For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

kgaigl's avatar
kgaigl
Icon for Cirrocumulus rankCirrocumulus
Dec 05, 2019

APM Authentication mith MRH Cookie?

Hello,   we've an Java-based internal Application (developed by an "challenging" partner). Until now, access is managed by software-modul called web_auth, but this is soon End-of-Life.   Now...
application delivery
BIG-IP Access Policy Manager (APM)
LTM
MRH
Yoann_Le_Corvi1's avatar
Yoann_Le_Corvi1
Icon for Cumulonimbus rankCumulonimbus
Dec 11, 2019

Hi

 

Still not very clear unfortunately :-)

 

But many options there, here is just a few :

1- If your internal users MUST authenticate without passwords : then you can do Kerberos Authentication on the F5 itself, then yes you will need a keytab and configuration object on APM to perform authentication. Then, once AUTHENTICATION is done on APM, you can use KCD (Kerberos Constrained Delegation) to perform a Kerberos authentication to the web_auth module. This of course works only for users in the internal domain / REALM

2- If you intend to allow other authentication method on the F5 (like for example strong authentication, MFA...) then you can configure whatever factors you want on APM to authenticate the user. Once done, you can perform KCD again to authenticate to web_auth module on your backend,

 

This allows you to support only one authentication method on your backend, and handling multiple authentication type on the F5 ... But again, your requirements are not cristal clear as of now.

 

I hope this information helps you...

 

Yoann