F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

kgaigl's avatar
kgaigl
Icon for Cirrocumulus rankCirrocumulus
Dec 05, 2019

APM Authentication mith MRH Cookie?

Hello,   we've an Java-based internal Application (developed by an "challenging" partner). Until now, access is managed by software-modul called web_auth, but this is soon End-of-Life.   Now...
application delivery
BIG-IP Access Policy Manager (APM)
LTM
MRH
Yoann_Le_Corvi1's avatar
Yoann_Le_Corvi1
Icon for Cumulonimbus rankCumulonimbus
Dec 11, 2019

Hi

 

Still not very clear unfortunately :-)

 

But many options there, here is just a few :

1- If your internal users MUST authenticate without passwords : then you can do Kerberos Authentication on the F5 itself, then yes you will need a keytab and configuration object on APM to perform authentication. Then, once AUTHENTICATION is done on APM, you can use KCD (Kerberos Constrained Delegation) to perform a Kerberos authentication to the web_auth module. This of course works only for users in the internal domain / REALM

2- If you intend to allow other authentication method on the F5 (like for example strong authentication, MFA...) then you can configure whatever factors you want on APM to authenticate the user. Once done, you can perform KCD again to authenticate to web_auth module on your backend,

 

This allows you to support only one authentication method on your backend, and handling multiple authentication type on the F5 ... But again, your requirements are not cristal clear as of now.

 

I hope this information helps you...

 

Yoann