F5 APM SAML skip MFA for X days
We have a single sign-on setup that works with SAMLv2 where F5 APM is the IdP and authentication is done via MFA. This works for single sign-on within the same browsing session. If a user connects to the SAML SP application, it gets redirected for single sign-on to the SSO VIP with an APM policy behind it.
Is it possible to have an option to skip MFA for X days, where X is a static value based on the device?
Something like "trust this browser" across different sessions, regarding whether there is a need to perform multi-factor authentication or not.
Example: User connects to website 1 and signs in using LDAP credentials and a 2FA mechanism. In the same session user connects to website 2 that is configured with the same IdP policy. No authentication is required. User closes their session. The next day user opens website 1 again and only needs to enter the LDAP credentials not the 2FA part. After X days the user is required to perform the 2FA authentication again.
I already had a look at the different session variables that connect to the SSO VIP with the APM policy, but there is nothing that identifies the device uniquely.
- Slayer001
Cirrus
We are still looking for a solution for this requirement within F5 LTM/APM platform. Can anyone help with this?
Just thinking out loud here... maybe you could turn on Multi-Domain SSO and create an iRule to set a persistent cookie. In that (encrypted) cookie you set a hash that is created from the combination of username, user-agent and IP address. The persistent cookie expires after X days. If the cookie is sent and the hash matches, then skip MFA.
- Slayer001
Cirrus
Hi Niels, Thanks for your answer.
Can you elaborate a bit on why we need multi-domain SSO? We now work with SAML resources in a VPE flow. Is multi-domain SSO really necessary, as SSO is working at the moment?
You mention the IP address, but that can change for the same device (e.g. using mobile data / wifi). I was thinking about the username, user-agent and something device specific, but I don't know what to use for that, as the user-agent can be the same for multiple devices using the same browser and OS.
Do you perhaps have an example somewhere on how to create the encrypted temporary cookie with a hash value in an iRule?
Hi Slayer,
When using multi-domain SSO there is only one Primary Authentication URI. I think this will help, so you will only have to set one cookie for the Primary Authentication URI. If you use multiple websites, each with its own access policy, the cookie that is set for example on website1 will not be sent by the browser when accessing website2, unless all websites are part of the same domain; then you could set a domain cookie.
It's difficult to fingerprint a specific device, unless these are managed devices and you could do certificate auth.
But maybe a hash of the username and user-agent are sufficient, because the device will present a cookie. The cookie will probably get stored on the local device only. This will limit the 'skip MFA' to this specific device only.
I will try and create an example iRule for you. Hope to get some time this week to do this.
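The cookie content Niels describes, as an added example that is not part of this thread or of F5's iRule: a Python model of the "trust this device" token (username + user-agent bound to an expiry of X days), so the check logic can be reasoned about before moving it into an iRule. It assumes a keyed HMAC rather than a plain hash (so the value cannot be recreated from a known username and user-agent alone) and an expiry embedded in the signed payload (so the cookie's own lifetime is not the only thing enforcing X days); the key and sample values are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key; in a real deployment this would be a secret held only by the IdP.
SECRET_KEY = b"demo-secret-key-not-for-production"
SECONDS_PER_DAY = 86400


def _mac(payload: bytes) -> str:
    """Keyed MAC over the payload; a plain hash would be forgeable by anyone who knows the inputs."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def make_trust_token(username: str, user_agent: str, now: int, days: int) -> str:
    """Build the value to store in the persistent 'skip MFA' cookie after a successful MFA."""
    payload = json.dumps(
        {"u": username, "ua": user_agent, "exp": int(now) + days * SECONDS_PER_DAY},
        separators=(",", ":"),
    ).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _mac(payload)


def check_trust_token(token: str, username: str, user_agent: str, now: int) -> str:
    """Return 'skip' when MFA may be skipped; otherwise the reason MFA must run."""
    try:
        b64, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return "malformed"
    # Verify the MAC before trusting any field; constant-time compare avoids timing leaks.
    if not hmac.compare_digest(_mac(payload), mac):
        return "bad_signature"
    data = json.loads(payload)
    if data["exp"] < now:
        return "expired"           # X days have passed: MFA required again
    if data["u"] != username or data["ua"] != user_agent:
        return "device_mismatch"   # cookie replayed from another user or browser
    return "skip"
```

In the iRule equivalent the token would be written into the encrypted persistent cookie after MFA succeeds and evaluated in the access policy to set a session variable that branches around the MFA step.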
Hi Slayer,
You can find the iRule here:
https://devcentral.f5.com/s/articles/Suppress-MFA-for-a-period-of-time?page=1