Tutorial: Configure F5 BIG-IP Easy Button for SSO to SAP ERP
In this article, learn to secure SAP Enterprise Resource Planning (ERP) using Microsoft Entra ID, with F5 BIG-IP Easy Button Guided Configuration 16.1. Integrating a BIG-IP with Microsoft Entra ID has many benefits:
- Zero Trust framework to enable remote work
- What is Conditional Access?
- Single sign-on (SSO) between Microsoft Entra ID and BIG-IP published services
- Manage identities and access from the Microsoft Entra admin center
Learn more:
Scenario description
This scenario includes the SAP ERP application using Kerberos authentication to manage access to protected content.
Legacy applications lack modern protocols to support integration with Microsoft Entra ID. Modernization is costly, requires planning, and introduces potential downtime risk. Instead, use an F5 BIG-IP Application Delivery Controller (ADC) to bridge the gap between the legacy application and the modern ID control plane, through protocol transitioning.
A BIG-IP in front of the application enables overlay of the service with Microsoft Entra preauthentication and headers-based SSO. This configuration improves overall application security posture.
Scenario architecture
The secure hybrid access (SHA) solution has the following components:
- SAP ERP application - a BIG-IP published service protected by Microsoft Entra SHA
- Microsoft Entra ID - Security Assertion Markup Language (SAML) identity provider (IdP) that verifies user credentials, Conditional Access, and SAML-based SSO to the BIG-IP
- BIG-IP - reverse-proxy and SAML service provider (SP) to the application. BIG-IP delegates authentication to the SAML IdP then performs header-based SSO to the SAP service
SHA supports SP and IdP initiated flows. The following image illustrates the SP-initiated flow.
- User connects to application endpoint (BIG-IP).
- BIG-IP Access Policy Manager (APM) access policy redirects user to Microsoft Entra ID (SAML IdP).
- Microsoft Entra ID preauthenticates user and applies enforced Conditional Access policies.
- User is redirected to BIG-IP (SAML SP) and SSO occurs with issued SAML token.
- BIG-IP requests Kerberos ticket from the key distribution center (KDC).
- BIG-IP sends request to back-end application, with the Kerberos ticket for SSO.
- Application authorizes request and returns payload.
Prerequisites
- A Microsoft Entra ID Free account, or higher
- If you don't have one, get an Azure free account
- A BIG-IP or a BIG-IP Virtual Edition (VE) in Azure
- Any of the following F5 BIG-IP licenses:
- F5 BIG-IP® Best bundle
- F5 BIG-IP APM standalone license
- F5 BIG-IP APM add-on license on an existing BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)
- 90-day BIG-IP full feature trial license
- User identities synchronized from an on-premises directory to Microsoft Entra ID, or created in Microsoft Entra ID and flowed back to the on-premises directory
- One of the following roles: Cloud Application Administrator, or Application Administrator.
- An SSL Web certificate to publish services over HTTPS, or use default BIG-IP certs for testing
- An SAP ERP environment configured for Kerberos authentication
BIG-IP configuration methods
This tutorial uses Guided Configuration 16.1 with an Easy Button template. With the Easy Button, admins don't go between Microsoft Entra ID and a BIG-IP to enable services for SHA. The APM Guided Configuration wizard and Microsoft Graph handle deployment and policy management. This integration ensures applications support identity federation, SSO, and Conditional Access.
Note
Replace example strings or values in this guide with those in your environment.
Register Easy Button
Tip
Steps in this article might vary slightly based on the portal you start from.
Before a client or service accesses Microsoft Graph, the Microsoft identity platform must trust it.
See, Quickstart: Register an application with the Microsoft identity platform
Register the Easy Button client in Microsoft Entra ID, then establishes a trust between SAML SP instances of a BIG-IP published application, and Microsoft Entra ID as the SAML IdP.
Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
Browse to Identity > Applications > App registrations > New registration.
Enter a Name for the new application.
