APM Configuration to Support Duo MFA using iRule
I am implementing this for the per-session method of authentication. Thanks for the write-up and all the comments. I ran into a few of the same issues that some of you did and wanted to document them here.
I ran into the same iPhone F5 Access client issue. To resolve it:
Under Access -> Federation -> OAuth Client / Resource Server: Request -> DuoAuthSubsessionRedirectRequest
Add Parameter Type: redirect-uri
Add Parameter Value: redirect_uri
Regarding global variables, it looks to me like that refers to ::duo_uname.
I just deleted the :: to make it a local variable in the spots in the iRule that reference it.
Both ways seem to work (global and local), but global is now deprecated.
Regarding the OAuth branch rule, I was also failing with the rule set to 1. The following fixed it for me. I’m also not clear why this is the case.
Expression: expr {[mcget {session.oauth.client.last.authresult}] == 1} <-- Changed to 0
Regarding the DNS resolver, I just used the existing f5-aws-dns resolver that already existed on my system.