Forum Discussion
F5 APM Access Policy using Azure MFA via SAML
Hi,
I have been looking through some previous questions relating to integrating Azure MFA into an existing F5 APM policy.
We currently use AAA Radius Server On-Prem in our APM policy that takes the OTP variable at the login page and validates against the AAA Radius Servers.
I would like to replace this Radius Auth component with Azure MFA to provide the OTP, using SAML to perform this part of the Authentication Process. I assume this would follow the following login pattern:
Users log in with AD username and password; the SAML process is then triggered with the AD information to generate an SMS text message to the user, and a page is displayed asking for the code.
Once the code is entered and is valid, the Access Policy flow can continue on as per our current configuration.
I have looked at the following link that describes this but this example is using On-Prem MFA Servers and not using SAML to perform this. https://devcentral.f5.com/articles/heres-how-i-did-it-integrating-azure-mfa-with-the-big-ip-19634
Just wondering if anyone out there has done similar to what I need to do and could share how they did it?
I'm not all that familiar with SAML yet either but understand the basic principles in how this works
Many thanks in advance
- nikhil_raj_2965
Nimbostratus
Hi Geoff
I can see there was no response to this question; were you able to get this working?
Regards
Nikhil
- GeoffG
Altostratus
I stepped away from this for a while but have now got this working.
My only issue is that Azure has a token lifetime with a minimum of 10 mins so I don't know how to make the client re-auth with MFA every time they connect....
Cheers and apologies for late response.
- scott_bilyeu
Nimbostratus
I have not done this with Azure-365 yet but have done this with ADFS and Okta. Basically you set up the F5 as an SP to the IdP (Okta, for example); if you need to choose between IdPs you can use IdP discovery. Now on the remote IdP set up the MFA how you would like. As far as the flow, I normally do SP initiation, so it would start at the F5 APM-enabled VIP, then it redirects/posts you to the IdP (Azure) with a SAML request, and you auth at Azure. Then a POST sends you to the F5 APM VIP with a SAML response. Now from there you can land on a webtop with links to your internal non-federated resources, or you can do what is called IdP chaining, where the F5 is now the IdP, and go to another federated resource that is the SP (say Concur, Google, etc.), using contents of the SAML, or not. Now, to be honest, with this config there are a bit of iRules needed to seamlessly call the F5 IdP to the SP in a chain, because it wants to plop you on a webtop, and for handling logouts, SLOs, etc., but that is about it.
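The SP-initiated exchange described in this reply (AuthnRequest out over the HTTP-Redirect binding, Response back by POST), as an added Python example that is not code from the thread or from F5. The entity IDs, URLs and the sample Response are constructed, and ForceAuthn is the SAML 2.0 attribute that bears on the re-auth question raised above.

```python
# Added example (not from the thread or F5); entity IDs, URLs and sample Response are constructed.
import base64, urllib.parse, zlib, xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://apm.example.test/sp"                     # constructed
ACS_URL = "https://apm.example.test/saml/sp/profile/post/acs"    # constructed

def build_redirect_url(idp_sso_url, request_id, issue_instant, force_authn=False):
    """AuthnRequest -> raw DEFLATE -> base64 -> SAMLRequest query parameter. ForceAuthn="true"
    asks the IdP to re-authenticate even if it still holds a session (the re-auth question above)."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
           f'AssertionConsumerServiceURL="{ACS_URL}"'
           + (' ForceAuthn="true"' if force_authn else "")
           + f'><saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    c = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits -15: raw DEFLATE, no zlib header
    data = c.compress(xml.encode()) + c.flush()
    q = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(data).decode()})
    return f"{idp_sso_url}?{q}"

def decode_redirect_request(url):
    """What the IdP does on receipt: reverse the redirect-binding encoding."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()

def check_assertion(response_xml, expected_request_id, now_utc):
    """Return the NameID if the Response answers our request, is inside its validity
    window at now_utc (ISO-8601 'Z' string) and is addressed to this SP; else raise."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("Response does not answer our AuthnRequest")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")
    if not ts(cond.get("NotBefore")) <= ts(now_utc) < ts(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion outside its validity window")
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != SP_ENTITY_ID:
        raise ValueError("Assertion not issued for this SP")
    return root.find("saml:Assertion/saml:Subject/saml:NameID", NS).text

# Constructed sample Response an IdP would POST to the ACS URL; 10-minute validity window.
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
    'InResponseTo="_req1" Version="2.0"><saml:Assertion ID="_a1"><saml:Subject>'
    '<saml:NameID>alice@example.test</saml:NameID></saml:Subject><saml:Conditions '
    'NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:10:00Z">'
    f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
```

XML signature verification is deliberately left out: the SP must verify the IdP's signature before trusting any of these fields, and whether a particular IdP honours ForceAuthn by re-running MFA is something to confirm against that IdP's documentation.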