Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.
These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
The F5 vLab (virtual lab environment) is an F5-community supported tool. Please DO NOT contact F5 Support for assistance with the vLab.
For help with the setup of the vLab or running a demonstration, you should contact your F5 Channel Account Manager (CAM).
Part 1 – Preparing the BIG-IP Demo Environment
→NOTE: If you use the Configuration Utility to restore the archive file it may damage an updated
license.
On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.
Open the System > Resource Provisioning page and set the following, and then click Submit.
o Leave Local Traffic (LTM) set to Nominal
o Set Access Policy (APM) to Nominal (Limited users)
Create a new pool using the following information, and then click Finished.
Name: lorax_pool
Health Monitor: http
Members: Address 10.1.20.32, Service Port 80
Create a new virtual server using the following information, and then click Finished.
Name: sso_virtual
Destination Address/Mask: 10.1.10.38:443
HTTP Profile: http
SSL Profile (Client): f5demo_client_ssl
Source Address Translation: Auto Map
Default Pool: lorax_pool
WWFE vLab Guides – Using BIG-IP Access Policy Manager (APM) for Single Sign-On; v12.0.B Page | 3
Open the Access Policy > AAA Servers > Active Directory page, and then click Create.
Create a new AAA server using the following information, and then click Finished.
Name: sso_aaa
Domain Name: f5demo.com
Server Connection: Direct
Domain Controller: 10.1.20.251
Admin Name: service_account
Admin Password (and Verify): password
Open the Access Policy > Access Profiles > Access Profiles List page, and then click Create.
Create a new access policy using the following information, and then click Finished.
Name: sso_profile
Profile Type: All
Languages: English (en)
AD Auth item
Add a new item in the following location:
Select the Authentication tab, and then select the AD Auth option and click Add Item.
From the Server list box, select /Common/sso_aaa, and then click Save.
Change the Successful branch ending to Allow.
In the Configuration Utility, open the Virtual Server List page, and then click sso_virtual.
In the Access Policy section, from the Access Profile list box, select sso_profile, and then click Update.
→NOTE: If you are unable to access this host name, complete Exercise 2, Task 8 in the vLab Setup
Guide.
Because single sign-on is not yet enabled, the user must enter their credentials again.
Attempt access using the following credentials:
Username: sales_user
Password: password
This user doesn’t have access to the Admins section; this section is only for Lorax administrators.
Click Cancel, and then close the browser.
Use a new InPrivate or Incognito window to access https://sso.vlab.f5demo.com.
When prompted, log in using the following credentials:
Username: admin_user
Password: password
From the top menus click Admins.
Attempt access using the following credentials:
Username: admin_user
Password: password
Although this user has access to the Admins section, they were still required to re-enter their login
credentials.
Close the Lorax Investments Administrator Portal page.
In the Configuration Utility, open the Access Policy > Manage Sessions page.
Select the checkbox for the last session, and then click Kill Selected Sessions, and then click Delete.
Open the Access Policy > SSO Configurations > HTTP Basic page, and then click Create.
Create an SSO configuration named sso_config using the default options, and then click Finished.
Open the Access Policy > Access Profiles > Access Profiles List page, and then click sso_profile.
Open the SSO / Auth Domains page.
From the SSO Configuration list, select sso_config, and then click Update.
In the Visual Policy Editor, add a new item in the following location:
Select the Assignment tab, then add the SSO Credential Mapping option and click Add Item, and then
click Save.
Click Apply Access Policy, and then close the Visual Policy Editor.
Use a new tab to access https://sso.vlab.f5demo.com.
When prompted, log in using the following credentials:
Username: sales_user
Password: password
From the top menus click Admins.
This user is still prompted because they don’t have access to the Admins section.
Click Cancel, and then close the browser.
Use a new InPrivate or Incognito window to access https://sso.vlab.f5demo.com.
When prompted, log in using the following credentials:
Username: admin_user
Password: password
From the top menus click Admins.
This user is now able to access the protected web page without needing to re-supply their user
credentials.
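Why the two accounts behave differently once SSO is enabled, as an added example that is not part of the F5 guide: a small Python model of SSO Credential Mapping plus HTTP Basic SSO in front of a backend that makes its own decision for the Admins section. The backend user store, the Admins ACL and the function names are constructed for illustration; the session variable names are assumed from APM's standard SSO token variables, which the guide does not list.

```python
import base64

# Constructed stand-ins for the lab: the backend's own user store and the
# accounts it lets into the Admins section (assumed, not taken from Lorax).
BACKEND_USERS = {"sales_user": "password", "admin_user": "password"}
ADMINS_ACL = {"admin_user"}


def sso_credential_mapping(session):
    """Copy the cached logon credentials into the SSO token variables."""
    session["session.sso.token.last.username"] = session["session.logon.last.username"]
    session["session.sso.token.last.password"] = session["session.logon.last.password"]
    return session


def basic_header(session):
    """Build the RFC 7617 header an HTTP Basic SSO step would send, or None."""
    user = session.get("session.sso.token.last.username")
    pw = session.get("session.sso.token.last.password")
    if user is None or pw is None:
        return None  # no mapping ran, so nothing is injected
    token = base64.b64encode(f"{user}:{pw}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def backend_admins(authorization):
    """Hypothetical backend check for the Admins section: 200 or 401."""
    if not authorization or not authorization.startswith("Basic "):
        return 401
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except ValueError:
        return 401
    user, sep, pw = decoded.partition(":")  # password may itself contain ':'
    if not sep or BACKEND_USERS.get(user) != pw:
        return 401
    return 200 if user in ADMINS_ACL else 401


def request_admins(username, password, sso_enabled):
    """Status the browser sees for the Admins page after a successful APM logon."""
    session = {"session.logon.last.username": username,
               "session.logon.last.password": password}
    if sso_enabled:
        session = sso_credential_mapping(session)
    return backend_admins(basic_header(session))
```

The injected header is only base64-encoded, and the pool member in this lab listens on port 80, so the forwarded credentials cross the server-side network in recoverable form.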
Part 2 – Delivering the BIG-IP Demo to a Customer
→NOTE: If you use the Configuration Utility to restore the archive file it may damage an updated
license.
On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.
Open the Virtual Server List page, and then click sso_virtual.
This virtual server is configured for 10.1.10.38 and listens on port 443.
Scroll down to the Access Policy section.
This virtual server is configured with a BIG-IP APM access policy named sso_profile.
Open the Access Policy > AAA Servers > AD page, and then click sso_aaa.
The AAA server provides authentication, authorization, and accounting. We are using an Active
Directory server to authenticate users.
Open the Access Policy > Access Profiles > Access Profiles List page, and then in the sso_profile row,
click Edit.
This is the Visual Policy Editor, which we use to create the access policy. This access policy presents a
logon page to the user, and then sends their credentials to the Active Directory server. If they supply
valid credentials, they are granted access to the virtual server; if not, they are denied access.
Open the Access Policy > SSO Configurations > HTTP Basic page, and then click Create.
Create an SSO configuration named sso_config using the default options, and then click Finished.
Open the Access Policy > Access Profiles > Access Profiles List page, and then click sso_profile.
Open the SSO / Auth Domains page.
From the SSO Configuration list, select sso_config, and then click Update.
In the Visual Policy Editor, add a new item in the following location:
Select the Assignment tab, then add the SSO Credential Mapping option and click Add Item, and then
click Save.
Click Apply Access Policy, and then close the Visual Policy Editor.
Use a new tab to access https://sso.vlab.f5demo.com.
When prompted, log in using the following credentials:
Username: sales_user
Password: password
From the top menus click Admins.
This user is still prompted because they don’t have access to the Admins section.
Click Cancel, and then close the browser.
Use a new InPrivate or Incognito window to access https://sso.vlab.f5demo.com.
When prompted, log in using the following credentials:
Username: admin_user
Password: password
From the top menus click Admins.
This user is now able to access the protected web page without needing to re-supply their user
credentials.
That concludes this demonstration on how to use single sign-on with APM.