APM Configuration to Support Duo MFA using iRule

Overview BIG-IP APM has supported Duo as an MFA provider for a long time with RADIUS-based integration. Recently, Duo has added support for Universal Prompt that uses Open ID Connect (OIDC) protoco...
0151T0000040JicQAE.png
Updated Mar 01, 2025
Version 8.0
BIG-IP
BIG-IP Access Policy Manager (APM)
big-ip apm
duo
iRules
mfa
OAuth Client
security
Hardeep_Kaur's avatar
Ret. Employee
I document user guides, online help, and release notes for F5's BIG-IP APM, F5 Access Apps, and Edge Client products. I also work on Access Guided Configuration online help and compatibility matrices.
View Profile
delv3chio's avatar
Icon for Employee rankEmployee
Joined May 20, 2019
View Profile
Jerrod_Kimbler's avatar
Icon for Employee rankEmployee
Vintage F5 Employee, Est. 2006
View Profile
steve_michaels's avatar
steve_michaels
Icon for Cirrus rankCirrus
Apr 29, 2021

Hi -

I have this setup on our F5 APM and using it for a MS Sharepoint Website. I've configured it as per-request policy and I can authenticate via DUO MFA using the Oauth Client in the policy and it gets me into the site. The problem I am encountering comes when an authenticated user tries to open a document in the "native", local Office application (Word, Excel Powerpoint). It doesn't work for that use case, Do you have any ideas on that?

We have been using the F5 APM DUO RADIUS integration and we have the same issue with that. That is why I am trying this new Oauth/iRule integration that you have published here.

By the way. Nice job on this config and write up!

Thanks

-Steve