APM Configuration to Support Duo MFA using iRule
Overview
BIG-IP APM has supported Duo as an MFA provider for a long time with RADIUS-based integration. Recently, Duo has added support for Universal Prompt that uses Open ID Connect (OIDC) protoco...
Updated Mar 01, 2025
Version 8.0
Hardeep_Kaur
I document user guides, online help, and release notes for F5's BIG-IP APM, F5 Access Apps, and Edge Client products. I also work on Access Guided Configuration online help and compatibility matrices.
Ret. Employee
delv3chio
Employee
Joined May 20, 2019
Jerrod_Kimbler
Employee
Vintage F5 Employee, Est. 2006
aefting
Altostratus
Sep 28, 2023
I wanted to post a follow up to this issue:
Regarding the OAuth branch rule, I was also failing with the rule set to 1. The following fixed it for me. I’m also not clear why this is the case.
Expression: expr {[mcget {session.oauth.client.last.authresult}] == 1} <-- Changed to 0
I opened a ticket with support and they found my problem: I had a typo in my iRule -- notice the double "/oauth/v1/token" in this line. When I corrected it, everything worked with the "=1" expression like it should.
set aud https://api-xxxxxdac.duosecurity.com/oauth/v1/token/oauth/v1/token
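
A pre-deployment check for the typo described in the post above, added here as an example and not part of the original post or of F5's iRule: it scans iRule text for literal `set aud` lines and flags any whose URL path is not exactly `/oauth/v1/token`. The function name, the sample iRule fragment, and the `duosecurity.com` host-suffix check are assumptions.

```python
import re
from urllib.parse import urlsplit

# Token endpoint path, taken from the "set aud" line quoted in the post.
TOKEN_PATH = "/oauth/v1/token"
# Assumption: Duo API hosts sit under this suffix, as in the post's example host.
HOST_SUFFIX = ".duosecurity.com"

# Matches Tcl lines of the form: set aud <value>, optionally quoted or braced.
SET_AUD = re.compile(r'^\s*set\s+aud\s+["{]?([^"}\s]+)["}]?\s*$')

# Constructed sample: a correct line, the doubled-path typo, and a line that
# builds the URL from a variable (hypothetical name) and cannot be checked statically.
SAMPLE_IRULE = """\
set aud https://api-xxxxxdac.duosecurity.com/oauth/v1/token
set aud https://api-xxxxxdac.duosecurity.com/oauth/v1/token/oauth/v1/token
set aud "https://$duo_api_host/oauth/v1/token"
"""

def check_aud_lines(irule_text):
    """Return (line_number, value, problem) for each literal 'set aud' line that looks wrong."""
    findings = []
    for number, line in enumerate(irule_text.splitlines(), 1):
        match = SET_AUD.match(line)
        if not match:
            continue
        value = match.group(1)
        # Values using Tcl substitution are only known at run time; skip them.
        if "$" in value or "[" in value:
            continue
        url = urlsplit(value)
        if url.scheme != "https":
            findings.append((number, value, "scheme is not https"))
        elif not (url.hostname or "").endswith(HOST_SUFFIX):
            findings.append((number, value, "host is not under " + HOST_SUFFIX))
        elif url.path != TOKEN_PATH:
            findings.append((number, value,
                             "path is %s, expected %s" % (url.path, TOKEN_PATH)))
        elif url.query or url.fragment:
            findings.append((number, value, "unexpected query or fragment"))
    return findings

if __name__ == "__main__":
    for number, value, problem in check_aud_lines(SAMPLE_IRULE):
        print("line %d: %s (%s)" % (number, problem, value))
```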