APM Configuration to Support Duo MFA using iRule

Overview BIG-IP APM has supported Duo as an MFA provider for a long time with RADIUS-based integration. Recently, Duo has added support for Universal Prompt that uses Open ID Connect (OIDC) protoco...
0151T0000040JicQAE.png
Updated Mar 01, 2025
Version 8.0
BIG-IP
BIG-IP Access Policy Manager (APM)
big-ip apm
duo
iRules
mfa
OAuth Client
security
Hardeep_Kaur's avatar
Ret. Employee
I document user guides, online help, and release notes for F5's BIG-IP APM, F5 Access Apps, and Edge Client products. I also work on Access Guided Configuration online help and compatibility matrices.
View Profile
delv3chio's avatar
Icon for Employee rankEmployee
Joined May 20, 2019
View Profile
Jerrod_Kimbler's avatar
Icon for Employee rankEmployee
Vintage F5 Employee, Est. 2006
View Profile
Lucas_Thompson's avatar
Lucas_Thompson
Icon for Employee rankEmployee
Sep 20, 2024

You need to make two edits to the iRule with your tenant information:

proc getClientId {
 return "PUT YOUR TENANT'S CLIENT ID HERE"
}

proc getJwkName {
 return "PUT THE BIG-IP OBJECT NAME FOR THE JWK HERE"
 #e.g. return "/Common/duo_jwk"
}

 

JHDUKE's avatar
JHDUKE
Icon for Altostratus rankAltostratus
Sep 26, 2024

Thanks for the response. I do have these already configured in the iRule. The warnings seem to be associated only with the 'proc' definitions.. 

 

  • cjrnz's avatar
    cjrnz
    Icon for Nimbostratus rankNimbostratus
    Nov 08, 2024

    I get the same warnings, still on version 15 here but in the throes of planning to move to 17 which is where I noticed the warnings.  The script itself works fine.