Forum Discussion
keotion
Nimbostratus
NimbostratusYubikey APM and AzureAD question
HEy I'm trying to add the ability to use yubikeys as hardware keys to my Saml/Azureid logins. I saw this doc for how to do it with okta.
Application access using YubiKey Authentication with APM and Okta | DevCentral
I was wondering if their were similar instructions for Azure AD. It seems like the okta integration relies on okta connecter supporting yubikey in v 16.0. We are currently running 16.1.5, but I don't see something similar in the Azure AD connector. I was wondering how other people have done this? Or if their was something I'm missing? We've been able to add yubikeys to ont eh Azure Ad side, but they never show up when we try to use them as a 2nd factor with The BIG IP Edge client.
- Lucas_Thompson
Employee
This kind of integration requires the Edge Client to operate in "OpenID Connect" mode so that your local browser is used for authentication instead of the operating system browser control that EC normally uses for web-logon mode.
Here's an article about how to set this up with Okta. For Azure, the F5 configuration is almost the same:
VPN Access with MFA using Edge Client 7.2.1 and APM 16.0 | DevCentral
Melissa_CModerator
Hello!
Thank you for posting your question. I have gone through trying to locate an article that could assist but I am unable to locate any that would help move you forward. I would suggest if you have a support contract to create a case for assistance directly from an engineer as they will have the ability to look directly at your set up to find what may be missing.
fredlubranoCirrus
Hello, I believe this issue is resolved after reading the release notes for the EDGE client 7.2.5 ?
Windows Edge Client supports SAML Authentication using the default browser of the system
This feature uses the default browser of the system when authenticating users with SAML IDP. This feature will solve the current limitations of Edge Client, which uses IE technology-based Trident embedded browser for authentication. The Trident engine only supports ECMAScript version 5 and earlier. Users who use IDPs that include JavaScript versions later than ES5 were facing issues with earlier versions of Edge Client. This version of Edge Client resolves all such issues.
To enable this feature customers should load iRules and iFiles and map it to the Virtual servers for which Access profiles are configured. Once 725 Edgeclient is installed on windows need to set Windows registry key "UseExternalBrowserForAuth" with DWORD value 1 at location Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\F5 Networks\RemoteAccess
Note:
- Users must raise a support ticket to get iFiles and iRules.
- This feature requires modern customization to be configured in the access policy.
BellaAbzug1I have a question regarding integrating YubiKey with Azure Active Directory (Azure AD) using Adaptive Privilege Management (APM). Specifically, I’m curious about the process of configuring YubiKey as a two-factor authentication method within Azure AD. What steps are necessary to ensure seamless integration, and how can we verify that users can successfully authenticate with their YubiKeys? Additionally, are there any common issues or best practices to consider during this setup? Understanding these aspects is crucial for enhancing our organization's security while providing a smooth user experience. Any insights or guidance on this topic would be greatly appreciated!
