APM Configuration to Support Duo MFA using iRule

Overview BIG-IP APM has supported Duo as an MFA provider for a long time with RADIUS-based integration. Recently, Duo has added support for Universal Prompt that uses Open ID Connect (OIDC) protoco...
0151T0000040JicQAE.png
Updated Mar 01, 2025
Version 8.0
BIG-IP
BIG-IP Access Policy Manager (APM)
big-ip apm
duo
iRules
mfa
OAuth Client
security
Hardeep_Kaur's avatar
Ret. Employee
I document user guides, online help, and release notes for F5's BIG-IP APM, F5 Access Apps, and Edge Client products. I also work on Access Guided Configuration online help and compatibility matrices.
View Profile
delv3chio's avatar
Icon for Employee rankEmployee
Joined May 20, 2019
View Profile
Jerrod_Kimbler's avatar
Icon for Employee rankEmployee
Vintage F5 Employee, Est. 2006
View Profile
Najtkin's avatar
Najtkin
Icon for Nimbostratus rankNimbostratus
Feb 25, 2025

Hello!

I am still new with APMs so while I'm exporing it's possibilities, I found this great guide. To test it, I made a per session policy and followed this guide step by step even using the same naming convention (except for the API token, client ID and Secret part). Duo is granting access however the APM fails with the following error:
"/Common/F5-VPN-Duo_act_oauth_client_ag: OAuth Client: failed for server '/Common/duo_server' using 'authorization_code' grant type (client_id=DIU4YAFEXRHK0R8INSXG), error: Invalid json"

Using F5 software version 17.1.2.1