Forum Discussion
F5 APM with Microsoft Authenticator
Hi team, has anyone tested Microsoft Authenticator with F5 APM for 2FA? There are a lot of articles for Google Authenticator, but none for Microsoft Authenticator. Please let me know or point me in the right direction if anyone has ever tested it.
- Stanislas_Piro2Cumulonimbus
Hi,
The Microsoft Authenticator algorithm is the same as Google Authenticator's.
You can use existing Google Authenticator codes.
- Rohit_Singla_17Nimbostratus
Thank you, it works the same as Google :)
- Donamato_01_150Nimbostratus
Hi Rohit,
I've got Google Authenticator working but I'm unsure of what I need to change in the code to use Microsoft Authenticator.
Any help would be greatly appreciated.
- Stanislas_Piro2Cumulonimbus
As explained above, there is nothing to do!
Both apps generate the same time-based password for the same key!
- Rohit_Singla_17Nimbostratus
Yes, just scan the QR code using any app: Google, Microsoft, Authy all work fine.
- Donamato_01_150Nimbostratus
thanks, spot on, all working!
- malakibrahimNimbostratus
Hello
Since NPS is end of life, are there any other alternatives?
Hello,
You could set up your BIG-IP as an IdP for Microsoft Azure, and as an SP for the app. Create the application plus authentication (Azure MFA with SAML, BIG-IP is the IdP for the Azure authentication, Azure will handle the 2nd factor via the app).
Once you have that up and running point your SP to the Azure IdP.
https://docs.microsoft.com/nl-nl/azure/active-directory/manage-apps/f5-big-ip-forms-advanced
Or use Azure AD without the BIG-IP being the IdP.
Cheers,
Kees
- malakibrahimNimbostratus
Hello Kees
My client is not a web app, it's the VMware Horizon client (VDI) and I think it doesn't support SAML. Any recommendations?
Hello,
I think the Horizon client does support SAML, have a look at this example. So I think that with the BIG-IP being both IdP and SP (global context) you should be able to perform SSO and use MS Authenticator.
Cheers,
Kees
- malakibrahimNimbostratus
Wow, first time I've seen that, but shouldn't APM act as SP and Azure as IdP? Does that have to happen within the common partition?
Correct. But for SSO you need the username and password on the BIG-IP.
In order to get this you need the BIG-IP also to be set up as an IdP for the Azure IdP.
It can happen in any partition. See K20465715 for the APM route domain limitations.
Cheers,
Kees
- malakibrahimNimbostratus
Hello Kees
Do you have any example for BIG-IP setup as an IdP for the Azure IdP?
I have been searching for examples:
The key is Azure AD IdP chaining and running Azure in federated mode.
https://www.youtube.com/watch?v=6edKekKIdMg
https://clouddocs.f5.com/training/community/access-solutions/solution15/solution.html
https://clouddocs.f5.com/training/community/iam/html/class3/module1/lab06.html
BIG-IP IdP and Azure AD configuration looks similar to Azure/ADFS federation: https://techdirectarchive.com/2020/02/02/federating-with-adfs-with-azure-active-directory/
Cheers,
Kees