Forum Discussion
APM 2FA with SSO
Hi all,
Ran into a problem when I was trying to set up APM that does 2FA authentication with DS3 and SSO into the portal access.
Without the 2FA, the SSO is working perfectly, but after putting in the 2FA authentication it does not, because the OTP is configured behind the password.
Example: username: testuser, password: 123456, OTP: 111111
So I will enter the following: username: testuser, password: 123456111111
Seems like I am unable to strip the OTP from the password in order for the SSO to work.
Has anyone tried this setup before? Would be grateful if anyone could point me to the right resource to make this work.
Thanks.
8 Replies
- amolari
Cirrostratus
Before the SSO credential mapping but after the authentication, you'll need an iRule (agent) to strip the last X characters of your password variable. If I remember correctly, there's no Tcl function to strip the last X characters, so you'll need to use other string functions (than trimright) to find the length of the string and then find the substring with index Len-X. In CodeShare you'll find examples.
- kunjan
Nimbostratus
Why don't you have 2 fields, one for OTP and another for AD(?), and then reassign the variables as explained here?
- henrykay_191137
Nimbostratus
Thanks amolari, sounds like the iRule is not going to be simple.
kunjan, I have tried 2 fields and reassigning the variables, but APM is not taking my custom variables. Let me take a look at the link you sent. Let's see if I can get it to work.
Thanks :)
- henrykay_191137
Nimbostratus
This is what I tried, but it seems like it is not working.
In my logon page, I have 2 fields: a password field with a variable called pass, and a DS3 token field with a variable called pass1.
The VPE flow is: start -> logon -> variable assignment -> RADIUS auth -> resource assign. I skip AD authentication for now since we are focusing on getting the 2FA with SSO working.
My variable assignment configuration is as below:
session.logon.last.password = expr { "[mcget {session.logon.last.pass}][mcget {session.logon.last.pass1}]" }
However, it seems like I am not able to combine the 2 variables. Anyone have any idea why?
- Mark_van_D
Cirrostratus
Try this:
session.logon.last.password = return { "[mcget {session.logon.last.pass}][mcget {session.logon.last.pass1}]" }
- kunjan
Nimbostratus
Maybe I missed something. Why do you need to combine the passwords?
Typically RSA authentication is done first ('password' holds the RSA PIN) and then, after RSA auth, the 'password1' variable (holding the AD password) is reassigned to the standard variable 'password', before the AD auth.
Use the same variable name (password1) as in the doc. Not relevant here, but in some scenarios APM expects that. So the key is, before AAA auth, to populate session.logon.last.username and session.logon.last.password with the corresponding values.
- henrykay_191137
Nimbostratus
Hi kunjan,
I am using RADIUS for the 2FA, and the issue here is that when I enter the password in the following syntax,
password+otp, which is the format that is taken by the 2FA, I couldn't get SSO to work.
Thanks Mark for the variable expression. Will test it out and revert.
- henrykay_191137
Nimbostratus
The variable is no good. I am able to capture both variables now but unable to combine them lolz.
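As an added example (not from anyone in this thread and not F5's own code), here are the two Variable Assign custom expressions the thread keeps circling around: one that concatenates the two logon fields (pass and pass1, as named above) into session.logon.last.password for the RADIUS check, and one for the original single-field layout that strips a fixed-length OTP back off so the SSO credential only receives the AD password. It assumes a 6-digit OTP, the field names from the thread, and that a custom expression body may contain several Tcl statements ending in return.

```tcl
# --- Variable Assign A: after the Logon Page, before RADIUS Auth ---
# Assign to: session.logon.last.password
# Logon Page fields assumed: pass (AD password), pass1 (DS3 OTP).
set ad_pw [mcget {session.logon.last.pass}]
set otp   [mcget {session.logon.last.pass1}]
# Plain string concatenation. No expr{} is involved, so a password that
# contains letters or symbols is never parsed as an arithmetic expression.
return "${ad_pw}${otp}"

# --- Variable Assign B: after RADIUS Auth, before SSO Credential Mapping ---
# For the original one-field layout where the user types password+otp into
# the standard password field (session.logon.last.password).
# Assign to: session.sso.token.last.password (mark the variable secure)
set otp_len  6                                         ;# assumption: fixed-length OTP
set combined [mcget -secure {session.logon.last.password}]
# Refuse to produce a credential if the input is too short to hold an OTP,
# rather than handing an empty or truncated password to SSO.
if {[string length $combined] <= $otp_len} {
    return ""
}
# Everything except the trailing otp_len characters, e.g.
# "123456111111" -> "123456". No iRule is needed for this.
return [string range $combined 0 end-$otp_len]
```

Each section is a separate Variable Assign entry in the VPE, not one script; the RADIUS agent sees the combined value from A (or the raw field in the one-field layout), while the SSO object reads only the stripped value from B.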