Okta

How to Configure SAML 2.0 for F5 BIG-IP

Contents

Supported Features

The Okta/F5 BIG IP SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.

Configuration Steps

  1. Log into your F5 server as an administrator.

  2. From the Main tab, navigate to Access Policy BIG-IP as SP:

    f51.png

  3. Click on the External IdP Connectors tab. This is where we will add your Okta org as an external IDP connector:

    f52.png

  4. Select From Metadata from the Create dropdown menu in the upper right:

    f53.png

  5. The New SAML IdP Connector window opens. Do the following:

    • Select File: The file being requested is the F5 application's metadata from your Okta org. Click on the following URL to download and save that metadata:

      Sign into the Okta Admin dashboard to generate this value.

      Click Browse to locate, then upload the metadata you just saved to F5:

    • Identity Provider Name: Enter a name for the new IdP Connector.

    • Click OK.

    f54.png

  6. The Identity Provider you just created should now appear in the list under the External IdP Connectors tab. Select the IdP you added and click Edit:

    f55.png

  7. The Edit SAML IdP Connector window opens. Do the following:

    Note: Because you uploaded the metadata from Okta, some of the fields should be pre-populated.

    • Click General Settings and make sure the IdP Entity ID field is pre-populated.

    • Click Single Sign On Services and make sure the Single Sign On Service URL is pre-populated and the Single Sign On Service Binding is set to POST.

    • Click Security Settings. Under Authentication Request sent by this device to IdP, check the Must be signed option and choose RSA-SHA256 as the Signing Algorithm.

      Under Certificate Settings, select the certificate for your External IdP. One should have been created automatically and should be formatted similar to this: /Common/{IdentityProvider Name}__saml_idp_metadata_cert.crt.

    • Click OK to save your changes.

    f56.png

  8. Select the Local SP Services tab, then click Create:

    f57.png

  9. The Create New SAML SP Service window opens.

  10. In the Create New SAML SP Service window, under General Settings, enter the following:

    • Name: Enter a name for the SAML SP Service you are creating.

    • Entity ID: Enter the following value:

      [your_f5_baseURL}/[appid]

      For example: https://tmf5.acme.com:2443/exk1av0mrdr2l1KvK1d8

      To obtain your app ID value, take the last part of the following value:

      Sign into the Okta Admin dashboard to generate this value.

      For example, if the generated value above is http://www.acme.com/exka13a2400bKQhdt0h7, your app ID is the portion in bold.

    • Under SP Name Settings: For Scheme, select https. For Host, enter your F5 baseURL.

    f58.png

  11. In the Create New SAML SP Service window, under Security Settings, enter the following:

    • Under Authentication and Encryption Settings, check Sign Authentication Request and Want Signed Assertion.

    f59.png

  12. You will be asked to select a Message Signing Private Key and a Message Signing Certificate. To generate these, please follow the steps below:

    1. In the BIG-IP Configuration Utility, navigate to System > File Management > SSL Certificate List:

      f510.png

    2. Click Create.

    3. Enter a appropriate and unique Name, and use the settings shown in the screen shot below:

      f511.png

    4. Enter relevant values for the remaining fields, then click Finish.

    5. Select the SSL Certificate List tab and click on the newly created certificate name. In the resulting page, click Export.

      f512.png

      f513.png

    6. Click Download [name of certificate].crt to save a copy of the certificate locally.

      f514.png

    7. Once you have created a valid cert, you will use it when editing you SP SAML Service. Go back to step 11 and choose the correct cert and key from the dropdown.

      f515.png

  13. Back in the Create New SAML SP Service window, under Advanced Settings, enter the following:

    • For Name-Identifier Policy Format, select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

    • Check Requested Authentication Context, then click Add. Select the following value: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.

    • Click Update and then OK to finish updating your SAML SP Service.

    f516.png

  14. Select the SP Service you just created from the Local SP Services list, then Click Bind/Unbind IdP Connectors.

    f517.png

  15. In the next window, click Create New IdP Connector. Choose the name of the External IdP Connector you created in step 5 from the SAML IdP Connectors dropdown menu.

  16. Under Matching Source, choose [%{session.server.landinguri}].

  17. For Matching Value, enter /{unique_identifier}*. For example: /mySite*.

    Note: The Matching Value will be appended to the baseURL and will be used to access your F5 server using SP-initiated SAML flow. This will be described at a later step.

  18. Click Update, then click Ok.

  19. After you’ve finished setting up your Local SP Service and External IdP Connector, you can now associate your Access Profile with your Local SP service.

  20. Back in the Main menu, navigate to Access Profiles > Access Profiles List:

    f518.png

  21. Look for your Access Profile, select it, then click Edit under the Access Policy column:

    f519.png

  22. A new window containing the Access Policy settings for your Access Profile will open:

    f520.png

  23. Click SAML Auth. Select the Local SP Service you created starting from step 8 from the AAA Server dropdown Menu. Click Save:

    f521.png

  24. You should see a new Apply Access Policy link. Click this link to save your changes:

    f522.png

  25. In Okta, select the General tab for the F5 app, then click Edit.

    • Enter your F5 Base URL into the corresponding field.

    • Check both options in the Application Visibility section. This will hide the app from users.

    • Click Save.

    f5_newa.png

  26. Still in Okta, select the Sign On tab, then click Edit.

    • Scroll down to the ADVANCED SIGN-ON SETTINGS section.

    • Enter your Audience URI (Entity ID from step 10, above) into the corresponding field.

    • Click Save.

    f5_newb.png

  27. Since the current F5 SAML integration only supports SP-initiated flows, we need to create a bookmark app to simulate an IdP-initiated flow (clicking on an app from your Okta homepage to login to F5). This bookmark application will the only app visible to users. We hid the other F5 app (step 25) to stop users clicking on the wrong app.

    Follow the instructions in Simulating an IDP-initiated Flow with the Bookmark App to create and configure a bookmark application.

    As Bookmark URL use your F5 Base URL followed by the matching value you used in step 17. Don’t include the * (asterisk) character.

    Your URL value should follow this format: [your_F5_baseURL]/{matching_value} (without the * character).

    For Example: https://tmf5.acme:2443/mySite.

  28. Done!

Notes

SP-initiated SSO

Open the Bookmark URL (step 27).