APM Cookbook: Okta MFA Integration
Since the launch of the Okta and F5 Integration Guide I've seen interest in leveraging this partnership take off. One aspect I've enjoyed is watching how customers address pain points they were not able to address previously. For example, providing multi-factor authentication (MFA) for Microsoft Exchange Outlook Web Access (OWA).
This particular customer standardized on Okta's MFA solution but OWA was behind Microsoft Threat Management Gateway (TMG) and could not easily integrate with Okta. For this solution F5's Access Policy Manager (APM) will replace the TMG servers and leverage Okta's on-premises RADIUS agent for MFA via Okta Verify, which supports push notification - by far my favorite feature. I've included a video below that walks through the process of configuring Okta for RADIUS based multifactor as well as configuring APM to leverage Okta's RADIUS agent. https://youtu.be/jpoVo0nuilQ?list=PLAVmgu9Rja5Cyu7KhQ3CUJFNOI5Tr-Wk2
Okta Configuration
On the Okta administrator portal you'll need to create a new Okta Sign-on policy: Security -> Policies. Once you name the new policy you'll need to add a rule:
The crucial part here is to select RADIUS for the And Authenticates via option.
F5 Configuration
The F5 APM configuration is pretty straight forward since you can use the built-in VPE macro template for RADIUS authentication but we'll need to create a RADIUS AAA object first.
Once the RADIUS AAA object is created go ahead and create a new Access Profile and customize your VPE as shown below - for detailed steps please watch the attached video.
Pretty easy solution and we're just scratching the surface on what is possible. Can't wait to start playing with Okta's API via iRules LX!
- The-messengerCirrostratus
Thanks Cody, I have asked on the Okta side, they report that the "send push automatically" option will be available for Radius later this year. I thought, since there is an http response here, that it might be possible to build an iRule to automatically send a response.
I've watched your videos on Okta and F5 integration. Is there info someplace where you dig into the Kerberos or http auth APM policy?
- Cody_GreenEmployee
The integration is via the Okta RADIUS server so this is really a requirement of Okta, not F5. The RADIUS server issues a challenge which is displayed to the user via the APM login. This question has come up in the past and I'm not sure if it's on Okta's roadmap or not.
You can open a support case with Okta and request a feature enhancement that would allow for immediate push notification.
- The-messengerCirrostratus
How could set the MFA response to automatically be push verify? The login page that prompts for Push or Push Verify is pretty unattractive.
- The-messengerCirrostratus
What does this look like from the APM page? Does Okta have an option for an iframe that presents an Okta MFA page?