Deploy Using iApp - colin-stubbs/f5-bigip-auth0-integration GitHub Wiki

Deploy iApp

The iApp is the easiest way to get this working, it will create the following:

  1. Server SSL profile for communicating with the Auth0 server (ensures correct operation with TLS SNI)
  2. OAuth/OpenID Requests
  3. OAuth Provider
  4. OAuth Server
  5. JSON Web Token Definition

If directed, it will also create an APM policy which utilises the above. The APM policy is intended for use when providing an APM webtop with resources, hence the application and API further down this page are described as a webtop.

Auth0 Configuration

You should configure an Auth0 native application similar to the below:

Auth0 Application Configuration

For Auth0 to return a JSON Web Token (JWT) as the access token, an audience must be specified that is NOT the Auth0 OpenID Connect UserInfo endpoint. You could use the Auth0 Management API as the audience; however, the JWT would then also be usable against the Management API, which is not something you generally want.
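As an added illustration, not code from this wiki or the iApp, this is the check a token consumer performs on the access token Auth0 returns, showing why the audience matters: the token is accepted only if its aud contains the custom API identifier describing the APM application. It assumes the custom API is set to HS256 signing (RS256 is Auth0's default) and uses constructed issuer, identifier and secret values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed, hypothetical values: the tenant issuer and the "Identifier" of the
# custom Auth0 API that describes the APM application (the audience APM expects).
AUTH0_ISSUER = "https://example-tenant.auth0.com/"
APM_API_IDENTIFIER = "https://webtop.example.com"
HS256_SECRET = b"constructed-shared-secret-not-a-real-one"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_token(claims, secret):
    """Mint a constructed HS256 JWT so the validator can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_access_token(token, secret, now=None):
    """Return the claims if the token is usable for the APM application, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (three dot-separated parts expected)")
    header_b64, body_b64, sig_b64 = parts
    # Pin the algorithm before checking the signature; never trust "alg" from the token.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != AUTH0_ISSUER:
        raise ValueError("issuer is not our Auth0 tenant")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    # The audience must include the custom API identifier; a token whose audience is
    # only the UserInfo endpoint or the Management API was not issued for this app.
    if APM_API_IDENTIFIER not in aud:
        raise ValueError("audience does not include the APM application")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims
```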

You should configure an Auth0 custom API similar to the below, describing your APM application, even if it's not technically an API:

Auth0 API Configuration

iApp Configuration

Import the iApp template to BIG-IP:

Import iApp

And deploy a new instance of it, configured similarly to below:

iApp Settings

You should configure the "Advanced Resources Assignment" policy agent and assign the resources you want the policy to deliver. By default it's not configured to assign anything.

Advanced Resources Assignment Not Configured

Assign a webtop and a webtop link at minimum for testing.

Advanced Resources Assignment Not Configured

Resulting iApp

iApp Policy

iApp Policy Flow

Associate iApp Built Policy with HTTP Virtual

Manual Virtual Server Configuration

Deploy HTTP Applications iApp

F5 HTTP Applications iApp Configuration

So what does this actually look like?

As soon as the client browser hits the APM virtual server, it will receive a response setting the standard APM cookies, and receive a redirect to the Auth0 authorization page.

Webtop Login Screen 1

If the client browser has already logged into Auth0 previously (e.g. Auth0 session cookies are still present in the browser), the username may be pre-filled and no password may be required.

Webtop Login Screen 1

If you've configured Auth0 rules, social login or another connection to complete authentication, Auth0 will send the client browser through that process. I'm using Duo, as below.

Webtop Login Screen 1

If you pass Auth0 and everything else, the client browser is redirected back to APM with an access token and the rest of the policy runs. If you've assigned a webtop and resources you'll get a webtop; if you've assigned a static pool you'll get the content from the pool.

Webtop Login Screen 1

Logout is the normal APM process at this point. To also trigger logout on Auth0 you need to customise the policy further to send the client to the Auth0 logout endpoint; read up on this here: Auth0 Logout

Webtop Login Screen 1