APM Configuration to Support Duo MFA using iRule

Overview BIG-IP APM has supported Duo as an MFA provider for a long time with RADIUS-based integration. Recently, Duo has added support for Universal Prompt that uses Open ID Connect (OIDC) protoco...
0151T0000040JicQAE.png
Updated Sep 19, 2024
Version 6.0
BIG-IP
BIG-IP Access Policy Manager (APM)
big-ip apm
duo
iRules
mfa
OAuth Client
security
ScottE's avatar
ScottE
Icon for MVP rankMVP
Jul 28, 2022

I was with JoshBecigneul in wondering if we could change the iRule so that it didn't demote the VS from CMP.

I came up with the following change to the last two sections:

when ACCESS_POLICY_AGENT_EVENT {
   set irname [ACCESS::policy agent_id]
   if { $irname eq "JWT_CREATE" } {
      table set duo_uname [ACCESS::session data get "session.logon.last.username"] 604800
      ACCESS::session data set session.custom.jwt_duo [call createJwt [table lookup duo_uname] ]
      ACCESS::session data set session.custom.jwt_duo_token [call createJwtToken]
   }
}

when ACCESS_PER_REQUEST_AGENT_EVENT {
   set irname [ACCESS::perflow get perflow.irule_agent_id]
   if { $irname eq "JWT_CREATE" } {
      table set duo_uname [ACCESS::session data get "session.logon.last.username"] 604800
      ACCESS::perflow set perflow.custom [call createJwt [table lookup duo_uname] ]
      ACCESS::perflow set perflow.scratchpad [call createJwtToken]
   }
}

It seems to be working as expected for me and I no longer receive the CMP warnings.  I have not done a lot of work with the table command or global tables in iRules so if someone with more knowledge sees a flaw in this code please let me know.

I did not want the records left in the table forever so I chose a timeout (604800) that works for me and my usual session lengths.

Thanks

Scott