How to enable RSA SecurID Browser Plug-In for APM

We are currently installing an Edge Gateway in our network and we use RSA Soft Tokens for authentication.  We were looking for the browser plug-in option like there is on the FirePass device and couldn't find it.  I have submitted an RFE for this, but we needed a workaround quickly.  I have listed the steps below to integrate the browser plug-in into the Edge.  This will work if you are using the "password" field as your token code input.  If you are trying to do two-factor auth using an AD or LDAP password as well, then you will need to modify this code.  If you need help please message me.

 

- Login to the management UI and navigate to “Access Policy” -> “Customization”.

- Change the view of the editor to “Advanced”.

- Navigate to your logon page include file.  My file was located at “Access Profiles/Common/<profile name>/Macros/Logon Page and Auth/Logon Pages/Logon Page” and there should be a logon.inc file.  Your location may vary depending on where the logon page is in your policy.  In this instance the logon page is in a Macro called “Logon Page and Auth”.

- Add the following code to the logon.inc file.  The code to replace is in the part where the file prints the input tags in the HTML (this was on line 386 for me).  Be careful, because there are two lines that look the same.  I am updating the first line because my configuration prints the input box below the label, not on the same line.  If you print on the same line, you will replace the second instance of this code.

 

REPLACE THIS CODE:

<input type=<? print( $field_settings["type"] ); ?> name=<? print( $field_settings["name"] ); ?> class="credentials_input_<? print( $field_settings["type"] ); print( $_disabled ) ?>" <? print( $disabled ); ?> value="<? print( $field_settings["value"] ); ?>" id="<? print( "input_{$id}" ); ?>" autocomplete="off" autocapitalize="off">

 

WITH THIS CODE:

<? /* Only the field named "password" (used here for the token code) gets the
      onfocus hook that calls querySoftToken(); every other field is printed
      exactly as before. NOTE(review): $field_settings values are printed into
      attributes without visible escaping in this snippet — confirm the
      surrounding vendor code escapes them before they reach the page. */ ?>
<? if( $field_settings["name"] == "password" ) { ?>

  <input type="<? print( $field_settings["type"] ); ?>" name="<? print( $field_settings["name"] ); ?>" class="credentials_input_<? print( $field_settings["type"] ); print( $_disabled ) ?>" <? print( $disabled ); ?> value="<? print( $field_settings["value"] ); ?>" id="<? print( "input_{$id}" );?>" onfocus="querySoftToken();" autocomplete="off" autocapitalize="off">

<? } else { ?>

  <input type="<? print( $field_settings["type"] ); ?>" name="<? print( $field_settings["name"] ); ?>" class="credentials_input_<? print( $field_settings["type"] ); print( $_disabled ) ?>" <? print( $disabled ); ?> value="<? print( $field_settings["value"] ); ?>" id="<? print( "input_{$id}" );?>" autocomplete="off" autocapitalize="off">

<? } ?>

 

- Now we need to add a few more things to make this work.

The following code needs to be added around line 134…  I added mine above the “getFormCompatibility()” function.

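// Compatibility shim for the RSA SecurID browser plug-in, which is exposed
// to the page as the ActiveX object document.sdui (see the <object> tag
// with name="sdui"). Wired to the password field's onfocus handler.
//
// It looks at the form's rsa_status field to decide which plug-in call to
// make (next tokencode, new PIN, system PIN, passcode), copies the result
// into the username/password/rsaChallenge fields, appends a hidden
// rsa_soft_token=on input so the server knows the soft token filled the
// form, and submits.
//
// Form fields read (form located by the global globalFormId): username,
// password, rsa_pin, rsa_status, rsapin_min, rsapin_max, rsapin_type,
// rsaChallenge, login.
// Returns nothing. Returns early without submitting when the plug-in is
// not available or the user cancels the plug-in dialog; redirects to the
// logon page when a "next passcode" authentication fails.
function querySoftToken()
{
    // No plug-in object (non-IE browser, plug-in not installed, or the
    // <object> tag missing): do nothing instead of throwing from onfocus.
    if (typeof(document.sdui) == "undefined" || document.sdui == null)
        return;
    var sdui = document.sdui;
    if (typeof(sdui.sdAuth) == "undefined")
        return;

    var form = document.getElementById( globalFormId );
    var time = Math.round(new Date().getTime()/1000); // seconds since epoch
    var user = form.username.value;
    var state = 0;
    var systempin = (form.rsa_pin != null) ? form.rsa_pin.value : 0;
    // No rsa_status field yet means this is the initial logon page.
    var rsa_status = (form.rsa_status == null) ? "99" : form.rsa_status.value;
    var pin_min, pin_max, pin_type, pin_mode, e;

    switch(rsa_status) {
    case "6": // 6 = next tokencode
        if (typeof(sdui.sdNext) != "undefined" && sdui.sdNext() == 1 ) {
            form.password.value = sdui.getNext();
            form.username.value = sdui.getUsername();
            break;
        }
        return;

    case "7": // user must select pin or use system pin
    case "9": // user must select pin
        pin_min = form.rsapin_min.value;
        pin_max = form.rsapin_max.value;
        pin_type = (form.rsapin_type.value == 0) ? 1 /* alnum */ : 0 /* num */;
        pin_mode = (rsa_status == 7) ? 1 : 2;
        if (typeof(sdui.sdPin) != "undefined"
            && sdui.sdPin(pin_min, pin_max, pin_mode, pin_type, systempin) == 1) {
            form.password.value = sdui.getPin();
        } else {
            // user cancelled the PIN dialog (or plug-in lacks sdPin)
            form.password.value = "cancel_new_pin_mode";
        }
        form.rsaChallenge.value = form.password.value;
        break;

    case "8": // user must use system  PIN
        if (typeof(sdui.sdPin) != "undefined" && sdui.sdPin(0, 0, 0, 0, systempin) == 1) {
            form.password.value = systempin;
            form.rsaChallenge.value = systempin;
        } else {
            form.password.value = "cancel_new_pin_mode";
            form.rsaChallenge.value = form.password.value;
        }
        break;

    case "10": // pin accepted, next passcode
        if (sdui.sdAuth(time, user, state) == 1) {
            form.username.value = sdui.getUsername();
            form.password.value = sdui.getNext();
            break;
        }
        // Start over. Return here so execution does not fall through into
        // the default case and prompt for a passcode again while the
        // redirect is pending.
        window.location='/my.logon.php3';
        return;

    case "99":    // initial logon page (no status yet)
    default:      // access denied, pin rejected, etc.
        if (sdui.sdAuth(time, user, state) == 1) {
            form.username.value = sdui.getUsername();
            form.password.value = sdui.getPasscode();
            break;
        }
        return;
    }

    // Block a second manual submit, tag the request as filled by the soft
    // token, and submit the form.
    if (form.login != null) form.login.disabled=1;
    e = document.createElement("input");
    e.setAttribute("name", "rsa_soft_token");
    e.setAttribute("type", "hidden");
    e.setAttribute("value","on");
    form.appendChild(e);
    form.submit();
}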

 

 

- Last thing to add will be the reference to the object.  I added this on line 96 just below the link reference to the apm.css stylesheet.

 

<!-- RSA SecurID browser plug-in ActiveX object. querySoftToken() reaches it
     as document.sdui (the name attribute), so the name must stay "sdui".
     Internet Explorer only; other browsers will not instantiate it. -->
<object hidden="true" name="sdui" id="sdui" classid="clsid:99548BB4-F895-11D0-93CA-00A024D1214D"></object>

 

 

- Now you have to apply your access policy.

 

If you have installed a newer version of the Soft Token you need to make sure to do a custom install and select the browser plugin option.  This only works in IE.

 

Seth Cooper

Published Jul 30, 2012
Version 1.0
  • Hi Seth,

     

     

    Cool article on integrating the RSA web UI with APM. I am just wondering what changes would be required, or things to consider, when integrating it with a custom login page; I have completely replaced logon.inc.

     

     

    Any inputs are appreciated :-)

     

     

    Best Regards
  • Hello Seth, We're in the process of implementing APM and wanted the RSA pop-up because we had it in Firepass. It seems that in BIG-IP version 11.6 the code is a little different than what you posted. Could you suggest where/what to change to make it work with 11.6? I can send you the logon.inc file contents (I tried posting it here but it didn't seem to take). We have both Radius and AD authentication used. Thanks!