In Accounts in this organizational directory only, specify who can use the application.
Select Register.
Navigate to API permissions.
Authorize the following Microsoft Graph Application permissions:
- Application.Read.All
- Application.ReadWrite.All
- Application.ReadWrite.OwnedBy
- Directory.Read.All
- Group.Read.All
- IdentityRiskyUser.Read.All
- Policy.Read.All
- Policy.ReadWrite.ApplicationConfiguration
- Policy.ReadWrite.ConditionalAccess
- User.Read.All
Grant admin consent for your organization.
On Certificates & Secrets, generate a new client secret.
Note the secret.
From Overview, note the Client ID and Tenant ID.
Configure the Easy Button
- Initiate the APM Guided Configuration.
- Launch the Easy Button template.
- From a browser, sign-in to the F5 BIG-IP management console.
- Navigate to Access > Guided Configuration > Microsoft Integration.
- Select Microsoft Entra Application.
- Review the configuration list.
- Select Next.
- Follow the configuration sequence under Microsoft Entra Application Configuration.
Configuration Properties
The Configuration Properties tab has service account properties and creates a BIG-IP application config and SSO object. The Azure Service Account Details section represents the client you registered as an application, in the Microsoft Entra tenant. Use the settings for BIG-IP OAuth client to individually register a SAML SP in the tenant, with the SSO properties. Easy Button does this action for BIG-IP services published and enabled for SHA.
Note
Some settings are global and can be re-used to publish more applications.
- Enter a Configuration Name. Unique names differentiate Easy Button configurations.
- For Single Sign-On (SSO) & HTTP Headers, select On.
- For Tenant ID, Client ID, and Client Secret, enter the Tenant ID, Client ID, and Client Secret you noted during tenant registration.
- Select Test Connection. This action confirms the BIG-IP connects to your tenant.
- Select Next.
Service Provider
Use the Service Provider settings to define SAML SP instance properties of the application secured by SHA.
For Host, enter the public fully qualified domain name (FQDN) of the application being secured.
For Entity ID, enter the identifier Microsoft Entra ID uses to identify the SAML SP requesting a token.
(Optional) Use Security Settings to indicate Microsoft Entra ID encrypts issued SAML assertions. Assertions encrypted between Microsoft Entra ID and the BIG-IP APM increase assurance that content tokens aren't intercepted, nor data compromised.
From Assertion Decryption Private Key, select Create New.
Select OK.
The Import SSL Certificate and Keys dialog appears in a new tab.
To import the certificate and private key, select PKCS 12 (IIS).
Close the browser tab to return to the main tab.
For Enable Encrypted Assertion, check the box.
If you enabled encryption, from the Assertion Decryption Private Key list, select the private key for the certificate BIG-IP APM uses to decrypt Microsoft Entra assertions.
If you enabled encryption, from the Assertion Decryption Certificate list, select the certificate BIG-IP uploads to Microsoft Entra ID to encrypt the issued SAML assertions.
Microsoft Entra ID
Easy Button has application templates for Oracle PeopleSoft, Oracle E-Business Suite, Oracle JD Edwards, SAP ERP, and a generic SHA template.
To start Azure configuration, select SAP ERP Central Component > Add.
Note
You can use the information in the following sections when manually configuring a new BIG-IP SAML application in a Microsoft Entra tenant.
Azure Configuration
For Display Name enter the app BIG-IP creates in the Microsoft Entra tenant. The name appears on the icon in the My Apps portal.
(Optional) leave Sign On URL (optional) blank.
Next to Signing Key select refresh.
Select Signing Certificate. This action locates the certificate you entered.
For Signing Key Passphrase, enter the certificate password.
(Optional) Enable Signing Option. This option ensures BIG-IP accepts tokens and claims signed by Microsoft Entra ID
User and User Groups are dynamically queried from your Microsoft Entra tenant. Groups help authorize application access.
Add a user or group for testing, otherwise access is denied.
