
Commit 591bebe

Update f5-aad-password-less-vpn.md
1 parent 4c5a01c commit 591bebe

File tree

1 file changed

+31
-31
lines changed


articles/active-directory/manage-apps/f5-aad-password-less-vpn.md

Lines changed: 31 additions & 31 deletions
@@ -8,7 +8,7 @@ ms.service: active-directory
88
ms.subservice: app-mgmt
99
ms.topic: how-to
1010
ms.workload: identity
11-
ms.date: 12/5/2022
11+
ms.date: 12/13/2022
1212
ms.author: gasinh
1313
ms.collection: M365-identity-device-management
1414
ms.reviewer: v-nisba
@@ -37,7 +37,7 @@ To learn about more benefits, see
3737

3838
In this scenario, the BIG-IP APM instance of the SSL-VPN service is configured as a SAML service provider (SP) and Azure AD is the trusted SAML IDP. SSO from Azure AD is provided through claims-based authentication to the BIG-IP APM, a seamless VPN access experience.
3939

40-
![Image shows ssl-vpn architecture](media/f5-sso-vpn/ssl-vpn-architecture.png)
40+
![Diagram of integration architecture.](media/f5-sso-vpn/ssl-vpn-architecture.png)
4141

4242
>[!NOTE]
4343
>Replace example strings or values in this guide with those in your environment.
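Review bot: the new alt text on line 40, "Diagram of integration architecture.", drops the one detail the old text carried (that this is the SSL-VPN architecture); since the paragraph on line 38 is about the BIG-IP APM SSL-VPN service acting as SAML SP, suggest "Diagram of the SSL-VPN integration architecture." so the alt text still identifies which integration the diagram shows.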
@@ -91,7 +91,7 @@ Set up a SAML federation trust between the BIG-IP to allow the Azure AD BIG-IP t
9191
>[!NOTE]
9292
>An SLO URL ensures a user session terminates, at BIG-IP and Azure AD, after the user signs out. BIG-IP APM has an option to terminate all sessions when calling an application URL. Learn more on the F5 article, [K12056: Overview of the Logout URI Include option](https://support.f5.com/csp/article/K12056).
9393
94-
![Image shows basic saml configuration](media/f5-sso-vpn/basic-saml-configuration.png).
94+
![Screenshot of basic SAML configuration URLs.](media/f5-sso-vpn/basic-saml-configuration.png).
9595

9696
>[!NOTE]
9797
>From TMOS v16, the SAML SLO endpoint has changed to /saml/sp/profile/redirect/slo.
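Review bot: the stray period after the closing parenthesis on line 94 (`...basic-saml-configuration.png).`) renders as a lone "." beneath the image; it was present in the old line as well, but since the line is being rewritten anyway, drop the trailing period so only the image remains.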
@@ -100,11 +100,11 @@ Set up a SAML federation trust between the BIG-IP to allow the Azure AD BIG-IP t
100100
10. Skip the SSO test prompt.
101101
11. In **User Attributes & Claims** properties, observe the details.
102102

103-
![Image shows user attributes claims](media/f5-sso-vpn/user-attributes-claims.png)
103+
![Screenshot of user attributes and claims properties.](media/f5-sso-vpn/user-attributes-claims.png)
104104

105105
You can add other claims to your BIG-IP published service. Claims defined in addition to the default set are issued if they're in Azure AD. Define directory [roles or group](../hybrid/how-to-connect-fed-group-claims.md) memberships against a user object in Azure AD, before they can be issued as a claim.
106106

107-
![Image shows federation metadata download link](media/f5-sso-vpn/saml-signing-certificate.png)
107+
![Screenshot of Federation Metadata XML Download option.](media/f5-sso-vpn/saml-signing-certificate.png)
108108

109109
SAML signing certificates created by Azure AD have a lifespan of three years.
110110

@@ -118,7 +118,7 @@ By default, Azure AD issues tokens to users with granted access to a service.
118118
4. In the **Users and groups** dialog, add the user groups authorized to access the VPN
119119
5. Select **Select** > **Assign**.
120120

121-
![Image shows adding user link ](media/f5-sso-vpn/add-user-link.png)
121+
![Screenshot of the Add User option.](media/f5-sso-vpn/add-user-link.png)
122122

123123
You can set up BIG-IP APM to publish the SSL-VPN service. Configure it with corresponding properties to complete the trust for SAML pre-authentication.
124124

@@ -131,36 +131,36 @@ To complete federating the VPN service with Azure AD, create the BIG-IP SAML ser
131131
1. Go to **Access** > **Federation** > **SAML Service Provider** > **Local SP Services**.
132132
2. Select **Create**.
133133

134-
![Image shows BIG-IP SAML configuration](media/f5-sso-vpn/bigip-saml-configuration.png)
134+
![Screenshot of the Create option on the Local SP Services page.](media/f5-sso-vpn/bigip-saml-configuration.png)
135135

136136
3. Enter a **Name** and the **Entity ID** defined in Azure AD.
137137
4. Enter the Host FQDN to connect to the application.
138138

139-
![Image shows creating new SAML SP service](media/f5-sso-vpn/create-new-saml-sp.png)
139+
![Screenshot of Name and Entity entries.](media/f5-sso-vpn/create-new-saml-sp.png)
140140

141141
>[!NOTE]
142142
>If the entity ID isn't an exact match of the hostname of the published URL, configure SP **Name** settings, or perform this action if it isn’t in hostname URL format. If entity ID is `urn:ssl-vpn:contosoonline`, provide the external scheme and hostname of the application being published.
143143
144144
5. Scroll down to select the new **SAML SP object**.
145145
6. Select **Bind/UnBind IDP Connectors**.
146146

147-
![Image shows creating federation with local SP service](media/f5-sso-vpn/federation-local-sp-service.png)
147+
![Screenshot of the Bind Unbind IDP Connections option on the Local SP Services page.](media/f5-sso-vpn/federation-local-sp-service.png)
148148

149149
7. Select **Create New IDP Connector**.
150150
8. From the drop-down menu, select **From Metadata**
151151

152-
![Image shows create new IDP connector](media/f5-sso-vpn/create-new-idp-connector.png)
152+
![Screenshot of the From Metadata option on the Edit SAML IdPs page.](media/f5-sso-vpn/create-new-idp-connector.png)
153153

154154
9. Browse to the federation metadata XML file you downloaded.
155155
10. For the APM object,provide an **Identity Provider Name** that represents the external SAML IdP.
156156
11. To select the new Azure AD external IdP connector, select **Add New Row**.
157157

158-
![Image shows external IDP connector](media/f5-sso-vpn/external-idp-connector.png)
158+
![Screenshot of SAML IdP Connectors option on the Edit SAML IdP page.](media/f5-sso-vpn/external-idp-connector.png)
159159

160160
12. Select **Update**.
161161
13. Select **OK**.
162162

163-
![Image shows SAML IDP using SP](media/f5-sso-vpn/saml-idp-using-sp.png)
163+
![Screenshot of the Common, VPN Azure link on the Edit SAML IdPs page.](media/f5-sso-vpn/saml-idp-using-sp.png)
164164

165165
### Webtop configuration
166166

@@ -173,7 +173,7 @@ Enable the SSL-VPN to be offered to users via the BIG-IP web portal.
173173
5. Complete the remaining preferences.
174174
6. Select **Finished**.
175175

176-
![Image shows webtop configuration](media/f5-sso-vpn/webtop-configuration.png)
176+
![Screenshot of name and type entries in General Properties.](media/f5-sso-vpn/webtop-configuration.png)
177177

178178
### VPN configuration
179179

@@ -187,7 +187,7 @@ VPN elements control aspects of the overall service.
187187
6. Select **Add**.
188188
7. Select **Finished**.
189189

190-
![Image shows vpn configuration](media/f5-sso-vpn/vpn-configuration.png)
190+
![Screenshot of name and member list entries in General Properties.](media/f5-sso-vpn/vpn-configuration.png)
191191

192192
A Network access list provisions the service with IP and DNS settings from the VPN pool, user routing permissions, and can launch applications.
193193

@@ -196,13 +196,13 @@ A Network access list provisions the service with IP and DNS settings from the V
196196
3. Provide a name for the VPN access list and caption, for example, Contoso-VPN.
197197
4. Select **Finished**.
198198

199-
![Image shows vpn configuration in network access list](media/f5-sso-vpn/vpn-configuration-network-access-list.png)
199+
![Screenshot of name entry in General Properties, and caption entry in Customization Settings for English.](media/f5-sso-vpn/vpn-configuration-network-access-list.png)
200200

201201
5. From the top ribbon, select **Network Settings**.
202202
6. For **Supported IP version**: IPV4.
203203
7. For **IPV4 Lease Pool**, select the VPN pool created, for example, Contoso_vpn_pool
204204

205-
![Image shows contoso V P N pool](media/f5-sso-vpn/contoso-vpn-pool.png)
205+
![Screenshot of the IPV4 Lease Pool entry in General Settings.](media/f5-sso-vpn/contoso-vpn-pool.png)
206206

207207
>[!NOTE]
208208
>Use the Client Settings options to enforce restrictions for how client traffic is routed in an established VPN.
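Review bot: nit on unchanged context line 203, "select the VPN pool created, for example, Contoso_vpn_pool", which is missing its terminal period; also, the new alt text on line 205 places the IPV4 Lease Pool under "General Settings" while step 5 on line 201 sends the reader to the "Network Settings" ribbon item, so consider making the alt text say "IPV4 Lease Pool entry under Network Settings" (or both, if General Settings is a subsection) to avoid sending readers to the wrong tab.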
@@ -212,7 +212,7 @@ A Network access list provisions the service with IP and DNS settings from the V
212212
10. For **IPV4 Primary Name Server**: Your environment DNS IP
213213
11. For **DNS Default Domain Suffix**: The domain suffix for this VPN connection. For example, contoso.com
214214

215-
![Image shows default domain suffix](media/f5-sso-vpn/domain-suffix.png)
215+
![Screenshot of entries for IPV4 Primary Server Name and DNS Default Domain Suffix.](media/f5-sso-vpn/domain-suffix.png)
216216

217217
>[!NOTE]
218218
>See the F5 article, [Configuring Network Access Resources](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-network-access-11-5-0/2.html) for other settings.
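Review bot: the new alt text on line 215 says "IPV4 Primary Server Name", but step 10 on line 212 calls the field "IPV4 Primary Name Server"; the two should use the same label, and the step wording is the one that matches the field's purpose (the primary DNS name server), so change the alt text to "IPV4 Primary Name Server".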
@@ -224,7 +224,7 @@ A BIG-IP connection profile is required to configure VPN client-type settings th
224224
3. Enter a profile name.
225225
4. Set the parent profile to **/Common/connectivity**, for example, Contoso_VPN_Profile.
226226

227-
![Image shows create new connectivity profile](media/f5-sso-vpn/create-connectivity-profile.png)
227+
![Screenshot of Profile Name and Parent Name entries in Create New Connectivity Profile.](media/f5-sso-vpn/create-connectivity-profile.png)
228228

229229
For more information on client support, see the F5 article, [F5 Access and BIG-IP Edge Client](https://techdocs.f5.com/kb/en-us/bigip-edge-apps.html).
230230

@@ -239,51 +239,51 @@ An access policy enables the service for SAML authentication.
239239
5. Scroll down and add at least one language to the **Accepted Languages** list
240240
6. Select **Finished**.
241241

242-
![Image shows general properties](media/f5-sso-vpn/general-properties.png)
242+
![Screenshot of Name, Profile Type, and Language entries on New Profile.](media/f5-sso-vpn/general-properties.png)
243243

244244
7. In the new access profile, on the Per-Session Policy field, select **Edit**.
245245
8. The visual policy editor opens in a new tab.
246246

247-
![Image shows per-session policy](media/f5-sso-vpn/per-session-policy.png)
247+
![Screenshot of the Edit option on Access Profiles, pre-session policies.](media/f5-sso-vpn/per-session-policy.png)
248248

249249
9. Select the **+** sign.
250250
10. In the menu, select **Authentication** > **SAML Auth**.
251251
11. Select **Add Item**.
252252
12. In the SAML authentication SP configuration, select the VPN SAML SP object you created
253253
13. Select **Save**.
254254

255-
![Image shows saml authentication](media/f5-sso-vpn/saml-authentication.png)
255+
![Screenshot of the AAA Server entry under SAML Authentication SP, on the Properties tab.](media/f5-sso-vpn/saml-authentication.png)
256256

257257
14. For the Successful branch of SAML auth, select **+** .
258258
15. From the Assignment tab, select **Advanced Resource Assign**.
259259
16. Select **Add Item**.
260260

261-
![Image shows advance resource assign](media/f5-sso-vpn/advance-resource-assign.png)
261+
![Screenshot of the plus button on Access Policy.](media/f5-sso-vpn/advance-resource-assign.png)
262262

263263
17. In the pop-up, select **New Entry**
264264
18. Select **Add/Delete**.
265265
19. In the window, select **Network Access**.
266266
20. Select the Network Access profile you created.
267267

268-
![Image shows adding new network access entry](media/f5-sso-vpn/add-new-entry.png)
268+
![Screenshot of the Add new entry button on Resource Assignment, on the Properties tab.](media/f5-sso-vpn/add-new-entry.png)
269269

270270
21. Go to the **Webtop** tab.
271271
22. Add the Webtop object you created.
272272

273-
![Image shows adding webtop object](media/f5-sso-vpn/add-webtop-object.png)
273+
![Screenshot of the created webtop on the Webtop tab.](media/f5-sso-vpn/add-webtop-object.png)
274274

275275
23. Select **Update**.
276276
24. Select**Save**.
277277
25. To change the Successful branch, select the link in the upper **Deny** box.
278278
26. The Allow label appears.
279279
27. **Save**.
280280

281-
![Image shows new visual policy editor](media/f5-sso-vpn/vizual-policy-editor.png)
281+
![Screenshot of the Deny option on Access Policy.](media/f5-sso-vpn/vizual-policy-editor.png)
282282

283283
28. Select **Apply Access Policy**
284284
29. Close the visual policy editor tab.
285285

286-
![Image shows new access policy manager](media/f5-sso-vpn/access-policy-manager.png)
286+
![Screenshot of the Apply Access Policy option.](media/f5-sso-vpn/access-policy-manager.png)
287287

288288
## Publish the VPN service
289289

@@ -294,18 +294,18 @@ The APM requires a front-end virtual server to listen for clients connecting to
294294
3. For the VPN virtual server, enter a **Name**, for example, VPN_Listener.
295295
4. Select an unused **IP Destination Address** with routing to receive client traffic.
296296
5. Set the Service Port to **443 HTTPS**.
297-
6. Ensure the state is **Enabled**.
297+
6. For **State**, ensure **Enabled** is selected.
298298

299-
![Image shows new virtual server](media/f5-sso-vpn/new-virtual-server.png)
299+
![Screenshot of Name and Destination Address or Mask entries on General Properties.](media/f5-sso-vpn/new-virtual-server.png)
300300

301301
7. Set the **HTTP Profile** to **http**.
302302
8. Add the SSL Profile (Client) for the public SSL certificate you created.
303303

304-
![Image shows ssl profile](media/f5-sso-vpn/ssl-profile.png)
304+
![Screenshot of HTTP Profile entry for client, and SSL Profile selected entries for client.](media/f5-sso-vpn/ssl-profile.png)
305305

306306
9. To use the created VPN objects, under Access Policy, set the **Access Profile** and **Connectivity Profile**.
307307

308-
![Image shows access policy](media/f5-sso-vpn/access-policy.png)
308+
![Screenshot of Access Profile and Connectivity Profile entries on Access Policy.](media/f5-sso-vpn/access-policy.png)
309309

310310
7. Select **Finished**.
311311

@@ -317,7 +317,7 @@ Your SSL-VPN service is published and accessible via SHA, either with its URL or
317317
2. Browse to the **BIG-IP VPN service** URL.
318318
3. The BIG-IP webtop portal and VPN launcher appear.
319319

320-
![Image shows vpn launcher](media/f5-sso-vpn/vpn-launcher.png)
320+
![Screenshot of the Contoso Network Portal page with network access indicator.](media/f5-sso-vpn/vpn-launcher.png)
321321

322322
>[!NOTE]
323323
>Select the VPN tile to install the BIG-IP Edge client and establish a VPN connection configured for SHA. The F5 VPN application is visible as a target resource in Azure AD Conditional Access. See [conditional access policies](../conditional-access/concept-conditional-access-policies.md) to enable users for Azure AD [password-less authentication](https://www.microsoft.com/security/business/identity/passwordless).
