Forum Discussion
APM and RSA SecurID
I have a customer that wants to accomplish SSO using only RSA tokens with no Windows AD. I don't see anything in the documentation that talks about SSO in conjunction with RSA SecurID, and all the discussions about SSO seem to talk only about Windows AD or Kerberos. Is this even possible?
John Meggers
2 Replies
- Kevin_Stewart
Employee
If you're referring to SSO as a server side authentication function (APM to server), RSA SecurID is not one of the supported SSO mechanisms. There would be no way for APM to retrieve a SecurID pass code on the user's behalf. If, however, the user entered the pass code into a form on the APM (via logon page on the client side), it should be fairly trivial to relay these credentials to a server which is most likely collecting them in a form logon page.
If you're referring to SSO as a client side authentication function (client to APM), Access Policy Manager (APM) can definitely perform RSA SecurID in lieu of, or in combination with any other authentication methods. Here's a link to specific configuration information:
http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-3-0/1.htmlunique_1217962019
One important thing to note is that most of the APM client side authentication mechanisms (AD Auth, LDAP Auth, RADIUS Auth, RSA SecurID, and others) expect the username and password values in the session.logon.last.username and session.logon.last.password session variables, respectively. So if you're using multiple auth mechanisms, like AD Auth and RSA SecurID, where the password fields may be different (password string vs. pass code), you must store the password or pass code in a temporary variable while processing the first auth method, and then re-populate the password variable for the second auth method. One thing to note also, is that SecurID typically will limit code use to a single successful attempt. If you expect APM to pass the captured SecurID code to a protected application, you most likely will run into issues here. In my experience, SecurID is most useful to protect the initial sign-on to an APM protected service. After that it becomes troublesome.
It is possible to adjust the SecurID policy to permit passcode reuse, however I do not recommend it.
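The variable juggling described in the reply above, written out as APM Variable Assign entries (an added example, not code from the original thread or from F5's documentation). It assumes one logon page with a custom field named `passcode` so the token code lands in `session.logon.last.passcode`, that AD Auth runs first and RSA SecurID Auth second, and the `session.custom.*` names are arbitrary.

```tcl
# Step 1: the logon page collects username, AD password and SecurID passcode.
#   Built-in fields -> session.logon.last.username / session.logon.last.password
#   Custom field    -> session.logon.last.passcode   (assumed field name)

# Step 2: the AD Auth agent consumes session.logon.last.password as-is.

# Step 3 (Variable Assign, placed before RSA SecurID Auth): park the AD
#   password and move the passcode into the variable the auth agents read.
#   Each line is one "custom variable = custom expression" entry; mark the
#   password-bearing variables as secure in the VPE so they are not logged.
session.custom.ad_password = expr { [mcget -secure {session.logon.last.password}] }
session.logon.last.password = expr { [mcget -secure {session.logon.last.passcode}] }

# Step 4: the RSA SecurID Auth agent now finds the passcode in
#   session.logon.last.password.

# Step 5 (Variable Assign, placed after SecurID succeeds): restore the AD
#   password so that any form-based SSO to the backend sends the password,
#   not the one-time passcode that SecurID has already consumed.
session.logon.last.password = expr { [mcget -secure {session.custom.ad_password}] }
```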