Application access using YubiKey Authentication with APM and Okta

Despite recent advances in security and identity management, relying on a password alone no longer provides adequate protection. Here are a few facts about passwords:

  • 64% of users prefer to use a simple password that’s easy to remember.
  • 59% of users reuse passwords across business and personal accounts.
  • Passwords are reused an average of 5 times.
  • Passwords are stolen through phishing attacks.

F5® BIG-IP® Local Traffic Manager™ (LTM) and F5 BIG-IP® Access Policy Manager® (APM) address these challenges by providing multi-factor authentication for application access when used in conjunction with the Okta identity management platform. This integrated solution allows Okta to protect applications with multi-factor authentication (MFA) using a variety of factor types, one of which is YubiKey. In addition, the BIG-IP system can act as a reverse proxy for publishing on-premises applications beyond the firewall.

This document describes how to configure F5 BIG-IP and Okta to meet this requirement.

Audience

This guide is written for IT professionals who need to design an F5 network and are familiar with Access Policy Manager configuration. These IT professionals can fill a variety of roles:

  • Systems engineers who need a standard set of procedures for implementing solutions
  • Project managers who create statements of work for F5 implementations
  • F5 partners who sell technology or create implementation documentation

Deploying Okta YubiKey Authentication and BIG-IP APM integration

When used in conjunction with the Okta identity management platform, APM provides extended access management capabilities and secures all HTTP traffic by acting as a reverse proxy for publishing on-premises applications beyond the firewall.

Okta supports MFA through different factors; the factor used in this document is YubiKey. The following procedure provides examples of both the Okta YubiKey configuration and the BIG-IP APM configuration. These procedures are new for BIG-IP APM: they use the HTTP Connector feature introduced in 15.1 and the Okta Connector feature introduced in 16.0. With these features, APM can use Okta’s API for MFA without the RADIUS requirement of previous releases.

YubiKey is a hardware device for multi-factor and passwordless authentication. Adding YubiKey authentication protects the application with another layer of security that verifies the identity of the user. For more information, visit Yubico’s website: https://www.yubico.com/products/

Prepare YubiKey for use with Okta

Use this section to prepare the YubiKey to work with APM by using Okta’s APIs.

The YubiKey identifies itself as an external keyboard and delivers a one-time passcode (OTP) with a simple touch of a button. Users or administrators can load their own secrets and configuration onto a YubiKey by using the Yubico YubiKey Personalization Tool.

To activate the Okta YubiKey authentication factor, a YubiKey seed file, also known as the Configuration Secrets file, is required. The seed file is a .csv file that allows an admin to provide authorized YubiKeys to end users. Because it contains each key’s secret, treat the seed file as sensitive.

To generate a YubiKey seed file, complete the following steps:

Step 1: Download the YubiKey Personalization Tool here: https://www.yubico.com/products/services-software/download/yubikey-personalization-tools/

Step 2: Insert the YubiKey into the USB port.

Step 3: Launch the YubiKey Personalization tool.

Step 4: Go to Settings, select the following and leave the remaining default settings.

  • Log configuration output: Yubico format

Step 5: Go to Yubico OTP, click Advanced, select the following, leave the remaining default settings, and then click Write Configuration to generate the YubiKey seed file.

  • Configuration Slot: Slot 1
  • Public Identity (1-6 bytes Modhex): Generate
  • Private Identity (6 bytes Hex): Generate
  • Secret Key (16 bytes Hex): Generate
  • Actions: Write Configuration

Step 6: Locate the generated .csv file for later use in the Okta configuration.

For more information on programming YubiKeys, see the following links:

https://support.yubico.com/support/solutions/articles/15000006460-programming-yubikeys-for-okta-adaptive-multi-factor-authentication

https://www.yubico.com/wp-content/uploads/2015/11/Programming_YubiKeys_for_Okta.pdf

The YubiKey preparation should now be complete.
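The three values generated in Step 5 are exactly what an OTP verifier needs, and the following Go program, added here as an illustration and not part of this guide or of Okta’s or F5’s code, shows how a verifier holding one seed-file row checks a 44-character Yubico OTP: the public identity selects the key, the secret key decrypts the token, and the private identity, CRC and counter are checked so that a captured OTP cannot be replayed. The `Key` type and its field names are this example’s own; the token layout and CRC are Yubico’s documented OTP format.

```go
package main
import (
	"crypto/aes"
	"errors"
	"strings"
)

// modhex is Yubico's keyboard-layout-independent hex alphabet; an OTP is 44 modhex characters.
const modhex = "cbdefghijklnrtuv"
// crc16 is the CRC-16/IBM variant Yubico uses; a genuine decrypted token leaves residue 0xf0b8.
func crc16(b []byte) (crc uint16) {
	for crc = 0xffff; len(b) > 0; b = b[1:] {
		crc ^= uint16(b[0])
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1)) // branch-free step for the reflected polynomial
		}
	}
	return crc
}
// Key is one seed-file row as written by the personalization tool, plus the verifier's replay state.
type Key struct {
	PublicID  string // 12 modhex chars; travels in clear as the OTP prefix and selects the key
	PrivateID []byte // 6 bytes; only visible after decryption
	Secret    []byte // 16-byte AES-128 key; the value that makes the seed file sensitive
	lastSeq   uint32 // highest (sessionCounter<<8 | sessionUse) accepted, for replay detection
}
// Validate does what the OTP verifier must do: select the key by public ID, AES-decrypt the 32-char
// token with that key's secret, check CRC and private ID, and reject a counter that does not advance.
func (k *Key) Validate(otp string) error {
	if len(otp) != 44 || otp[:12] != k.PublicID || strings.Trim(otp, modhex) != "" || len(k.Secret) != 16 {
		return errors.New("unknown public identity or malformed OTP")
	}
	tok := make([]byte, 16) // 32 modhex chars -> 16 encrypted bytes
	for i := range tok {
		tok[i] = byte(strings.IndexByte(modhex, otp[12+2*i])<<4 | strings.IndexByte(modhex, otp[13+2*i]))
	}
	blk, _ := aes.NewCipher(k.Secret) // key length was checked above
	blk.Decrypt(tok, tok)             // uid(6) counter(2 LE) timestamp(3) use(1) random(2) crc(2 LE)
	if crc16(tok) != 0xf0b8 || string(tok[:6]) != string(k.PrivateID) {
		return errors.New("wrong secret key, wrong private identity or corrupted OTP")
	}
	// Session counter (bit 15 is a flag, masked off) then session use; the pair must move forward.
	seq := uint32(tok[7]&0x7f)<<16 | uint32(tok[6])<<8 | uint32(tok[11])
	if seq <= k.lastSeq {
		return errors.New("replayed OTP")
	}
	k.lastSeq = seq
	return nil
}
```

Okta performs the equivalent checks server-side using the uploaded seed file; `lastSeq` is why the same OTP submitted twice is rejected.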


Configuring Okta MFA

Use this section to configure Okta so that the YubiKey factor works with APM through Okta’s API.

To configure and test Okta MFA with APM, complete the following tasks:

  • Create Okta API Token – for APM Okta Connector (16.0 feature) configuration
  • Add Person to Directory – add users to Okta.
  • Configure Multifactor – enable multi-factor authentication.
  • Set up MFA on Mobile – enable mobile for MFA authentication.

Before configuring anything in the Okta admin dashboard, make sure the “Classic UI” is selected.

Create Okta API Token

For the API integration to work, you need to establish a relationship between Okta and APM by using an Okta API token. The following instructions create the Okta API token that is later added to the APM configuration.

Step 1: In the Okta admin dashboard, click Security>API>Tokens>Create Token, enter a name and then click Create Token.

Step 2: In the Create Token window, copy the “Token Value” and paste it into a text file for later use in the APM configuration. The value is shown only once, and the token carries the API permissions of the administrator who created it, so handle it as a credential.

Add Person to Directory

Use this section to create a test user named Art Venderlay in the Okta Directory.

Step 1: In the Admin Dashboard, click Directory, and then select People.

Step 2: Click + Add Person at the top left of the screen.

Step 3: In the Add Person window, complete the following information and click Save:

  • User type: User
  • First name: Art
  • Last name: Venderlay
  • Username: avanderlay@email.com

Configure YubiKey Multifactor

Use this section to enable the YubiKey factor for MFA in Okta.

Step 1: In the Admin Dashboard, click Security>Multifactor>Factor Types>YubiKey>Active.

Step 2: In the YubiKey window, click Browse, locate the YubiKey seed file created in the previous section, click Open, and then click Upload Seed File.

Step 3: In the Multifactor window, click Factor Enrollment>Default Policy>Edit, select the following in the Edit Policy window, and then click Update Policy.

  • Assign to groups: Everyone
  • YubiKey OTP: Required

The Okta YubiKey multi-factor configuration should now be complete.

Configure F5 BIG-IP APM

Use this section to configure APM to use Okta’s API for YubiKey factor authentication.

To configure and test YubiKey authentication using Okta multi-factor with APM, complete the following tasks:

  • Configure HTTP Connector Transport: Provide access to an external API
  • Configure Okta Connector (16.0 feature): Establish relationship between APM and Okta using Okta’s API
  • Configure access policy: Define a policy that executes Okta connector
  • Configure the Pool Properties: enables you to configure a pool of one or more servers. If you have a suitable pool configured already, select it. Otherwise, create a new one. Add servers, select a load balancing method, and, optionally, assign a health monitor to the pool.

Step 1: An HTTP Connector Transport requires a DNS Resolver object. You can select an existing resolver or define one when you create the Connector Transport. Create an HTTP Connector Transport to provide the transport-level parameters (such as an SSL profile and DNS resolver) used for sending HTTP requests.

Go to Access>Authentication>HTTP Connector>HTTP Connector, click Create, complete the following information, and then click Save.

  • Name: Okta_MFA_TS
  • DNS Resolver: /Common/itc.demo
  • Server SSL Profile: /Common/serverssl
  • Maximum Response Size: 32768 (default)
  • Timeout: 5 (default)

Step 2: For the Okta MFA API to work, you need to establish a relationship between APM and Okta using the API token created in the Configuring Okta MFA section.

Go to Access>Authentication>HTTP Connector>Okta Connector, click Create, complete the following information, and then click Save.

  • Name: Okta_MFA_Connector
  • HTTP Connector Transport: /Common/Okta_MFA_TS
  • Okta Domain: dev-123456-admin.okta.com (Okta account)
  • Okta API Token: (paste token from previous section)

Step 3: Go to Access>Profiles / Policies>Per-Request Policies, click Create, complete the following configuration, leave the default options, and then click Finished.

  • Configuration Name: okta_prp
  • Languages: English (en)

Step 4: On the Per-Request Policies page, click Edit in the Per-Request Policies column for the okta_prp policy to launch the Visual Policy Editor. Go to the new tab opened for the Visual Policy Editor and then click + to Add item.

Step 5: In the popup window, complete the following information and then click Save.

  • Name: Okta_MFA_sub


Step 6: Click + next to Subroutine: Okta_MFA_sub.


Step 8: In the popup window, go to the Authentication tab, select the following, and click Add Item.

  • Okta MFA

Step 9: In the next window, select the following option, leave the default configuration, and then click Save:

  • Okta Connector: /Common/Okta_MFA_Connector

Before clicking Save, scroll down and verify that the YubiKey factor is listed.

Step 10: On the Subroutine: Okta_MFA_sub line, click Edit Terminals.

Step 11: Click Add Terminal, create the following two terminals, and click Save.

  • Name: Success
  • Name: Failure

Step 12: On the fallback line leaving the Okta MFA box, click the Success box.

Step 13: In the popup window, select the following and then click Save.

  • Failure

Step 14: Click the + between the In and Okta MFA boxes.

Step 15: In the popup window, select the following and click Add Item.

  • Logon Page

Step 16: In the next window, leave the default information and click Save.

Step 17: Under Per-Request Policy: /Common/okta_prp, click +.

Step 18: In the popup window, go to the Subroutines tab, select the following, and click Add Item.

  • Okta_MFA_sub

This completes the Visual Policy Editor configuration. Close the tab.

Step 19: Go to Access>Profiles / Policies>Access Profiles (Per-Session Policies), click Create, select the following, leave the default settings, and click Finished.

  • Name: Allow_Access
  • Profile Type: All

Step 20: Go to Local Traffic>Virtual Servers and associate the per-session policy and the per-request policy with the virtual server.

For more information on Virtual Server configuration, see the following link: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-4-0/apm_config_virtualserver.html

This completes the APM configuration.

Test YubiKey Factor Authentication

To test the YubiKey factor authentication configuration, access the application; the browser should return the logon prompt. Enter the user credentials and click Logon.

After a successful logon, the Okta Verify MFA YubiKey screen appears. Plug the YubiKey into a USB port and touch it. Wait, and the application will appear in the browser.

This concludes the testing of YubiKey factor authentication using BIG-IP APM and Okta.

---

Resources

Validated Products and Versions

  • BIG-IP APM 16.0
Published Jul 22, 2020
Version 1.0