APM Configuration to Support Duo MFA using iRule
Overview
BIG-IP APM has supported Duo as an MFA provider for a long time with RADIUS-based integration. Recently, Duo has added support for Universal Prompt that uses Open ID Connect (OIDC) protocol to provide two-factor authentication. To integrate APM as an OIDC client and resource server, and Duo as an Identity Provider (IdP), Duo requires the user’s logon name and custom parameters to be sent for Authentication and Token request.
This guide describes the configuration required on APM to enable Duo MFA integration using an iRule. iRules addresses the custom parameter challenges by generating the needed custom values and saving them in session variables, which the OAuth Client agent then uses to perform MFA with Duo. This integration procedure is supported on BIG-IP versions 13.1, 14.1x, 15.1x, and 16.x.
To integrate Duo MFA with APM, complete the following tasks:
1. Choose deployment type: Per-request or Per-session
2. Configure credentials and policies for MFA on the DUO web portal
3. Create OAuth objects on the BIG-IP system
4. Configure the iRule
5. Create the appropriate access policy/policies on the BIG-IP system
6. Apply policy/policies and iRule to the APM virtual server
Choose deployment type
APM supports two different types of policies for performing authentication functions.
- Per-session policies: Per-session policies provide authentication and authorization functions that occur only at the beginning of a user’s session. These policies are compatible with most APM use cases such as VPN, Webtop portal, Remote Desktop, federation IdP, etc.
- Per-request policies: Per-request policies provide dynamic authentication and authorization functionality that may occur at any time during a user’s session, such as step-up authentication or auditing functions only for certain resources. These policies are only compatible with Identity Aware Proxy and Web Access Management use cases and cannot be used with VPN or webtop portals.
This guide contains information about setting up both policy types.
Prerequisites
Ensure the BIG-IP system has DNS and internet connectivity to contact Duo directly for validating the user's OAuth tokens.
Configure credentials and policies for MFA on Duo web portal
Before you can protect your F5 BIG-IP APM Web application with Duo, you will first need to sign up for a Duo account.
1. Log in to the Duo Admin Panel and navigate to Applications.
2. Click Protect an application.
Figure 1: Duo Admin Panel – Protect an Application
3. Locate the entry for F5 BIG-IP APM Web in the applications list and click Protect to get the Client ID, Client secret, and API hostname. You will need this information to configure objects on APM.
Figure 2: Duo Admin Panel – F5 BIG-IP APM Web
4. As DUO is used as a secondary authentication factor, the user’s logon name is sent along with the authentication request. Depending on your security policy, you may want to pre-provision users in Duo, or you may allow them to self-provision to set their preferred authentication type when they first log on.
To add users to the Duo system, navigate to the Dashboard page and click the Add New... -> Add User button. A Duo username should match the user's primary authentication username. Refer to the https://duo.com/docs/enrolling-users link for the different methods of user enrollment.
Refer to Duo Universal Prompt for additional information on Duo’s two-factor authentication.
Create OAuth objects on the BIG-IP system
Create a JSON web key
When APM is configured to act as an OAuth client or resource server, it uses JSON web keys (JWKs) to validate the JSON web tokens it receives from Duo.
To create a JSON web key:
1. On the Main tab, select Access > Federation > JSON Web Token > Key Configuration.
The Key Configuration screen opens.
2. To add a new key configuration, click Create.
3. In the ID and Shared Secret fields, enter the Client ID and Client Secret values respectively obtained from Duo when protecting the application.
4. In the Type list, select the cryptographic algorithm used to sign the JSON web key.
Figure 3: Key Configuration screen
5. Click Save.
Create a JSON web token
As an OAuth client or resource server, APM validates the JSON web tokens (JWT) it receives from Duo.
To create a JSON web token:
1. On the Main tab, select Access > Federation > JSON Web Token > Token Configuration.
The Token Configuration screen opens.