User Attributes & Claims
When users authenticate to Microsoft Entra ID, it issues a SAML token with default claims and attributes identifying the user. The User Attributes & Claims tab shows the default claims to issue for the new application. Use it to configure more claims.
This tutorial is based on a .com domain suffix used internally and externally. No other attributes are required to achieve a functional Kerberos constrained delegation (KCD) SSO implementation.
You can include more Microsoft Entra attributes. For this tutorial, SAP ERP requires the default attributes.
Learn more: Tutorial: Configure F5 BIG-IP Access Policy Manager for Kerberos authentication. See, instructions on multiple domains or user sign in with alternate suffixes.
Additional User Attributes
The Additional User Attributes tab supports distributed systems requiring attributes stored in other directories, for session augmentation. Thus, attributes from a Lightweight Directory Access Protocol (LDAP) source are injected as more SSO headers to control role-based access, Partner IDs, and so on.
Note
This feature has no correlation to Microsoft Entra ID but is another attribute source.
Conditional Access Policy
Conditional Access policies are enforced after Microsoft Entra preauthentication. This action controls access based on device, application, location, and risk signals.
The Available Policies view lists Conditional Access policies without user-based actions.
The Selected Policies view lists policies targeting cloud apps. You can't deselect policies enforced at the tenant level, nor move them to the Available Policies list.
To select a policy for the application being published:
- From the Available Policies list, select the policy.
- Select the right arrow.
- Move the policy to the Selected Policies list.
Selected policies have an Include or Exclude option checked. If both options are checked, the selected policy isn't enforced.
Note
The policy list appears when you initially select this tab. Use the refresh button to query your tenant. Refresh appears when the application is deployed.
Virtual Server Properties
A virtual server is a BIG-IP data plane object represented by a virtual IP address. This server listens for client requests to the application. Received traffic is processed and evaluated against the APM profile associated with the virtual server. Traffic is then directed according to policy.
- Enter a Destination Address. Use the IPv4/IPv6 address BIG-IP uses to receive client traffic. A corresponding record is in the domain name server (DNS), which enables clients to resolve the external URL of BIG-IP published application to this IP. You can use a test computer localhost DNS for testing.
- For Service Port, enter 443.
- Select HTTPS.
- For Enable Redirect Port, check the box.
- For Redirect Port, enter a number and select HTTP. This option redirects incoming HTTP client traffic to HTTPS.
- Select the Client SSL Profile you created. Or, leave the default for testing. The Client SSL Profile enables the virtual server for HTTPS, so client connections are encrypted over Transport Layer Security (TLS).
Pool Properties
The Application Pool tab has services behind a BIG-IP, represented as a pool with application servers.
For Select a Pool, select Create New, or select a pool.
For Load Balancing Method, select Round Robin.
For Pool Servers select a server node, or enter an IP and port for the back-end node hosting the header-based application.
Single Sign-On & HTTP Headers
Use SSO to enable access BIG-IP published services without entering credentials. The Easy Button wizard supports Kerberos, OAuth Bearer, and HTTP authorization headers for SSO. For the following instructions, you need the Kerberos delegation account you created.
On Single Sign-On & HTTP Headers, for Advanced Settings, select On.
For Selected Single Sign-On Type, select Kerberos.
For Username Source, enter a session variable as the user ID source.
session.saml.last.identity
holds the Microsoft Entra claim with the signed-in user ID.The User Realm Source option is required if the user domain differs from the BIG-IP kerberos realm. Thus, the APM session variable contains the signed in user domain. For example,
session.saml.last.attr.name.domain
.For KDC, enter a domain controller IP, or FQDN if the DNS is configured.
For UPN Support, check the box. The APM uses the User Principal Name (UPN) for kerberos ticketing.
For SPN Pattern, enter HTTP/%h. This action informs the APM to use the client-request host header and build the Service Principal Name (SPN) for which it's requesting a kerberos token.
