on 27-Jul-2020 11:09
Despite recent advances in security and identity management, relying on a password alone no longer provides adequate protection. Here are a few facts about passwords:
F5® BIG-IP® Local Traffic Manager™ (LTM) and F5 BIG-IP® Access Policy Manager® (APM) address these challenges by providing multi-factor authentication to access applications when used in conjunction with the Okta identity management platform. This integrated solution allows Okta to support applications with multi-factor authentication (MFA) using a variety of factor types. In addition, the BIG-IP system can act as a reverse proxy for publishing on-premises applications beyond the firewall.
This document discusses the process of configuring F5 BIG-IP and Okta to meet this requirement.
This guide is written for IT professionals who need to design an F5 network and are familiar with Access Policy Manager configuration. These IT professionals can fill a variety of roles:
Providing extended access management capabilities when used in conjunction with the Okta identity management platform, APM secures all HTTP traffic by acting as a reverse proxy for publishing on-premises applications beyond the firewall.
By adding MFA, the application is protected by another layer of security that verifies the identity of the user.
Okta supports MFA through different factors. One of the factors used in this document is the mobile phone. The following procedure provides examples of the Okta MFA mobile phone configuration as well as the BIG-IP APM configuration. These procedures are new to BIG-IP APM: they use the HTTP Connector feature introduced in 15.1 and the Okta Connector feature introduced in 16.0. With these features, APM can call Okta's API to perform MFA without the RADIUS requirement of previous releases.
Use this section to configure Okta for MFA to work with APM by using Okta’s API.
To configure and test Okta MFA with APM, complete the following tasks:
Before configuring Okta admin dashboard, make sure the “Classic UI” is selected:
For the API to work, you need to establish a trust relationship between Okta and APM using an Okta API token. The following instructions create the Okta API token that is later added to the APM configuration.
Step 1: In the Okta admin dashboard, click Security>API>Tokens>Create Token, enter a name and then click Create Token.
Step 2: In the Create Token window, copy the Token Value and paste it into a text file for later use in the APM configuration.
Use this section to create a test user in the Okta Directory named Art Venderlay.
In this section, you'll enable mobile MFA in Okta.
Step 1: In Admin Dashboard, click Security>Multifactor>Factor Types>Okta Verify>Active
Step 2: In the Okta Verify Settings window, click Edit, select the following option and then click Save.
Step 3: In the Multifactor window, click Factor Enrollment>Default Policy>Edit, select the following information in Edit Policy window and then click Update Policy.
Use this section to enable MFA on a mobile device.
Step 1: Download the Okta Verify app from the App Store or Play Store on a mobile device.
Step 2: In a browser, sign in to Okta using the user account created earlier.
Step 3: Click Art>Settings.
Step 4: Scroll down to the Extra Verification panel and click Okta Verify>Set Up.
Step 5: In Set up multifactor authentication window, click Configure factor.
Step 6: In Setup Okta Verify window, select iPhone or Android and then click Next.
Step 7: Launch Okta Verify app on the mobile device and scan QR code:
This completes the Okta MFA configuration section.
Use this section to configure APM to use Okta's API for multi-factor authentication.
To configure and test Okta MFA with APM, complete the following tasks:
Step 1: A DNS Resolver object is required for an HTTP Connector Transport. You can select an existing resolver or define one when you create the Connector Transport. Create an HTTP Connector Transport to provide transport level parameters (such as an SSL profile and DNS resolver), used for sending HTTP requests.
Go to Access>Authentication>HTTP Connector>HTTP Connector and click Create. In the General Properties window, complete the following information and then click Save.
Step 2: For the Okta MFA API to work, you need to establish a trust relationship between APM and Okta using the API token created in the Configuring Okta MFA section.
Go to Access>Authentication>HTTP Connector>Okta Connector, click Create, complete the following information and then click Save.
Step 3: Go to Access>Profiles / Policies>Per-Request Policies, click Create, complete the following configuration, leave the default options and then click Finished.
Step 4: In the Per-Request Policies page, click Edit under the Per-Request Policies column for the Okta_MFA_Connector policy to launch the Visual Policy Editor. In the new Visual Policy Editor tab, click + to add an item.
Step 5: In the popup window, complete the following information and then click Save.
Step 6: Click + next to Subroutine: Okta_MFA_sub.
Step 8: In the popup window, go to Authentication tab, select the following and click Add Item.
Step 9: In the next window, select the following option, leave the default configurations and then click Save:
Step 10: In the Subroutine: Okta_MFA_sub line, click Edit Terminals.
Step 11: Click Add Terminal, complete the following information and click Save.
Step 12: Off the Okta MFA box of the fallback line, click on the Success box.
Step 13: In the popup window, select the following and then click Save.
Step 14: Between the In and Okta MFA boxes, click on the +.
Step 15: In the popup window, select the following and click Add Item.
Step 16: In the next window, leave the default information and click Save.
Step 17: Under Per-Request Policy: /Common/okta_prp, click on +.
Step 18: In the popup window, go to Subroutines tab, select the following and click Add Item.
This completes Visual Policy Editor configuration.
Close the tab.
Step 19: Go to Access > Profiles / Policies>Access Profiles (Per-Session Policies), click Create, select the following, leave default settings, and click Finished.
Step 20: Go to Local Traffic>Virtual Servers, associate the Access Profile (per-session policy) and the per-request policy with the virtual server.
For more information on Virtual Server configuration, please go to the following link: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-4-0/apm_config_vi...
This completes the section on APM configuration for Okta MFA configuration using Okta API.
To test the MFA configuration, access the application; the browser should return the logon prompt. Enter the user's login credentials and click Logon.
After a successful logon, the Okta Verify MFA screen appears. Click Send push, wait for the notification on the mobile device, accept the access request by touching "YES, IT'S ME" on the mobile device, and the application appears in the browser.
This concludes the section on testing MFA access using BIG-IP APM and Okta.
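As an added illustration (not code from this article, F5 or Okta), the push-verify exchange that the test above exercises: a verify request starts the transaction and APM polls until the user answers, modelled on the responses of Okta's Factors API. The org URL, user and factor ids and the token are placeholders, and the transport is an injectable fake so the flow runs offline.

```python
# Constructed model of the Okta Verify push flow: POST .../factors/{factorId}/verify
# answers WAITING plus a poll link; polling returns WAITING until the user responds.
OKTA_ORG = "https://example.okta.com"        # assumed org URL
API_TOKEN = "REPLACE_WITH_OKTA_API_TOKEN"    # placeholder; APM keeps the real one in its Okta Connector

FINAL_RESULTS = ("SUCCESS", "REJECTED", "TIMEOUT")


def okta_headers(token):
    # Okta API tokens are sent with the SSWS authorization scheme.
    return {"Authorization": f"SSWS {token}", "Accept": "application/json",
            "Content-Type": "application/json"}


def push_verify(user_id, factor_id, post, get, max_polls=10):
    """Drive one push transaction; post/get are (url, headers) -> dict transports.
    Returns the final factorResult, failing closed on anything but SUCCESS."""
    url = f"{OKTA_ORG}/api/v1/users/{user_id}/factors/{factor_id}/verify"
    headers = okta_headers(API_TOKEN)
    tx = post(url, headers)
    result = tx.get("factorResult")
    poll_url = tx.get("_links", {}).get("poll", {}).get("href")
    polls = 0
    while result == "WAITING" and poll_url and polls < max_polls:
        tx = get(poll_url, headers)
        result = tx.get("factorResult")
        polls += 1
    if result == "WAITING":
        return "TIMEOUT"   # local guard: an unanswered push is never a success
    return result if result in FINAL_RESULTS else "ERROR"


def fake_okta(answers):
    """Constructed stand-in for Okta: the first call opens the transaction,
    each poll pops the next factorResult from `answers` (WAITING when empty)."""
    queue = list(answers)
    poll = f"{OKTA_ORG}/api/v1/users/u1/factors/f1/transactions/tx1"

    def post(url, headers):
        assert headers["Authorization"].startswith("SSWS ")
        return {"factorResult": "WAITING", "_links": {"poll": {"href": poll}}}

    def get(url, headers):
        return {"factorResult": queue.pop(0) if queue else "WAITING"}

    return post, get


if __name__ == "__main__":
    post, get = fake_okta(["WAITING", "WAITING", "SUCCESS"])
    print(push_verify("u1", "f1", post, get))  # SUCCESS
```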
Will this solution allow the usage of device fingerprinting to reduce the number of times that MFA prompting is required?