2. To add a new token configuration, click Create.
3. In the Issuer field, enter the API hostname value obtained from Duo when protecting the application.
4. In the Signing Algorithms area, select from the Available list and populate the Allowed and Blocked lists.
5. In the Keys (JWK) area, select the previously configured JSON web key in the allowed list of keys.
Figure 4: Token Configuration screen
6. Click Save.
Configure Duo as an OAuth provider
APM uses the OAuth provider settings to get URIs on the external OAuth authorization server for JWT web tokens.
To configure an OAuth provider:
1. On the Main tab, select Access > Federation > OAuth Client / Resource Server > Provider.
The Provider screen opens.
2. To add a provider, click Create.
3. In the Name field, type a name for the provider.
4. From the Type list, select Custom.
5. For Token Configuration (JWT), select a configuration from the list.
6. In the Authentication URI field, type the URI on the provider where APM should redirect the user for authentication. The hostname is the same as the API hostname in the Duo application.
7. In the Token URI field, type the URI on the provider where APM can get a token. The hostname is the same as the API hostname in the Duo application.
Figure 5: OAuth Provider screen
8. Click Finished.
Configure Duo server for APM
The OAuth Server settings specify the OAuth provider and role that Access Policy Manager (APM) plays with that provider. It also sets the Client ID, Client Secret, and Client’s SSL certificates that APM uses to communicate with the provider.
To configure a Duo server:
1. On the Main tab, select Access > Federation > OAuth Client / Resource Server > OAuth Server.
The OAuth Server screen opens.
2. To add a server, click Create.
3. In the Name field, type a name for the Duo server.
4. From the Mode list, select how you want the APM to be configured.
5. From the Type list, select Custom.
6. From the OAuth Provider list, select the Duo provider.
7. From the DNS Resolver list, select a DNS resolver (or click the plus (+) icon, create a DNS resolver, and then select it).
8. In the Token Validation Interval field, type a number.
In a per-request policy subroutine configured to validate the token, the subroutine repeats at this interval or the expiry time of the access token, whichever is shorter.
9. In the Client Settings area, paste the Client ID and Client secret you obtained from Duo when protecting the application.
10. From the Client's ServerSSL Profile Name, select a server SSL profile.
Figure 6: OAuth Server screen
11. Click Finished.
Configure an auth-redirect-request and a token-request
Requests specify the HTTP method, parameters, and headers to use for the specific type of request. An auth-redirect-request tells Duo where to redirect the end-user, and a token-request accesses the authorization server for obtaining an access token.
To configure an auth-redirect-request:
1. On the Main tab, select Access > Federation > OAuth Client / Resource Server > Request.
The Request screen opens.
2. To add a request, click Create.
3. In the Name field, type a name for the request.
4. For the HTTP Method, select GET.
5. For the Type, select auth-redirect-request.
6. As shown in Figure 7, specify the list of GET parameters to be sent:
- request parameter with value depending on the type of policy
- For per-request policy: %{subsession.custom.jwt_duo}
- For per-session policy: %{session.custom.jwt_duo}
- client_id parameter with type client-id
- response_type parameter with type response-type
Figure 7: Request screen with auth-redirect-request (Use “subsession.custom…” for Per-request or “session.custom…” for Per-session)
7. Click Finished.
To configure a token-request:
1. On the Main tab, select Access > Federation > OAuth Client / Resource Server > Request.
The Request screen opens.
2. To add a request, click Create.
3. In the Name field, type a name for the request.
4. For the HTTP Method, select POST.
5. For the Type, select token-request.
6. As shown in Figure 8, specify the list of POST parameters to be sent:
- client_assertion parameter with value depending on the type of policy
- For per-request policy: %{subsession.custom.jwt_duo_token}
- For per-session policy: %{session.custom.jwt_duo_token}
- client_assertion_type parameter with value urn:ietf:params:oauth:client-assertion-type:jwt-bearer
- grant_type parameter with type grant-type
- redirect_uri parameter with type redirect-uri
Figure 8: Request screen with token-request (Use “subsession.custom…” for Per-request or “session.custom…” for Per-session)
7. Click Finished.
Configure the iRule
iRules gives you the ability to customize and manage your network traffic. Configure an iRule that creates the required sub-session variables and usernames for Duo integration.
