DualShield - Create an SSO logon procedure

  1. Login to the DualShield management console
  2. In the main menu, select “Authentication | Logon Procedure”
  3. Click the “Create” button on the toolbar
  4. Enter “Name” and select “Web SSO” as the Type

  5. Click “Save”
  6. Click the Context Menu icon of the newly created logon procedure, select “Logon Steps”
  7. In the popup window, click the “Create” button on the toolbar
  8. Select the desired authentication methods, e.g. “Static Password”
  9. Click “Save”
  10. Repeat steps 7 to 9 to add more logon steps if desired, e.g. “One-Time Password”

  11. Click "Save"

DualShield - Create a SAML application

  1. In the main menu, select “Authentication | Applications”
  2. Click the “Create” button on the toolbar
  3. Enter “Name”
  4. Select “Realm”
  5. Select the logon procedure that was just created 

  6. Click “Save”
  7. Click the context menu of the newly created application, select “Agent”, then select “SSO Server”
  8. Click “Save”
  9. Click the context menu of the newly created application, select "Self Test"

F5 - Create a new SP

In the main tab, select “Access Policy | SAML | BIG-IP as SP”

Enter the Name, e.g. "bigip_sp"

In the Entity ID field, use the virtual server URL as the Entity ID

Select "Security Settings":

Select "Want Signed Assertion"

F5 – Download Metadata

Once the SP is created, export its metadata; it is needed later to register this SP in DualShield.

DualShield - Register F5 BIG-IP as a SSO Service Provider

  1. Select “SSO” in the main menu
  2. Select “Service Providers”
  3. Click “Create” on the toolbar

  4. Enable "Sign on SAML assertion"

DualShield - Download IdP Metadata

  1. Select “SSO | SSO Servers”
  2. Click the context menu icon of the SSO server and select “Download IdP Metadata” 

  3. Select the F5 BIG-IP application created in the previous step
  4. Save the metadata file into your hard disk

F5 - Register DualShield as an IdP Connector

In the Main tab, select “Access Policy | SAML | BIG-IP as SP”, which shows the list of SPs that have been created:

Select “External IdP Connectors”

Click the down arrow on the “Create” button to show the drop-down menu, then select “From Metadata”

Select the DualShield IdP metadata downloaded in the previous step

Enter the Name: dualshield

Click “OK” to save it

Now, we need to edit the SAML IdP Connector settings:

Select “Endpoint Settings”, in the Single Sign On Service URL you should see the URL similar to:

http://dualshield.deepnetsecurity.local:8074/appsso/login?DASApplicationName=F5%20BIG-%20IP%20SAML

F5 BIG-IP has a bug: it does not accept URLs containing a question mark (?). Replace the URL with the equivalent path-based form:

http://dualshield.deepnetsecurity.local:8074/appsso/login/kvps/DASApplicationName/F5%20BIG-%20IP%20SAML
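The rewrite above, as an added helper that is not part of the DualShield or F5 documentation: it moves the single query parameter into the /kvps/ path segment without touching its percent-encoding, and rejects anything other than the one-parameter case the page documents, since how /kvps/ encodes several parameters is not stated here. The sample URL is the one from this page.

```python
"""Rewrite the DualShield SSO URL from query-string form to the /kvps/ path form.

Added example, not DualShield or F5 code. Only the single-parameter case shown
on the page is handled; multi-parameter layouts are rejected rather than guessed.
"""
from urllib.parse import urlsplit, urlunsplit

# Sample input: the Single Sign On Service URL as the IdP metadata presents it.
QUERY_URL = ("http://dualshield.deepnetsecurity.local:8074/appsso/login"
             "?DASApplicationName=F5%20BIG-%20IP%20SAML")


def to_kvps_url(url: str) -> str:
    """Return the same URL with its query moved into the path as /kvps/<key>/<value>.

    The query is split on the raw string, not decoded with parse_qs, so the
    percent-encoded application name reaches DualShield byte-for-byte unchanged.
    """
    parts = urlsplit(url)
    if not parts.query:
        raise ValueError("URL has no query string to rewrite")
    pairs = parts.query.split("&")
    if len(pairs) != 1 or "=" not in pairs[0]:
        raise ValueError("only a single key=value parameter is supported")
    key, value = pairs[0].split("=", 1)
    if not key or not value:
        raise ValueError("empty key or value in query string")
    new_path = parts.path.rstrip("/") + f"/kvps/{key}/{value}"
    # Drop the query; scheme, host, port and fragment are kept as they were.
    return urlunsplit((parts.scheme, parts.netloc, new_path, "", parts.fragment))


def accepted_by_bigip(url: str) -> bool:
    """The check the page implies: the IdP connector URL must contain no '?'."""
    return "?" not in url


if __name__ == "__main__":
    fixed = to_kvps_url(QUERY_URL)
    print(fixed, "ok" if accepted_by_bigip(fixed) else "still contains '?'")
```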

F5 - Bind the IdP Connector to the SP 

In the Main tab, select “Access Policy | SAML | BIG-IP as SP”, which shows the list of SPs that have been created:

Select the SP and click the "Bind/Unbind IdP Connectors" button

Click "Add New Row" button:

In the "SAML IdP Connectors" drop-down list, select "dualshield"

Click "Update" to finish it

Now you should see that the SP "bigip_sp" is bound to the IdP "dualshield":

F5 – Configure Access Policy 

Add a “SAML Auth” item to replace the “RADIUS Auth” item in the policy.

Click the plus mark before “RADIUS Auth”. 

Enable the option: “SAML Auth”, then click “Add Item”:

In "AAA Server" field, select "bigip_sp" that we just created and configured, then click "Save" to save it.

Click the cross icon "X" on "RADIUS Auth" to delete it. Now the access policy becomes:

With SAML authentication, the Logon Page provided by BIG-IP is redundant, so delete it as well.

Finally, the access policy looks like:

Now go back to the Access Profiles list; the status flag shows "Modified".

Click "Apply Access Policy" to save it.