Publish and protect Vanilla app

Let’s continue with the Vanilla application. Reminder: the Vanilla application has authentication enabled with Kerberos, so we will need to enable Kerberos Constrained Delegation.

  1. Connect to the BIG-IP HTTPS user interface from UDF with username admin and password admin

  2. In Access > Guided Configuration, select Microsoft Integration > Azure AD application

    Note

    As you can see, we deploy one template per application

    ../../_images/AGC2.png

Configuration Properties

  1. Click Next and start the configuration

  2. Configure the page as below

    1. Configuration Name : IIS-Vanilla-<My Name>. Why your name? Because this app will be created in the Azure AD tenant, and we need to differentiate all the apps.

    2. Enable Single Sign-on (SSO)

      ../../_images/SSO.png
    3. In Azure Service Account Details, select Copy Account Info from Existing Configuration, select IIS-baseline, then click Copy

      ../../_images/IIS-baseline1.png

      Note

      In the real world, you would set here the values from the Azure service application created for APM. You have to create an Azure application so that APM gets access to the Microsoft Graph API. For security reasons, I can’t show the application secret in this lab.

      Note

      The steps to create this Azure application are below

      1. In Azure AD, create a service application under your organization’s tenant directory using App Registration.

      2. Register the App as Azure AD only single-tenant.

      3. Request permissions for Microsoft Graph APIs and assign the following permissions to the application:

        1. Application.ReadWrite.All

        2. Application.ReadWrite.OwnedBy

        3. Directory.Read.All

        4. Group.Read.All

        5. Policy.Read.All

        6. Policy.ReadWrite.ApplicationConfiguration

        7. User.Read.All

      4. Grant admin consent for your organization’s directory.

      5. Copy the Client ID, Client Secret, and Tenant ID and add them to the Azure AD Application configuration.

    4. Click the Test Connection button -> Connection is valid

      ../../_images/test_conn1.png
    5. Click Next

Service Provider

  1. Configure the page as below

    1. Host vanilla.f5access.onmicrosoft.com

    2. Entity ID is auto-filled: https://vanilla.f5access.onmicrosoft.com/IIS-Bluesky-<My Name>

      ../../_images/SP1.png
    3. Click Save & Next

Azure Active Directory

  1. Select Azure BIG-IP APM Azure AD... template

    Note

    As you can see, there are several templates available for different applications. In this lab we publish a generic app, so we select the first template.

  2. Click Add

  3. In the new screen, configure as below.

    1. Signing Key : default.key

    2. Signing Certificate : default.crt

    3. Signing Key Passphrase : F5twister$

      ../../_images/signing1.png
    4. In User And User Groups, click Add

      Note

      We have to assign Azure AD users/groups to this app so that they are allowed to connect to it.

      1. In the list, click Add for the user user1. If you can’t find it, use the search field.

        class2/module2/../pictures/module2/user.png

      2. Click Close

      3. You can see user1 in the list.

        ../../_images/user11.png
      4. Click Save & Next

Virtual Server Properties

  1. Configure the VS as below

    1. IP address : 10.1.10.103

    2. ClientSSL profile. We will get a TLS warning in the browser, but it does not matter for this lab.

    ../../_images/VS1.png
  2. Click Save & Next

Pool Properties

  1. Select Create New

  2. In Pool Servers, select /Common/10.1.20.9. This is the IIS server.

    ../../_images/pool1.png

Single Sign-On Settings

  1. In Selected Single Sign-on Type, select Kerberos, and select Advanced Settings

    ../../_images/SSO1.png
  2. In Credentials Source, fill as below

    1. Username Source : session.saml.last.identity

    2. Delete the User Realm Source value and keep it empty. The domain is the same in Azure AD and on-prem AD.

  3. In SSO Method Configuration, fill as below

    1. Kerberos Realm : f5access.onmicrosoft.com

    2. Account name : host/apm-deleg.f5access.onmicrosoft.com

    3. Account Password : F5twister$

    4. KDC : 10.1.20.8

    5. UPN Support : Enabled

    6. SPN Pattern : HTTP/%s@f5access.onmicrosoft.com

      ../../_images/SSO2.png
  4. Click Save & Next
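To make the Kerberos SSO fields above concrete, here is an added example (not part of the lab and not F5 code) that models how Username Source, User Realm Source, UPN Support and SPN Pattern combine into the principal APM impersonates and the service ticket it requests on the user's behalf. The mapping rules, including the substitution of %s with the backend host name, are simplified assumptions about APM behaviour; KerberosSsoSettings, client_principal, target_spn and check_settings are hypothetical names introduced for this illustration.

```python
# Added example, not from the lab or from F5: a simplified model of how the
# Kerberos SSO fields configured above are combined. The rules below are
# assumptions about APM behaviour, written to reason about the settings.
from dataclasses import dataclass


@dataclass
class KerberosSsoSettings:           # hypothetical name
    kerberos_realm: str              # "Kerberos Realm" field
    account_name: str                # delegation account (host/apm-deleg...)
    spn_pattern: str                 # "SPN Pattern" field; %s = backend host name (assumed)
    upn_support: bool                # "UPN Support" field
    user_realm: str = ""             # value behind "User Realm Source" ("" = left empty, as in the lab)


def client_principal(identity: str, s: KerberosSsoSettings) -> str:
    """Principal APM impersonates for a SAML identity (session.saml.last.identity).

    Assumed rules: with UPN Support enabled, an identity that already carries
    an '@' suffix is used as-is as the UPN; otherwise the suffix is dropped and
    the realm comes from the User Realm Source variable, or from the Kerberos
    Realm field when that variable is empty. The lab leaves it empty because
    the Azure AD domain and the on-prem AD realm are the same.
    """
    if "@" in identity:
        user, _, suffix = identity.rpartition("@")
        if s.upn_support:
            return f"{user}@{suffix}"
        identity = user
    return f"{identity}@{s.user_realm or s.kerberos_realm}"


def target_spn(backend_host: str, s: KerberosSsoSettings) -> str:
    """Service ticket requested for the user: %s replaced by the backend host (assumed)."""
    if "%s" not in s.spn_pattern:
        raise ValueError("SPN Pattern must contain %s")
    return s.spn_pattern.replace("%s", backend_host)


def check_settings(s: KerberosSsoSettings) -> list[str]:
    """Consistency checks worth running before clicking Deploy."""
    problems = []
    pattern_realm = s.spn_pattern.rpartition("@")[2] if "@" in s.spn_pattern else ""
    if pattern_realm and pattern_realm.lower() != s.kerberos_realm.lower():
        problems.append(
            f"SPN Pattern realm {pattern_realm!r} differs from Kerberos Realm {s.kerberos_realm!r}")
    if s.user_realm and s.user_realm.lower() != s.kerberos_realm.lower():
        problems.append(
            f"User Realm Source {s.user_realm!r} differs from Kerberos Realm; "
            "tickets would be requested in the wrong realm")
    if not s.spn_pattern.startswith("HTTP/"):
        problems.append("SPN Pattern does not use the HTTP/ service class expected by IIS")
    return problems


# The values entered in this section of the lab.
LAB = KerberosSsoSettings(
    kerberos_realm="f5access.onmicrosoft.com",
    account_name="host/apm-deleg.f5access.onmicrosoft.com",
    spn_pattern="HTTP/%s@f5access.onmicrosoft.com",
    upn_support=True,
)

if __name__ == "__main__":
    print("impersonate:", client_principal("user1@f5access.onmicrosoft.com", LAB))
    print("request:    ", target_spn("vanilla.f5access.onmicrosoft.com", LAB))
    print("problems:   ", check_settings(LAB) or "none")
```

Running it with the lab values yields the UPN user1@f5access.onmicrosoft.com as the impersonated principal and HTTP/vanilla.f5access.onmicrosoft.com@f5access.onmicrosoft.com as the requested service ticket, with no warnings; changing the SPN Pattern realm or filling User Realm Source with another domain produces a warning, which is the kind of mismatch that otherwise shows up only as a failed delegation in the APM logs.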

Session Management Properties

  1. Nothing to change, click Save & Next

Deploy your app template

  1. Click Deploy

    ../../_images/deploy1.png

  2. Behind the scenes, the deployment creates an Azure Enterprise Application for Bluesky. You can see it in the Azure portal (you don’t have access to it in this lab). With this Enterprise Application, Azure AD knows where to redirect you once you are authenticated, and the app holds the certificate and key used to sign the SAML assertion.

    ../../_images/azure_portal1.png

Test your deployment

  1. RDP to the Win10 machine with username user and password user

  2. Open Microsoft Edge browser - icon is on the Desktop

  3. Click on the bookmark Vanilla

  4. You will be redirected to the Azure AD login page, but only if your previous session with Bluesky has expired in APM. If you are prompted, log in as user1@f5access.onmicrosoft.com and ask your instructor for the password. Since you already authenticated against Azure AD, you still have a session in Azure AD.

    ../../_images/login1.png

  5. You are redirected to APM with a SAML assertion and can access the Vanilla application.

  6. APM performed Single Sign-On to the Vanilla application (Kerberos Constrained Delegation)

    ../../_images/vanilla1.png

  7. Click the Bluesky bookmark; you can access the Bluesky application as well.

  8. Extra lab: enable Inspect mode in Edge and follow the SAML redirections to understand the workflow.
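For the extra lab, here is an added example (not from the lab and not F5 code) of what to look for once you have captured the redirections in Edge: it decodes a SAMLResponse form field as the browser posts it to APM, extracts the fields APM relies on (the Issuer, the NameID that becomes session.saml.last.identity, the Audience that must equal the SP Entity ID from the Service Provider section, and the validity window) and lists the checks a relying party must enforce. The sample response is constructed for this illustration: the tenant ID in the issuer and the My-Name suffix are placeholders, and the assertion is deliberately left unsigned so that the check reports it. Signature verification itself is not implemented here; APM performs it against the IdP certificate. parse_saml_response, check_assertion and parse_ts are hypothetical helper names.

```python
# Added example, not from the lab or from F5: decode a SAMLResponse as seen in
# the browser's network tab and run the relying-party checks on it.
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample. Tenant ID and "My-Name" are placeholders; the assertion
# carries no ds:Signature on purpose so the check below reports it.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>user1@f5access.onmicrosoft.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T09:55:00Z" NotOnOrAfter="2024-01-01T11:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://vanilla.f5access.onmicrosoft.com/IIS-Bluesky-My-Name</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# The form field posted to APM is the base64 of the XML above.
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _text(el, path):
    node = el.find(path, NS)
    return node.text.strip() if node is not None and node.text else ""


def parse_ts(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_saml_response(b64_field: str) -> dict:
    """Pull the fields a relying party cares about out of a SAMLResponse."""
    root = ET.fromstring(base64.b64decode(b64_field))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain Assertion (encrypted assertions are not handled here)")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    cond = assertion.find("saml:Conditions", NS)
    return {
        "status": status.get("Value", "") if status is not None else "",
        "issuer": _text(assertion, "saml:Issuer"),
        "name_id": _text(assertion, "saml:Subject/saml:NameID"),   # -> session.saml.last.identity
        "audience": _text(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        "not_before": cond.get("NotBefore") if cond is not None else None,
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
        "signed": assertion.find("ds:Signature", NS) is not None,
    }


def check_assertion(summary: dict, expected_audience: str, expected_issuer: str, now: datetime) -> list:
    """Return the relying-party checks that fail (empty list = acceptable)."""
    problems = []
    if summary["status"] != SUCCESS:
        problems.append(f"status is {summary['status']!r}, not Success")
    if summary["issuer"] != expected_issuer:
        problems.append("issuer does not match the configured IdP")
    if summary["audience"] != expected_audience:
        problems.append("audience does not match this SP's Entity ID")
    if not summary["signed"]:
        problems.append("assertion carries no XML signature")
    if summary["not_before"] and now < parse_ts(summary["not_before"]):
        problems.append("assertion not yet valid (NotBefore)")
    if summary["not_on_or_after"] and now >= parse_ts(summary["not_on_or_after"]):
        problems.append("assertion expired (NotOnOrAfter)")
    return problems


if __name__ == "__main__":
    s = parse_saml_response(SAMPLE_SAMLRESPONSE)
    print(s)
    print(check_assertion(s, s["audience"], s["issuer"], parse_ts("2024-01-01T10:30:00Z")))
```

To use it on a real capture, copy the value of the SAMLResponse field from the POST to APM in the Edge network tab and pass it to parse_saml_response; the NameID you see is the value that later drives the Kerberos SSO, and the Audience must match the Entity ID auto-filled in the Service Provider section, otherwise APM rejects the assertion.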