In this tutorial, you'll learn how to configure F5's BIG-IP Access Policy Manager (APM) and Azure Active Directory (Azure AD) for secure hybrid access to header-based applications.
18
+
In this article, you’ll learn to implement Secure Hybrid Access (SHA) with single sign-on (SSO) to header-based applications using F5’s BIG-IP advanced configuration.
19
19
20
20
Configuring BIG-IP published applications with Azure AD provides many benefits, including:
21
21
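Review bot: the rewritten opening sentence (new line 18) drops both the expansion of APM as Access Policy Manager and the explicit mention of Azure AD as the identity provider, yet "BIG-IP APM" is used unexpanded later in this same change (the access-policy step of the flow table). Keep the expansion on first use, e.g. "using F5 BIG-IP Access Policy Manager (APM) with Azure AD", so the abbreviation is defined before the table relies on it.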
@@ -30,20 +30,20 @@ To learn about all of the benefits, see the article on [F5 BIG-IP and Azure AD i
30
30
31
31
## Scenario description
32
32
33
-
For this scenario, we have an internal application whose access relies on receiving HTTP authorization headers from a legacy broker system. This enables users to be directed to their respective areas of content.
33
+
For this scenario, we have a legacy application using HTTP authorization headers to control access to protected content.
34
34
35
-
The ideal scenario is to have the application managed and governed directly through Azure AD. However, as it lacks any form of modern protocol interop, it would take considerable effort and time to modernize, introducing inevitable costs and risks of potential downtime.
35
+
Ideally, application access should be managed directly by Azure AD but being legacy it lacks any form of modern authentication protocol. Modernization would take considerable effort and time, introducing inevitable costs and risk of potential downtime. Instead, a BIG-IP deployed between the public internet and the internal application will be used to gate inbound access to the application.
36
36
37
-
Instead, a BIG-IP Virtual Edition (VE) deployed between the public internet and the internal Azure VNet the application is connected to will be used. It will enable to gate inbound access, with Azure AD for its extensive choice of authentication and authorization capabilities.
37
+
Having a BIG-IP in front of the application enables us to overlay the service with Azure AD pre-authentication and header-based SSO, significantly improving the overall security posture of the application.
38
38
39
-
Having a BIG-IP in front of the application enables to overlay the service with Azure AD pre-authentication and header-based SSO. It significantly improves the overall security posture of the application, allowing the business to continue operating at pace, without interruption.
40
39
41
-
The secure hybrid access solution for this scenario is made up of the following components:
40
+
## Scenario architecture
42
41
43
-
-**Application**: Backend service to be protected by Azure AD and BIG-IP secure hybrid access
42
+
The secure hybrid access solution for this scenario is made up of:
44
43
45
-
-**Azure AD**: The SAML Identity Provider (IdP), responsible for
46
-
verification of user credentials, Conditional Access (CA), and SSO to the BIG-IP APM.
44
+
-**Application**: BIG-IP published service to be protected by and Azure AD SHA.
45
+
46
+
-**Azure AD**: Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SSO to the BIG-IP. Through SSO, Azure AD provides the BIG-IP with any required session attributes including user identifiers.
47
47
48
48
-**BIG-IP**: Reverse proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP, before
49
49
performing header-based SSO to the backend application.
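Review bot: the new Application bullet (new line 44) has a stray word: "to be protected by and Azure AD SHA" should read "to be protected by Azure AD SHA" (or "by BIG-IP and Azure AD SHA" if both are meant). Two smaller points in the same hunk: new line 35, "but being legacy it lacks", wants commas ("but, being legacy, it lacks"), and the rewrite drops the old line 37 detail that the BIG-IP is a Virtual Edition sitting between the public internet and the internal Azure VNet, which was the only place the deployment topology was stated; consider keeping a short mention of where the BIG-IP is deployed.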
@@ -52,13 +52,13 @@ performing header-based SSO to the backend application.
52
52
53
53
| Step | Description |
54
54
|:-------|:-----------|
55
-
| 1. | User connects to application's SAML SP endpoint (BIG-IP APM). |
56
-
| 2. | APM access policy redirects user to SAML IdP (Azure AD) for pre-authentication.|
57
-
| 3. | SAML IdP authenticates user and applies any enforced CA policies. |
58
-
| 4. | Azure AD redirects user back to SAML SP with issued token and claims. |
59
-
| 5. | BIG-IP APM grants user access and injects headers in the request to the application. |
55
+
| 1. | User connects to application's SAML SP endpoint (BIG-IP). |
56
+
| 2. | BIG-IP APM access policy redirects user to Azure AD (SAML IdP).|
57
+
| 3. | Azure AD pre-authenticates user and applies any enforced CA policies. |
58
+
| 4. | User is redirected to BIG-IP (SAML SP) and SSO is performed using issued SAML token. |
59
+
| 5. | BIG-IP injects Azure AD attributes as headers in request to the application. |
60
+
| 6. | Application authorizes request and returns payload. |
60
61
61
-
For increased security, organizations using this pattern could also consider blocking all direct access to the application, in that way, forcing a strict path through the BIG-IP.
62
62
63
63
## Prerequisites
64
64
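Review bot: removing the "blocking all direct access" sentence (old line 61) takes away the caveat that makes the new step 6 safe: the application authorizes the request purely on the injected headers, which it can only trust if no path bypasses the BIG-IP. If the sentence is being moved rather than dropped, a short pointer next to the flow table ("see the note on restricting direct access below") keeps that trust assumption visible where the flow is explained. Separately, new step 4 says "SSO is performed using issued SAML token" while step 5 is where SSO to the application actually happens; "BIG-IP validates the SAML assertion and establishes the APM session" would be more precise, and "assertion" is the protocol's own term.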
@@ -398,7 +398,6 @@ This last step provides break down of all applied settings before they are commi
398
398
399
399
Your application is now published and accessible via Secure Hybrid Access, either directly via its URL or through Microsoft's application portals.
400
400
401
-
For increased security, organizations using this pattern could also consider blocking all direct access to the application, in that way forcing a strict path through the BIG-IP.
402
401
403
402
## Next steps
404
403
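Review bot: deleting the direct-access caveat at old line 401 leaves the preceding sentence ("accessible ... either directly via its URL") as the last word on how the app is reached, which reads as an endorsement of reaching the application directly rather than through the URL published on the BIG-IP. The same sentence is re-added a few lines later under the header output, so this is a move; either keep it here, where the reader has just finished publishing, or clarify that "directly via its URL" means the BIG-IP published URL. Minor: the unchanged hunk-header context "provides break down of all applied settings" should be "provides a breakdown of".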
@@ -407,6 +406,8 @@ The output of the injected headers displayed by our headers-based application is
407
406
408
407

409
408
409
+
For increased security, organizations using this pattern could also consider blocking all direct access to the application, in that way forcing a strict path through the BIG-IP.
410
+
410
411
## Troubleshooting
411
412
412
413
Failure to access the secure hybrid access protected application could be down to any number of potential factors, including a
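Review bot: the re-added sentence at new line 409 tells the reader to "consider blocking all direct access" but still gives no hint of how, and placed directly under "The output of the injected headers displayed by our headers-based application is" it interrupts the flow from that sentence to the output it introduces. Suggest moving it after the header output and adding one concrete sentence on the mechanism, for example restricting the application's inbound network rules so that only the BIG-IP's self IP or SNAT addresses can reach it, since header-based SSO is only as trustworthy as that restriction.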