Many organizations today are migrating day-to-day applications to the public cloud, adopting cloud native apps or Software-as-a-Service (SaaS) in place of apps remaining on-premises or in monolithic data centers.
With this movement toward the public cloud, many organizations are also moving their on-premises identity stores to cloud-based Identity-as-a-Service (IDaaS) solutions. IDaaS integrates seamlessly with cloud-based applications and SaaS, federating identity across cloud applications and platforms, simplifying application login and access for users. IDaaS solutions leverage what are known as modern authentication standards and protocols, such as Secure Assertion Markup Language (SAML), or Open ID Connect (OIDC) for authentication with Open Authorization (OAuth) for authorization. Incorporating modern authentication and authorization standards not only makes life simpler and application access faster for users; it also extends those same benefits to organizations’ application developers (AppDev), security, and IT teams.
While they would like to migrate all of their applications to the public cloud or SaaS, many organizations are finding that’s not possible because many applications are mission-critical with sensitive data behind them, or custom-built created by—and specific to—an organization that have been in service for years. Many of these applications require accessibility from a large portion of, if not all, employees. Most of those mission-critical and custom applications are housed on-premises, in a data center, or in a private cloud. And, most of those applications cannot support identity federation or modern authentication standards and protocols at all, or at the very least, not without significant investment in downtime, staff, and cost, which most organizations cannot afford.
This means that organizations are forced to maintain two identity stores: one on-premises to accommodate the non-modern and custom applications; and one cloud-based to easily support public cloud and SaaS applications. But, it gets even more complicated than this. Organizations often need to create and deploy separate access policies for their on-premises, data center, and private cloud applications, from their cloud and SaaS applications. They will also likely need to maintain separate application access systems, which is costly and time consuming. Most importantly, there is the user experience cost, as users will be forced to access cloud and SaaS applications via one login experience, and then have to authenticate each time they access a new mission-critical and custom application, possibly once for each application.
Microsoft Azure Active Directory, Microsoft’s comprehensive cloud-based Identity-as-a-Service (IDaaS) platform, has been integrated with F5’s trusted application access solution, BIG-IP Access Policy Manager (APM) to overcome the challenges noted above. This seamless integration enables the federation of user identity, authentication, and authorization by closing the identity and access gaps between native public cloud and SaaS-based applications, as well as mission-critical and custom applications located on-premises, in a data center, or private cloud.
Azure AD as an IDaaS delivers a trusted connection to BIG-IP APM. Together, Azure AD and BIG-IP APM offer unified security and user experience between modern and classic applications, providing a single identity control plane and delivering single sign-on (SSO) from any location and any device to all applications, whether they are hosted on-premises or in the cloud, and whether or not they support modern authentication and authorization. This enhances the user experience and employee productivity, but also helps AppDev, security, and IT teams by enabling support for IDaaS without requiring costly re-development or upgrades. The integration also enables all apps to be protected with multi-factor authentication (MFA), enhancing security by integrating MFA for applications that previously couldn’t support it. The integration of Azure Active Directory and BIG-IP APM also increases application security by leveraging password-less authentication, Conditional Access policies based on user, device, location, time-of-day, and other contextual parameters, as well as third-party, API-based user and entity behavior analytics (UEBA).
In the next version of F5 BIG-IP APM—scheduled to be released this summer—the Advanced Guided Configuration (AGC) for APM has added the ability for administrators to simply onboard and operationally manage mission-critical applications (such as select SAP and Oracle applications) to Azure AD. The administrator no longer needs to go back and forth between Azure AD and BIG-IP as the end-to-end operation policy management has been integrated directly into the APM AGC console. This deeper integration between BIG-IP APM and Azure AD delivers an automated “easy button” to ensure such mission-critical applications can quickly, easily support identity federation, SSO, and MFA. This seamless integration between BIG-IP APM and Azure AD reduces management overhead, meaning that the integration now also enhances the administrator experience.
F5 and Microsoft will continue partnership efforts to augment the integration of BIG-IP APM and Azure Active Directory, adding support for the quick setup and deployment of federation, SSO, Conditional Access, and MFA to an array of mission-critical SAP, Oracle, and other third-party applications that do not support modern authentication and authorization, as well as support for custom applications.
It’s the goal of F5 and Microsoft to not only enhance the user experience by enabling seamless user access to any application anywhere but to enrich the administrator experience by simplifying the setup and deployment of the integrated Microsoft Azure Active Directory and F5 BIG-IP APM, reducing the need for administrative support.
For more information on the integration of F5 BIG-IP Access Policy Manager and Microsoft Azure Active Directory, please click here.
For more information on how the integration of BIG-IP APM and Azure Active Directory addresses secure remote access and productivity during the COVID-19 pandemic, please click here.