Forum Discussion
MazeRunner_3283
Nimbostratus
Mar 01, 2018
Configuring 2FA for BigIP management interface using RSA
I have a requirement to support two-factor authentication on the BIG-IP MGMT interfaces using RSA as authentication source. The BigIP TMM version is 11.6.1. Looks like RSA option is not available for ...
'Persist add' is a generic way to manually insert a persistence record. It doesn't actually include the persistence method.
I think using a cookie per pool would be a good method for this scenario. However, I'm not sure I understand the full scenario. Would a client ever start with a request which is sent to one pool and then during the same browser session make a request which goes to another pool? If so, would you want to remove any previously set cookies, so the client would be sent to the most recently selected pool for requests which don't have a corresponding URI to pool mapping in the class?
I'd think the logic would be something like this:
when HTTP_REQUEST {
    # Assumption: data group "uri_to_pool" maps a path prefix to a pool name
    set selected_pool [class match -value [HTTP::path] starts_with uri_to_pool]
    if { $selected_pool eq "" } {
        # No path mapping: fall back to whichever pool cookie the client already carries
        foreach element [class get uri_to_pool] {
            set candidate [lindex $element 1]
            if { [HTTP::cookie exists "${candidate}_cookie"] } {
                set selected_pool $candidate
                break
            }
        }
    }
    if { $selected_pool ne "" } {
        pool $selected_pool
        persist cookie insert "${selected_pool}_cookie"
    } else {
        # No mapping and no pool cookie: default action (redirect or HTTP::respond would also work)
        set selected_pool "default_pool"
        pool $selected_pool
    }
}
when LB_FAILED {
    if { [active_members [LB::server pool]] == 0 } {
        LB::reselect pool default_pool ;# whole pool is down: fall back (or redirect / HTTP::respond)
    } else {
        LB::reselect ;# pool is up but this member failed: pick a different member
    }
}
when HTTP_RESPONSE {
    # Expire every pool cookie except the one for the pool selected on this request
    foreach element [class get uri_to_pool] {
        set other [lindex $element 1]
        if { $other ne $selected_pool } {
            HTTP::cookie insert name "${other}_cookie" value "deleted" path "/"
            HTTP::cookie expires "${other}_cookie" 0 absolute
        }
    }
}
Aaron
Re 1: Yes. You can take the exported SP XML metadata file, and modify it manually the way your IDP needs. Most of the time the data your IDP needs from your SP is just:
- entityID
- X509Certificate
- AssertionConsumerService
- SingleLogoutService
You can copy that info from the exported SP XML metadata and either use some SAML SP generator available on the internet, or just manually edit and create your own SP XML file.
Re 2: No, you do not import such file back to F5.
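The reply above says the IdP usually only needs four items from the exported SP metadata (entityID, the X509Certificate, the AssertionConsumerService and the SingleLogoutService) and that you can either hand-edit the export or build your own SP XML from those items. The following is an added example, not code from the original post or from F5, that does both with the Python standard library: it pulls those four items out of an exported SP metadata document and re-emits a minimal SP metadata file containing only them. The embedded metadata sample, its hostnames and the certificate value are constructed placeholders.

```python
"""Extract the fields an IdP typically needs from exported SAML SP metadata and
rebuild a minimal SP metadata document from them. Added example, not F5 code."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of an exported SP metadata file; the certificate is a placeholder.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/sp/profile/post/sls"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/sp/profile/post/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_fields(xml_text):
    """Return entityID, certificates and endpoints; refuse documents that are not SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this looks like IdP metadata, not SP metadata")

    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # Collapse whitespace so the base64 value compares reliably across exports
            certs.append({"use": kd.get("use"), "cert": "".join((cert.text or "").split())})

    def endpoints(tag):
        return [
            {"Binding": e.get("Binding"), "Location": e.get("Location"), "index": e.get("index")}
            for e in sp.findall("md:" + tag, NS)
        ]

    return {
        "entityID": root.get("entityID"),
        "X509Certificate": certs,
        "AssertionConsumerService": endpoints("AssertionConsumerService"),
        "SingleLogoutService": endpoints("SingleLogoutService"),
    }


def build_minimal_sp_metadata(fields):
    """Emit an SP metadata document holding only the four items an IdP usually needs."""
    ET.register_namespace("md", NS["md"])
    ET.register_namespace("ds", NS["ds"])
    md, ds = "{%s}" % NS["md"], "{%s}" % NS["ds"]
    root = ET.Element(md + "EntityDescriptor", entityID=fields["entityID"])
    sp = ET.SubElement(root, md + "SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for c in fields["X509Certificate"]:
        kd = ET.SubElement(sp, md + "KeyDescriptor")
        if c["use"]:
            kd.set("use", c["use"])
        key_info = ET.SubElement(kd, ds + "KeyInfo")
        x509_data = ET.SubElement(key_info, ds + "X509Data")
        ET.SubElement(x509_data, ds + "X509Certificate").text = c["cert"]
    for tag in ("SingleLogoutService", "AssertionConsumerService"):
        for ep in fields[tag]:
            # Drop attributes the export did not carry (e.g. index on SingleLogoutService)
            ET.SubElement(sp, md + tag, {k: v for k, v in ep.items() if v is not None})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    extracted = extract_sp_fields(SAMPLE_SP_METADATA)
    print(extracted)
    print(build_minimal_sp_metadata(extracted))
```

Running the file prints the four extracted items and the minimal metadata rebuilt from them; the rebuilt document round-trips through `extract_sp_fields` to the same values, which is a cheap sanity check before handing a hand-edited file to the IdP team.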