Lab 2: IDaaS SAML Identity Provider (iDP) Lab (OKTA)

The purpose of this lab is to configure and test an IDaaS SAML Identity Provider. Students will configure an IDaaS-based SAML Identity Provider (in this case OKTA), import its metadata into a SAML Service Provider and bind the two, and then test IdP-Initiated and SP-Initiated SAML Federation.

Objective:

  • Gain an understanding of integrating an IDaaS SAML Identity Provider (IdP)
  • Gain an understanding of the access flow for IdP-Initiated SAML

Lab Requirements:

  • All Lab requirements will be noted in the tasks that follow
  • Estimated completion time: 25 minutes

Lab 2 Tasks:

TASK 1: Sign Up for OKTA Developer Account

Refer to the instructions and screenshots below:

Note: The following steps provide instructions for setting up an OKTA developer account. If you already have one, you may elect to use that account. Understand, however, that the instructions below may need to be modified to match your environment.

  1. Sign up for an OKTA developer account by navigating to https://developer.okta.com/signup/, entering a VALID email address and clicking Get Started.
  2. Upon registration, you will be directed to a hyperlink (hostname) for your developer account. Save this link for future use.
  3. Additional instructions will be sent to the email address provided during account setup.
  4. Following the instructions received in the generated email, sign in to the OKTA development environment with the temporary password provided.
  5. Enter a New Password and repeat it in Repeat New Password.
  6. Use the drop-down to select a Forgot Password Question and provide the Answer.
  7. Click a Security Image.
  8. Click Create My Account.

TASK 2: OKTA Classic UI

Refer to the instructions and screenshots below:

  1. For the purposes of the lab and SAML development, we will be using the OKTA Classic UI, which provides access to SAML configurations. (Note: At lab publication, the Developer Console did not have SAML resources.)
  2. In the top left-hand corner, click the <> and select Classic UI from the drop-down.

TASK 3: Enable OKTA Multi-Factor Authentication [OPTIONAL]

Refer to the instructions and screenshots below. This task will require a mobile app to enable a second factor.

[OPTIONAL]

Note: Enabling MFA will require a smart device with the appropriate OKTA client for your OS. This task can be skipped if you prefer to just use UserID/Password.

  1. Click Security from the top navigation, then click Multifactor.
  2. Under OKTA Verify, change the drop-down from Inactive to Active.
  3. Click the Edit button next to OKTA Verify Settings.
  4. Check Enable Push Verification.
  5. Check Require TouchID for OKTA Verify (optional).
  6. Click Save.

TASK 4: Build SAML Application - OKTA

Refer to the instructions and screenshots below:

  1. In the main menu, click Applications, and then Applications from the drop-down in the top navigation.
  2. Click Add Application in the Applications dialogue window.
  3. Click Create New App in the Add Application menu.
  4. In the Create a New Application Integration dialogue box, select Web from the drop-down for Platform.
  5. Select the SAML 2.0 radio button for Sign on Method and click Create.
  6. In the Create SAML Integration screen, enter app.f5demo.com for the App Name.
  7. Leave all other values as default and click Next.
  8. In the Create SAML Integration screen, enter the following values in the SAML Settings section:
    • Single Sign on URL: https://app.f5demo.com/saml/sp/profile/post/acs
    • Audience URI (SP Entity ID): https://app.f5demo.com
  9. Leave all other values as default and click Next.
  10. In the Create SAML Integration screen, select the “I’m an OKTA customer adding an internal app” radio button for Are you a customer or partner?
  11. In the resulting expanded window, select “This is an internal app that we have created” for App Type and click Finish.
  12. In the resulting application screen for app.f5demo.com, navigate to the SAML 2.0 section.
  13. Right-click the Identity Provider Metadata hyperlink and click Save Link As …
  14. Save the metadata.xml to your jumphost desktop. We will be using it in a later step in the lab.
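Before the metadata.xml saved at the end of this task is imported into the BIG-IP, it is worth reviewing what the file asserts about the IdP. The Python below is an added example, not part of the original lab; it parses a constructed sample with the same structure as Okta IdP metadata (the entityID, hostname and certificate body are placeholders) and pulls out the fields an SP operator should check: the IdP entityID, the SSO endpoint per binding, a SHA-256 fingerprint of each signing certificate, and whether every endpoint is HTTPS.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata documents.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample standing in for the metadata.xml exported from Okta in Task 4.
# entityID, hostname and certificate body are placeholders, not real values.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>UExBQ0VIT0xERVItQ0VSVA==</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-PLACEHOLDER.oktapreview.com/app/exkPLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dev-PLACEHOLDER.oktapreview.com/app/exkPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def inspect_idp_metadata(xml_text):
    """Return the fields an SP operator should review before importing IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    # Map the short binding name (HTTP-POST, HTTP-Redirect) to its SSO endpoint.
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    # Signing certificates are base64 DER; fingerprint the DER bytes so they can be
    # compared with what the BIG-IP shows after the import in Task 7.
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    fingerprints = [hashlib.sha256(base64.b64decode(c.text.strip())).hexdigest() for c in certs]
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "signing_cert_sha256": fingerprints,
        "wants_signed_authn_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "all_sso_https": all(u.startswith("https://") for u in sso.values()),
    }
```

Run it against the real metadata.xml by reading the file into a string and passing it to inspect_idp_metadata; a missing signing certificate or an http:// endpoint is a reason to stop before Task 7.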

TASK 5: Add User to SAML Application

Refer to the instructions and screenshots below:

  1. Within the app.f5demo.com application screen, click Assignments, then Assign, and then Assign to People from the drop-down.
  2. In the Assign app.f5demo.com to People dialogue box, select your User ID, click Assign, then Done.
  3. Click Save and Go Back.
  4. Click Done.

TASK 6: Add Multi-Factor Authentication Sign-On Policy [OPTIONAL]

Refer to the instructions and screenshots below. This section requires that Task 3 be completed.

[OPTIONAL]

  1. Within the app.f5demo.com application screen, click Sign On.
  2. Scroll down to the Sign On Policy section and click Add Rule.
  3. In the Add Sign On Rule dialogue box, enter MFA for the Rule Name.
  4. Scroll down to the Actions section.
  5. In the Actions section, under Access, check the box for Prompt for factor.
  6. Ensure the Every Sign On radio button is selected.
  7. Click Save.

TASK 7: Create the External IDP Connector

Refer to the instructions and screenshots below:

  1. Log in to your lab-provided Virtual Edition BIG-IP.
  2. Begin by selecting: Access -> Federation -> SAML Service Provider -> External IdP Connectors.
  3. In the External IdP Connectors screen, click the downward arrow next to the word Create on the Create button (right side).
  4. Select From Metadata from the drop-down menu.
  5. In the Create New SAML IdP Connector dialogue box, use the Browse button to select the metadata.xml from the desktop (saved in Task 4).
  6. Name the Identity Provider Name: OKTA_SaaS-iDP.
  7. Click OK.

TASK 8: Change the SAML SP Binding

Refer to the instructions and screenshots below:

  1. Begin by selecting: Access -> Federation -> SAML Service Provider -> Local SP Services.
  2. Select the checkbox next to app.f5demo.com and click Bind\UnBind IdP Connectors.
  3. Check the existing binding and click Delete.
  4. Click Add New Row and use the following values:
    • SAML IdP Connectors: /Common/OKTA_SaaS-iDP
    • Matching Source: %{session.server.landinguri}
    • Matching Value: /*
  5. Click Update, then OK.

TASK 9: Apply Access Policy Changes

Refer to the instructions and screenshots below:

  1. Click the Apply Access Policy link in the top left corner of the Admin GUI.
  2. Ensure app.f5demo.com-policy is checked and click Apply.

TASK 10: Test Access to the app.f5demo.com application

Refer to the instructions and screenshots below:

  1. Using your browser from the Jump Host, click on the provided bookmark or navigate to https://app.f5demo.com
  2. Destroy your active session by navigating to Access Overview -> Active Sessions, selecting the checkbox next to your session and clicking the Kill Selected Session button.
  3. Close your browser and log on to your https://dev-<Dev-ID>.oktapreview.com account. Click on your app.f5demo.com application for IdP-initiated access.
  4. After successful authentication, were you returned to the SAML SP?
  5. Were you successfully authenticated (SAML)?
  6. Review your Active Sessions (Access Overview -> Active Sessions).
  7. Review your Access Report Logs (Access Overview -> Access Reports).
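The IdP-initiated test in this task succeeds only because the Audience URI and Single Sign on URL entered in Task 4 match what the SP expects from the posted assertion. The Python below is an added example, not part of the original lab or of APM's code: it builds a constructed, unsigned SAML Response (the Okta entityID is a placeholder) and applies the checks an SP makes on it, returning the names of the ones that fail. Signature verification against the IdP certificate from metadata.xml is assumed to happen before these checks.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://app.f5demo.com"                         # Audience URI from Task 4
SP_ACS_URL = "https://app.f5demo.com/saml/sp/profile/post/acs"  # Single Sign on URL from Task 4
IDP_ENTITY_ID = "http://www.okta.com/exkPLACEHOLDER"            # placeholder for the Okta entityID

# Constructed, unsigned sample of what the IdP posts to the ACS after IdP-initiated login.
TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T00:00:00Z" Destination="{dest}">
 <saml:Issuer>{idp}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{idp}</saml:Issuer>
  <saml:Subject><saml:NameID>student@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="{dest}" NotOnOrAfter="{exp}"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="{exp}">
   <saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def make_response(aud=SP_ENTITY_ID, dest=SP_ACS_URL, idp=IDP_ENTITY_ID, minutes_valid=5):
    """Build a sample response; a negative minutes_valid yields an already expired assertion."""
    exp = datetime.now(timezone.utc) + timedelta(minutes=minutes_valid)
    return TEMPLATE.format(aud=aud, dest=dest, idp=idp, exp=exp.strftime("%Y-%m-%dT%H:%M:%SZ"))

def check_response(xml_text, now=None):
    """Return the names of failed SP checks; an empty list means the assertion matches Task 4.
    Signature verification with the IdP certificate from metadata.xml is assumed to run first."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    exp = datetime.strptime(cond.get("NotOnOrAfter"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    checks = [
        ("status", root.find("samlp:Status/samlp:StatusCode", NS).get("Value").endswith(":Success")),
        ("issuer", assertion.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID),
        ("destination", root.get("Destination") == SP_ACS_URL),
        ("recipient", assertion.find(".//saml:SubjectConfirmationData", NS).get("Recipient") == SP_ACS_URL),
        ("audience", cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) == SP_ENTITY_ID),
        ("expiry", now < exp),
    ]
    return [name for name, ok in checks if not ok]
```

A mismatch in any of these is what the Access Report Logs reviewed in this task will show as a failed SAML assertion on the BIG-IP side.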