F5 APM with Microsoft Authenticator

Hello Kees

My client is not a web app, its vmware horizon client (VDI) and I think it doesn't support SAML.any recommendations?

Now I have the Solution with Microsoft NPS implemented and it works with the Microsoft Authenticator APP. It's important to setup the right options in Azure for the users to use the Authenticator APP. You can configure inside the azure-user-accounts how the requests from the OnPremis-NPS (Radius) will be handled. So you can use "enable", "disable" and "restrict". And the user have to configure his own Microsoft Authenticator APP during the initial installation and setup process. The user sccount in active directory (OnPrem) have to setup for remote access and the NPS-options (setting inside the AD-user-account). Your F5-APM-Policy should have a Radius-Auth after the AD-Auth. The Radius-Auth connects the OnPrem-Radius (NPS). And on the NPS your have to configure a Policy for the F5-Access as a radius-client (don't forget to configure a NAS-ID, e.g.) and a Policy for the radius-flow. I use https://docs.microsoft.com/de-de/azure/active-directory/authentication/ for MFA-Setup in Azure.

I have the same requirement, using AzureMFA (Challenge Response) with APM.

One solution that works is to use MS NPS Server with AzureMFA Plugin. You can authenticate with AD / Kerberos / LDAP to your local domain on APM and then request MFA with username (password can be empty) via Radius to the NPS.

I'm unhappy with that solution cause I can't provide any feedback to the user. As soon as I trigger the Radius Request in APM, the page waits in "Loading" state. A solution with better user experience would be nice.

Any hints appreciated.

Can I use Microsoft Authenticator (SmartPhone MS-Authenticator-APP) with a kind of Challenge Response. Because I will not ask for the Token within my APM-Logon-Page. User should only do "accept the Authentication with the MS-Authenticator APP".