APM Cookbook: Okta MFA Integration

2016-09-12_21-41-09Since the launch of the Okta and F5 Integration Guide I've seen interest in leveraging this partnership take off. One aspect I've enjoyed is watching how customers address pain points they were not able to address previously. For example, providing multi-factor authentication (MFA) for Microsoft Exchange Outlook Web Access (OWA).

This particular customer standardized on Okta's MFA solution but OWA was behind Microsoft Threat Management Gateway (TMG) and could not easily integrate with Okta. For this solution F5's Access Policy Manager (APM) will replace the TMG servers and leverage Okta's on-premises RADIUS agent for MFA via Okta Verify, which supports push notification - by far my favorite feature. I've included a video below that walks through the process of configuring Okta for RADIUS based multifactor as well as configuring APM to leverage Okta's RADIUS agent. https://youtu.be/jpoVo0nuilQ?list=PLAVmgu9Rja5Cyu7KhQ3CUJFNOI5Tr-Wk2

Okta Configuration

On the Okta administrator portal you'll need to create a new Okta Sign-on policy: Security -> Policies. Once you name the new policy you'll need to add a rule:

2016-09-12_21-36-23

The crucial part here is to select RADIUS for the And Authenticates via option.

F5 Configuration

The F5 APM configuration is pretty straight forward since you can use the built-in VPE macro template for RADIUS authentication but we'll need to create a RADIUS AAA object first.

2016-09-12_21-41-09.png

Once the RADIUS AAA object is created go ahead and create a new Access Profile and customize your VPE as shown below - for detailed steps please watch the attached video.

2016-09-12_21-49-24.png

Pretty easy solution and we're just scratching the surface on what is possible. Can't wait to start playing with Okta's API via iRules LX!

Published Sep 13, 2016
Version 1.0
  • Thanks Cody, I have asked on the Okta side, they report that the "send push automatically" option will be available for Radius later this year. I thought, since there is an http response here, that it might be possible to build an iRule to automatically send a response.

     

    I've watched your videos on Okta and F5 integration. Is there info someplace where you dig into the Kerberos or http auth APM policy?

     

  • The integration is via the Okta RADIUS server so this is really a requirement of Okta, not F5. The RADIUS server issues a challenge which is displayed to the user via the APM login. This question has come up in the past and I'm not sure if it's on Okta's roadmap or not.

     

    You can open a support case with Okta and request a feature enhancement that would allow for immediate push notification.

     

  • How could set the MFA response to automatically be push verify? The login page that prompts for Push or Push Verify is pretty unattractive.

     

  • What does this look like from the APM page? Does Okta have an option for an iframe that presents an Okta MFA page?