F5 BIG-IP APM 14.1 - SSO Agent - SAML Configuration - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development on Jun 25, 2019. Last modified by RSA Information Design and Development on Jun 25, 2019. Version 2.

This section describes how to integrate RSA SecurID Access with F5 BIG-IP APM using a SAML SSO Agent.

Architecture Diagram

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to F5 BIG-IP APM.

Procedure

1. Sign in to the Cloud Administration Console and do the following:

  a. Click Applications > Application Catalog.
  b. Search for F5 BIG-IP APM and click +Add to add the connector.

2. On the Basic Information page, enter a name for the application in the Name field, and click Next Step.

3. In the Initiate SAML Workflow section, click the IDP-initiated radio button.

4. Scroll down to the SAML Identity Provider (Issuer) section and perform the following steps:

  a. Click Generate Cert Bundle to generate and download a zip file containing a private key and a certificate, then unzip it to extract both files. This private key signs every assertion the connector issues, so anyone who holds it can mint assertions that BIG-IP will accept: keep the extracted files out of shared locations, and delete the private key from the workstation once it has been uploaded in the next step (the certificate is still needed for the F5 import below).
  b. Click the first Choose File and upload the RSA SecurID Access private key.
  c. Click the second Choose File and upload the RSA SecurID Access public certificate.
  d. Note the Identity Provider URL and the Issuer Entity ID that are displayed. These, together with the certificate, are required when configuring F5 BIG-IP APM as the SP; the private key is never uploaded to F5.

5. In the Service Provider section, do the following:

  a. In the Assertion Consumer Service (ACS) URL field, enter https://<VIRTUAL-SERVER>/saml/sp/profile/post/acs, replacing <VIRTUAL-SERVER> with the host name (or IP address) of the Virtual Server as configured in F5. Use the name users actually browse to: the SP compares the Destination and Recipient in the assertion with this URL, and a host name mismatch or a stray trailing slash causes the assertion to be rejected.
  b. In the Audience (Service Provider Entity ID) field, enter https://<VIRTUAL-SERVER>, replacing <VIRTUAL-SERVER> as above. This value must match the Entity ID of the Local SP Service on F5 character for character.

6. In the User Identity section, select Email Address from the Identifier Type drop-down list, select your user identity source, and select mail as the property value. This is the value that becomes the NameID in the assertion's Subject, which is where F5 will be told to look for the user identity. Click Next Step.

7. On the User Access page, select the access policy that the identity router will use to determine which users can access the F5 BIG-IP APM service provider. Click Next Step.

8. On the Portal Display page, configure the portal display and other settings. Click Save and Finish.

9. Click Publish Changes in the top left corner of the page, and wait for the operation to complete.


Configure F5 BIG-IP APM

Perform these steps to configure F5 BIG-IP APM as an SSO Agent SAML SP to RSA Cloud Authentication Service.

Procedure

1. Sign in to the BIG-IP Configuration Utility and click System > Certificate Management > Traffic Certificate Management > SSL Certificate List > Import.


2. Select Certificate from the Import Type drop-down list.


3. Enter the following details:

  a. Certificate Name: Click the New radio button and enter a suitable name for the certificate.
  b. Certificate Source: Click the Upload File radio button, then click Choose File and select the certificate (not the private key) downloaded in Step 4 of the RSA Cloud Authentication Service configuration.

4. Click Import.

5. Click Access > Federation > SAML Service Provider > External IdP Connectors.


6. Click Create.


7. On the Create New SAML IdP Connector pop-up window, under the General Settings tab, do the following:

  a. Name: Enter a suitable name for this IdP Connector.
  b. IdP Entity ID: Enter the Issuer Entity ID noted in Step 4(d) of the RSA Cloud Authentication Service configuration. BIG-IP compares this value with the Issuer of each assertion it receives, so copy it exactly.

8. On the Create New SAML IdP Connector pop-up window, under Single Sign On Service Settings, do the following:

  a. Single Sign On Service URL: Enter the Identity Provider URL noted in Step 4(d) of the RSA Cloud Authentication Service configuration.
  b. Single Sign On Service Binding: Select POST from the drop-down list.

9. On the Create New SAML IdP Connector pop-up window, under Assertion Settings, select Subject from the Identity Location drop-down list. This tells BIG-IP to take the user identity from the NameID in the assertion's Subject, which the RSA connector populates with the user's email address (Step 6 of the RSA Cloud Authentication Service configuration).

10. On the Create New SAML IdP Connector pop-up window, under Security Settings, select the certificate imported in Step 3 above from the IdP's Assertion Validation Certificate drop-down list. This is the certificate BIG-IP uses to verify the signature on assertions from RSA SecurID Access: assertions signed with any other key are rejected, and this setting must be updated whenever a new cert bundle is generated in the RSA console.

11. Click OK.

12. Click Access > Federation > SAML Service Provider > Local SP Services.

13. Click Create.

14. On the Create New SAML SP Service pop-up window, under General Settings, do the following:

  a. Name: Enter a suitable name for the SAML SP service.
  b. Entity ID: Enter https://<VIRTUAL-SERVER>, replacing <VIRTUAL-SERVER> with the host name (or IP address) of your Virtual Server as configured in F5. This must be identical to the Service Provider Entity ID entered in Step 5(b) of the RSA Cloud Authentication Service configuration, because BIG-IP compares it with the Audience in the assertion.

15. Click OK.

16. On the Local SP Services page, select the check box for the Service Provider just created.

17. Click Bind/Unbind IdP Connectors at the bottom of the page.

18. On the Edit SAML IdPs that use this SP pop-up window, click Add New Row.

19. From the SAML IdP Connectors drop-down list, select the connector created in Step 7 above, click Update, and then click OK.
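When the SP rejects an assertion after this setup, the cause is almost always one of the values entered on both sides not matching exactly. The following is an added example, not code from RSA or F5, that decodes a SAMLResponse captured from the browser POST to the ACS URL (for instance with a SAML tracer extension) and compares it with the configuration above: the Issuer against the IdP Entity ID (Step 7b), the Audience against the SP Entity ID (Step 14b), the Destination and Recipient against the ACS URL (Step 5a of the RSA configuration), and the NameID against the Email Address identity in the Subject (Step 6 of the RSA configuration, Step 9 above). The entity IDs, ACS URL and the embedded response are constructed placeholders. It deliberately does not verify the XML signature, which BIG-IP does with the certificate selected in Step 10; it only checks that a signature is present.

```python
"""Compare a captured SAMLResponse with the values configured on both sides.
Added example; not code from RSA or F5. Signature verification is left to
BIG-IP (IdP's Assertion Validation Certificate); only its presence is checked."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Assumed placeholder values, not taken from the guide: the Issuer Entity ID
# shown by the RSA console and the SP Entity ID / ACS URL entered on both sides.
IDP_ENTITY_ID = "https://idp.example.com/saml/idp"
SP_ENTITY_ID = "https://apm.example.com"
ACS_URL = "https://apm.example.com/saml/sp/profile/post/acs"


def parse_saml_time(value):
    """SAML dateTime values are UTC ('Z'), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unparseable SAML timestamp: %r" % value)


def decode_saml_response(post_value):
    """The SAMLResponse form field of the POST binding is base64 of the XML."""
    return base64.b64decode(post_value).decode("utf-8")


def check_response(xml_text, idp_entity_id, sp_entity_id, acs_url, now=None):
    """Return a list of mismatches; [] means the fields BIG-IP compares with
    its IdP connector / SP service configuration are all consistent."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element %s is not samlp:Response" % root.tag]
    if root.get("Destination") != acs_url:
        problems.append("Destination %r != ACS URL %r" % (root.get("Destination"), acs_url))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext saml:Assertion (encrypted assertions not handled)"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append("Issuer %r != IdP Entity ID %r" % (issuer, idp_entity_id))
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a ds:Signature")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip()
    if audience != sp_entity_id:
        problems.append("Audience %r != SP Entity ID %r" % (audience, sp_entity_id))
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")):
        problems.append("Conditions NotOnOrAfter has passed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject (Identity Location = Subject needs one)")
    elif name_id.get("Format") != EMAIL_FORMAT or "@" not in (name_id.text or ""):
        problems.append("NameID is not an emailAddress-format e-mail: %r" % name_id.text)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient %r != ACS URL %r" % (scd.get("Recipient"), acs_url))
        if scd.get("NotOnOrAfter") and now >= parse_saml_time(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData NotOnOrAfter has passed")
    return problems


# Constructed sample response; its values match the placeholders above.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2019-06-25T12:00:00Z" Destination="{acs}">
 <saml:Issuer>{idp}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-06-25T12:00:00Z">
  <saml:Issuer>{idp}</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>MEUC...</ds:SignatureValue></ds:Signature>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2019-06-25T12:05:00Z" Recipient="{acs}"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2019-06-25T11:59:00Z" NotOnOrAfter="2019-06-25T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{sp}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>""".format(idp=IDP_ENTITY_ID, sp=SP_ENTITY_ID, acs=ACS_URL)
SAMPLE_POST_VALUE = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
SAMPLE_NOW = datetime(2019, 6, 25, 12, 1, tzinfo=timezone.utc)   # inside the validity window
SAMPLE_LATE = datetime(2019, 6, 25, 12, 10, tzinfo=timezone.utc)  # after NotOnOrAfter

if __name__ == "__main__":
    xml = decode_saml_response(SAMPLE_POST_VALUE)
    print(check_response(xml, IDP_ENTITY_ID, SP_ENTITY_ID, ACS_URL, now=SAMPLE_NOW))
    # A trailing slash on the SP Entity ID is enough to make the Audience check fail.
    print(check_response(xml, IDP_ENTITY_ID, "https://apm.example.com/", ACS_URL, now=SAMPLE_NOW))
```

To use it against a real capture, paste the SAMLResponse form value into decode_saml_response and pass the values you entered in the RSA console and on BIG-IP. Every comparison is exact, which mirrors how the SP treats these fields: a trailing slash, a different scheme, or an IP address in place of the host name is a mismatch, not a near miss. Full signature verification needs XML canonicalization and a DSig library, and BIG-IP already performs it with the imported certificate, so this script stays in the stdlib and leaves that step to the appliance.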


Next Step: Proceed to Access Profile use case configuration section to apply this integration type to an access profile.

