Forum Discussion

Krisztian_Gulya's avatar
Krisztian_Gulya
Icon for Nimbostratus rankNimbostratus
Apr 07, 2020

Customize APM Logon Page for Duo Security auth with Modern Template, v15.1+

Hi,

 

I would like to use Modern Template on v15.1+ and integrate Duo Security with APM's Logon Page.

 

I tried to follow these guides:

https://devcentral.f5.com/s/articles/Advanced-Customization-Quick-Start-Guide-for-Modern-Template-APM-15-1

https://duo.com/docs/f5bigip

 

Based on Lucas' (btw fantastic) guide I tried to add the link from Duo (https://api-XXXXXXXX.duosecurity.com/frame/hosted/Duo-F5-BIG-IP-v2.js) in Customization Tool, General Customization, on Text tab, under Customization Settings -> Access Profiles -> /Common/<AccessProfile> -> Common -> External Scripts/Styles section. I copied the JS link as the value of External Javascript 1 Address.

 

I tried to generate the SRI hash on https://www.srihash.org/, but I got the following error message:

Error: this resource is not eligible for integrity checks. See https://enable-cors.org/server.html

 

Therefore I did not configured an External Javascript 1 Subresource Integrity value...

 

With the above settings, after logging in with username and password the following message appeared:

Initializing two-factor authentication... DUO-TXID(api-XXXXXXXX.duosecurity.com|XXXXXXXXXXXXXXXXXXXX)

 

On F5, I ran tcpdump and I can see Duo Authentication Proxy is communicating with Duo on port 443.

 

But authentication is not completed, user does not appear in User list, even not as Pending Enrollment.

 

Is there anyone who managed to successfully integrate Modern Template with Duo Security and could help me how to fix it?

 

UPDATE: I created a test policy with Standard Customization Type. User self-enrollment and also authentication worked like a charm. So my infrastructure is correctly set, just would need some guidance, how to integrate the Duo Javascript within Modern Template.

  • Hi there,

     

    We had a similar issue with our deployment while attempting to integrate Duo MFA. The DUO-TXID would appear in the login box on our customised login page, but the Duo integration didn't seem to fire.

     

    We're on 14.1, but have a pretty heavily customised Sign-In page. Perhaps this contributes somewhat to load times, etc for page elements.

     

    I spent some time in Firefox with Developer tools, prettified the Duo code, and set some break points. In stepping through the execution flow, I found that the Duo script actually embeds a specific version of the jQuery library, and triggers on the j(document).ready condition, which is equivalent to the DOMContentLoaded event. This was firing ahead of the Body OnLoad event that triggers the Login Page's function to populate the logon form (OnLoad).

     

    The net effect is that when the Duo function triggers, and looks for the DUO-TXID, it is not there yet.

     

    The workaround/fix was the following:

     

    Edit the policy's Logon Page's logon.inc in advanced customisation and locate the following code section:

     

        disableSubmit(form);
        return true;
    }
    //-->
    </script>
    </head>
     
    <body onload="OnLoad()">
     
    <?

    To adjust the way the triggers work, replace the above code section with:

     

        disableSubmit(form);
        return true;
    }
     
    document.addEventListener("DOMContentLoaded", function()
    {
        OnLoad();
    }, false);
    //-->
    </script>
    </head>
     
    <body>
     
    <?

    What this does is replace the effective OnLoad handler with a DOMContentLoaded handler to call the OnLoad function that populates the logon form.

     

    In our case, this seems to have resolved the timing issues, though there is not really a guarantee that this will work in all cases.

     

    I hope this solution helps out other folks.

     

    Regards,

     

    JohnB

    • Eelke's avatar
      Eelke
      Icon for Altocumulus rankAltocumulus

      There is no logon.inc in the modern template. so you want be able to do so.

  • Hi  ,

     

    I may not have realised at the time, my solution did not use the Modern Template. When performing an upgrade recently we discovered that there are limitations in the Modern Template that could not be overcome at the time. This prevents Duo Auth from being integrated.

     

    I hope that F5 and/or Duo or other vendors come up with a suitable solution at some point.

     

    Regards,

    JohnB

    • Eelke's avatar
      Eelke
      Icon for Altocumulus rankAltocumulus

      yes indeed.

       

      i hope they will make it possible to change the code on the new template

  • Eelke, did you find a solution for this?   I have a case opened with F5 support for this same question.

    • Eelke's avatar
      Eelke
      Icon for Altocumulus rankAltocumulus
      The-messenger no never found one. I doubt it will be possible. Did you get any response on this topic from F5 support?