Note: This iRule has sections for both per-request and per-session policies and can be used for either type of deployment.
To configure an iRule:
1. On the Main tab, click Local Traffic > iRules.
2. To create an iRules, click Create.
3. In the Name field, type a name for the iRule.
4. Copy the sample code given below and paste it in the Definition field.
Replace the following variables with values specific to the Duo application:
- <Duo Client ID> in the getClientId function with Duo Application ID.
- <Duo API Hostname> in the createJwtToken function with API Hostname. For example, https://api-duohostname.com/oauth/v1/token.
- <JSON Web Key> in the getJwkName function with the configured JSON web key.
Note: The iRule ID here is set as JWT_CREATE. You can rename the ID as desired. You specify this ID in the iRule Event agent in Visual Policy Editor.
Note: The variables used in the below example are global, which may affect your performance. Refer to the K95240202: Understanding iRule variable scope article for further information on global variables, and determine if you use a local variable for your implementation.
when ACCESS_POLICY_AGENT_EVENT {
if { [ACCESS::policy agent_id] eq "JWT_CREATE" } {
set duo_uname [ACCESS::session data get "session.logon.last.username"]
# Inline logic for creating JWT
set header "{\"alg\":\"HS512\",\"typ\":\"JWT\"}"
set exp [expr {[clock seconds] + 900}]
set client_id "<Duo Client ID>"
set redirect_uri "https://[ACCESS::session data get session.server.network.name]/oauth/client/redirect"
set payload "{\"response_type\": \"code\",\"scope\":\"openid\",\"exp\":${exp},\"client_id\":\"${client_id}\",\"redirect_uri\":\"${redirect_uri}\",\"duo_uname\":\"${duo_uname}\"}"
set jwt_duo [ACCESS::oauth sign -header $header -payload $payload -alg HS512 -key "<JSON Web Key>"]
ACCESS::session data set session.custom.jwt_duo $jwt_duo
# JWT Token creation
set aud "<Duo API Hostname>"
set jti [string range [clock seconds] 0 31]
set token_payload "{\"sub\": \"${client_id}\",\"iss\":\"${client_id}\",\"aud\":\"${aud}\",\"exp\":${exp},\"jti\":\"${jti}\"}"
set jwt_duo_token [ACCESS::oauth sign -header $header -payload $token_payload -alg HS512 -key "<JSON Web Key>"]
ACCESS::session data set session.custom.jwt_duo_token $jwt_duo_token
}
}
when ACCESS_PER_REQUEST_AGENT_EVENT {
if { [ACCESS::perflow get perflow.irule_agent_id] eq "JWT_CREATE" } {
set duo_uname [ACCESS::session data get "session.logon.last.username"]
set header "{\"alg\":\"HS512\",\"typ\":\"JWT\"}"
set exp [expr {[clock seconds] + 900}]
set client_id "<Duo Client ID>"
set redirect_uri "https://[ACCESS::session data get session.server.network.name]/oauth/client/redirect"
set payload "{\"response_type\": \"code\",\"scope\":\"openid\",\"exp\":${exp},\"client_id\":\"${client_id}\",\"redirect_uri\":\"${redirect_uri}\",\"duo_uname\":\"${duo_uname}\"}"
set jwt_duo [ACCESS::oauth sign -header $header -payload $payload -alg HS512 -key "<JSON Web Key>"]
ACCESS::perflow set perflow.custom $jwt_duo
# JWT Token creation
set aud "<Duo API Hostname>"
set jti [string range [clock seconds] 0 31]
set token_payload "{\"sub\": \"${client_id}\",\"iss\":\"${client_id}\",\"aud\":\"${aud}\",\"exp\":${exp},\"jti\":\"${jti}\"}"
set jwt_duo_token [ACCESS::oauth sign -header $header -payload $token_payload -alg HS512 -key "<JSON Web Key>"]
ACCESS::perflow set perflow.scratchpad $jwt_duo_token
}
}
Note: iRule updated 11/27/2024 to eliminate CMP demotion.
