Let's start with the Bluesky application. Reminder: Bluesky does not have any authentication enabled.
Connect to the BIG-IP HTTPS user interface from UDF as admin with password admin.
In Access > Guided Configuration, select Microsoft Integration > Azure AD Application.
Click Next and start the configuration. Configure the page as below:
- Configuration Name: IIS-Bluesky-<My Name>
Why my name? Because this app will be created in the Azure AD tenant, and we need to be able to tell all the apps apart. Example: IIS-Bluesky-Matt
In Azure Service Account Details, select Copy Account Info from Existing Configuration, select IIS-baseline, then click Copy.
Note
In the real world, you would enter here the values from the Azure service application created for APM. You have to create an Azure application so that APM gets access to the Microsoft Graph API. For security reasons, the application secret cannot be shown in this lab.
Note
The steps to create this Azure application are below:
- In Azure AD, create a service application under your organization's tenant directory using App Registration.
- Register the app as Azure AD only, single-tenant.
- Request permissions for the Microsoft Graph API and assign the following application permissions to the app:
  - Application.ReadWrite.All
  - Application.ReadWrite.OwnedBy
  - Directory.Read.All
  - Group.Read.All
  - Policy.Read.All
  - Policy.ReadWrite.ApplicationConfiguration
  - User.Read.All
- Grant admin consent for your organization's directory.
- Copy the Client ID, Client Secret and Tenant ID and add them to the Azure AD Application configuration.
Because Application.ReadWrite.All lets its holder modify every application in the tenant, treat the client secret like a privileged admin credential: it belongs on the BIG-IP only, and it must be rotated before it expires.
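The same App Registration steps can be scripted against the Microsoft Graph REST API. The block below is an added example (it is not part of the lab and not F5's code) that does so with only the Python standard library: it resolves the permission names to the appRole GUIDs Graph actually expects, creates the single-tenant app and its service principal, grants admin consent as appRoleAssignments, and mints the client secret. It assumes GRAPH_TOKEN holds a bearer token for an account allowed to create applications and grant admin consent (for example from `az account get-access-token --resource-type ms-graph`); the display name passed in `__main__` is a placeholder.

```python
"""Register the Azure AD application APM needs, via the Microsoft Graph REST API.

Added example (not lab or F5 code): it replays the App Registration steps of
the note above with only the standard library. Assumed: GRAPH_TOKEN holds a
bearer token for an account allowed to create applications and grant admin
consent; the display name used in __main__ is a placeholder.
"""
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's own app ID

# Application (app-only) permissions from the lab note, as Graph appRole "value"s.
REQUIRED_ROLES = [
    "Application.ReadWrite.All",
    "Application.ReadWrite.OwnedBy",
    "Directory.Read.All",
    "Group.Read.All",
    "Policy.Read.All",
    "Policy.ReadWrite.ApplicationConfiguration",
    "User.Read.All",
]


def graph(token, method, path, body=None):
    """One Graph call; urlopen raises HTTPError on any 4xx/5xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def role_ids_by_value(app_roles, wanted):
    """Map permission names to the appRole GUIDs Graph expects.

    app_roles is the appRoles list of the Microsoft Graph service principal.
    A missing name raises on purpose: a typo must not silently grant APM less
    than it needs (Test Connection would only fail later with a vague error).
    """
    index = {r["value"]: r["id"] for r in app_roles}
    missing = [w for w in wanted if w not in index]
    if missing:
        raise KeyError(f"unknown Graph application permissions: {missing}")
    return {w: index[w] for w in wanted}


def build_app_payload(display_name, role_ids):
    """Body for POST /applications: single-tenant app requesting the app roles."""
    return {
        "displayName": display_name,
        "signInAudience": "AzureADMyOrg",  # the portal's "single tenant" choice
        "requiredResourceAccess": [{
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [{"id": rid, "type": "Role"} for rid in role_ids.values()],
        }],
    }


def register_apm_app(token, display_name):
    """Create app + service principal, grant admin consent, mint a secret.

    Returns the three values Guided Configuration asks for. The secret is
    returned exactly once; with Application.ReadWrite.All behind it, it
    should live on the BIG-IP and nowhere else.
    """
    flt = urllib.parse.quote(f"appId eq '{GRAPH_APP_ID}'")
    graph_sp = graph(token, "GET", f"/servicePrincipals?$filter={flt}")["value"][0]
    role_ids = role_ids_by_value(graph_sp["appRoles"], REQUIRED_ROLES)

    app = graph(token, "POST", "/applications", build_app_payload(display_name, role_ids))
    sp = graph(token, "POST", "/servicePrincipals", {"appId": app["appId"]})

    # "Grant admin consent" for application permissions is one appRoleAssignment
    # per role, from the new service principal onto Graph's service principal.
    for rid in role_ids.values():
        graph(token, "POST", f"/servicePrincipals/{sp['id']}/appRoleAssignments",
              {"principalId": sp["id"], "resourceId": graph_sp["id"], "appRoleId": rid})

    secret = graph(token, "POST", f"/applications/{app['id']}/addPassword",
                   {"passwordCredential": {"displayName": "apm-guided-config"}})
    tenant_id = graph(token, "GET", "/organization")["value"][0]["id"]
    return {"tenantId": tenant_id, "clientId": app["appId"], "clientSecret": secret["secretText"]}


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    if not token:
        raise SystemExit("set GRAPH_TOKEN to a Graph bearer token first")
    print(json.dumps(register_apm_app(token, "IIS-Bluesky-Example"), indent=2))
```

The three printed values are exactly what the Azure Service Account Details page asks for. Looking the role IDs up on Graph's own service principal instead of hard-coding GUIDs keeps the script honest if a permission is ever renamed: it fails loudly rather than registering an app with fewer rights than APM needs.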
Click the Test Connection button --> Connection is valid. Click Next.
Configure the page as below:
Select the Azure BIG-IP APM Azure AD... template.
Note
As you can notice, there are several templates available for different applications. Here in this lab we publish a generic app, so we select the first template.
Click Add.
In the new screen, configure the VS as below:
- IP address: 10.1.10.104
- ClientSSL profile: we will get a TLS warning in the browser, but it does not matter for this lab.
Click Save & Next.
Nothing to change on the next page, click Save & Next.
Click Deploy.
Behind the scenes, the deployment creates an Azure Enterprise Application for Bluesky. We can see it in the Azure portal (you don't have access to it in this lab). Through this Enterprise Application, Azure AD knows where to redirect the user after authentication (APM's assertion consumer URL), and the application holds the certificate and private key Azure AD uses to sign the SAML assertions it sends to APM; APM validates those assertions against that certificate.
RDP to the Win10 machine as user with password user.
Open the Microsoft Edge browser (the icon is on the Desktop) and click on the Bluesky bookmark.
You will be redirected to the Azure AD login page. Log in as user1@f5access.onmicrosoft.com; for the password, please ask your instructor.
You are redirected to APM with a SAML assertion and can access the Bluesky application.
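When the last step fails, the quickest way to see why is to look at the SAMLResponse Azure AD POSTs to APM. The block below is an added example (not part of the lab and not F5's code) that decodes that form field and checks the fields that usually break this integration: the issuer (Azure AD always issues as https://sts.windows.net/<tenant-id>/), the Destination (APM's ACS URL), the status, the audience (APM's SP entity ID), the validity window and whether a signature element is present at all. It assumes a constructed tenant ID, a constructed Bluesky hostname with APM's usual /saml/sp/profile/post/acs path, and a constructed sample response; it only inspects the message, it does not verify the signature (that needs XML canonicalisation and the IdP certificate APM imported).

```python
"""Inspect the SAMLResponse Azure AD POSTs to APM at the end of the flow.

Added example, not part of the lab or of F5's code. Capture the SAMLResponse
form field from the browser (DevTools, Network tab, the POST to APM's
/saml/sp/profile/post/acs) and pass the URL-decoded value as argv[1].
Assumed/constructed: TENANT_ID, SP_ENTITY_ID, ACS_URL and SAMPLE_RESPONSE.
"""
import base64
import datetime as dt
import sys
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed placeholders; replace with your tenant ID and the APM SP settings.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
SP_ENTITY_ID = "https://bluesky.f5lab.local"
ACS_URL = "https://bluesky.f5lab.local/saml/sp/profile/post/acs"


def _t(stamp):
    """Parse a SAML xsd:dateTime (UTC, trailing Z, optional fraction)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in stamp else "%Y-%m-%dT%H:%M:%SZ"
    return dt.datetime.strptime(stamp, fmt).replace(tzinfo=dt.timezone.utc)


def check_saml_response(saml_response_b64, tenant_id, sp_entity_id, acs_url, now=None):
    """Return (name_id, problems); an empty problems list means the fields match APM's config."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    # APM's IdP connector must carry exactly this entity ID, trailing slash included.
    expected_issuer = f"https://sts.windows.net/{tenant_id}/"
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} != {expected_issuer!r}")

    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not APM's ACS URL {acs_url!r}")

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (an EncryptedAssertion needs the SP private key)")
        return None, problems

    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"audience {audiences} does not include SP entity ID {sp_entity_id!r}")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        if now < _t(cond.get("NotBefore")) or now >= _t(cond.get("NotOnOrAfter")):
            problems.append("assertion outside its validity window (check clock skew on the BIG-IP)")

    # Presence only: verifying the signature needs XML-DSig canonicalisation and
    # the IdP certificate APM imported from the Azure federation metadata.
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a ds:Signature")

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return name_id, problems


# Constructed sample of what a successful Azure AD response to APM looks like.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" Destination="{ACS_URL}">
 <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>user1@f5access.onmicrosoft.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T11:00:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

if __name__ == "__main__":
    blob = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_RESPONSE_B64
    name, issues = check_saml_response(blob, TENANT_ID, SP_ENTITY_ID, ACS_URL)
    print("NameID:", name)
    print("problems:", issues or "none")
```

Run it with no argument to see the constructed sample pass; with a captured response, each reported problem maps to one APM setting (IdP entity ID, SP entity ID, ACS URL) or to clock skew. A clean report with login still failing usually leaves signature validation, which this script deliberately does not attempt: check the APM logs for the IdP certificate mismatch instead.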