For Send Authorization, disable the option for applications that negotiate authentication. For example, Tomcat.
Session Management
Use BIG-IP session management settings to define conditions when user sessions terminate or continue. Conditions include limits for users and IP addresses, and corresponding user info.
To learn more, go to my.f5.com for K18390492: Security | BIG-IP APM operations guide
The operations guide doesn't cover Single Log-Out (SLO). This feature ensures sessions between the IdP, the BIG-IP, and the user agent terminate when users sign out. The Easy Button deploys a SAML application to the Microsoft Entra tenant. It populates the Logout URL with the APM SLO endpoint. IdP initiated sign out from the My Apps portal terminates the BIG-IP and client session.
During deployment, the published-application SAML federation metadata is imported from the tenant. This action provides the APM the SAML sign out endpoint for Microsoft Entra ID and helps SP-initiated sign out terminate the client and Microsoft Entra session.
Deployment
- Select Deploy.
- Verify the application is in the tenant Enterprise applications list.
- With a browser, connect to the application external URL or select the application icon in My Apps.
- Authenticate to Microsoft Entra ID.
- Redirection takes you to the BIG-IP virtual server and signed in through SSO.
For increased security, you can block direct access to the application and enforce a path through the BIG-IP.
Advanced deployment
The Guided Configuration templates sometimes lack flexibility.
Learn more: Tutorial: Configure F5 BIG-IP Access Policy Manager for Kerberos authentication.
Disable strict management mode
Alternatively, in BIG-IP you can disable Guided Configuration strict management mode. You can change your configurations manually, although most configurations are automated with wizard templates.
Navigate to Access > Guided Configuration.
At the end of the row for your application configuration, select the padlock.
BIG-IP objects associated with the published application are unlocked for management. Changes via the wizard UI are no longer possible.
Note
To re-enable strict management mode and deploy a configuration that overwrites settings outside the Guided Configuration UI, we recommend the advanced configuration method for production services.
Troubleshooting
If you're unable to access the SHA-secured application, see the following troubleshooting guidance.
- Kerberos is time sensitive. Ensure servers and clients are set to the correct time, and synchronized to a reliable time source.
- Ensure the domain controller and web app hostname resolve in DNS.
- Confirm no duplicate SPNs in the environment.
- On a domain computer, at the command line, use the query:
setspn -q HTTP/my_target_SPN
- On a domain computer, at the command line, use the query:
To validate an Internet Information Services (IIS) application KCD configuration, see Troubleshoot KCD configurations for Application Proxy
Go to techdocs.f5.com for Kerberos single sign-on method
Log analysis
Log verbosity
BIG-IP logging isolates issues with connectivity, SSO, policy violations, or misconfigured variable mappings. To start troubleshooting, increase log verbosity.
- Navigate to Access Policy > Overview.
- Select Event Logs.
- Select Settings.
- Select the row for your published application.
- Select Edit.
- Select Access System Logs
- From the SSO list, select Debug.
- Select OK.
- Reproduce your issue.
- Inspect the logs.
When inspection is complete, revert log verbosity because this mode generates excessive data.
BIG-IP error message
If a BIG-IP error message appears after Microsoft Entra preauthentication, the issue might relate to Microsoft Entra ID to BIG-IP SSO.
- Navigate to Access > Overview.
- Select Access reports.
- Run the report for the last hour.
- Inspect the logs.
Use the current session's View session variables link to see if APM receives expected Microsoft Entra claims.
No BIG-IP error message
If no BIG-IP error message appeared, the issue might be related to the back-end request, or BIG-IP to application SSO.
- Navigate to Access Policy > Overview.
- Select Active Sessions.
- Select the link for the current session.
- Use the View Variables link to identify KCD issues, particularly if the BIG-IP APM doesn't obtain correct user and domain identifiers from session variables.
Learn more:
- Go to devcentral.f5.com for APM variable assign examples
- Go to techdocs.f5.com for Session variables