Kai_Chung
F5 Employee

Despite recent advances in security and identity management, relying on a password alone no longer provides adequate protection. Here are a few facts about passwords:

  • 64% of users prefer to use a simple password that’s easy to remember.
  • 59% of users reuse passwords across business and personal accounts.
  • Passwords are reused an average of 5 times.
  • Passwords are stolen through phishing attacks.


F5® BIG-IP® Local Traffic Manager™ (LTM) and F5 BIG-IP® Access Policy Manager® (APM) address these challenges by providing multi-factor authentication to access applications when used in conjunction with the Okta identity management platform. This integrated solution allows Okta to support applications with multi-factor authentication (MFA) using a variety of factor types. In addition, the BIG-IP system can act as a reverse proxy for publishing on-premises applications beyond the firewall.

This document discusses the process of configuring F5 BIG-IP and Okta to meet this requirement.

Audience

This guide is written for IT professionals who need to design an F5 network and are familiar with Access Policy Manager configuration. These IT professionals can fill a variety of roles:

  • Systems engineers who need a standard set of procedures for implementing solutions
  • Project managers who create statements of work for F5 implementations
  • F5 partners who sell technology or create implementation documentation

Deploying Okta Multi-factor Authentication and BIG-IP APM integration

When used in conjunction with the Okta identity management platform, APM provides extended access management capabilities and secures all HTTP traffic by acting as a reverse proxy that publishes on-premises applications beyond the firewall.

Adding MFA protects the application with another layer of security that verifies the identity of the user.

Okta supports MFA through several factor types; the one used in this document is a mobile phone (Okta Verify). The following procedure provides examples of the Okta MFA mobile phone configuration as well as the BIG-IP APM configuration. These procedures are new for BIG-IP APM: they use the HTTP Connector feature introduced in 15.1 and the Okta Connector feature introduced in 16.0. With these features, APM calls Okta’s API directly to perform MFA, without the RADIUS requirement of previous releases.

Configuring Okta Multi-Factor Authentication

Use this section to configure Okta for MFA to work with APM by using Okta’s API.

To configure and test Okta MFA with APM, complete the following tasks:

  • Create Okta API Token – for APM Okta Connector (16.0 feature) configuration
  • Add Person to Directory – add users to Okta.
  • Configure Multifactor – enable multi-factor authentication.
  • Setup MFA on Mobile – enable mobile for MFA authentication.

Before configuring anything in the Okta admin dashboard, make sure the “Classic UI” is selected:

Create Okta API Token

For the API integration to work, you need to establish a trust relationship between Okta and APM by using an Okta API token. The following instructions create the Okta API token that will be added to the APM configuration.

Step 1: In the Okta admin dashboard, click Security>API>Tokens>Create Token, enter a name and then click Create Token.

Step 2: In the Create Token window, copy the Token Value and paste it into a text file for later use in the APM configuration.

Add Person to Directory

Use this section to create a test user in the Okta Directory named Art Venderlay.

Step 1: In the Admin Dashboard, click Directory, and then select People.

Step 2: Click + Add Person at the top left of the screen.

Step 3: In the Add Person window, complete the following information and click Save:

  • User type: User
  • First name: Art
  • Last name: Venderlay
  • Username: avanderlay@email.com

Configure Multifactor

In this section, you'll enable mobile MFA in Okta.

Step 1: In the Admin Dashboard, click Security>Multifactor>Factor Types>Okta Verify>Active.

Step 2: In the Okta Verify Settings window, click Edit, select the following option and then click Save.

  • Enable Push Notification: Check

Step 3: In the Multifactor window, click Factor Enrollment>Default Policy>Edit, select the following information in Edit Policy window and then click Update Policy.

  • Assign to groups: Everyone
  • Effective Factors:
      • Okta Verify: Required
      • Okta Verify with Push: Check


Setup MFA on Mobile

Use this section to enable MFA on a mobile device.

Step 1: Download the Okta Verify app from the App Store or Play Store on a mobile device.

Step 2: In a browser, sign in to Okta by using the user account created in the previous section.

Step 3: Click Art>Settings.

Step 4: Scroll down to the Extra Verification panel and click Okta Verify>Set Up.

Step 5: In the Set up multifactor authentication window, click Configure factor.

Step 6: In the Setup Okta Verify window, select iPhone or Android and then click Next.

Step 7: Launch the Okta Verify app on the mobile device and scan the QR code:

This completes the Okta MFA configuration section.

Configure F5 BIG-IP APM

Use this section to configure APM to use Okta’s API for multi-factor authentication.

To configure and test Okta MFA with APM, complete the following tasks:

  • Configure HTTP Connector Transport: Provide access to an external API
  • Configure Okta Connector (16.0 feature): Establish relationship between APM and Okta using Okta’s API
  • Configure access policy: Define a policy that executes Okta connector
  • Configure the Pool Properties: configure a pool of one or more application servers. If a suitable pool already exists, select it; otherwise create a new one, add servers, select a load balancing method and, optionally, assign a health monitor to the pool.

Step 1: Create an HTTP Connector Transport, which provides the transport-level parameters (such as a server SSL profile and a DNS resolver) used for sending HTTP requests. A DNS Resolver object is required for an HTTP Connector Transport; you can select an existing resolver or define one when you create the Connector Transport.

Go to Access>Authentication>HTTP Connector>HTTP Connector and click Create. In the General Properties window, complete the following information and then click Save.

  • Name: Okta_MFA_TS
  • DNS Resolver: /Common/itc.demo
  • Server SSL Profile: /Common/serverssl
  • Maximum Response Size: 32768 (default)
  • Timeout: 5 (default)

Step 2: For the Okta MFA API to work, you need to establish a link relationship between APM and Okta using the API token created in the Configuring Okta Multi-Factor Authentication section.

Go to Access>Authentication>HTTP Connector>Okta Connector, click Create, complete the following information and then click Save.

  • Name: Okta_MFA_Connector
  • HTTP Connector Transport: /Common/Okta_MFA_TS
  • Okta Domain: dev-123456-admin.okta.com (Okta account)
  • Okta API Token: (paste token from previous section)

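The Okta Connector configured above is what lets APM drive MFA over Okta’s REST API instead of RADIUS. The following Python script, added here as an illustration and not code from the article, F5 or Okta, walks through the same kind of push-verification exchange against Okta’s Factors API: look up the user by login, find an active Okta Verify push enrollment, issue the push challenge with the `SSWS` API token, and poll the transaction link until Okta reports SUCCESS, REJECTED or TIMEOUT. The HTTP layer is injectable, and the `scripted_transport` stand-in with its user id, factor id, transaction URL and replies is constructed so the exchange can be exercised offline; the Okta domain and login are the values from this article, the API token is a placeholder.

```python
"""Okta Verify push verification exchange with an injectable HTTP transport.

Added example, not code from the article or from F5/Okta.  Endpoints and the
SSWS authorization scheme follow Okta's Factors API; the ids, transaction URL
and replies used by scripted_transport are constructed for illustration.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple

# A transport takes (method, url, headers, json_body) and returns (status, json).
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, object]]

# Final outcomes Okta reports for a push challenge; WAITING means not answered yet.
FINAL_RESULTS = {"SUCCESS", "REJECTED", "TIMEOUT"}


class OktaPushClient:
    def __init__(self, okta_domain: str, api_token: str, transport: Transport):
        self.base = f"https://{okta_domain}"
        # Okta API tokens are presented with the SSWS scheme, not Bearer.
        self.headers = {"Authorization": f"SSWS {api_token}",
                        "Accept": "application/json",
                        "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method: str, url: str, body: Optional[dict] = None):
        # Poll links come back absolute; API paths are relative to the org domain.
        if not url.startswith("https://"):
            url = self.base + url
        status, data = self.transport(method, url, self.headers, body)
        if status >= 400:
            # An HTTP 401 here usually means the API token is wrong or revoked.
            raise RuntimeError(f"Okta API {method} {url} returned HTTP {status}")
        return data

    def find_user_id(self, login: str) -> str:
        # The users endpoint accepts the login as the identifier.
        return self._call("GET", f"/api/v1/users/{login}")["id"]

    def find_push_factor(self, user_id: str) -> Optional[str]:
        # Only an ACTIVE Okta Verify push enrollment can receive a challenge.
        for factor in self._call("GET", f"/api/v1/users/{user_id}/factors"):
            if (factor.get("factorType") == "push" and factor.get("provider") == "OKTA"
                    and factor.get("status") == "ACTIVE"):
                return factor["id"]
        return None

    def verify_push(self, login: str, poll_interval: float = 0.0, max_polls: int = 10) -> str:
        """Send a push challenge and poll until Okta reports a final result.
        Returns SUCCESS, REJECTED, TIMEOUT or NOT_ENROLLED; only SUCCESS is a pass."""
        user_id = self.find_user_id(login)
        factor_id = self.find_push_factor(user_id)
        if factor_id is None:
            return "NOT_ENROLLED"
        reply = self._call("POST", f"/api/v1/users/{user_id}/factors/{factor_id}/verify", {})
        result = reply.get("factorResult")
        poll_url = reply.get("_links", {}).get("poll", {}).get("href")
        polls = 0
        while result == "WAITING" and poll_url and polls < max_polls:
            time.sleep(poll_interval)
            result = self._call("GET", poll_url).get("factorResult")
            polls += 1
        # Fail closed: still WAITING after the local deadline (or anything
        # unexpected) is treated as a timeout, i.e. a denied logon.
        return result if result in FINAL_RESULTS else "TIMEOUT"


def scripted_transport(script: Dict[Tuple[str, str], List[Tuple[int, object]]]) -> Transport:
    """Offline stand-in for HTTP (constructed for this example): script maps
    (method, url) to replies consumed in order; the last reply repeats."""
    def transport(method, url, headers, body):
        if not headers.get("Authorization", "").startswith("SSWS "):
            return 401, {"errorSummary": "missing API token"}
        replies = script[(method, url)]
        return replies.pop(0) if len(replies) > 1 else replies[0]
    return transport


# Domain and login as in the article's connector and directory steps; ids are made up.
OKTA_DOMAIN = "dev-123456-admin.okta.com"
LOGIN = "avanderlay@email.com"
USER_ID, FACTOR_ID = "00u1abcde", "opf1xyz"


def build_script(final_result: str, enrolled: bool = True) -> dict:
    base = f"https://{OKTA_DOMAIN}"
    poll_url = f"{base}/api/v1/users/{USER_ID}/factors/{FACTOR_ID}/transactions/tx123"
    factors = ([{"id": FACTOR_ID, "factorType": "push", "provider": "OKTA", "status": "ACTIVE"}]
               if enrolled else [])
    return {
        ("GET", f"{base}/api/v1/users/{LOGIN}"): [(200, {"id": USER_ID})],
        ("GET", f"{base}/api/v1/users/{USER_ID}/factors"): [(200, factors)],
        ("POST", f"{base}/api/v1/users/{USER_ID}/factors/{FACTOR_ID}/verify"):
            [(200, {"factorResult": "WAITING", "_links": {"poll": {"href": poll_url}}})],
        # First poll: the user has not answered yet; then the scripted final answer.
        ("GET", poll_url): [(200, {"factorResult": "WAITING"}), (200, {"factorResult": final_result})],
    }


def run_scenario(final_result: str, enrolled: bool = True) -> str:
    client = OktaPushClient(OKTA_DOMAIN, "PLACEHOLDER_API_TOKEN",
                            scripted_transport(build_script(final_result, enrolled)))
    return client.verify_push(LOGIN)


if __name__ == "__main__":
    for outcome in ("SUCCESS", "REJECTED", "TIMEOUT", "WAITING"):
        print(outcome, "->", run_scenario(outcome))
    print("not enrolled ->", run_scenario("SUCCESS", enrolled=False))
```

The design point worth noting for the APM policy is the fail-closed handling: a push that is never answered, a rejected push, and a user without an active Okta Verify enrollment all map to a non-success result, which is what the Failure terminal of the Okta_MFA_sub subroutine should receive. Against a live tenant the same client needs a real transport (for example one built on the standard `http.client` or `requests`) and an API token with the permissions Okta grants to the token's creator.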
Step 3: Go to Access>Profiles / Policies>Per-Request Policies, click Create, complete the following configuration, leave the default options and then click Finished.

  • Configuration Name: okta_prp
  • Languages: English (en)

Step 4: On the Per-Request Policies page, click Edit in the Per-Request Policies column for the Okta_MFA_Connector policy to launch the Visual Policy Editor. In the new Visual Policy Editor tab, click + to add an item.

Step 5: In the popup window, complete the following information and then click Save.

  • Name: Okta_MFA_sub

Step 6: Click + next to Subroutine: Okta_MFA_sub.

Step 7: Click + to Add Item.

Step 8: In the popup window, go to Authentication tab, select the following and click Add Item.

  • Okta MFA

Step 9: In the next window, select the following option, leave the default configurations and then click Save:

  • Okta Connector: /Common/Okta_MFA_Connector

Step 10: In the Subroutine: Okta_MFA_sub line, click Edit Terminals.

Step 11: Click Add Terminal, complete the following information and click Save.

  • Name: Success
  • Name: Failure

Step 12: On the fallback branch leaving the Okta MFA box, click the Success terminal box.

Step 13: In the popup window, select the following and then click Save.

  • Failure

Step 14: Between the In and Okta MFA boxes, click the +.

Step 15: In the popup window, select the following and click Add Item.

  • Logon Page

Step 16: In the next window, leave the default information and click Save.

Step 17: Under Per-Request Policy: /Common/okta_prp, click +.

Step 18: In the popup window, go to Subroutines tab, select the following and click Add Item.

  • Okta_MFA_sub

This completes the Visual Policy Editor configuration. Close the tab.

Step 19: Go to Access > Profiles / Policies>Access Profiles (Per-Session Policies), click Create, select the following, leave default settings, and click Finished.

  • Name: Allow_Access
  • Profile Type: All

Step 20: Go to Local Traffic>Virtual Servers, associate the Access Profile (per-session policy) and the per-request policy with the virtual server.

For more information on Virtual Server configuration, please go to the following link: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-4-0/apm_config_vi...

This completes the APM configuration for Okta MFA using the Okta API.

Test Multi-factor Authentication

To test the MFA configuration, access the application; the browser should return the logon prompt. Enter the user’s login credentials and click Logon.

After a successful logon, the Okta Verify MFA screen appears. Click Send push, wait for the notification on the mobile device, accept the access request by tapping “YES, IT’S ME” on the device, and the application appears in the browser.

This concludes the section on testing MFA access using BIG-IP APM and Okta.

Resources

Validated Products and Versions

  • BIG-IP APM 16.0

Comments

Walter_Kacynski
Cirrostratus

Will this solution allow the usage of device fingerprinting to reduce the number of times that MFA prompting is required?

Version history
Last update: 27-Jul-2020 11:09