OPSWAT MetaAccess can be easily integrated with an existing F5 BIG-IP & Salesforce integration to ensure that a device is compliant with the organization's security policy before it is granted access to Salesforce. This ensures that the device is not only authenticated by the IdP, but also checked for security risks and vulnerabilities such as encryption, infections or unpatched versions of operating systems, BEFORE it access an organization's cloud services.

You can learn more details for each step here at 3.1.1. How to set it up?

Step 1. Enable Access Control on your MetaAccess account
Step 2. Enable Single Sign-On on F5 BIG-IP APM
Step 3. Configure SSO settings on applications
Step 4. Add Application on MetaAccess
Step 5. Update Applications settings on Identity Provider
Step 6: Test your integration

Step 1. Enable Access Control on your MetaAccess account

Login to the MetaAccess console
Navigate to Access Control and then Configurations
Check on the box "Enable access control" and configure a port for the cross-domain API. Note that you must select a port which no applications on endpoints is running.
Click SAVE.

Step 2. Enable Single Sign-On on F5 BIG-IP APM

Note: if you already enabled single sign-on on F5 BIG-IP APM and integrated Salesforce app there, you can jump to step 2-9 to download a certificate which you configured for Salesforce app on F5 BIG-IP APM for later use. You can refer F5 - Module 1: SAML Identity Provider for more details.

Login to your F5 BIG-IP console
Go to Access → Federation → SAML Identity Provider → Local IDP Service then click Create
1. General Settings:
  IDP Service Name: an unique name, for ex: F5_AS_IDP
  Idp Entity ID: uniqe ID, for ex: https:<ip address>/F5_AS_IDP
  Scheme: https
  Host: your host name or IP address
2. Assertion Settings:
  Assertion Subject Type: Unspecificed
  Assertion Subject Value: %{session.logon.last.username}
3. Security Settings
  Choose your Singing Key and Signing Certificate, we use default key and value for this demo
4. Then click OK.
Go to Access → Webtops → Webtop Lists to create new Webtop
Name: an unique name, for ex: full_webtop
Type: Full

Then click Finished
Go to Access → Federation → SAML Resources to create new SAML Resource
Name: an unique name, for ex: Salesforce
Publish on Webtop: check Enable
SSO Configuration: choose the one created in step 2.2
Click Finished
Authentication: F5 BIGIP provides many authentication methods like Kerberos, Active Directory, LDAP,... We use Local User DB for this demo.
Go to Access → Profiles / Policies → Access Profiles then click on Create
Name: an unique name, for ex: F5_AS_IDP
Profile Type: All

Then click on Finished
Edit Access Policy for the Access Profile
1. Click Edit in the Per-Session Policy field of the newly created Access profile
2. Logon Page is default
3. LocalDB Auth
  1. LocalDB Auth is for demonstration purposes only
  2. For this example, select a valid LocalDB Instance that you can populate
4. Advanced Resource Assign:
  Add an expression for LocalDB Auth has Passed and assign the previously created Webtop and SAML Resource based on that success.
5. Change the result of the fallback Branch for Advanced Resource Assign to Allow.
Create Virtual Server for IdP Service and Webtop
1. Go to Local Traffic → Virtual Servers → Virtual Server List then click Create
2. General Properties :
  
  Name : an unique name
  Type : Standard
  Source Address : 0.0.0.0/0
  Destination Address/Mask : your IP address
  Service Port : An available port that aligns with the port specified or implied in previous steps. For ex: 443, HTTPS
  State : Enabled
3. Configuration : (basic)
4. Access policy
  
  Access Profile : Select the access profile configured in step 2.6
5. Click Finished
Download certificate: you need to upload this certificate to MetaAccess later
1. Go to System → Certificate Management → Traffic Certificate management → SSL Certificate List
2. Choose certificate that is used to singing SAML data. We use default certificate for demo purpose
3. Click Export

Step 3. Configure SSO settings on applications

On MetaAccess console, navigate to Access Control > Configurations
Click Download OPSWAT certificate to download a self-signed certificate MetaAccess generated for your account
Go to Local IDP Services in BIGIP and choose the one created in step 2.2
Click on Export Metadata
Login to Salesforce as administrator
Navigate to Setup > Security Controls > Single Sign-On Settings , click on New from Metadata File then choose the file get from above step

Upload OPSWAT certificate from your MetaAccess account which you downloaded from Step 3.2
Get Login URL:
Get Logout URL
1. You can find "Logout" link when you click on your name
2. Right-click Logout link and select "Copy link address" to copy logout URL

Step 4. Add Application on MetaAccess

Login to the MetaAccess console
Navigate to Access Control and then Configurations
Add new IDP Provider
1. On the Identity Providers tab, click " Add New Identity Provider " to add your IdP
2. Fill in required fields for the Identity Provider
  1. IdP Name : an IdP name, for example: F5
  2. IdP Certificate : upload F5 certificate you downloaded in Step 2.9
  3. Click Add IDP
  4. Click Save
Add Application:
1. Expand the F5 BIG_IP APM IdP settings you have just added above.
2. Click Add New Application
3. Enter required field:
  1. Application : application name, for example: Salesforce
  2. IdP Login URL: https://<BIGIP host>/saml/idp/res=?id=/<SAML Resource path>/ <SAML Resource name>. For ex: https://10.0.4.83 /saml/idp/res=/Common/Saleforce
  3. Application Login URL : application login URL which you have from Step 3.6
  4. Application Logout URL : application logout URL which you have from Step 3.7
  5. Access Mode : pick an access mode you prefer.
  6. Click Save
After saving your changes sucessfully, click the Setup Instructions button of the Salesforce application you have just added and then copy the URL MetaAccess generated there.
Configure Access Rules
1. On Access Rules tab, click "ADD NEW RULE" to add a new rule for this application OR you can update existing access rules to add this application
2. With a new access rule, you need to specify how you would like to block/allow access a device from the application
  1. Rule name: a rule name, for example Block non-compliant devices
  2. Action: Block or Allow
  3. Configure conditions to do the action. Details at Step 3. Configure Access Rules
3. Click ADD RULE

Step 5. Update Applications settings on Identity Provider

Login to your F5 BIGIP console
Go to Access → Federation → SAML Identity Provider → External SP Connector then click Create to create new SP Connector
1. Service Provider Name: an unique service name
2. Service Provider Entity ID: an unique entity ID
3. ACS URL: specific URL user will be redirected after login to BIGIP from Step 4.5
4. Make sure Response must be signed and Assertion must be signed checked
5. Then click OK to finish
6. Now choose the IDP Service just created in Step 2.2 then click on Bind/Unbind SP Connectors and choose the SP Connector created in Step 5.2

Step 6: Test your integration

Follow guideline at Step 6: Test your integration to test your integration to verify if it works as your expectation.

DONE! CONGRATULATIONS.

F5 BIG-IP APM with Salesforce