https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka02a000000xaoesak&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2fokta-integration-guide-for-single-sign-on-with-f5-big-ip-apm-as-saml-idp
Okta Integration Guide for Single Sign-On with F5 BIG-IP APM as SAML IdP
Published: Apr 12, 2017   -   Updated: Jun 22, 2018

Overview

Where a customer has high security demands and a low risk tolerance, there may be a need to keep every aspect of user authentication on-premises. This document describes how to configure Okta and F5 Big-IP to meet this requirement while retaining the flexibility and power of the Okta cloud.


*This document does not cover the setup steps required to configure downstream applications like Salesforce, Office 365 or Box but will make references to them as examples.

In this topology, F5 Big-IP, specifically APM, is the SAML Identity Provider (IdP). Okta is a SAML Service Provider to F5 Big-IP but plays the role of SAML IdP to the cloud apps.

This topology provides the following key features:

  1. F5 Big-IP handles authentication of users behind the firewall. More importantly, user credentials stay on-premises at all times. In the diagram above, credentials are stored in Directory Services, which can be any corporate Active Directory or LDAP.

  2. A simple integration bridges Okta as a SAML Service Provider with F5 Big-IP.

  3. Okta provides pre-integrated solutions to over 5000 applications through the Okta Application Network for Single Sign-On.

  4. Optionally, Okta also provides provisioning support for selected SaaS applications which can be enabled by integrating Okta with the on-premises Directory Services for user profile synchronization (credentials are NOT synchronized). Okta can also integrate with various SaaS and on-premises HR systems for user profile synchronization where appropriate.

  5. With this setup, user experience can be easily configured to achieve an F5 Big-IP centric or an Okta centric UI flow depending on your needs.
     


Configuration

Before Starting

This document assumes that a customer has:

  • An F5 BIG-IP with APM

  • An Okta Org with SSO

  • One or more applications (Service Providers) capable of SAML authentication

  • An available IP/Port for the F5 (e.g. TCP/443 for HTTPS)

  • A DNS entry pointing to an IP address hosted on or NAT’d to the F5

  • A corresponding SSL Certificate if HTTPS is going to be used

Set up F5 BIG-IP APM as an IdP

Create Self-signed Certificate for Signing SAML Assertions

  1. In the BIG-IP Configuration Utility, navigate to System > File Management : SSL Certificate List

  2. Click Create…

    1. Provide a Name that is appropriate and unique

    2. Issuer:  Self

    3. Key Type: RSA

    4. Key Size: 2048

    5. Provide relevant and suitable values for remaining fields


  3. Click Finished:


  4. On the SSL Certificate List page, click on the newly created certificate name.

  5. On the resulting page click Export…


  6. On the resulting page click Download [name of certificate].crt.


  7. This section is complete when you have saved the certificate file locally.

  8. Make note of this file location as we will use it when configuring SAML Protocol Settings during this step: Add an Identity Provider in the Okta Org.

Configure SAML Local IdP Services

  1. In the BIG-IP Configuration Utility, navigate to Access Policy > SAML : BIG-IP as IdP.

  2. Click Create in the Local IdP Services section.

    1. General Settings

      The IdP entity ID should be created in a way that it is globally unique. Generally, this is accomplished by configuring the Entity ID as if it were a URI. This is good practice but should not be confused as a valid / accessible web resource.

      The Scheme and Host values are used to populate the endpoint values in the metadata. For those endpoints to be valid, these values MUST align with the scheme and hostname that will be associated with the Virtual Server (including the port, if it is not the default port for the scheme: 80 for http and 443 for https). They can be updated after initial creation.


      • IdP Service Name:

        A descriptive and unique name for the IdP service on the F5.

      • IdP Entity ID:

        • A globally unique identifier for the F5 as it will be processed by downstream service providers.
        • Suggested: [scheme]://[hostname:port]/[IdP Service Name]
          • https://tmf5.oktaprise.com:8443/F5_Big-IP_APM_as_IdP
          • https://host.domain.tld/IdP_Service_Name
      • Scheme: Select a value appropriate for your configuration.

      • Host: Provide a hostname for your configuration.

      • Description: Optional descriptive value.

      • Log Level: Enter the desired log level.

    2. SAML Profiles:


      • Web Browser SSO: Checked.

      • Enhanced Client or Proxy Profile (ECP): Unchecked

    3. Endpoint Settings:


      • Artifact Resolution Service: Leave blank.

    4. Assertion Settings:

      The Assertion Subject Value MUST align with an Okta account username or email.

      Custom attribute matching is currently an Early Access feature.

      Okta supports transformation of the Subject value using the Okta Expression Language (OEL, http://developer.okta.com/docs/getting_started/okta_expression_lang.html); this guide uses it to append a domain name to a bare (unqualified) username.


      • Assertion Subject Type: Unspecified

      • Assertion Subject Value (relates to configuring Authentication Settings, part of Add an Identity Provider in the Okta Org step): 

        • Local Auth

          %{session.logon.last.username}

        • AD Auth

          %{session.ad.last.attr.userPrincipalName}

          %{session.ad.last.attr.sAMAccountName}

      • Authentication Context Class Reference:

        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

      • Assertion Validity: 600

      • No encryption of Subject

    5. SAML Attributes

      In this configuration, there is no need for additional attributes in the assertion. If there was a need to perform user provisioning using Just in Time (JIT) provisioning from SAML assertions in the subordinate Okta org, you would need to add the required attributes from the authoritative source here.


    6. Security Settings


      • Select the Key and Certificate created in the previous section.

    7. Click Ok.

    8. This section is complete when the newly created Local IdP Service is listed.


Set up Okta Org to Accept F5 BIG-IP APM as an IdP

Add an Identity Provider in the Okta Org

    1. From the Okta Admin Console, navigate to Security > Identity Providers.

    2. Select Add Identity Provider.


    3. General Settings:

      • Name: A unique and descriptive name for this Identity Provider.

    4. Authentication Settings


      • IdP Username:

        Set this according to the value delivered in the SAML Assertion (see Assertion Settings, part of the Configure SAML Local IdP Services step).

        • In this example, we are appending a static value to the name provided turning username into username@oktaprise.com.

        • This example: idpuser.subjectNameId + "@oktaprise.com"

      • Filter:

        • If required provide a filter, not required for this example.

        • Unchecked.

      • Match against:

        Adjust to match your environment based on the value being delivered in the SAML assertion. The objective is to accurately and unambiguously identify the user in the Okta org based on the value delivered in the Assertion.

        • Configurable to match against Okta Username, Email or both.

        • Feature to match on a custom attribute is in Early Access at the time of this writing.

        • This example: Okta Username.

      • If no match is found:

        • Just in Time (JIT) provisioning is possible here.

        • This example: Redirect to Okta sign-in page.

        • If JIT is selected, additional options are presented that are not discussed here.

    5. SAML Protocol Settings:

      [Screenshots: F5 (Identity Provider) configuration alongside the Okta (Service Provider) configuration]

      1. IdP Issuer URI:

        • Issuer from F5 configuration

        • This example: https://tmf5.oktaprise.com:8443/F5_Big-IP_APM_as_IdP

      2. IdP Single Sign-On URL:

        • [scheme]://[hostname:port]/saml/idp/profile/redirectorpost/sso

        • This example: https://tmf5.oktaprise.com:8443/saml/idp/profile/redirectorpost/sso

      3. IdP Signature Certificate: Upload the certificate file saved locally in the Create Self-signed Certificate for Signing SAML Assertions step.

    6. Advanced SAML Protocol Settings (Click Show Advanced Settings).


      1. Request Binding: HTTP POST.

      2. Request Signature: Checked.

      3. Request Signature Algorithm: SHA-256.

      4. Response Signature Verification: Response or Assertion.

      5. Response Signature Algorithm: SHA-256.

      6. Destination:

        • [scheme]://[hostname:port]/saml/idp/profile/redirectorpost/sso

        • This example: https://tmf5.oktaprise.com:8443/saml/idp/profile/redirectorpost/sso

    7. Okta Assertion Consumer Service URL: Trust-specific.

    8. Max Clock Skew: 2 minutes.

    9. Click Add Identity Provider.

    10. Click on Download metadata.

    11. This section is complete when you have saved the metadata.xml file locally.

    12. Make note of the file location as we will use the Okta metadata.xml file in a subsequent step.
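The Okta-side settings above (IdP Issuer URI, Okta Assertion Consumer Service URL, Response Signature Verification, Max Clock Skew, the IdP Username expression and the Match against rule) together with the F5 Assertion Settings from Configure SAML Local IdP Services (Subject value, Authentication Context Class Reference, Assertion Validity 600) describe what the service provider checks before it accepts a user. The following Python example, added to this article and not Okta's or F5's code, applies those checks to a constructed sample response. The Issuer and ACS URL are the guide's example values; the Audience URI, the NameID jdoe and the ds:Signature stand-in are assumptions. It deliberately does not perform XML signature verification, which a real SP must do with a proper library before trusting any of these values.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

@dataclass(frozen=True)
class SpTrust:  # trust values the SP (Okta, in the guide) holds for the F5 IdP
    idp_issuer: str        # IdP Issuer URI
    audience: str          # Okta's SP Entity ID, i.e. the Audience URI
    acs_url: str           # Okta Assertion Consumer Service URL
    username_suffix: str   # static value the OEL expression appends to the NameID
    authn_context: str = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    max_clock_skew: timedelta = timedelta(minutes=2)   # guide: Max Clock Skew 2 minutes

# Issuer and ACS URL are the guide's example values; the Audience URI is an assumed placeholder.
EXAMPLE_TRUST = SpTrust(
    idp_issuer="https://tmf5.oktaprise.com:8443/F5_Big-IP_APM_as_IdP",
    audience="https://www.okta.com/saml2/service-provider/placeholder-audience",
    acs_url="https://mattegantest.oktapreview.com/sso/saml2/0oa9jbf10zd6RCQeT0h7",
    username_suffix="@oktaprise.com",
)

# Constructed sample response (NotOnOrAfter = NotBefore + 600 s, the guide's Assertion Validity).
# The ds:Signature element is a stand-in so the structural check passes; it is not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2018-06-22T10:00:00Z"
 Destination="https://mattegantest.oktapreview.com/sso/saml2/0oa9jbf10zd6RCQeT0h7">
 <saml:Issuer>https://tmf5.oktaprise.com:8443/F5_Big-IP_APM_as_IdP</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-06-22T10:00:00Z">
  <saml:Issuer>https://tmf5.oktaprise.com:8443/F5_Big-IP_APM_as_IdP</saml:Issuer>
  <ds:Signature><ds:SignatureValue>stand-in</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2018-06-22T10:00:00Z" NotOnOrAfter="2018-06-22T10:10:00Z">
   <saml:AudienceRestriction><saml:Audience>https://www.okta.com/saml2/service-provider/placeholder-audience</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2018-06-22T10:00:00Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
 </saml:Assertion>
</samlp:Response>"""

def parse_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _require(ok, reason):
    if not ok:
        raise ValueError(reason)

def _text(node, path):
    el = node.find(path, NS)
    return (el.text or "").strip() if el is not None else None

def idp_username(subject_name_id, trust):
    """Same result as the guide's OEL expression idpuser.subjectNameId + "@oktaprise.com"."""
    return subject_name_id + trust.username_suffix

def validate_response(xml_text, trust, now, okta_usernames):
    """SP-side checks; returns the matched Okta username or None when no user matches, and raises
    ValueError naming the first failed check. XML-DSig verification is NOT done here: a real SP
    must verify the signature with a proper library before trusting any of these values."""
    root = ET.fromstring(xml_text)
    _require(root.tag == f"{{{NS['samlp']}}}Response", "not a samlp:Response")
    _require(root.get("Destination") == trust.acs_url, "Destination differs from the Okta ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    _require(code is not None and code.get("Value") == SUCCESS, "StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    _require(assertion is not None, "no Assertion in Response")
    for node in (root, assertion):  # both Issuer elements must name the F5 IdP
        _require(_text(node, "saml:Issuer") == trust.idp_issuer, "Issuer differs from the IdP Issuer URI")
    # "Response Signature Verification: Response or Assertion": at least one must carry a signature.
    _require(root.find("ds:Signature", NS) is not None or assertion.find("ds:Signature", NS) is not None,
             "neither Response nor Assertion carries a ds:Signature")
    cond = assertion.find("saml:Conditions", NS)
    _require(cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"),
             "Assertion lacks a validity window")
    not_before, not_on_or_after = parse_utc(cond.get("NotBefore")), parse_utc(cond.get("NotOnOrAfter"))
    # Max Clock Skew widens both edges of the window by 2 minutes.
    _require(not_before - trust.max_clock_skew <= now < not_on_or_after + trust.max_clock_skew,
             "Assertion is outside its validity window")
    _require(_text(cond, "saml:AudienceRestriction/saml:Audience") == trust.audience,
             "Audience differs from the SP Entity ID")
    _require(_text(assertion, "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef")
             == trust.authn_context, "unexpected AuthnContextClassRef")
    name_id = _text(assertion, "saml:Subject/saml:NameID")
    _require(bool(name_id), "missing Subject NameID")
    username = idp_username(name_id, trust)
    # "Match against: Okta Username"; None models "no match found -> redirect to Okta sign-in page".
    return username if username in okta_usernames else None

def evaluate(xml_text, trust, now_iso, okta_usernames):
    """Non-raising wrapper: ('ok', username), ('no_match', None) or ('reject', reason)."""
    try:
        user = validate_response(xml_text, trust, parse_utc(now_iso), okta_usernames)
    except ValueError as exc:
        return ("reject", str(exc))
    return ("ok", user) if user else ("no_match", None)
```

Calling evaluate(SAMPLE_RESPONSE, EXAMPLE_TRUST, "2018-06-22T10:11:30Z", {"jdoe@oktaprise.com"}) still returns ("ok", "jdoe@oktaprise.com") because the 2-minute skew extends the 10:10 NotOnOrAfter edge, while "2018-06-22T10:13:00Z" is rejected; a NameID that maps to no Okta username yields ("no_match", None), which is the case the guide resolves by redirecting to the Okta sign-in page.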

Set up F5 BIG-IP APM with SAML Service Provider (SP) Connectors

Configure SAML External SP Connectors

  1. In the BIG-IP Configuration Utility, navigate to Access Policy > SAML : BIG-IP as IdP.

  2. Click External SP Connectors on the top navigation bar.


  3. Click the down arrow on the Create button to expand the selections, then select From Metadata.


  4. Create New SAML Service Provider:


    • Select File:

      Browse to and select the file downloaded during the Add an Identity Provider in the Okta Org step.

    • Service Provider Name:

      Provide a Name that is appropriate and unique.

    • Select Signing Certificate:

      The Metadata provided by Okta isn’t signed so this value is left blank.

    • Click OK.

  5. Select the newly created External SP Connector, then click Edit.


    1. General Settings:


      • SP Entity ID:

        • Populated from the Metadata

        • Will align with the Value of the Audience URI in the Okta Identity Provider configuration.

      • Description: Optionally provide a description.

    2. Endpoint Settings:


      1. Relay State: Leave blank.

      2. Assertion Consumer Service(s).

      3. Click Add…:

        • Index: 0

        • Default: Checked

        • Location URL:

          https://mattegantest.oktapreview.com/sso/saml2/0oa9jbf10zd6RCQeT0h7

          Retrieve this URL from the Okta metadata.xml; it is the same value shown as Assertion Consumer Service URL on the Identity Provider configuration page in Okta.

        • Binding: POST

      4. Click Update.

    3. Security Settings:


      1. Require Signed Authentication Request: Checked.

        The Signing Certificate should be populated from the metadata import and should be Okta's certificate.

      2. Response must be signed: Checked

      3. Assertion must be signed: Checked

      4. Signing Algorithm: RSA-SHA256

      5. Assertion must be encrypted: Unchecked

    4. SLO Service Settings:


      • Leave all blank.

  6. Click OK.
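The Scheme and Host values on the F5 side (Configure SAML Local IdP Services) and the metadata import in this section are the two halves of one trust: F5 publishes endpoints derived from scheme, host and port, and takes the SP Entity ID, Assertion Consumer Service URL, binding and signing certificate from Okta's metadata. The Python example below is added here and is not part of the article or of either product. idp_endpoints() builds the IdP Single Sign-On URL and the suggested Entity ID in the form the guide shows, writing the port only when it is not the scheme's default; sp_connector_from_metadata() extracts the External SP Connector values from a constructed metadata document shaped like Okta's download (the entityID and the certificate body are placeholders, the ACS URL is the guide's example value); security_findings() reports where such metadata would not support the Security Settings and Endpoint Settings selected above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
DEFAULT_PORTS = {"http": 80, "https": 443}


def idp_endpoints(scheme, host, port=None, service_name=None):
    """F5 side: values derived from the Local IdP Service's Scheme and Host plus the Virtual
    Server port. The port is written only when it is not the scheme's default, which is what
    the guide requires for the endpoints in the metadata to be valid."""
    if scheme not in DEFAULT_PORTS:
        raise ValueError("scheme must be http or https")
    authority = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    base = f"{scheme}://{authority}"
    return {
        "sso_url": f"{base}/saml/idp/profile/redirectorpost/sso",  # IdP Single Sign-On URL / Destination
        "suggested_entity_id": f"{base}/{service_name}" if service_name else None,
    }


# Constructed SP metadata in the shape Okta's "Download metadata" produces. The entityID and the
# certificate body are placeholders; the ACS Location is the guide's example value.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 entityID="https://www.okta.com/saml2/service-provider/placeholder-audience">
 <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...PLACEHOLDER-BASE64...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://mattegantest.oktapreview.com/sso/saml2/0oa9jbf10zd6RCQeT0h7" index="0" isDefault="true"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_connector_from_metadata(xml_text):
    """Okta side: the External SP Connector values F5 takes from the imported metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD['md']}}}EntityDescriptor":
        raise ValueError("not an md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", MD)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = []
    for svc in sp.findall("md:AssertionConsumerService", MD):
        location = svc.get("Location", "")
        if urlsplit(location).scheme != "https":   # assertions must not travel over plain HTTP
            raise ValueError(f"ACS Location is not https: {location}")
        binding = svc.get("Binding")
        acs.append({"index": int(svc.get("index", "0")), "default": svc.get("isDefault") == "true",
                    "location": location, "binding": "POST" if binding == POST_BINDING else binding})
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    certs = [c.text.strip() for c in sp.findall(cert_path, MD) if c.text and c.text.strip()]
    return {
        "sp_entity_id": root.get("entityID"),                          # aligns with the Audience URI in Okta
        "metadata_signed": root.find("ds:Signature", MD) is not None,  # Okta's is unsigned: Signing Certificate left blank on import
        "require_signed_authn_request": sp.get("AuthnRequestsSigned") == "true",
        "assertion_must_be_signed": sp.get("WantAssertionsSigned") == "true",
        "signing_certificate": certs[0] if certs else None,             # must be Okta's certificate
        "acs": acs,
    }


def security_findings(conn):
    """Compare a parsed connector with the guide's Security/Endpoint Settings; [] means they hold."""
    problems = []
    if not conn["require_signed_authn_request"]:
        problems.append("AuthnRequestsSigned is false; the guide requires signed authentication requests")
    if conn["signing_certificate"] is None:
        problems.append("no signing certificate in metadata; signed requests could not be verified")
    if not conn["assertion_must_be_signed"]:
        problems.append("WantAssertionsSigned is false; the guide checks Assertion must be signed")
    defaults = [a for a in conn["acs"] if a["default"]]
    if len(defaults) != 1 or defaults[0]["binding"] != "POST":
        problems.append("expected exactly one default Assertion Consumer Service with POST binding")
    return problems
```

For the guide's values, idp_endpoints("https", "tmf5.oktaprise.com", 8443, "F5_Big-IP_APM_as_IdP") yields the SSO URL and Entity ID shown earlier, while port 443 would be dropped from both; sp_connector_from_metadata(SAMPLE_SP_METADATA) returns index 0, default, POST and the guide's ACS URL, and security_findings() is empty for it.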

Bind SP Connector to IdP Service

  1. In the BIG-IP Configuration Utility, navigate to Access Policy > SAML : BIG-IP as IdP.

  2. Check the box next to the IdP Service configured in Configure SAML Local IdP Services.

  3. Click Bind/Unbind SP Connectors.


  4. Select the SP Connection Name we configured in Configure SAML External SP Connectors

  5. Click OK.

Set up F5 BIG-IP APM with SAML SSO Portal

Create Full Webtop

  1. In the BIG-IP Configuration Utility, navigate to Access Policy > Webtops : Webtop List

  2. Click Create:

  3. Provide an appropriate and distinct name.

  4. Select a Type of Full.

  5. Select Finished.

Create a SAML Resource to Publish IdP Entry on Webtop

  1. In the BIG-IP Configuration Utility, navigate to Access Policy > Webtops : Webtop List.
  2. Click Create.


    • Name: Appropriate and unique name.

    • Description: appropriate description.

    • Publish on Webtop: Checked.

    • SSO Configuration: Select the name of the IdP configured in Configure SAML Local IdP Services.

    • Detailed Description: Optional English Language Description.

    • Image: Optional custom image

Create an Access Profile for SAML SSO Portal

  1. In the BIG-IP Configuration Utility, navigate to Access Policy > SAML : SAML Resources.

  2. Click Create.

  3. General Properties:


    • Name

    • Profile Type

    • Profile Scope

  4. Settings:

    • Defaults

  5. Configurations:

    • Defaults

  6. SSO Across Authentication Domains (Single Domain mode):

    • Defaults

  7. Language Settings:

    • Add English (en) as an Accepted Language

    • Default Language: English (en)

  8. Click Finished.

Edit Access Policy for the Access Profile

  1. In the BIG-IP Configuration Utility, navigate to Access Policy > Access Profiles : Access Profiles list.

  2. Click Edit in the Access Policy field of the newly created Access Profile.


  3. Logon Page is default.

  4. LocalDB Auth:

    • LocalDB Auth is for demonstration purposes only; replace it with an appropriate authentication agent such as AD Auth.

    • For this example, select a valid LocalDB Instance that you can populate.

  5. Advanced Resource Assign:


    • Add an expression for LocalDB Auth has Passed and assign the previously created Webtop and SAML Resource based on that success.

  6. Change the result of the fallback Branch for Advanced Resource Assign to Allow.

Create Virtual Server for IdP Service and Webtop

  1. In the BIG-IP Configuration Utility, navigate to Local Traffic > Virtual Servers : Virtual Server List.

  2. Click Create.

  3. General Properties:


    • Name: Appropriate and unique values.

    • Type: Standard.

    • Source Address: 0.0.0.0/0 or a suitable range for your purposes

    • Destination Address/Mask: The address that is aligned with the hostname (or address) used in previous steps.

    • Service Port: An available port that aligns with the port specified or implied in previous steps.

    • State: Enabled

  4. Configuration: (basic)


    • Protocol: TCP

    • HTTP Profile: http

    • SSL Profile (Client): Select the SSL client profile associated with the certificate that aligns with the hostname.

    • Source Address Translation: None

  5. Content Rewrite:


    • None

  6. Access Policy:

    • Access Profile: Select the Access Profile created in Create an Access Profile for SAML SSO Portal.

  7. Acceleration (Basic):


    • None

  8. Resources:


    • None

  9. Click Finished.

Setting up SaaS Provisioning with Okta

In addition to Single Sign-On, Okta Application Network supports account provisioning for many popular SaaS applications.


The easiest way to enable provisioning and user onboarding in Okta is to set up directory integration between Okta and your directory services. This integration does not synchronize the directory credentials to Okta. It does allow you to customize the list of attributes being synchronized into Okta – which can then be used for downstream account provisioning through Universal Directory and attribute mapping done between Okta and the applications.

Go to: https://support.okta.com/help/Documentation/Knowledge_Article/Common_Okta_Tasks/Universal-Directory-and-Provisioning-Knowledge-Hub to learn more about:

  • Directory Integration
  • Universal Directory
  • Attribute Mapping
  • Application Provisioning
  • Group-based provisioning
  • Group & Group Membership

References

F5

F5 SAML: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-1-0/28.html#unique_1718726759

With Portal: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-1-0/29.html#conceptid

No Portal:  https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-1-0/30.html#conceptid

Okta

Okta Expression Language (OEL):  http://developer.okta.com/docs/getting_started/okta_expression_lang.html