Commit cc6faef

Merge pull request #189817 from Rainier-MSFT/patch-129
Consistency updates
2 parents 75e0871 + 24eb8c6 commit cc6faef

1 file changed

+12
-16
lines changed


articles/active-directory/manage-apps/f5-big-ip-ldap-header-easybutton.md

Lines changed: 12 additions & 16 deletions
@@ -45,9 +45,9 @@ The secure hybrid access solution for this scenario is made up of:
4545

4646
**Application:** BIG-IP published service to be protected by Azure AD SHA.
4747

48-
**Azure AD:** Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SSO to the BIG-IP APM. Through SSO, Azure AD provides the BIG-IP with any required session attributes.
48+
**Azure AD:** Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SAML based SSO to the BIG-IP. Through SSO, Azure AD provides the BIG-IP with any required session attributes.
4949

50-
**HR system:** Legacy employee database acting as source of truth for fine grained application permissions.
50+
**HR system:** LDAP based employee database acting as source of truth for fine grained application permissions.
5151

5252
**BIG-IP:** Reverse proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP before performing header-based SSO to the backend application.
5353
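Review bot: the new compound modifiers in the Azure AD and HR system bullets, "SAML based SSO" and "LDAP based employee database", should be hyphenated as "SAML-based" and "LDAP-based" to match "header-based SSO" in the unchanged BIG-IP bullet just below; "fine grained application permissions" in the HR system bullet is "fine-grained" for the same reason. The reworded roles themselves are consistent with the BIG-IP bullet: Azure AD issues the SAML assertion, BIG-IP consumes it as the SP and then performs header-based SSO to the backend.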

@@ -57,12 +57,12 @@ SHA for this scenario supports both SP and IdP initiated flows. The following im
5757

5858
| Steps| Description |
5959
| -------- |-------|
60-
| 1| User connects to application’s SAML SP endpoint (BIG-IP APM) |
61-
| 2| APM access policy redirects user to SAML IdP (Azure AD) for pre-authentication |
62-
| 3| Azure AD authenticates user and applies any enforced CA policies |
63-
| 4| User is redirected back to BIG-IP with issued token and claims |
64-
| 5| BIG-IP authenticates user and requests more attributes from HR system |
65-
| 6| BIG-IP injects Azure AD and HR system attributes as headers in request to the application |
60+
| 1| User connects to application endpoint (BIG-IP) |
61+
| 2| BIG-IP APM access policy redirects user to Azure AD (SAML IdP) |
62+
| 3| Azure AD pre-authenticates user and applies any enforced Conditional Access policies |
63+
| 4| User is redirected to BIG-IP (SAML SP) and SSO is performed using issued SAML token |
64+
| 5| BIG-IP requests additional attributes from LDAP based HR system |
65+
| 6| BIG-IP injects Azure AD and HR system attributes as headers in request to application |
6666
| 7| Application authorizes access with enriched session permissions |
6767

6868
## Prerequisites
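Review bot: step 4 in the new table, "SSO is performed using issued SAML token", is ambiguous because SSO to the application happens in step 6 via header injection; at step 4 the BIG-IP (SAML SP) is consuming the assertion to establish the user's APM session, which is what the dropped old step 5 ("BIG-IP authenticates user") conveyed. Suggest "User is redirected to BIG-IP (SAML SP), which validates the issued SAML token and establishes the APM session". Minor: "LDAP based HR system" in step 5 should be "LDAP-based", and the header cell "Steps" reads better as "Step" since each row describes one.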
@@ -89,19 +89,15 @@ Prior BIG-IP experience isn't necessary, but you'll need:
8989

9090
- An account with Azure AD application admin [permissions](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator)
9191

92-
- An [SSL certificate](./f5-bigip-deployment-guide.md#ssl-profile) for publishing services over HTTPS, or use default certificates while testing
92+
- An [SSL Web certificate](./f5-bigip-deployment-guide.md#ssl-profile) for publishing services over HTTPS, or use default BIG-IP certs while testing
9393

9494
- An existing header-based application or [setup a simple IIS header app](/previous-versions/iis/6.0-sdk/ms525396(v=vs.90)) for testing
9595

9696
- A user directory that supports LDAP, such as Windows Active Directory Lightweight Directory Services (AD LDS), OpenLDAP etc.
9797

9898
## BIG-IP configuration methods
9999

100-
There are many methods to deploy BIG-IP for this scenario including a template-driven Guided Configuration wizard, or the manual advanced configuration. This tutorial covers the Easy Button templates offered by the Guided Configuration 16.1 and upwards.
101-
102-
With the **Easy Button**, admins no longer go back and forth between Azure AD and a BIG-IP to enable services for secure hybrid access. The end-to-end deployment and policy management is handled directly between the APM’s Guided Configuration wizard and Microsoft Graph. This rich integration between BIG-IP APM and Azure AD ensures applications can quickly, easily support identity federation, SSO, and Azure AD Conditional Access, reducing administrative overhead.
103-
104-
For scenarios where the Guided Configuration lacks the flexibility to achieve a particular set of requirements, see the [Advanced deployment](#advanced-deployment) at the end of this tutorial.
100+
There are many methods to configure BIG-IP for this scenario, including two template-based options and an advanced configuration. This tutorial covers the latest Guided Configuration 16.1 offering an Easy button template. With the Easy Button, admins no longer go back and forth between Azure AD and a BIG-IP to enable services for SHA. The deployment and policy management is handled directly between the APM’s Guided Configuration wizard and Microsoft Graph. This rich integration between BIG-IP APM and Azure AD ensures that applications can quickly, easily support identity federation, SSO, and Azure AD Conditional Access, reducing administrative overhead.
105101

106102
>[!NOTE]
107103
>All example strings or values referenced throughout this guide should be replaced with those for your actual environment.
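Review bot: the rewritten configuration-methods paragraph drops the closing sentence that pointed readers to the [Advanced deployment](#advanced-deployment) section for requirements the Guided Configuration can't meet; unless that section was removed in the same change, keep the pointer so the anchor stays discoverable. Also, for a consistency PR, "Easy button template" and "the Easy Button" appear with different capitalization in the same paragraph; pick one (the removed text used the bold "**Easy Button**"). In the prerequisites, "SSL Web certificate" is an unusual term, "SSL certificate" as before is clearer, and "default BIG-IP certs" should be spelled out as "certificates".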
@@ -180,7 +176,7 @@ Some of these are global settings so can be re-used for publishing more applicat
180176

181177
The Service Provider settings define the SAML SP properties for the APM instance representing the application protected through secure hybrid access.
182178

183-
1. Enter **Host**. This is the public FQDN of the application being secured. You’ll need a corresponding DNS record for clients to resolve this address, but using a localhost record is fine during testing
179+
1. Enter **Host**. This is usually the FQDN that will be used for the applications external URL
184180

185181
2. Enter **Entity ID**. This is the identifier Azure AD will use to identify the SAML SP requesting a token
186182
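Review bot: "the applications external URL" in the new Host step needs a possessive, "the application's external URL". The removed guidance that clients need a corresponding DNS record (or a localhost record during testing) is not lost, since the same point now appears in the Destination Address step of the virtual server section, but the Host step should still say the value must be the FQDN that clients will resolve, so the two steps are read together.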

@@ -295,7 +291,7 @@ Selected policies should either have an **Include** or **Exclude** option checke
295291

296292
A virtual server is a BIG-IP data plane object represented by a virtual IP address listening for clients requests to the application. Any received traffic is processed and evaluated against the APM profile associated with the virtual server, before being directed according to the policy results and settings.
297293

298-
1. Enter **Destination Address**. This is any available IPv4/IPv6 address that the BIG-IP can use to receive client traffic. A corresponding record should also exist in DNS, enabling clients to resolve the external URL of your BIG-IP published application to this IP.
294+
1. Enter **Destination Address**. This is any available IPv4/IPv6 address that the BIG-IP can use to receive client traffic. A corresponding record should also exist in DNS, enabling clients to resolve the external URL of your BIG-IP published application to this IP, instead of the appllication itself. Using a test PC's localhost DNS is fine for testing.
299295

300296
2. Enter **Service Port** as *443* for HTTPS
301297
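Review bot: typo in the new Destination Address text, "appllication" should be "application". The added closing sentence, "Using a test PC's localhost DNS is fine for testing", is imprecise: the intent, carried over from the removed Host step wording "using a localhost record is fine during testing", is a local hosts file entry on the test machine mapping the application FQDN to this virtual server IP, so suggest "A hosts file entry on a test PC is fine for testing".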
