SSO - Azure AD

Objective

This document provides instructions on how to configure Azure SSO integration with F5® Distributed Cloud Services. For an overview of F5® Distributed Cloud Console, see About.

SSO setup requires you to be a user of the tenant owner type. To check your user type, navigate to General > IAM > Users, select Show/hide column, select the Type field, and select Apply to display the Type column. For the tenant owner, the Type column displays Tenant Owner; for all other users, it displays User.


Prerequisites

  • Azure Account with credentials to configure SSO.

Configuration

Integrating Azure SSO requires you to register your application in Azure Active Directory (AD), obtain a client ID and secret, obtain a redirect URI, and configure the redirect URI in Azure AD.


You can navigate to the Azure AD in one of the following ways:

  • Microsoft Office 365 AD

  • Azure cloud portal

From Office 365

Perform the following to navigate to Azure AD from Microsoft Office 365 login.

Step 1: Navigate to Microsoft Office 365 administration settings.
  • Sign in to Office 365 AD.

  • Select All Services in Azure services section in top-right menu.

Figure: Office 365 Admin Centers

  • Select All Services in Azure services section in top-right menu.

Figure: Office 365 Admin Centers

Step 2: Open Azure AD admin center.

Select Azure Active Directory in the displayed admin centers list.

Figure: All Services > Azure Active Directory

Note: This opens the Azure AD admin center dashboard.

Step 3: Open the Azure AD settings.

Select the Azure Active Directory box.

Figure: All Services > Azure Active Directory

Step 4: Navigate to app registrations.
  • Select App registrations on the Azure AD dashboard.

Figure: Office 365 Azure AD Application Registration

  • Select New registration to start registration for your application.

Figure: Office 365 Azure AD Application Registration


From Azure Portal

Perform the following to navigate to Azure AD from the Azure cloud portal.

Step 1: Log into Azure cloud portal.
  • Sign into Azure portal.

  • Select your account in Directory list.

  • Choose Active Directory tenant where you wish to register your application.

Figure: All Services > Azure Active Directory

Step 2: Open app registration in the Azure AD settings.

In the Azure Active Directory pane, select App registrations.

Figure: Office 365 Azure AD Application Registration

Figure: Office 365 Azure AD Application Registration


Register Application and Setup SSO

Step 1: Setup Application

Note: The registered application in Azure AD needs to have the homepage URL set.

  • Select View all applications in the directory.

  • Select Application Display Name > select Branding & Properties in Manage column.

  • Copy Home Page URL.

  • Note the URL for the form in step 2.

Step 2: Enter name and account types for your application.
  • Select App registrations

  • Choose + New registration.

  • Enter Name for application, for example F5-oidc-test in Register an Application page.

  • Choose Supported account types as required.

  • Select a platform drop-down menu in Redirect URI section.

  • Enter the URL copied from step 1 in the e.g. https://example.com/auth box.

  • Select Register button

Figure: Register Application

Step 3: Save the application ID.

Find the Application ID value, and record it for later.

Note: You will need the ID value to configure the SSO section in F5® Distributed Cloud Console.

Figure: Retrieve Application ID

Step 4: Configure client secret.
  • Select Certificates & secrets tab in left-menu to create a Client Secret.

  • Select + New client secret.

  • Copy the client secret for configuring the SSO section in the F5® Distributed Cloud Console.

Note: The secret to copy for the F5 Console SSO configuration is the secret value, not the secret ID.

Figure: Create Client Secret

Step 5: Obtain a well-known URL.

The well-known URL points to a metadata document that contains most of the information required for an app to perform sign-in. This includes information such as the URLs to use and the location of the service's public signing keys. The document can be obtained using:


https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration

  • In App registrations > select Owned Applications > select Endpoints.

  • Copy the OpenID Connect metadata document URL.

Figure: Homepage

  • Import into SSO settings in F5 console.

Note: Replace {tenant} with your Azure tenant ID. You can obtain your tenant ID from the Azure cloud portal by navigating to Azure Active Directory > Overview screen.
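
The check below is an added example, not part of the F5 or Microsoft documentation: before importing the well-known URL, it confirms that {tenant} was replaced and that the metadata document's endpoints are HTTPS URLs on expected hosts that reference your tenant. The trusted-host list, the function names, the jwks_uri exemption, and the sample tenant ID and documents are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Assumption of this example: hosts the imported endpoints may live on.
TRUSTED_HOSTS = {"login.microsoftonline.com", "sts.windows.net"}
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
TEMPLATE = "https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration"

def well_known_url(tenant_id):
    """Fill the page's URL template; reject an unreplaced placeholder."""
    if not tenant_id or "{" in tenant_id or "}" in tenant_id:
        raise ValueError("replace {tenant} with your Azure tenant ID")
    return TEMPLATE.replace("{tenant}", tenant_id)

def check_metadata(doc_text, tenant_id):
    """Return the problems found in a metadata document (empty list = OK)."""
    try:
        doc = json.loads(doc_text)
    except json.JSONDecodeError:
        return ["document is not valid JSON"]
    if not isinstance(doc, dict):
        return ["document is not a JSON object"]
    problems = []
    for field in REQUIRED:
        value = doc.get(field)
        if not isinstance(value, str) or not value:
            problems.append(f"{field}: missing")
            continue
        url = urlparse(value)
        if url.scheme != "https":
            problems.append(f"{field}: not https")
        if url.hostname not in TRUSTED_HOSTS:
            problems.append(f"{field}: unexpected host {url.hostname}")
        # Assumption: signing keys may sit on a shared path, so jwks_uri is exempt.
        if field != "jwks_uri" and tenant_id.lower() not in url.path.lower():
            problems.append(f"{field}: does not reference tenant {tenant_id}")
    return problems

# Constructed samples (not a real tenant or real responses); BAD moves one endpoint.
TENANT = "11111111-2222-3333-4444-555555555555"
BASE = f"https://login.microsoftonline.com/{TENANT}/oauth2"
GOOD = json.dumps({
    "issuer": f"https://sts.windows.net/{TENANT}/",
    "authorization_endpoint": f"{BASE}/authorize",
    "token_endpoint": f"{BASE}/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
})
BAD = json.dumps({**json.loads(GOOD),
                  "token_endpoint": f"https://login.example.net/{TENANT}/token"})
```

To use it on your own tenant, save the metadata document fetched from the well-known URL and pass its text and your tenant ID to check_metadata; an empty list means none of these checks failed.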

Step 6: Log into F5® Distributed Cloud Console, start configuring SSO.
  • Open F5® Distributed Cloud Console homepage, select Administration box.

Note: The homepage is role-based, and your homepage may look different due to your role customization. Select the All Services drop-down menu to discover all options. To customize settings, go to Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Figure: Homepage

Note: Confirm that you are in the correct namespace using the drop-down selector located in the upper-left corner. The namespace selector is not available in all services.

  • Select Tenant Settings in left column menu > select Tenant Options.

Note: If the options are not shown, select the Show link in Advanced nav options in the bottom-left corner. If needed, select Hide to minimize the options in Advanced nav options mode.

  • Select Set up SSO button.

Figure: SSO

  • Select Azure in Please choose a service Provider in pop-up window.

  • Select Continue button.

Figure: SSO Setup Page

Step 7: Configure the client ID and secret for Azure.

Provide Client ID and Client Secret obtained from previous steps.

Figure: Client ID and Client Secret

Step 8: Generate redirect URL.
  • Enter the Well-known URL in Import from well-known URL box.

  • Select Import to populate rest of the fields such as Authorization URL, Token URL, etc.

  • Select Continue to obtain a Redirect URI.

Step 9: Complete SSO setup.
  • Copy the displayed redirect URI.

  • Select Done.

Step 10: Add the redirect URI in the Azure AD.
  • In Azure Active Directory, select App registrations in the left menu.

  • Select the registered application in the list, for example F5-oidc-test.

Figure: Add Redirect URI Option

  • Select Add a Redirect URI.

Figure: Configure Redirect URI

  • Select + Add a platform.

Figure: Configure Redirect URI

  • Select Web Applications in right pop-up window.

Note: See Microsoft Docs (https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application) to learn more.

Figure: Configure Redirect URI

  • Provide the URI obtained above to complete Azure SSO setup.

Figure: Configure Redirect URI

  • Select Configure button.

  • To confirm, check that a Web Redirect URIs section has been added to Authentication > Platform configurations.

Figure: Configure Redirect URI

