
F5 Customer Demo

Using BIG-IP Access Policy Manager (APM) for Single Sign-On
Document version 12.0.B
Written for: TMOS® Architecture v12.0.0
Virtual images:
BIGIP_A_v12.0
Windows_Server_2008
Windows_7_External

NOTE: The F5 vLab (virtual lab environment) is an F5-community supported tool. Please DO NOT contact F5 Support for assistance with the vLab. For help with the setup of the vLab or running a demonstration, you should contact your F5 Channel Account Manager (CAM).

F5 Worldwide Field Enablement Last Updated: 2/5/2016


Learn More, Sell More, Sell Faster
©2016 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.

These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.

Part 1 – Preparing the BIG-IP Demo Environment


• Required virtual images: BIGIP_A_v12.0, Windows_Server_2008, Windows_7_External
• Estimated completion time: 40 minutes

Task 1 – Configure a Web Application


Provision APM on the BIG-IP system, and then create a new pool and virtual server that will be used with the
access policy.

• In VMware, start up the BIGIP_A_v12.0, LAMP_3.6.5, and Windows_7_External images.
• On the Windows_7_External desktop, use PuTTY to access and log in to 10.1.1.245.
• At the CLI type:
    tmsh
    load sys ucs clean_install_BIGIP_A_v12.0.ucs no-license
    y

→ NOTE: If you use the Configuration Utility to restore the archive file, it may damage an updated license.

If you do not have the BIGIP_A_v12.0 image or the clean_install_BIGIP_A_v12.0.ucs archive file, complete the F5 vLab Setup.

• On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.
• Open the System > Resource Provisioning page and set the following, and then click Submit.
    o Leave Local Traffic (LTM) set to Nominal
    o Set Access Policy (APM) to Nominal (Limited users)
• Create a new pool using the following information, and then click Finished.
    Name: lorax_pool
    Health Monitor: http
    Members: Address 10.1.20.32, Service Port 80

• Create a new virtual server using the following information, and then click Finished.
    Name: sso_virtual
    Destination Address/Mask: 10.1.10.38:443
    HTTP Profile: http
    SSL Profile (Client): f5demo_client_ssl
    Source Address Translation: Auto Map
    Default Pool: lorax_pool

WWFE vLab Guides – Using BIG-IP Access Policy Manager (APM) for Single Sign-On; v12.0.B Page | 3

Task 2 – Create a AAA Server


Create an Active Directory AAA server to use with the new access policy.

• Open the Access Policy > AAA Servers > Active Directory page, and then click Create.
• Create a new AAA server using the following information, and then click Finished.
    Name: sso_aaa
    Domain Name: f5demo.com
    Server Connection: Direct
    Domain Controller: 10.1.20.251
    Admin Name: service_account
    Admin Password (and Verify): password

Task 3 – Create and Configure an Access Profile and an Access Policy


Create and configure the new access profile and access policy.

• Open the Access Policy > Access Profiles > Access Profiles List page, and then click Create.
• Create a new access policy using the following information, and then click Finished.
    Name: sso_profile
    Profile Type: All
    Languages: English (en)

• In the sso_profile row, click Edit.

Logon Page item


• Click the + icon between Start and Deny.
• From the Logon tab, select the Logon Page option, then click Add Item, and then click Save.

AD Auth item

• Add a new item in the following location:

• Select the Authentication tab, and then select the AD Auth option and click Add Item.
• From the Server list box, select /Common/sso_aaa, and then click Save.

• Change the Successful branch ending to Allow.
• Click Apply Access Policy.
• In the Configuration Utility, open the Virtual Server List page, and then click sso_virtual.
• In the Access Policy section, from the Access Profile list box, select sso_profile, and then click Update.
• Create an archive file named demo_apm_sso_v12.0.

Task 4 – Test Access without Single Sign-On Enabled


Access the virtual server and note the results without a single sign-on policy.

• Use a new tab to access https://sso.vlab.f5demo.com.

→ NOTE: If you are unable to access this host name, complete Exercise 2, Task 8 in the vLab Setup Guide.

• When prompted, log in using the following credentials:
    Username: sales_user
    Password: password

→ NOTE: Do not select to remember your password.

This is the internal Lorax Investments Intranet site.

• From the top menus click Admins.

Because single sign-on is not yet enabled, the user must enter their credentials again.

• Attempt access using the following credentials:
    Username: sales_user
    Password: password
This user doesn’t have access to the Admins section; this section is only for Lorax administrators.
• Click Cancel, and then close the browser.
• Use a new InPrivate or Incognito window to access https://sso.vlab.f5demo.com.
• When prompted, log in using the following credentials:
    Username: admin_user
    Password: password
• From the top menus click Admins.
• Attempt access using the following credentials:
    Username: admin_user
    Password: password
Although this user has access to the Admins section, they were still required to re-enter their login credentials.
• Close the Lorax Investments Administrator Portal page.
• In the Configuration Utility, open the Access Policy > Manage Sessions page.
• Select the checkbox for the last session, and then click Kill Selected Sessions, and then click Delete.

Task 5 – Create and Apply a Single Sign-On Configuration


Create a single sign-on configuration and add the configuration to sso_profile.

• Open the Access Policy > SSO Configurations > HTTP Basic page, and then click Create.
• Create an SSO configuration named sso_config using the default options, and then click Finished.
• Open the Access Policy > Access Profiles > Access Profiles List page, and then click sso_profile.
• Open the SSO / Auth Domains page.
• From the SSO Configuration list, select sso_config, and then click Update.

Task 6 – Add Single Sign-On to the Access Policy


Update sso_profile by adding the single sign-on credential mapping item, and then test single sign-on in the web
application.

• In the Visual Policy Editor, add a new item in the following location:

• Select the Assignment tab, then add the SSO Credential Mapping option and click Add Item, and then click Save.

• Click Apply Access Policy, and then close the Visual Policy Editor.
• Use a new tab to access https://sso.vlab.f5demo.com.
• When prompted, log in using the following credentials:
    Username: sales_user
    Password: password
• From the top menus click Admins.
This user is still prompted because they don’t have access to the Admins section.
• Click Cancel, and then close the browser.
• Use a new InPrivate or Incognito window to access https://sso.vlab.f5demo.com.
• When prompted, log in using the following credentials:
    Username: admin_user
    Password: password
• From the top menus click Admins.
This user is now able to access the protected web page without needing to re-supply their user credentials.
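
What HTTP Basic SSO places on the server-side connection, as an added example that is not part of the original guide: APM replays the cached logon credentials to the pool member in an Authorization: Basic header, which is base64-encoded rather than encrypted. In this lab the pool member listens on port 80 and sso_virtual carries only a client SSL profile, so the check below reports the header as cleartext; the sample request, its /admins/ path and the function names are assumptions made for illustration.

```python
import base64

# Constructed sample: a request as it could appear on the server-side leg
# (BIG-IP to pool member 10.1.20.32:80) once HTTP Basic SSO is applied.
# The /admins/ path is an assumption, not taken from the guide.
SAMPLE_REQUEST = (
    b"GET /admins/ HTTP/1.1\r\n"
    b"Host: sso.vlab.f5demo.com\r\n"
    b"Authorization: Basic " + base64.b64encode(b"admin_user:password") + b"\r\n"
    b"\r\n"
)


def basic_credentials(raw_request: bytes):
    """Return (username, password) from an Authorization: Basic header, else None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None                             # another scheme, e.g. Negotiate
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except ValueError:
            return None                             # malformed base64 token
        user, sep, password = decoded.partition(b":")  # password may contain ':'
        if not sep:
            return None
        return user.decode("utf-8", "replace"), password.decode("utf-8", "replace")
    return None


def audit_server_side(raw_request: bytes, server_side_tls: bool) -> str:
    """Classify the credential exposure of one server-side request."""
    if basic_credentials(raw_request) is None:
        return "no-basic-credentials"
    if server_side_tls:
        return "basic-credentials-over-tls"
    return "basic-credentials-in-cleartext"


if __name__ == "__main__":
    # The lab's pool member is plain HTTP, so server_side_tls is False.
    print(audit_server_side(SAMPLE_REQUEST, server_side_tls=False))
```
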

Part 2 – Delivering the BIG-IP Demo to a Customer


• Required virtual images: BIGIP_A_v12.0, Windows_Server_2008, Windows_7_External
• Required archive file: demo_apm_sso_v12.0.ucs
• Estimated completion time: 30 minutes

Task 1 – Prepare for the Demo


Restore the archive file you created in Part 1.

• In VMware, start up the BIGIP_A_v12.0, LAMP_3.6.5, and Windows_7_External images.
• On the Windows_7_External desktop, use PuTTY to access and log in to 10.1.1.245.
• At the CLI type:
    tmsh
    load sys ucs demo_apm_sso_v12.0.ucs no-license
    y

→ NOTE: If you use the Configuration Utility to restore the archive file, it may damage an updated license.

• On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.

Task 2 – Review Objects Used in the Demo


Show the deployed web application that will be used during the demonstration.

• Open the Virtual Server List page, and then click sso_virtual.
This virtual server is configured for 10.1.10.38 and listens on port 443.
• Scroll down to the Access Policy section.
This virtual server is configured with a BIG-IP APM access policy named sso_profile.
• Open the Access Policy > AAA Servers > AD page, and then click sso_aaa.
The AAA server provides authentication, authorization, and accounting. We are using an Active Directory server to authenticate users.
• Open the Access Policy > Access Profiles > Access Profiles List page, and then in the sso_profile row, click Edit.
This is the Visual Policy Editor, which we use to create the access policy. This access policy presents a logon page to the user, and then sends their credentials to the Active Directory server. If they supply valid credentials they are granted access to the virtual server; if not, they are denied access.


Task 3 – Test Access without Single Sign-On Enabled


Access the virtual server and note the results without a single sign-on policy.

• Use a new tab to access https://sso.vlab.f5demo.com.
• When prompted, log in using the following credentials:
    Username: sales_user
    Password: password
This is the internal Lorax Investments Intranet site.
• From the top menus click Admins.
Because single sign-on is not yet enabled, the user must enter their credentials again.
• Attempt access using the following credentials:
    Username: sales_user
    Password: password
This user doesn’t have access to the Admins section; this section is only for Lorax administrators.
• Click Cancel, and then close the browser.
• Use a new InPrivate or Incognito window to access https://sso.vlab.f5demo.com.
• When prompted, log in using the following credentials:
    Username: admin_user
    Password: password
• From the top menus click Admins.
• Attempt access using the following credentials:
    Username: admin_user
    Password: password
Although this user has access to the Admins section, they were still required to re-enter their login credentials.
• Close the Lorax Investments Administrator Portal page.
• In the Configuration Utility, open the Access Policy > Manage Sessions page.
• Select the checkbox for the last session, and then click Kill Selected Sessions, and then click Delete.

Task 4 – Create and Apply a Single Sign-On Configuration


Create a single sign-on configuration and add the configuration to sso_profile.

• Open the Access Policy > SSO Configurations > HTTP Basic page, and then click Create.
• Create an SSO configuration named sso_config using the default options, and then click Finished.
• Open the Access Policy > Access Profiles > Access Profiles List page, and then click sso_profile.
• Open the SSO / Auth Domains page.
• From the SSO Configuration list, select sso_config, and then click Update.


Task 5 – Add Single Sign-On to the Access Policy


Update sso_profile by adding the single sign-on credential mapping item, and then test single sign-on in the web
application.

• In the Visual Policy Editor, add a new item in the following location:

• Select the Assignment tab, then add the SSO Credential Mapping option and click Add Item, and then click Save.
• Click Apply Access Policy, and then close the Visual Policy Editor.
• Use a new tab to access https://sso.vlab.f5demo.com.
• When prompted, log in using the following credentials:
    Username: sales_user
    Password: password
• From the top menus click Admins.
This user is still prompted because they don’t have access to the Admins section.
• Click Cancel, and then close the browser.
• Use a new InPrivate or Incognito window to access https://sso.vlab.f5demo.com.
• When prompted, log in using the following credentials:
    Username: admin_user
    Password: password
• From the top menus click Admins.
This user is now able to access the protected web page without needing to re-supply their user credentials.

That concludes this demonstration on how to use single sign-on with APM.
