Lab 5 – FORMS Based Authentication¶
In this lab, we will show you how to configure APM to leverage SSO functionality with an application server that uses forms based authentication.
Note
Lab Requirements:
- BIG-IP with APM licensed and activated
- Server running AD and Web services
- Local Host file entries on the Jump Host
Task – Create a Pool¶
Browse to Local Traffic > Pools and click the ‘+’ next to Pools List to create a new pool.
Name the pool “forms_pool”
Assign the monitor “http” by selecting the monitor and moving it to the left.
Add the following new member/node to the pool and click Finished:
- Node Name: forms, Address: 10.128.20.204, Service Port: 80
Task – Create a Virtual Server¶
Browse to Local Traffic > Virtual Servers and click the ‘+’ next to Virtual Server List to create a new one.
Use the following information to create the virtual server and leave the other settings at their default values, then click Finished:
Name the pool “forms_vs”
Destination Address/Mask: 10.128.10.12
Service Port: 443
HTTP Profile: http
SSL Profile (Client): f5demo
Source Address Translation: Auto Map
- Default Pool: forms_pool
Task – Testing without APM¶
Observe the current behavior of the login page without authentication enforced by APM.
Open your web browser and go to https://forms.f5demo.com. You should see a page that looks as follows:
Log in with the following credentials:
Username: user
Password: Agility1
Once successfully logged in you should see a web page similar to the following:
Logout using the link at the top right-hand corner of the page.
Task – Create Access Policy to use with Forms Based Authentication¶
Open the Wizards > Device Wizards page.
Select Web Application Access Management for Local Traffic Virtual Servers
Click Next
Click Next for Option 1 on the Configuration Options page
Configure Basic Properties for the policy
Configure the Authentication type used for this new policy
Configure Single Sign On
Select “Create New” for “SSO Options”
Choose Form Based for the SSO Method
Uncheck the option for “Use SSO Template”
Enter /Account/Login* in the “Start URI” field
Enter /Account/Login in the “Form Action” field
Enter UserName in the “Form Parameter For User Name” field
Enter Password in the “Form Parameter For Password” field
Click Next
Configure Virtual Server
Review configuration and click Next
Review the “Setup Summary”, which shows all (existing and new) objects associated with this new policy and click Finished.
Add a logout URI Include to the new access policy
Enable SSO
Task – Applying Access Policy Changes¶
After you create or change an access policy, the link Apply Access Policy appears in yellow at the top left of the BIG-IP Configuration utility screen. You must click this link to activate the access policy for use in your configuration.
Click the Apply Access Policy link, which will bring you to the Apply Access Policy screen, with a list of access policies that have been changed.
- Select the new Access Policy and click the Apply button (by default, all access policies that are new or changed are selected).
After you apply the access policy, the Access Profiles list screen is displayed.
Task – Testing with APM Authentication¶
Observe the behavior of the login page now that authentication is enforced by APM.
Task – Testing Logout¶
Earlier in Task 3, Step 9, we defined a Logout URI Include for this Access Policy. This is a list of logoff URIs that the access profile searches for in order to terminate the Access Policy Manager session. The URI we used was /Account/Logout, and the default logout delay is 5 seconds, which was modified to 1 second.
- Logout using the Logout link at the top right-hand corner of the page.
- Wait 1 second
- Click the Home link in the banner at the top of the page
- You should be redirected back to the F5 logon page