SSO - Azure AD
Objective
This document provides instructions on how to configure Azure SSO integration to F5® Distributed Cloud Services. For an overview of F5® Distributed Cloud Console, see About.
SSO setup requires you to be of the tenant owner
type user. Navigate to General
> IAM
> Users
. Select on the Show/hide column
, select the Type
field, and select Apply
to display the Type
column. For the tenant owner, the Type
column displays Tenant Owner
and others, it displays User
.
Prerequisites
- A valid Account is required.
- Note: If you do not have an account, see Create an Account.
- Azure Account with credentials to configure SSO.
Configuration
Integrating Azure SSO requires you to register your application in the Azure Active Directory (AD), obtain client ID and secret, obtain a redirect URI, and configure the redirect URI in the Azure AD.
Navigate to Azure AD
You can navigate to the Azure AD in one of the following ways:
-
Microsoft Office 365 AD
-
Azure cloud portal
Office 365 Steps
Perform the following to navigate to Azure AD from Microsoft Office 365 login.
Step 1: Navigate to Microsoft Office 365 administration settings.
- Sign into Office 356 AD.
Figure: Office 365 Admin Centers
- Select
More Services
inAzure services
section in top-right menu to openAll Services
.
Figure: Office 365 Admin Centers
Step 2: Open Azure AD admin center.
Select on Azure Active Directory
on the displayed admin centers list.
Figure: All Services > Azure Active Directory
Note: This opens the Azure AD admin center dashboard.
Step 3: Open Azure AD settings.
Select the Azure Active Directory
box.
Figure: All Services > Azure Active Directory
Step 4: Navigate to app registrations.
- Select
App registrations
on the Azure AD dashboard.
Figure: Office 365 Azure AD Application Registration
- Select
New registration
to start registration for your application.
Figure: Office 365 Azure AD Application Registration
Azure Portal Steps
Perform the following to navigate to Azure AD from the Azure cloud portal.
Step 1: Log into Azure cloud portal.
-
Sign into Azure portal.
-
Select your account in Directory list.
-
Choose Active Directory tenant where you wish to register your application.
Figure: All Services > Azure Active Directory
Step 2: Open app registration in the Azure AD settings.
In the Azure Active Directory pane > select App registrations
.
Figure: Office 365 Azure AD Application Registration
Figure: Office 365 Azure AD Application Registration
Register Application and Setup SSO
Step 1: Setup Application
Note: The registered application in Azure AD needs to have the homepage URL set.
-
Select
View all applications in the directory
. -
Select
Application
Diplay Name
> selectBranding and Properties
inManage
column. -
Copy
Home Page URL
. -
Note
URL
for step 2 form.
Step 2: Enter name and account types for your application.
-
Select
App registrations
-
Choose
+ New registration
. -
Enter
Name
for application, for exampleF5-oidc-test
inRegister an Application
page. -
Choose
Supported account types
as required. -
Select a platform
drop-down menu inRedirect URI
section. -
Enter
URL
ine.g. https://example.com/auth
box copied from step 1. -
Select
Register
button
Figure: Register Application
Step 3: Save Application ID.
Find the Application ID value, and record it for later.
Note: You will need ID value to configure the SSO section in F5 Distributed Cloud Console.
Figure: Retrieve Application ID
Step 4: Configure Client Secret.
-
Select
Certificates and secrets
tab in left-menu to create a Client Secret. -
Select
+ New client secret
. -
Copy the client secret for configuring the SSO section in the F5® Distributed Cloud Console.
Note: The secret copied for F5 Console SSO config is secret value, not secret ID.
Figure: Create Client Secret
Step 5: Obtain a well-known URL.
Well-known URL describes a metadata document that contains most of the information required for an app to perform sign-in. This includes information such as the URLs to use and the location of the service's public signing keys. The same can be obtained using:
https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration
-
In
App registrations
> selectOwned Applications
> selectEndpoints
. -
Copy the
OpenID Connect metadata document
URL.
Figure: Homepage
- Import into SSO settings in F5 console.
Note: Replace
{tenant}
with your Azure tenant ID. You can obtain your tenant from the Azure cloud portal by navigating toAzure Active Directory
>Overview
screen.
Step 6: Log into F5 Distributed Cloud Console, start configuring SSO.
- Open
F5 Distributed Cloud Console
homepage, selectAdministration
box.
Note: Homepage is role based, and your homepage may look different due to your role customization. Select
All Services
drop-down menu to discover all options. Customize Settings:Administration
>Personal Management
>My Account
>Edit work domain & skills
button >Advanced
box > checkWork Domain
boxes >Save changes
button.
Figure: Homepage
Note: Confirm
Namespace
feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.
- Select
Tenant Settings
in left column menu > selectTenant Options
.
Note: If options are not showing available, select
Show
link inAdvanced nav options visible
in bottom left corner. If needed, selectHide
to minimize options from Advanced nav options mode.
- Select
Set up SSO
button.
Figure: SSO
-
Select
Azure
inPlease choose a service Provider
in pop-up window. -
Select
Continue
button.
Figure: SSO Setup Page
Step 7: Configure client ID, secret, and default scopes for Azure.
-
Provide
Client ID
andClient Secret
obtained from previous steps. -
Enter
Default Scopes
.
Note: Multiple scope values are used by creating a space delimited, because it is the OIDC standard specification by IETF although we do handle automatic validation/modification.
Default Scopes: OpenID Connect (OIDC) introduces the concept of "scopes" from OAuth 2.0. A scope is a way to limit the amount of information and access given to an application. When a client application wants to access resources on behalf of a user, it requests specific scopes. These scopes inform the user of the type of access the application is requesting during the authorization process.
F5 Distributed Cloud recommends default scopes of openid profile email
NOT openidprofileemail.
Note:
Multiple scope
values are used by creating aSpace Delimited
during SSO setup in F5 console.
Figure: Default Scopes
Note: Any entered value will be combined with preset value:
openid profile email
NOT openidprofileemail. Input spaces between words to include multiple scope values. To avoid additional steps with formUpdate Account Information
, confirmID Token
containsfamily_name
(First Name),given_name
(Last Name),
Step 8: Generate redirect URL.
-
Enter the Well-known URL in
Import from well-known URL
box. -
Select
Import
to populate rest of the fields such asAuthorization URL
,Token URL
, etc. -
Select
Continue
to obtain a Redirect URI.
Figure: Redirect URL
Step 9: Complete SSO setup.
-
Copy the displayed redirect URI.
-
Select
Done.
Step 10: Add Redirect URI in Azure AD.
-
In the Azure Active Directory.
-
Select
App registrations
in left menu. -
Select the registered application in list
F5-oidc-test
.
Figure: Add Redirect URI Option
- Select
Add a Redirect URI
.
Figure: Configure Redirect URI
- Select
+ Add a platform
.
Figure: Configure Redirect URI
- Select
Web Applications
in right pop-up window.
Note: See (Microsoft Docs) [https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application] to learn more.
Figure: Configure Redirect URI
- Provide the
URI
obtained above to complete Azure SSO setup.
Figure: Configure Redirect URI
-
Select
Configure
button. -
To confirm, a
Web
Redirect URIs
section is added toAuthentication
>Platform configurations
.
Figure: Configure Redirect URI