Okta Integration Guide for Web Access Management with F5 BIG-IP
Published: Aug 18, 2016 - Updated: Jun 22, 2018


Introduction

F5® BIG-IP® Local Traffic Manager™ (BIG-IP LTM®) and F5 BIG-IP Access Policy Manager® (BIG-IP APM®) provide extended capabilities in conjunction with the Okta identity management platform. The integration described in this document allows Okta to support applications that use header-based or Kerberos-based authentication. In addition, F5 BIG-IP can act as a reverse proxy for publishing on-premise apps beyond the firewall, where they can be accessed through Okta.

[Diagram: basic integration between Okta and F5 BIG-IP]

The diagram above illustrates the basic integration between the two products.

  1. Okta is the identity provider. Users can be defined locally within Okta. In most cases, an on-prem Active Directory and/or LDAP is the source of identities and is integrated with Okta via Okta's AD/LDAP agent.

  2. Between Okta and F5 BIG-IP, a SAML trust is built in which F5 BIG-IP acts as a SAML Service Provider.

  3. The target applications are protected behind F5 BIG-IP. This document covers applications that are protected by either header-based authentication or Kerberos.

  4. The SAML assertion from Okta is consumed by F5 BIG-IP, which then "translates" the assertion appropriately for the downstream application based on its authentication scheme.

This combined solution provides a best-of-breed Identity as a Service (IDaaS) deployment with full support for legacy and on-premise apps that is easy to deploy and is configured through Okta. It also helps lower TCO by removing the need to maintain traditional on-prem identity solutions for on-premise apps.

The following table illustrates the use cases to consider when using Okta and F5 BIG-IP together.

| # | Authentication Mechanism | Okta | F5 BIG-IP |
|---|---|---|---|
| 1 | SAML | Acts as SAML Identity Provider | |
| 2 | WS-Fed | Acts as WS-Fed Identity Provider | |
| 3 | Login Page only (username/pwd) | Okta's Secure Web Authentication, providing form-post capability through a browser plug-in | |
| 4 | Header-based | Acts as identity provider | Receives SAML from Okta; generates header(s) for the downstream app |
| 5 | Kerberos | Acts as identity provider | Receives SAML from Okta; obtains a Kerberos ticket for the downstream Kerberos-enabled app |
| 6 | Reverse proxy to access an on-prem application from outside the firewall | Acts as identity provider if only authenticated users are allowed | Acts as reverse proxy |

This document will go through the following:

The instructions provided here should work for F5 BIG-IP version 11.* and up.  You can apply this to any production or lab edition of the product.

For an example of how to set up an F5 BIG-IP environment, the Appendix presents a basic set of instructions using VMware.
 


Publishing a Sample Web Application via F5 BIG-IP

We assume that you have an existing F5 BIG-IP setup where you can test the Okta integration.

If you are new to F5 BIG-IP, please refer to the F5 Support Site (https://support.f5.com/kb/en-us/products/big-ip_apm.html) for download, setup and general information around F5 BIG-IP.

The instructions below assume a Microsoft Windows Server environment with IIS enabled.

  1. It is recommended to configure F5 BIG-IP to proxy requests to the test web server by creating an iApp. Click iApp > Application Services > Create.

  2. Provide a Name for this application and choose f5.microsoft_iis as the Template (use the http template for generic web servers). Also provide the Virtual Server IP address on the external interface (e.g., 12.12.1.12).

  3. Scroll down on the same page and, under the Server Pool, Load Balancing section, provide the IP address of the test web server and the port it is listening on (e.g., 11.11.1.11 and 80). Also provide an FQDN for the web server hostname (e.g., www.democorp.co), then click Finish.

  4. F5 BIG-IP will show the status of this application.

  5. To test the connection, launch a browser on the host machine and point it to the external IP address chosen in the previous screen (e.g., 12.12.1.12); it should render the backend web server page.

  6. It is recommended to add a hosts file entry pointing a test hostname (e.g., www.democorp.co) to this published application IP address (e.g., 12.12.1.12). Also, place a file named headers.aspx in the root of the web server's folder containing the following line; with page tracing enabled, the ASP.NET trace output lists all request headers, including the ones inserted by F5 BIG-IP:
    <%@ Page Language="C#" Trace="True" %>

  7. The page from the previous step will be used to verify the Okta integration in the next section.

 

Configuring Okta as SAML 2.0 Identity Provider for F5 BIG-IP

  1. Under Applications, select the Add Application option, then click Create New App.

  2. Create a new SAML 2.0 app in Okta, give it a name and optionally choose a logo.

  3. In SAML Settings, provide the Single Sign On URL (should be https://external-f5-hostname/saml/sp/profile/acs) and the Audience URI (SP Entity ID).

    Note that F5 BIG-IP versions prior to 11.5.0 support only SHA1 as the signature algorithm, so for those versions it has to be set to RSA-SHA1. F5 BIG-IP 11.5.0 and above support RSA-SHA256. It is strongly recommended that you upgrade to a version that supports RSA-SHA256.

  4. Scroll down on the same page and provide the custom attributes to be passed in the SAML assertion to the ASP .NET application (for example FirstName, LastName and City, which the iRule later in this document reads from the APM session).

  5. Click Finish on the next screen.

  6. This app can now be assigned to authorized users or groups. Additional security options such as an App Sign On policy providing MFA and granular control can be applied as well.

  7. Click the Sign On tab in the app and then click the Identity Provider metadata link to save the SAML metadata.xml that will be imported into F5 BIG-IP.

  8. Okta SAML Identity Provider setup is complete.


Configuring F5 BIG-IP as SAML 2.0 Service Provider for Okta

Configure SAML SP Service

Configure a SAML SP service for F5 BIG-IP Access Policy Manager to provide AAA authentication, requesting authentication and receiving assertions from a SAML IdP.

  1. On the Main tab, click Access Policy > SAML > BIG-IP as SP. The BIG-IP as SP screen opens and displays a list of local SP services.

  2. In the Name field, type a unique name for the SAML SP service. In the Entity ID field, provide the Audience URI that was entered in the Okta SAML configuration.

  3. Click OK.

Configure SAML IdP Connector and Bind SAML SP Service to SAML IdP Connector

Configure Okta as a SAML IdP connector in F5 BIG-IP so that Access Policy Manager (as a SAML service provider) can send authentication requests to the Okta IdP, relying on it to authenticate users and to provide access to resources behind APM.

  1. On the Main tab, click Access Policy > SAML > BIG-IP as SP. The BIG-IP as SP screen opens and displays a list of local SP services. Select the BIGIPSP SAML SP service from the list.

  2. Click Bind/Unbind IdP Connectors. Then click Create New IdP Connector and choose From Metadata.

  3. Browse to the metadata.xml downloaded from Okta, enter an Identity Provider Name, then click OK.

  4. This creates an Okta IdP Connector and also imports its signing certificate.

  5. Click Add New Row. Choose OktaIdP as the SAML IdP Connector, %{session.server.landinguri} as the Matching Source and /* as the Matching Value. This tells F5 BIG-IP to use OktaIdP for all requests to this web server; the pattern can be narrowed to specific folders or use other Matching Source parameters. Click OK.

  6. SAML IdP and SP setup is complete.

Configure an F5 BIG-IP Access Policy to Authenticate with Okta SAML IdP

With the F5 BIG-IP system as a SAML service provider, configure an F5 BIG-IP access policy to direct users to the Okta SAML IdP for authentication.

  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens. Click Create.

  2. Give the policy a name. In a non-HTTPS test environment, make sure the Secure cookie option is deselected (keep it selected when the virtual server is served over HTTPS). Other custom values for timeouts and sessions can optionally be provided. Choose a Language and click Finished.

  3. After the policy has been created, click Edit... under the Access Policy column.

  4. The F5 BIG-IP APM visual policy editor opens the access policy in a separate screen displaying the default policy.

  5. Click the '+' icon between the Start and Deny nodes and, in the pop-up window, choose SAML Auth.

  6. On the next screen, under Properties, choose a name for the auth method and, in the AAA Server dropdown, select the previously configured BIG-IP SP. Click Save.

  7. The access policy is now complete. Note that F5 BIG-IP APM is a very powerful tool and additional processing, including fetching attributes from other AD/LDAP sources for insertion and additional backend authorization, can be performed.

  8. Click Apply Access Policy. Then click Close.

  9. To put the access policy into effect, you must attach it to the virtual server that was created for the test ASP .NET IIS web app.

Adding the Access Profile to the Virtual Server

Associate the access profile with the virtual server so that F5 BIG-IP APM can apply the profile to incoming traffic and run the previously defined access policy.

  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.

  2. Click on the virtual server. Then scroll all the way to the bottom to the Access Policy section. Select the previously defined Access Profile and click Update.

  3. Next, create an F5 BIG-IP iRule® to extract the custom SAML attributes from the incoming assertion and pass them as HTTP headers to the backend test ASP .NET IIS application. Click Create.

  4. Paste the F5 BIG-IP iRule text below into the Definition window.
     

    when RULE_INIT {
        # Set to 1 to log the extracted values to /var/log/ltm while troubleshooting
        set static::debug 0
    }

    when ACCESS_ACL_ALLOWED {
        # Read the values APM stored from the Okta SAML assertion: the NameID and
        # the custom attributes (FirstName, LastName, City) configured in the Okta app.
        set oktaUser      [ACCESS::session data get "session.saml.last.identity"]
        set oktaFirstName [ACCESS::session data get "session.saml.last.attr.name.FirstName"]
        set oktaLastName  [ACCESS::session data get "session.saml.last.attr.name.LastName"]
        set oktaCity      [ACCESS::session data get "session.saml.last.attr.name.City"]
        if { $static::debug } {
            log local0. "id is $oktaUser, first name is $oktaFirstName, last name is $oktaLastName, city is $oktaCity"
        }

        # The backend trusts these headers, so never let a copy supplied by the
        # client pass through: remove any existing instance of the header, then
        # insert the value taken from the authenticated APM session.
        foreach {hdr val} [list "OKTA_USER" $oktaUser \
                                "OKTA_FIRSTNAME" $oktaFirstName \
                                "OKTA_LASTNAME" $oktaLastName \
                                "OKTA_CITY" $oktaCity] {
            HTTP::header remove $hdr
            HTTP::header insert $hdr $val
        }
    }

  5. Next, apply this F5 BIG-IP iRule to the Virtual Server.

  6. Click Edit under the Resources column.

  7. Click Manage under iRules.

  8. Add the previously created OktaiRule to the Enabled list and click Finished.
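As an added illustration (not Okta's or F5's code), the following Python models the path the configuration above produces: the custom attributes from step 4 of the Okta app setup arrive in the assertion, APM stores them as session.saml.last.* variables, and the iRule maps them to OKTA_* headers, discarding any OKTA_* header the client itself sent, since the backend trusts these headers. It also checks the assertion's signature algorithm against the RSA-SHA256 recommendation; the sample response, alice@democorp.co and Denver are constructed values.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample response (not a real Okta capture). The attribute names
# are the custom attributes the guide configures in the Okta SAML app.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@democorp.co</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="City"><saml:AttributeValue>Denver</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# APM session variable (as named in the guide's iRule) -> header for the backend
HEADER_MAP = {"session.saml.last.identity": "OKTA_USER",
              "session.saml.last.attr.name.FirstName": "OKTA_FIRSTNAME",
              "session.saml.last.attr.name.LastName": "OKTA_LASTNAME",
              "session.saml.last.attr.name.City": "OKTA_CITY"}

def session_vars(response_xml):
    """Model of APM populating session.saml.last.* from the consumed assertion."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    sess = {"session.saml.last.identity":
            assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", namespaces=NS)
        sess["session.saml.last.attr.name." + attr.get("Name")] = value
    sess["signature_algorithm"] = assertion.find(".//ds:SignatureMethod", NS).get("Algorithm")
    return sess

def backend_headers(client_headers, sess):
    """Headers the backend sees: client-sent OKTA_* copies are dropped, then session values added."""
    out = {k: v for k, v in client_headers.items() if not k.upper().startswith("OKTA_")}
    out.update({hdr: sess[var] for var, hdr in HEADER_MAP.items() if var in sess})
    return out

def uses_rsa_sha256(sess):
    """True when the assertion was signed with RSA-SHA256 (BIG-IP 11.5.0 and above)."""
    return sess["signature_algorithm"] == RSA_SHA256
```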

 


Testing the F5 BIG-IP + Okta Integration

Follow the steps below to test the integration.

  1. Go to the published application URL http://www.democorp.co/headers.aspx.

  2. F5 BIG-IP should redirect the request to Okta for authentication. Enter your credentials.

  3. Complete the MFA challenge.

  4. You should be redirected to the published application web page.

  5. Note the HTTP_OKTA_* entries in the trace output, which show that the SAML attributes were extracted and passed as headers.


Appendix

Reports and Logs

The F5 BIG-IP APM Reports > All Sessions report and the Okta System Log can provide traces of transactions that aid in troubleshooting.

For more on the Okta System Log, please refer to the Okta documentation here: https://support.okta.com/help/articles/Knowledge_Article/27605453-Using-the-Okta-Reports-Page

Additional References

Okta Company website – https://www.okta.com

Okta Customer Support – https://support.okta.com

Okta Documentation - https://support.okta.com/help/documentation

F5 BIG-IP APM Documentation - https://support.f5.com/kb/en-us/products/big-ip_apm.html

F5 BIG-IP LTM Documentation - https://support.f5.com/kb/en-us/products/big-ip_ltm.html

Sample F5 BIG-IP Virtual Lab Setup with VMWare

The following outlines the steps to create a basic F5 BIG-IP environment using VMware.

NOTE: This should only be used as sample guidance. To set up a production environment, please refer to the F5 BIG-IP documentation listed above.

  1. F5 BIG-IP should be set up with three network interfaces:

    • Management (10.10.1.1)

    • Internal (11.11.1.1)

    • External (12.12.1.1)

      It is recommended that VMware is set up with three matching custom host-only networks.

  2. There should be an IIS or Apache web server hosting the test backend application, with the suggested IP address 11.11.1.11.

  3. Open the downloaded image file in VMware Workstation, deploy it using the default options, then start the F5 BIG-IP VM.

  4. Switch to the VM console and at the login prompt enter root as the username and default as the password (these default credentials are replaced in step 14).

  5. Enter ifconfig -a | more to find the DHCP-assigned IP address of this VM; for example, inet addr: 192.168.1.149 shows the IP address.

  6. Launch a browser on the host machine and enter https:// followed by the IP address obtained in the previous step, for example https://192.168.1.149.

  7. The browser will issue a certificate warning. This is normal; click proceed to reach the login page.

  8. Enter admin as the username and admin as the password and click Log in.

  9. Click Next in the Setup Utility section.

  10. Click Activate under License.

  11. Enter the Registration Key received via email and click Next.

  12. Click Accept after reviewing the license agreement.

  13. After license activation, in the Resource Provisioning screen, select Access Policy (APM) and make sure Local Traffic (LTM) is also selected. Then click Next.

  14. In the Platform screen, enter the static IP address for the Management Port and a Host Name for the F5 BIG-IP. Also choose new passwords for the Root and Admin accounts.

  15. The system should redirect to the new Management address and port. Log in with the new Admin password. Click Next to configure the Network.

  16. Unselect the Config Sync options, which are not needed for this lab, and click Next.

  17. Configure the Internal Network.

  18. Configure the External Network.

  19. Base setup is complete at this point.