Sentry SSO with F5

From Swivel Knowledgebase
Latest revision as of 16:52, 6 August 2020


Setup SSO on F5

From the F5 BIG-IP Configuration page, select Access Policy -> SAML -> BIG-IP as SP.

F5 SSO 1.png


Choose External IdP Connectors and click Create -> From Metadata.

F5 SSO 2.png


Here you will need to import the IdP Metadata file, which you can download from the Sentry SSO administration console or directly from the URL https://<sentry_URL>/sentry/metadata. The metadata carries the Sentry entity ID, its single sign-on endpoint and the certificate that BIG-IP will use to verify Sentry's signatures, so fetch it over HTTPS from your own Sentry host and check that the certificate it contains is the one your Sentry server signs with.

Click Browse to upload the file and enter an Identity Provider Name.

F5 SSO 3.png


After the connector is created, select it from the list and click Edit.

F5 SSO 4.png


Select Security Settings, activate “Must be signed”, select the Signing Algorithm “RSA-SHA256” and click OK. This is the setting that makes BIG-IP verify the signature on what Sentry sends back using the certificate imported from the metadata; without it, an unsigned SAML message would be accepted.

F5 SSO 5.png


Select Local SP Services and click Create.

F5 SSO 6.png


In General Settings, enter a name for the SP service, enter your F5 URL as the Entity ID, e.g. https://F5_HOSTNAME, and click OK. The same string must later be entered as the Entity ID of the Sentry application definition.

F5 SSO 7.png


After the SP Service is created, select it and click Bind/Unbind IdP Connectors.

F5 SSO 8.png


Click “Add New Row” and, under SAML IdP Connectors, select the connector you created earlier. For Matching Source select %{session.server.landinguri} and for Matching Value enter the path of the login URL, e.g. / or /PATH. This path must be the same as the path of the Portal URL in the Sentry application definition. Click Update to save, then click OK.

F5 SSO 9.png


With the External IdP Connector and the Local SP Service configured, you can now change your existing Access Profile.

Go to Access Policy -> Access Profiles -> Access Profiles List and edit the Access Profile that you want to change, or create a new one.

F5 SSO 10.png


F5 SSO 11.png


Configure your Access Policy so that it contains the following actions:

F5 SSO 12.png


Click the SAML Auth action to open its properties and change the AAA Server to the SP service created earlier.

F5 SSO 13.png


Setup Sentry Application Definition

First, upload the F5 logo. Find one with a Google Images search or copy it from here:

F5 Networks.png


Log in to the AuthControl Sentry Administration Console. Click Application Images in the left-hand menu. Click the Upload Image button on the top right.

F5 SSO 14.jpg


Browse to the Logo file you have saved:

F5 SSO 15.png


Then upload the image to Sentry; it should now be available to select when we create the new Application definition for F5.

Log in to the AuthControl Sentry Administration Console. Click Applications in the left-hand menu. To add a new Application definition for F5, click the Add Application button and select the SAML - Other type.

F5 SSO 16.jpg


Name: F5

Points: 100 (the number of points the user needs to score from their Authentication Method in order to successfully authenticate to this Application)

Portal URL: the URL used to access F5. Its PATH must match the Matching Value bound to the previously created SP Service, e.g. https://F5_HOSTNAME/PATH

Endpoint URL: Leave blank - not required

Entity ID: the identifier F5 uses as the issuer of its SAML request. It must match, character for character, the Entity ID of the previously created SP Service, e.g. https://F5_HOSTNAME

Federated Id: email

F5 SSO 17.png
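The F5 SP service and the Sentry application definition have to agree on two things: the Entity ID (an exact string match on both sides) and the path that the Portal URL lands on, which is what %{session.server.landinguri} will contain when BIG-IP picks an IdP connector. The script below is an added example, not Swivel or F5 code: it models both configurations as plain dictionaries and cross-checks them, reproducing the connector selection as an exact comparison of the Matching Value with the landing URI, which is an assumption made for the example. The hostnames, paths and names it uses are placeholders.

```python
"""Cross-check a BIG-IP Local SP Service against a Sentry application definition.

Added example, not part of Swivel's or F5's documentation.  The dictionaries
are CONSTRUCTED stand-ins for the fields entered on the two consoles; every
hostname, path and name is a placeholder.
"""
from urllib.parse import urlsplit

# Local SP Service on BIG-IP, including the Bind/Unbind IdP Connectors rows.
F5_SP_SERVICE = {
    "name": "sentry-sp",
    "entity_id": "https://vpn.example.com",
    "idp_bindings": [
        {"connector": "sentry-idp",
         "matching_source": "%{session.server.landinguri}",
         "matching_value": "/sso"},
    ],
}

# Application definition on Sentry (SAML - Other).
SENTRY_APP = {
    "name": "F5",
    "points": 100,
    "portal_url": "https://vpn.example.com/sso",
    "entity_id": "https://vpn.example.com",
    "federated_id": "email",
}


def select_idp_connector(landing_uri, bindings):
    """Return the connector whose Matching Value equals the landing URI.

    Assumption for this example: the comparison is an exact string match, the
    way the page presents it ('/' or '/PATH'); no wildcard handling is modelled.
    """
    for row in bindings:
        if (row["matching_source"] == "%{session.server.landinguri}"
                and row["matching_value"] == landing_uri):
            return row["connector"]
    return None


def check_definitions(sp, app):
    """Return a list of mismatches; an empty list means both sides agree."""
    problems = []

    # 1. Entity ID identifies the SP in the SAML exchange (issuer of the F5
    #    request, audience of the Sentry assertion) and is compared as a string.
    #    A trailing slash or a different scheme is enough to break every login.
    if sp["entity_id"] != app["entity_id"]:
        problems.append("Entity ID mismatch: SP service %r vs Sentry %r"
                        % (sp["entity_id"], app["entity_id"]))

    portal = urlsplit(app["portal_url"])
    if portal.scheme != "https":
        problems.append("Portal URL must use https: %r" % app["portal_url"])

    # 2. The Portal URL has to land on the BIG-IP host that owns the SP service.
    sp_host = urlsplit(sp["entity_id"]).netloc
    if portal.netloc != sp_host:
        problems.append("Portal URL host %r is not the SP host %r"
                        % (portal.netloc, sp_host))

    # 3. The Portal URL path is what %{session.server.landinguri} will hold, so
    #    it must equal a Matching Value or no IdP connector is selected.
    landing = portal.path or "/"
    if select_idp_connector(landing, sp["idp_bindings"]) is None:
        problems.append("Portal URL path %r matches no bound IdP connector" % landing)

    return problems


if __name__ == "__main__":
    for line in check_definitions(F5_SP_SERVICE, SENTRY_APP) or ["configuration is consistent"]:
        print(line)
```

Run it with the values you actually typed into the two consoles; the trailing-slash case (https://F5_HOSTNAME on one side, https://F5_HOSTNAME/ on the other) is the one most often missed when copying between them.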

Testing authentication to F5 via Swivel Sentry

This should be the final step after all previous elements have been configured.

Visit your AuthControl Sentry page at the public DNS name of your Swivel AuthControl Sentry server, e.g. https://mycompanysentrydomain/sentry/startPage. On the Start Page you will see a new F5 icon; click it to proceed with authentication (as you would by going straight to the F5 page).

F5 SSO 18.png


When you visit this URL, you should be redirected to the identity provider login URL that you set up and be presented with the Sentry username page.

F5 SSO 19.png


Once you have submitted your username, you should be presented with the page of an Authentication Method that can score enough points to meet the points required by the F5 Application definition.

After you enter your authentication credentials you will be logged in to the VPN.