SafeNet Trusted Access for F5 BIG-IP Access Policy Manager

Overview

Configuring SafeNet Trusted Access for F5 BIG-IP Access Policy Manager is a three-step process:

1. F5 BIG-IP Access Policy Manager setup

2. SafeNet Trusted Access setup

3. Verify authentication

F5 BIG-IP Access Policy Manager Setup

As a prerequisite, download the Identity Provider metadata from the SafeNet Trusted Access console by clicking the Download metadata file button. You will need this metadata in one of the steps below.

Perform the following steps to configure SafeNet Trusted Access as your Identity Provider in F5 BIG-IP Access Policy Manager:

1. Configure F5 BIG-IP Access Policy Manager as a service provider

2. Configure SafeNet Trusted Access as an Identity Provider

3. Associate an Identity Provider connector with the Service Provider service

4. Download F5 BIG-IP Access Policy Manager metadata

5. Configure the Webtop list

6. Configure Webtop links

7. Configure an access profile

8. Modify the Access Profile

9. Add SAML Authentication

10. Add a Webtop

11. Configure the Virtual Server

Configure F5 BIG-IP Access Policy Manager as a Service Provider

Perform the following steps to configure F5 BIG-IP Access Policy Manager as a service provider:

1. In a web browser, open the DNS/IP address of F5 BIG-IP Access Policy Manager to log in to the F5 BIG-IP Access Policy Manager administrator management portal.

2. On the Main tab, click Access > Federation > SAML Service Provider > Local SP Services.

3. In the right pane, on the SAML Service Provider tab, click Create.

4. In the Create New SAML SP Service window, under General Settings, complete the following fields:

Field | Value to be Set
Name | Enter a name for the service provider.
Entity ID | Enter the URL of the virtual server in the following format: https://<IP Address/FQDN of the Virtual Server>

5. Click Security Settings and perform the following steps:

a. Under Authentication and Encryption Settings, select the Sign Authentication Request check box.

b. In the Message Signing Private Key field, select the private key that F5 BIG-IP Access Policy Manager uses to sign the authentication requests (for example, /Common/default.key).

c. In the Message Signing Certificate field, select the certificate that F5 BIG-IP Access Policy Manager uses to sign the authentication requests (for example, /Common/default.crt).

d. Click OK.

Configure SafeNet Trusted Access as an Identity Provider

Perform the following steps to configure SafeNet Trusted Access as your Identity Provider in F5 BIG-IP Access Policy Manager:

1. On the Main tab, click Access > Federation > SAML Service Provider > External IdP Connectors.

2. In the right pane, click Create > From Metadata.

3. In the Create New SAML IdP Connector window, perform the following steps:

a. Click Browse to search for and select the Identity Provider metadata that you downloaded earlier from the SafeNet Trusted Access console.

b. In the Identity Provider Name field, enter a name for the identity provider.

c. Click OK.

Associate an Identity Provider Connector with the Service Provider Service

Perform the following steps to associate an identity provider (IdP) connector with the SP service:

1. On the Main tab, click Access > Federation > SAML Service Provider > Local SP Services.

2. On the SAML Service Provider tab, select the Service Provider service that you created earlier in the Configure F5 BIG-IP Access Policy Manager as a Service Provider section, and then click Bind/Unbind IdP Connectors.

3. In the Edit SAML IDPs that use this SP window, click Add New Row.

4. In the SAML IdP Connectors column, select the Identity Provider connector, click Update, and then click OK.

Download F5 BIG-IP Access Policy Manager Metadata

Perform the following steps to download the F5 BIG-IP Access Policy Manager metadata:

1. On the Main tab, click Access > Federation > SAML Service Provider > Local SP Services.

2. On the SAML Service Provider tab, select the SP service that you created earlier in the Configure F5 BIG-IP Access Policy Manager as a Service Provider section, and then click Export Metadata.

3. In the Export SP Metadata window, click Download, and then save the metadata file on your local machine.
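
The exported file can be checked offline before it is uploaded to SafeNet Trusted Access. The following is an added example, not part of the vendor documentation: it parses SAML SP metadata and reports whether the entity ID and ACS locations use HTTPS, whether AuthnRequestsSigned reflects the Sign Authentication Request setting, and the SHA-256 fingerprint of each published signing certificate. The sample metadata, host name, ACS path and certificate bytes are constructed placeholders, and the WantAssertionsSigned check is a general SAML metadata check that goes beyond the settings configured on this page.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"

def check_sp_metadata(xml_text):
    """Return (findings, sha256 fingerprints of published signing certs)."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in metadata")
    root = ET.fromstring(xml_text)
    sp = root.find(MD + "SPSSODescriptor")
    if root.tag != MD + "EntityDescriptor" or sp is None:
        return ["not SAML SP metadata"], []
    findings, prints = [], []
    if not root.get("entityID", "").startswith("https://"):
        findings.append("entityID is not an https:// URL")
    # Should be true when Sign Authentication Request is selected on the SP service.
    if sp.get("AuthnRequestsSigned", "false") not in ("true", "1"):
        findings.append("AuthnRequestsSigned is not true")
    if sp.get("WantAssertionsSigned", "false") not in ("true", "1"):
        findings.append("WantAssertionsSigned is not true")
    for kd in sp.findall(MD + "KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # no "use" means any purpose
            for cert in kd.iter(DS + "X509Certificate"):
                der = base64.b64decode("".join((cert.text or "").split()))
                prints.append(hashlib.sha256(der).hexdigest())
    if not prints:
        findings.append("no signing certificate published")
    for acs in sp.findall(MD + "AssertionConsumerService"):
        if not acs.get("Location", "").startswith("https://"):
            findings.append("ACS Location is not https://: " + acs.get("Location", ""))
    return findings, prints

def sample_metadata(entity_id, signed):
    """Constructed SP metadata for the demo; host and ACS path are placeholders."""
    cert = base64.b64encode(PLACEHOLDER_DER).decode()
    return (f'<EntityDescriptor xmlns="{MD[1:-1]}" entityID="{entity_id}">'
            f'<SPSSODescriptor AuthnRequestsSigned="{signed}" WantAssertionsSigned="true">'
            f'<KeyDescriptor use="signing"><KeyInfo xmlns="{DS[1:-1]}"><X509Data>'
            f'<X509Certificate>{cert}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>'
            f'<AssertionConsumerService index="0" Location="{entity_id}/acs"/>'
            f'</SPSSODescriptor></EntityDescriptor>')

if __name__ == "__main__":
    print(check_sp_metadata(sample_metadata("https://vpn.example.com", "true")))
```

Compare the reported fingerprint with the SHA-256 fingerprint of the certificate selected in the Message Signing Certificate field to confirm that the exported file carries the intended signing certificate.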

Configure the Webtop List

Perform the following steps to configure the Webtop list:

1. On the Main tab, click Access > Webtops > Webtop Lists.

2. On the Webtop Lists tab, click Create.

3. Complete the following fields and then click Finished.

Field | Value to be Set
Name | Enter a name for the Webtop.
Type | Select Full.

Configure Webtop Links

Perform the following steps to configure Webtop links:

1. On the Main tab, click Access > Webtops > Webtop Links.

2. On the Webtop Link List tab, click Create.

3. Complete the following fields and then click Finished.

Field | Value to be Set
Name | Enter a name for the Webtop link.
Description | Enter a description for the link.
Link Type | Select either Application URI or Hosted Contents. For example, if your resource is an application, select Application URI.
Application URI | Enter the application URI. This field is available only when Application URI is selected as the Link Type.
Hosted File | Enter the hosted file name. This field is available only when Hosted Contents is selected as the Link Type.
Caption | Enter the caption. By default, the caption is the same as the Webtop link name.

Configure an Access Profile

Perform the following steps to configure an access profile:

1. On the Main tab, click Access > Profiles / Policies > Access Profiles (Per-Session Policies).

2. On the Access Profiles tab, click Create.

3. Under General Properties, complete the following fields:

Field | Value to be Set
Name | Enter a name for the profile.
Profile Type | Select All.

4. Under Language Settings, in the Factory BuiltIn Languages list, select a language, and then click << to move the selected language to the Accepted Languages list.

5. Click Finished.

Modify the Access Profile

Perform the following steps to modify the Access Profile:

1. On the Main tab, click Access > Profiles / Policies > Access Profiles (Per-Session Policies).

2. On the Access Profiles tab, select the access profile that you created in Configure an Access Profile and click Edit to modify the access profile. The Visual Policy editor is displayed in a new tab.

3. In the Visual Policy editor, on a rule branch of the Access Policy, click the + icon to add an action.

Add SAML Authentication

Perform the following steps to add SAML authentication:

1. In the Visual Policy editor, click + after Start.

2. On the Authentication tab, select SAML Auth and then click Add Item.

3. Under SAML Authentication SP, in the AAA Server field, select the SAML service provider that you configured earlier (for example, /Common/SafeNet_SP).

4. Click Save.

Add a Webtop

Perform the following steps to add a Webtop:

1. In the Visual Policy editor, click the + icon in the Successful branch of SAML Auth.

2. On the Assignment tab, select the Advanced Resource Assign option and then click Add Item.

3. Under Resource Assignment, click Add new entry.

4. Under Expression, click Add/Delete.

5. Click the Webtop Links tab and then select the link that you created earlier in Configure Webtop Links.

6. Click the Webtop tab, select the webtop that you created earlier in Configure the Webtop List, and then click Update.

7. Click Save and then click Apply Access Policy.

Configure the Virtual Server

Perform the following steps to configure the Virtual Server:

1. On the Main tab, click Local Traffic > Virtual Servers.

2. On the Virtual Server List tab, click Create.

3. Under General Properties, complete the following fields:

Field | Value to be Set
Name | Enter a name for the virtual server.
Destination Address/Mask | Enter the host IP address of the virtual server.
Service Port | Select HTTPS.

4. Under Configuration, complete the following fields:

Field | Value to be Set
HTTP Profile | Select http.
SSL Profile (Client) | In the Available list, select the client SSL profile and then click << to move the selected profile to the Selected list. If no client SSL profile is configured, select the default SSL profile from the Available list.

5. Under Access Policy, in the Access Profile field, select the access profile that you created earlier in Configure an Access Profile to associate it with the virtual server.

6. Click Finished.

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in F5 BIG-IP Access Policy Manager, the second step is to activate the F5 BIG-IP Access Policy Manager application in SafeNet Trusted Access by performing the following steps:

1. In the Applications pane, the F5 BIG-IP Access Policy Manager application that you added previously is inactive by default. To configure and activate it, click the application (for example, F5 BIG-IP Access Policy Manager) and proceed to the next step.

2. Under STA Setup, click Upload F5 BIG-IP Access Policy Manager Metadata.

3. In the Metadata upload window, click Browse to search for and select the F5 BIG-IP Access Policy Manager metadata that you saved in step 3 of Download F5 BIG-IP Access Policy Manager Metadata.

Under Account Details, the service provider metadata information is displayed.

4. Click Save Configuration to save the details and activate the F5 BIG-IP Access Policy Manager application in SafeNet Trusted Access.

Verify Authentication

Using STA Console

Navigate to the F5 BIG-IP Access Policy Manager URL, https://<domainName>.<application.com>, where <domainName> is the name of your organization that you registered in F5 BIG-IP Access Policy Manager. You will be redirected to the SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to F5 BIG-IP Access Policy Manager Webtops after authentication.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the F5 BIG-IP Access Policy Manager application icon; you should be redirected to the F5 BIG-IP Access Policy Manager Webtops after authentication.