Figure 9: iRule screen
5. Click Finished.
Create the appropriate access policy/policies on the BIG-IP system
Per-request policy
Skip this section for a per-session type deployment
The per-request policy is used to perform secondary authentication with Duo. Configure the access policies through the access menu, using the Visual Policy Editor. The per-request access policy must have a subroutine with an iRule Event, Variable Assign, and an OAuth Client agent that requests authorization and tokens from an OAuth server. You may use other per-request policy items such as URL branching or Client Type to call Duo only for certain target URIs.
Figure 10 shows a subroutine named duosubroutine in the per-request policy that handles Duo MFA authentication.
Figure 10: Per-request policy in Visual Policy Editor
Configuring the iRule Event agent
The iRule Event agent specifies the iRule ID to be executed for Duo integration. In the ID field, type the iRule ID as configured in the iRule.
Figure 11: iRule Event agent in Visual Policy Editor
Configuring the Variable Assign agent
The Variable Assign agent specifies the variables for token and redirect requests and assigns a value for Duo MFA in a subroutine. This is required only for per-request type deployment. Add sub-session variables as custom variables and assign their custom Tcl expressions as shown in Figure 12.
- subsession.custom.jwt_duo_token = return [mcget {perflow.scratchpad}]
- subsession.custom.jwt_duo = return [mcget {perflow.custom}]
Figure 12: Variable Assign agent in Visual Policy Editor
Configuring the OAuth Client agent
An OAuth Client agent requests authorization and tokens from the Duo server. Specify OAuth parameters as shown in Figure 13.
- In the Server list, select the Duo server to which the OAuth client directs requests.
- In the Authentication Redirect Request list, select the auth-redirect-request configured earlier.
- In the Token Request list, select the token-request configured earlier.
- Some deployments may not need the additional information provided by OpenID Connect. You could, in that case, disable it.
Figure 13: OAuth Client agent in Visual Policy Editor
Per-session policy
Configure the Per Session policy as appropriate for your chosen deployment type.
- Per-request: The per-session policy must contain at least one logon page to set the username variable in the user’s session. Preferably it should also perform some type of primary authentication. This validated username is used later in the per-request policy.
- Per-session: The per-session policy is used for all authentication. A per-request policy is not used.
Figures 14a and 14b show a per-session policy that runs when a client initiates a session. Depending on the actions you include in the access policy, it can authenticate the user and perform actions that populate session variables with data for use throughout the session.
Figure 14a: Per-session policy in Visual Policy Editor performs both primary authentication and Duo authentication (for per-session use case)
Figure 14b: Per-session policy in Visual Policy Editor performs primary authentication only (for per-request use case)
Apply policy/policies and iRule to the APM virtual server
Finally, apply the per-request policy, per-session policy, and iRule to the APM virtual server. You assign iRules as a resource to the virtual server that users connect. Configure the virtual server’s default pool to the protected local web resource.
Apply policy/policies to the virtual server
Per-request policy
To attach policies to the virtual server:
1. On the Main tab, click Local Traffic > Virtual Servers.
2. Select the Virtual Server.
3. In the Access Policy section, select the policy you created.
4. Click Finished.
Figure 15: Access Policy section in Virtual Server (per-request policy)
Per-session policy
Figure 16 shows the Access Policy section in Virtual Server when the per-session policy is deployed.
Figure 16: Access Policy section in Virtual Server (per-session policy)
Apply iRule to the virtual server
To attach the iRule to the virtual server:
1. On the Main tab, click Local Traffic > Virtual Servers.
2. Select the Virtual Server.
3. Select the Resources tab.
4. Click Manage in the iRules section.
5. Select an iRule from the Available list and add it to the Enabled list.
6. Click Finished.
- enzoAltostratus
Go to
Access ›› Overview : Event Logs : Settings.
Clcik "Create" for new log profile or click the check box next to "default-log-setting" and click "Edit"
The "Edit APM Log Setting" will open.In "General Information" check the box for "Enable Access System Logs" and give it a name if its new.Under "General Information" Choose "Access System Logs" on the left click the drop down for "Access Policy" and choose "Debug". Do the same for "OAuth"In the "Access Profiles" section use the arrow to add the policy your troubleshooting to the "Selected" field
Login to the VIP associated with your DUO access profile
Go to "Access ›› Overview : Active Sessions"
Find your login and click the session ID
Hope this helps
- aeftingAltostratus
I wanted to post a follow up to this issue:
Regarding the OAuth branch rule, I was also failing with the rule set to 1. The following fixed it for me. I’m also not clear why this is the case.
