F5 BIG-IP APM with Salesforce
OPSWAT MetaAccess can be integrated with an existing F5 BIG-IP APM and Salesforce single sign-on setup so that a device is checked for compliance with the organization's security policy before it is granted access to Salesforce. The device is then not only authenticated by the IdP but also checked for security risks such as missing disk encryption, infections or an unpatched operating system BEFORE it accesses the organization's cloud services. The steps below place MetaAccess between F5 BIG-IP APM (the SAML identity provider) and Salesforce (the SAML service provider): MetaAccess trusts the certificate F5 uses to sign SAML data, and Salesforce trusts the certificate MetaAccess issues for your account.
You can find more details for each step at 3.1.1. How to set it up?
Step 1. Enable Access Control on your MetaAccess account
1.1. Login to the MetaAccess console
1.2. Navigate to Access Control and then Configurations
1.3. Check the box "Enable access control" and configure a port for the cross-domain API. You must select a port that no application on the endpoints is already using.
1.4. Click SAVE.
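The port chosen in step 1.3 has to be unused on every endpoint, not just on the admin's machine. The following script is an added example (not part of OPSWAT's or F5's documentation) that you can run on representative endpoints before committing the port: it tries to bind each candidate on the loopback interface and probes for an existing listener, and also occupies a port itself to show what a conflict looks like. The candidate port numbers are assumptions chosen for illustration.

```python
"""Check that a candidate cross-domain API port is unused on this endpoint.

Added example, not part of OPSWAT's or F5's documentation. Step 1 requires a
port that no application on the endpoints is already using; this script tries
to bind the candidate on the loopback interface and also probes for a listener,
so it can be run (or pushed via your endpoint tooling) on representative
devices before the port is committed in the MetaAccess console. The candidate
port numbers in main() are assumptions chosen for illustration.
"""
import socket
from typing import Iterable, Optional


def port_is_bindable(port: int, host: str = "127.0.0.1") -> bool:
    """True if a new TCP socket can bind host:port right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:        # EADDRINUSE, EACCES (privileged port), ...
            return False
    return True


def listener_present(port: int, host: str = "127.0.0.1") -> bool:
    """True if something accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(0.5)
        return s.connect_ex((host, port)) == 0


def port_is_free(port: int) -> bool:
    """A port is usable for the local API only if it is bindable and nobody answers."""
    return port_is_bindable(port) and not listener_present(port)


def first_free_port(candidates: Iterable[int]) -> Optional[int]:
    """Return the first usable candidate, or None if every one is taken."""
    return next((p for p in candidates if port_is_free(p)), None)


def hold_port(host: str = "127.0.0.1") -> socket.socket:
    """Occupy an ephemeral port (used below to show what a conflict looks like)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    busy = hold_port()
    busy_port = busy.getsockname()[1]
    candidates = [busy_port, 8080, 9000, 11369]          # assumed candidates
    for p in candidates:
        print(f"port {p}: free={port_is_free(p)}")
    print("first free candidate:", first_free_port(candidates))
    busy.close()
```

Both checks are needed: a bind failure catches anything already bound (including wildcard listeners and privileged ports the agent could not open), while the connect probe catches a listener that happens to allow shared binding. Run it under the same account the endpoint agent uses, since privileged ports behave differently for root and for users.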
Step 2. Enable Single Sign-On on F5 BIG-IP APM
Note: if you have already enabled single sign-on on F5 BIG-IP APM and integrated the Salesforce app there, you can jump to step 2.9 to download the certificate you configured for the Salesforce app on F5 BIG-IP APM for later use. Refer to F5 - Module 1: SAML Identity Provider for more details.
2.1. Login to your F5 BIG-IP console
2.2. Go to Access → Federation → SAML Identity Provider → Local IDP Services, then click Create
  General Settings:
    IDP Service Name: a unique name, for example F5_AS_IDP
    IdP Entity ID: a unique ID, for example https://<ip address>/F5_AS_IDP
    Scheme: https
    Host: your host name or IP address
  Assertion Settings:
    Assertion Subject Type: Unspecified
    Assertion Subject Value: %{session.logon.last.username}
  Security Settings:
    Choose your Signing Key and Signing Certificate. We use the default key and certificate for this demo; for production, use a certificate dedicated to SAML signing rather than the default BIG-IP certificate. The certificate chosen here is the one you export in step 2.9 and upload to MetaAccess.
  Then click OK.
2.3. Go to Access → Webtops → Webtop Lists to create a new Webtop
  Name: a unique name, for example full_webtop
  Type: Full
  Then click Finished
2.4. Go to Access → Federation → SAML Resources to create a new SAML Resource
  Name: a unique name, for example Salesforce
  Publish on Webtop: check Enable
  SSO Configuration: choose the IdP service created in step 2.2
  Click Finished
2.5. Authentication: F5 BIG-IP provides many authentication methods such as Kerberos, Active Directory and LDAP. We use Local User DB for this demo.
2.6. Go to Access → Profiles / Policies → Access Profiles, then click Create
  Name: a unique name, for example F5_AS_IDP
  Profile Type: All
  Then click Finished
2.7. Edit the Access Policy of the Access Profile
  - Click Edit in the Per-Session Policy field of the newly created Access Profile
  - Logon Page: keep the default
  - LocalDB Auth: add a LocalDB Auth item. LocalDB Auth is for demonstration purposes only; for this example, select a valid LocalDB Instance that you can populate.
  - Advanced Resource Assign: add an expression for "LocalDB Auth has Passed" and, on that branch, assign the Webtop and SAML Resource created in steps 2.3 and 2.4.
  - Change the ending of the fallback branch after Advanced Resource Assign from Deny to Allow.
2.8. Create a Virtual Server for the IdP Service and Webtop
  Go to Local Traffic → Virtual Servers → Virtual Server List, then click Create
  General Properties:
    Name: a unique name
    Type: Standard
    Source Address: 0.0.0.0/0
    Destination Address/Mask: your IP address
    Service Port: an available port that matches the scheme and host configured in step 2.2, for example 443 (HTTPS)
    State: Enabled
  Configuration: (basic)
  Access Policy:
    Access Profile: select the access profile created in step 2.6
  Click Finished
2.9. Download the certificate; you will upload it to MetaAccess later
  Go to System → Certificate Management → Traffic Certificate Management → SSL Certificate List
  Choose the certificate that is used to sign SAML data (the Signing Certificate selected in step 2.2). We use the default certificate for demo purposes.
  Click Export
Step 3. Configure SSO settings on the applications
3.1. On the MetaAccess console, navigate to Access Control > Configurations
3.2. Click Download OPSWAT certificate to download the self-signed certificate MetaAccess generated for your account
3.3. On BIG-IP, go to Local IDP Services, choose the IdP service created in step 2.2 and click Export Metadata
3.4. Login to Salesforce as an administrator
3.5. Navigate to Setup > Security Controls > Single Sign-On Settings, click New from Metadata File and choose the metadata file exported in step 3.3. Then upload the OPSWAT certificate you downloaded from your MetaAccess account in step 3.2 as the identity provider certificate: from Salesforce's point of view, MetaAccess is the identity provider.
3.6. Get the Login URL
3.7. Get the Logout URL
  - You can find the "Logout" link when you click on your name
  - Right-click the Logout link and select "Copy link address" to copy the logout URL
Step 4. Add the application on MetaAccess
4.1. Login to the MetaAccess console
4.2. Navigate to Access Control and then Configurations
4.3. Add a new Identity Provider
  - On the Identity Providers tab, click "Add New Identity Provider" to add your IdP
  - Fill in the required fields for the Identity Provider:
    IdP Name: an IdP name, for example F5
    IdP Certificate: upload the F5 certificate you downloaded in step 2.9
  - Click Add IDP
  - Click Save
4.4. Add the application
  - Expand the F5 BIG-IP APM IdP settings you have just added
  - Click Add New Application
  - Enter the required fields:
    Application: the application name, for example Salesforce
    IdP Login URL: https://<BIG-IP host>/saml/idp/res?id=<SAML Resource path>/<SAML Resource name>, for example https://10.0.4.83/saml/idp/res?id=/Common/Salesforce
    Application Login URL: the application login URL you obtained in step 3.6
    Application Logout URL: the application logout URL you obtained in step 3.7
    Access Mode: pick the access mode you prefer
  - Click Save
4.5. After saving your changes successfully, click the Setup Instructions button of the Salesforce application you have just added and copy the URL MetaAccess generated there. This is the ACS URL you will configure on F5 in step 5.
4.6. Configure Access Rules
  - On the Access Rules tab, click "ADD NEW RULE" to add a new rule for this application, or update an existing access rule to include this application
  - For a new access rule, specify whether to block or allow a device's access to the application:
    Rule name: a rule name, for example Block non-compliant devices
    Action: Block or Allow
    Configure the conditions under which the action applies. Details at Step 3. Configure Access Rules
  - Click ADD RULE
Step 5. Update the application settings on the Identity Provider
5.1. Login to your F5 BIG-IP console
5.2. Go to Access → Federation → SAML Identity Provider → External SP Connectors, then click Create to create a new SP Connector
  Service Provider Name: a unique service name
  Service Provider Entity ID: a unique entity ID
  ACS URL: the URL users are redirected to after logging in to BIG-IP; use the URL you copied from MetaAccess in step 4.5
  Make sure both "Response must be signed" and "Assertion must be signed" are checked, so that MetaAccess can verify the SAML data against the F5 certificate uploaded in step 4.3
  Then click OK to finish
5.3. Select the IdP Service created in step 2.2, click Bind/Unbind SP Connectors and choose the SP Connector created in step 5.2
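Before testing end to end, it is worth checking the two SAML artifacts produced by steps 3.3 and 5.2 directly. The script below is an added example, not OPSWAT's or F5's code: parse_idp_metadata() reads the IdP metadata exported from BIG-IP and returns the entityID and signing certificate (so you can confirm the certificate uploaded in step 4.3 is the one F5 actually signs with), and check_saml_response() inspects a SAML Response captured in the browser for the properties this configuration depends on: a signature on the Response AND on the Assertion, an Issuer equal to the IdP entityID, a Destination equal to the MetaAccess ACS URL, and an Audience equal to the SP connector's entity ID. The metadata and response XML are constructed for the example; 10.0.4.83 is the page's demo host, while the metaaccess.example URLs and the certificate text are placeholders, not real values. The sample response deliberately has an unsigned Assertion to show what a missed "Assertion must be signed" checkbox looks like. Signatures are checked for presence only; verify them with a SAML library and the exported certificate.

```python
"""Structural checks on the SAML metadata and responses this integration uses.

Added example, not OPSWAT's or F5's code. parse_idp_metadata() reads the IdP
metadata exported from BIG-IP in step 3.3; check_saml_response() inspects a SAML
Response captured in the browser for what steps 4.3 and 5.2 rely on: signatures
on the Response AND the Assertion, Issuer equal to the IdP entityID, Destination
equal to the MetaAccess ACS URL, and Audience equal to the SP entity ID. All XML
is constructed (10.0.4.83 is the page's demo host; the metaaccess.example URLs and
the certificate text are placeholders). Signatures are checked for presence only.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed metadata in the shape BIG-IP exports for a Local IdP Service.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://10.0.4.83/F5_AS_IDP">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU</ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Location="https://10.0.4.83/saml/idp/profile/redirectorpost/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed response: the Response is signed but the Assertion is not, which
# is what you get if "Assertion must be signed" was left unchecked in step 5.2.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" Destination="https://metaaccess.example/acs/abc123">
 <saml:Issuer>https://10.0.4.83/F5_AS_IDP</saml:Issuer>
 <ds:Signature><ds:SignedInfo/><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>https://10.0.4.83/F5_AS_IDP</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2024-01-01T00:05:00Z"><saml:AudienceRestriction>
   <saml:Audience>https://metaaccess.example/sp/abc123</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""


def pem_to_b64(pem: str) -> str:
    """Strip PEM armor and line breaks so an exported .crt compares to metadata text."""
    return "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith("-----"))


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 fingerprint of a base64 DER certificate, colon separated."""
    hexd = hashlib.sha256(base64.b64decode(b64_cert)).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def parse_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Return the entityID and signing certificates from IdP metadata."""
    root = ET.fromstring(xml_text)
    certs = ["".join(c.text.split())
             for kd in root.findall(".//md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"   # ignore encryption-only keys
             for c in kd.findall(".//ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "signing_certs": certs}


def check_saml_response(xml_text: str, idp_entity_id: str,
                        acs_url: str, sp_entity_id: str) -> List[str]:
    """Return findings; an empty list means the response matches the configuration."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} is not the MetaAccess ACS URL")
    if root.findtext("saml:Issuer", "", NS).strip() != idp_entity_id:
        findings.append("Response Issuer does not match the IdP entityID")
    if root.find("ds:Signature", NS) is None:
        findings.append("Response is not signed ('Response must be signed' unchecked?)")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        findings.append(f"expected one plaintext Assertion, found {len(assertions)}")
        return findings
    a = assertions[0]
    if a.find("ds:Signature", NS) is None:
        findings.append("Assertion is not signed ('Assertion must be signed' unchecked?)")
    if not a.findtext("saml:Subject/saml:NameID", "", NS).strip():
        findings.append("Assertion has no NameID (check Assertion Subject Value in step 2.2)")
    audiences = [x.text.strip() for x in a.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append(f"Audience {audiences} does not include SP entity ID {sp_entity_id!r}")
    return findings


if __name__ == "__main__":
    meta = parse_idp_metadata(IDP_METADATA)
    print("IdP entityID:", meta["entity_id"])
    print("signing cert SHA-256:", cert_fingerprint(meta["signing_certs"][0]))
    for f in check_saml_response(SAML_RESPONSE, meta["entity_id"],
                                 "https://metaaccess.example/acs/abc123",
                                 "https://metaaccess.example/sp/abc123"):
        print("FINDING:", f)
```

To confirm that the certificate exported in step 2.9 is the one in the metadata, compare cert_fingerprint(pem_to_b64(open("exported.crt").read())) with the fingerprint of meta["signing_certs"][0]; a mismatch means MetaAccess was given a different certificate than the one F5 signs with, and every login will fail signature validation. When you capture a real response, decode the base64 SAMLResponse form field first, then pass the XML to check_saml_response() with the ACS URL from step 4.5 and the entity ID from step 5.2.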
Step 6. Test your integration
Follow the guideline at Step 6: Test your integration to verify that the integration works as expected.
DONE! CONGRATULATIONS.