SSO - Azure AD

Objective
Prerequisites
Configuration
Navigate to Azure AD
From Office 365
From Azure Portal
Register Application and Setup SSO
Concepts
API References

Objective

This document provides instructions on how to configure Azure SSO integration to F5® Distributed Cloud Services. For an overview of F5® Distributed Cloud Console, see About.

Note: SSO setup requires you to be of the tenant owner type user. Navigate to General > IAM > Users. Select on the Show/hide column, select the Type field, and select Apply to display the Type column. For the tenant owner, the Type column displays Tenant Owner and others, it displays User.

Prerequisites

A valid Account is required.

Note: If you do not have an account, see Create an Account.

Azure Account with credentials to configure SSO.

Configuration

Integrating Azure SSO requires you to register your application in the Azure Active Directory (AD), obtain client ID and secret, obtain a redirect URI, and configure the redirect URI in the Azure AD.

Navigate to Azure AD

You can navigate to the Azure AD in one of the following ways:

Microsoft Office 365 AD
Azure cloud portal

From Office 365

Perform the following to navigate to Azure AD from Microsoft Office 365 login.

Step 1: Navigate to Microsoft Office 365 administration settings.

Sign into Office 356 AD.
Select All Services in Azure services section in top-right menu.

AZURE M365HOMEPAGE1 — Figure: Office 365 Admin Centers

Select All Services in Azure services section in top-right menu.

AZURESHOWALL1 1 — Figure: Office 365 Admin Centers

Step 2: Open Azure AD admin center.

Select on Azure Active Directory on the displayed admin centers list.

AZUREACTIVEDIRECTORY1 2 — Figure: All Services > Azure Active Directory

Note: This opens the Azure AD admin center dashboard.

Step 3: Open the Azure AD settings.

Select the Azure Active Directory box.

Step 4: Navigate to app registrations.

Select App registrations on the Azure AD dashboard.

AZURE APPREGISTRATIONS1 4 — Figure: Office 365 Azure AD Application Registration

Select New registration to start registration for your application.

APPREG NEWREG — Figure: Office 365 Azure AD Application Registration

From Azure Portal

Perform the following to navigate to Azure AD from the Azure cloud portal.

Step 1: Log into Azure cloud portal.

Sign into Azure portal.
Select your account in Directory list.
Choose Active Directory tenant where you wish to register your application.

Step 2: Open app registration in the Azure AD settings.

In the Azure Active Directory pane > select on App registrations > choose New registration.

Register Application and Setup SSO

Step 1: Enter name and account types for your application.

Enter a name for the application, for example F5-oidc-test.
Choose account types as required.
Select register.

AZURE REGAPP — Figure: Register Application

Step 2: Save the application ID.

Find the Application ID value, and record it for later.

Note: You'll need it to configure the SSO section in the F5® Distributed Cloud Console.

AZURE REGAPP2 2 — Figure: Retrieve Application ID

Step 3: Configure client secret.

Select Certificates & secrets tab in left-menu to create a Client Secret.
Select + New client secret.
Copy the client secret for configuring the SSO section in the F5® Distributed Cloud Console.

AZURE NEWCLIENTSECRET1 3 — Figure: Create Client Secret

Step 4: Obtain a well-known URL.

Well-known URL describes a metadata document that contains most of the information required for an app to perform sign-in. This includes information such as the URLs to use and the location of the service's public signing keys. The same can be obtained using:


https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration

In App registrations > select Owned Applications > select Endpoints.
Copy the OpenID Connect metadata document URL.

SSO AZURE ENPOINTS 2 2B — Figure: Homepage

Import into SSO settings in F5 console.

Note: Replace {tenant} with your Azure tenant ID. You can obtain your tenant from the Azure cloud portal by navigating to Azure Active Directory > Overview screen.

Step 5: Log into F5® Distributed Cloud Console, start configuring SSO.

Open F5® Distributed Cloud Console homepage, select Administration box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Note: Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.

Select Tenant Settings in left column menu > select Tenant Options.

Note: If options are not showing available, select Show link in Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.

Select Set up SSO button.

Select Azure in Please choose a service Provider in pop-up window.
Select Continue button.

Step 6: Configure the client ID and secret for Azure.

Provide Client ID and Client Secret obtained from previous steps.

SSO SETUP AZURE — Figure: Client ID and Client Secret

Step 7: Generate redirect URL.

Enter the Well-known URL in Import from well-known URL box.
Select Import to populate rest of the fields such as Authorization URL, Token URL, etc.
Select Continue to obtain a Redirect URI.

Step 8: Complete SSO setup.

Copy the displayed redirect URI.
Select Done.

Step 9: Add the redirect URI in the Azure AD.

In the Azure Active Directory.
Select App registrations in left menu.
Select the registered application in list F5-oidc-test.

SSOAZURE 8 2 — Figure: Add Redirect URI Option

Select Add a Redirect URI.

SSOAZURE 8 4 — Figure: Configure Redirect URI

Select + Add a platform.

SSO AZURE 7 6 — Figure: Configure Redirect URI

Select Web Applications in right pop-up window.

Note: See (Microsoft Docs) [https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application] to learn more.