Expression: expr {[mcget {session.oauth.client.last.authresult}] == 1} <-- Changed to 0
I opened a ticket with support and they found my problem, I had a typo in my irule -- notice the double "/oauth/v1/token" in this line. When I corrected it, everything worked with the "=1" expression like it should.
set aud https://api-xxxxxdac.duosecurity.com/oauth/v1/token/oauth/v1/token
- Pat_KrogelNimbostratus
A follow up on my issue with the iPhone F5 Access app not handling the redirect properly. It turns out you need to include the redirect_uri parameter in the auth-redirect-request.
- Leslie_HubertusRet. Employee
f5administrat0r - you all set, or still needing help?
Hi JacobV
Please double check that you have a DNS resolver profile set in the "Network" section, and with the Forward Zone ( either a dot "." or the domain name of your Duo server) pointed to some DNS resolver.
- JacobVNimbostratus
Thanks, JoshBecigneul
Bringing up the forward zone helped me find the immediate issue.
It seems that this one F5 device can't reach the Duo API endpoint.I'll have to work on getting that resolved.
I had assumed there weren't any connectivity issues as the Duo RADIUS login method relied on a user's browser to load a script from Duo instead of the F5 device communicating directly with Duo. Its communications with the API endpoint were also being handled by a Duo Authentication Proxy that had connectivity.
I'll try to report back when that's cleared up.
In this case I believe the F5 acts as an OAuth client talking directly to the API server at Duo, which is unlike SAML authentication.
I recall running into a similar issue with one of my deployments of this setup.
- aeftingAltostratus
I am implementing this for the per-session method of authentication. Thanks for the write up and all the comments. I ran into a few of the same issues that some of you did and wanted to document it here.
I ran into the same iPhone F5 Access client issue. To resolve it,
Under Access -> Federation -> OAuth Client / Resource Sever: Request -> DuoAuthSubsessionRedirectRequest
Add Parameter Type: redirect-uri
Add Parameter Value: redicrect_uri
Regarding global variables, it looks to me that it refers to the ::duo_uname
I just deleted the :: to make it a local variable in the spots in the irule that reference it
Both ways seems to work (global and local), but global is now deprecated
Regarding the OAuth branch rule, I was also failing with the rule set to 1. The following fixed it for me. I’m also not clear why this is the case.
Expression: expr {[mcget {session.oauth.client.last.authresult}] == 1} <-- Changed to 0
Regarding the DNS resolver, I just used the existing f5-aws-dns resolver that already existed on my system
- aeftingAltostratus
One last followup to my issue with Mac Ventura. I worked with support and after upgrading the client to 7.2.4.5, Ventura began to work. Looks like F5 resolved that bug. Looks like I am finally all set.
- JHDUKEAltostratus
I've got this configured and working on version 17 however there's something about the syntax of the irule that version 17 doesn't like. A 'tmsh load sys config verify' returns warnings for each procedure call and not fluent enough with irules to make the necessary adjustments. Everything works as expected but would like to clean up the warnings as I use the config verify often. Any suggestions would be appreciated..
Validating configuration...
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
There were warnings:
/Common/Duo_MFA_iRULE:3: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:PROC_SCRIPT"130 50][proc getClientId {
return oauthsecret
}]- Lucas_ThompsonEmployee
You need to make two edits to the iRule with your tenant information:
proc getClientId {
return "PUT YOUR TENANT'S CLIENT ID HERE"
}proc getJwkName {
return "PUT THE BIG-IP OBJECT NAME FOR THE JWK HERE"
#e.g. return "/Common/duo_jwk"
}- JHDUKEAltostratus
Thanks for the response. I do have these already configured in the iRule. The warnings seem to be associated only with the 'proc' definitions..