion, and can access to Bluesky application