Application access using Multi-factor Authentication with APM and Okta
Despite recent advances in security and identity management, relying on a password alone no longer provides adequate protection. Here are a few facts about passwords:
- 64% of users prefer to use a simple password that’s easy to remember.
- 59% of users reuse passwords across business and personal accounts.
- Passwords are reused an average of 5 times.
- Passwords are stolen through phishing attacks.
F5® BIG-IP® Local Traffic Manager™ (LTM) and F5 BIG-IP® Access Policy Manager® (APM) address these challenges by providing multi-factor authentication to access applications when used in conjunction with the Okta identity management platform. This integrated solution allows Okta to support applications with multi-factor authentication (MFA) using a variety of factor types. In addition, the BIG-IP system can act as a reverse proxy for publishing on-premises applications beyond the firewall.
This document describes how to configure F5 BIG-IP APM and Okta to provide multi-factor authentication for published applications.
Audience
This guide is written for IT professionals who need to design an F5 network and are familiar with Access Policy Manager configuration. These IT professionals can fill a variety of roles:
- Systems engineers who need a standard set of procedures for implementing solutions
- Project managers who create statements of work for F5 implementations
- F5 partners who sell technology or create implementation documentation
Deploying Okta Multi-factor Authentication and BIG-IP APM integration
When used in conjunction with the Okta identity management platform, APM provides extended access management capabilities and secures HTTP traffic by acting as a reverse proxy that publishes on-premises applications beyond the firewall.
Adding MFA protects the application with another layer that verifies the identity of the user.
Okta supports MFA through different factor types; the factor used in this document is Okta Verify on a mobile phone (push notification). The following procedure gives examples of the Okta MFA mobile phone configuration and of the BIG-IP APM configuration. These procedures are new for BIG-IP APM: they use the HTTP Connector feature introduced in 15.1 and the Okta Connector feature introduced in 16.0, which let APM call Okta's API for MFA directly, without the RADIUS integration that earlier releases required.
Configuring Okta Multi-Factor Authentication
Use this section to configure Okta for MFA to work with APM by using Okta’s API.
To configure and test Okta MFA with APM, complete the following tasks:
- Create Okta API Token – for APM Okta Connector (16.0 feature) configuration
- Add Person to Directory – add users to Okta.
- Configure Multifactor – enable multi-factor authentication.
- Set up MFA on Mobile – enroll a mobile device as the MFA factor.
Before configuring the Okta admin dashboard, make sure the "Classic UI" is selected.
Create Okta API Token
For the API integration to work, you need to establish a trust relationship between Okta and APM by using an Okta API token. The following steps create the Okta API token that will be added to the APM configuration.
Step 1: In the Okta admin dashboard, click Security>API>Tokens>Create Token, enter a name and then click Create Token.
Step 2: In the Create Token window, copy the Token Value and paste it into a text file for later use in the APM configuration. Okta shows the token value only once, and the token carries the privileges of the administrator who created it, so handle it as an administrative credential: store it securely, create it from a dedicated service account rather than a personal admin account where possible, and revoke it if it is ever exposed.
Add Person to Directory
Use this section to create a test user in the Okta Directory named Art Venderlay.
- In the Admin Dashboard, click Directory, and then select People.
- Click + Add Person at the top left of the screen.
- In the Add Person window, complete the following information and click Save:
- User type: User
- First name: Art
- Last name: Venderlay
- Username: avanderlay@email.com
Configure Multifactor
In this section, you'll enable the Okta Verify push factor in Okta.
Step 1: In the Admin Dashboard, click Security>Multifactor>Factor Types>Okta Verify and set it to Active.
Step 2: In the Okta Verify Settings window, click Edit, select the following option and then click Save.
- Enable Push Notification: Check
Step 3: In the Multifactor window, click Factor Enrollment>Default Policy>Edit, select the following information in Edit Policy window and then click Update Policy.
- Assign to groups: Everyone
- Effective Factors:
- Okta Verify: Required
- Okta Verify with Push: Check
Set up MFA on Mobile
Use this section to enroll a mobile device as the MFA factor.
Step 1: Download the Okta Verify app from the App Store or Play Store on a mobile device.
Step 2: In a browser, sign in to Okta with the user account created in the previous section.
Step 3: Click Art>Settings.
Step 4: Scroll down to the Extra Verification panel and click Okta Verify>Set Up.
Step 5: In the Set up multifactor authentication window, click Configure factor.
Step 6: In the Setup Okta Verify window, select iPhone or Android and then click Next.
Step 7: Launch the Okta Verify app on the mobile device and scan the QR code shown in the browser.
This completes the Okta MFA configuration section.
Configure F5 BIG-IP APM
Use this section to configure APM to use Okta's API for multi-factor authentication.
To configure and test Okta MFA with APM, complete the following tasks:
- Configure HTTP Connector Transport: Provide access to an external API
- Configure Okta Connector (16.0 feature): Establish relationship between APM and Okta using Okta’s API
- Configure access policy: Define a policy that executes Okta connector
- Configure the Pool Properties: enables you to configure a pool of one or more servers. If you have a suitable pool configured already, select it. Otherwise, create a new one. Add servers, select a load balancing method, and, optionally, assign a health monitor to the pool.
Step 1: A DNS Resolver object is required for an HTTP Connector Transport. You can select an existing resolver or define one when you create the Connector Transport. Create an HTTP Connector Transport to provide transport level parameters (such as an SSL profile and DNS resolver), used for sending HTTP requests.
Go to Access>Authentication>HTTP Connector>HTTP Connector and click Create. In the General Properties window, complete the following information and then click Save.
- Name: Okta_MFA_TS
- DNS Resolver: /Common/itc.demo
- Server SSL Profile: /Common/serverssl
- Maximum Response Size: 32768 (default)
- Timeout: 5 (default)
Step 2: For the Okta MFA API to work, you need to establish a link between APM and Okta using the API token created in the Configuring Okta Multi-Factor Authentication section.
Go to Access>Authentication>HTTP Connector>Okta Connector, click Create, complete the following information and then click Save.
- Name: Okta_MFA_Connector
- HTTP Connector Transport: /Common/Okta_MFA_TS
- Okta Domain: dev-123456-admin.okta.com (the domain of your Okta account)
- Okta API Token: (paste token from previous section)
Step 3: Go to Access>Profiles / Policies>Per-Request Policies, click Create, complete the following configuration, leave the other options at their defaults and then click Finished.
- Configuration Name: okta_prp
- Languages: English (en)
Step 4: In the Per-Request Policies page, click Edit under the Per-Request Policies column for the okta_prp policy to launch the Visual Policy Editor. In the new Visual Policy Editor tab, click Add New Subroutine.
Step 5: In the popup window, complete the following information and then click Save.
- Name: Okta_MFA_sub
Step 6: Click + next to Subroutine: Okta_MFA_sub.
Step 7: Click + to Add Item.
Step 8: In the popup window, go to Authentication tab, select the following and click Add Item.
- Okta MFA
Step 9: In the next window, select the following option, leave the default configurations and then click Save:
- Okta Connector: /Common/Okta_MFA_Connector
Step 10: In the Subroutine: Okta_MFA_sub line, click Edit Terminals.
Step 11: Click Add Terminal twice, name the two terminals as follows, and click Save.
- Name: Success
- Name: Failure
Step 12: On the fallback branch leaving the Okta MFA box, click the terminal box (it currently reads Success).
Step 13: In the popup window, select the following and then click Save, so that a failed, rejected or timed-out MFA challenge ends on the Failure terminal and only the Successful branch reaches Success.
- Failure
Step 14: Between the In and Okta MFA boxes, click on the +.
Step 15: In the popup window, select the following and click Add Item.
- Logon Page
Step 16: In the next window, leave the default information and click Save.
Step 17: Under Per-Request Policy: /Common/okta_prp, click on +
Step 18: In the popup window, go to Subroutines tab, select the following and click Add Item.
- Okta_MFA_sub
This completes Visual Policy Editor configuration.
Close the tab.
Step 19: Go to Access > Profiles / Policies>Access Profiles (Per-Session Policies), click Create, select the following, leave the default settings, and click Finished.
- Name: Allow_Access
- Profile Type: All
Then click Edit to open the new profile in the Visual Policy Editor and change its ending from Deny (the default for a new access profile) to Allow; a per-session policy that ends in Deny never hands the request to the per-request policy.
Step 20: Go to Local Traffic>Virtual Servers, associate the Access Profile (per-session policy) and the per-request policy with the virtual server.
For more information on Virtual Server configuration, please go to the following link: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-4-0/apm_config_virtualserver.html
This completes the APM configuration for Okta MFA using the Okta API.
Test Multi-factor Authentication
To test the MFA configuration, access the application; the browser should return the logon prompt. Enter the user's login credentials and click Logon.
After a successful logon, the Okta Verify MFA screen appears. Click Send push, wait for the notification on the mobile device, and accept the access request by touching "YES, IT'S ME" on the device; the application then appears in the browser. Also test the negative cases: rejecting the push on the device and letting the push time out should both end on the Failure terminal and never reach the application. Note that the Logon Page agent only collects the password and no authentication agent was added to the policy above, so verify that a wrong password is rejected; if it is not, add a first-factor authentication agent (for example AD Auth or LDAP Auth) ahead of the MFA subroutine before publishing a production application.
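The push exchange described in this test, and the direct Okta API use that the HTTP Connector and Okta Connector introduced (see the overview above), is modeled in the following added example. This is not code from F5, Okta or this article: it reproduces the sequence the connector performs on the user's behalf (resolve the login to a user id, find the enrolled Okta Verify push factor, start a push transaction, poll until it resolves) using Okta's public endpoints, the `SSWS` token header and the `factorResult` values; the org domain, user and factor ids, token and the scripted responses in `FakeOkta` are constructed so the script runs offline.

```python
"""
Okta push-MFA exchange as driven through the Okta API.

Added example, not code from F5, Okta or this article. It models the calls the
APM Okta Connector makes on a user's behalf: look up the user, pick the enrolled
Okta Verify push factor, start a push transaction and poll it until it resolves.
Endpoints, the 'SSWS' token scheme and the factorResult values are Okta's
public API; the org domain, IDs, token and the scripted responses are made up
(FakeOkta) so the script runs offline.
"""
import time
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, object]            # (HTTP status, decoded JSON body)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Response]


class OktaMfaClient:
    """Minimal Okta API client for the push-factor verification flow."""

    def __init__(self, org_domain: str, api_token: str, transport: Transport,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.base = f"https://{org_domain}/api/v1"
        # Okta API tokens use the proprietary 'SSWS' scheme, not 'Bearer'.
        self.headers = {"Authorization": f"SSWS {api_token}",
                        "Accept": "application/json",
                        "Content-Type": "application/json"}
        self._send, self._sleep = transport, sleep

    def _call(self, method: str, url: str, payload: Optional[dict] = None):
        status, body = self._send(method, url, self.headers, payload)
        if status not in (200, 201):
            summary = body.get("errorSummary") if isinstance(body, dict) else body
            raise RuntimeError(f"{method} {url} -> HTTP {status}: {summary}")
        return body

    def find_user_id(self, login: str) -> str:
        # GET /users/{login} resolves a login to the user's Okta id.
        return self._call("GET", f"{self.base}/users/{login}")["id"]

    def push_factor(self, user_id: str) -> Optional[dict]:
        # Only an ACTIVE Okta Verify push factor can receive a push challenge.
        for f in self._call("GET", f"{self.base}/users/{user_id}/factors"):
            if (f["factorType"], f["provider"], f["status"]) == ("push", "OKTA", "ACTIVE"):
                return f
        return None

    def verify_push(self, login: str, max_polls: int = 30, interval: float = 2.0) -> str:
        """Run one push challenge; returns the final factorResult string."""
        user_id = self.find_user_id(login)
        factor = self.push_factor(user_id)
        if factor is None:
            return "NOT_ENROLLED"          # user must set up Okta Verify first
        # POST .../verify starts the transaction; Okta answers WAITING plus a poll link.
        tx = self._call("POST", f"{self.base}/users/{user_id}/factors/{factor['id']}/verify", {})
        result, poll_url = tx["factorResult"], tx["_links"]["poll"]["href"]
        for _ in range(max_polls):
            if result != "WAITING":
                break
            self._sleep(interval)
            result = self._call("GET", poll_url)["factorResult"]
        return result   # SUCCESS, REJECTED, TIMEOUT, or WAITING if we gave up


class FakeOkta:
    """Scripted stand-in for an Okta org (constructed data, not a real tenant)."""
    USER, FACTOR, TOKEN = "00u1abcdEFGH", "opf2pushFACTOR", "00Tdemo-token"

    def __init__(self, final_result: str, waiting_polls: int = 2) -> None:
        self.final_result, self.waiting_polls, self.polls = final_result, waiting_polls, 0

    def __call__(self, method, url, headers, payload) -> Response:
        if headers.get("Authorization") != f"SSWS {self.TOKEN}":
            return 401, {"errorCode": "E0000011", "errorSummary": "Invalid token provided"}
        if url.endswith("/users/avanderlay@email.com"):
            return 200, {"id": self.USER, "profile": {"login": "avanderlay@email.com"}}
        if url.endswith(f"/users/{self.USER}/factors"):
            return 200, [{"id": "ost1totpFACTOR", "factorType": "token:software:totp",
                          "provider": "OKTA", "status": "ACTIVE"},
                         {"id": self.FACTOR, "factorType": "push",
                          "provider": "OKTA", "status": "ACTIVE"}]
        if method == "POST" and url.endswith(f"/factors/{self.FACTOR}/verify"):
            poll = url.replace("/verify", "/transactions/mst1demoTX")
            return 201, {"factorResult": "WAITING", "_links": {"poll": {"href": poll}}}
        if "/transactions/" in url:
            self.polls += 1   # first polls still WAITING, then the scripted outcome
            return 200, {"factorResult": "WAITING" if self.polls <= self.waiting_polls
                         else self.final_result}
        return 404, {"errorSummary": "Not found"}


def run_demo(final_result: str, token: str = FakeOkta.TOKEN) -> Tuple[str, bool]:
    """Drive one challenge; returns (factorResult, allow?). Only SUCCESS allows."""
    client = OktaMfaClient("dev-123456.okta.com", token, FakeOkta(final_result),
                           sleep=lambda _s: None)      # no real waiting in the demo
    try:
        result = client.verify_push("avanderlay@email.com")
    except RuntimeError as exc:            # e.g. revoked/expired API token -> 401
        return f"ERROR: {exc}", False
    return result, result == "SUCCESS"


if __name__ == "__main__":
    for outcome in ("SUCCESS", "REJECTED", "TIMEOUT"):
        print(outcome, "->", run_demo(outcome))
    print("bad token ->", run_demo("SUCCESS", token="stale"))
```

The decision logic is deliberately strict: anything other than `SUCCESS` (a rejected push, a timeout, polling exhausted, or an API error such as a 401 from a revoked token) denies access, which is the behaviour the Failure terminal in the per-request subroutine should enforce. The `E0000011` error body mirrors what Okta returns for an invalid token and is the first thing to look for if the Okta MFA agent starts failing after the API token was rotated or expired through inactivity.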
This concludes the section on testing MFA access using BIG-IP APM and Okta.
Resources
- BIG-IP Knowledge Center
- BIG-IP APM Knowledge Center
- Configuring Single Sign-On with Access Policy Manager
Validated Products and Versions
- BIG-IP APM 16.0
Comment from Walter_Kacynski:
Will this solution allow the usage of device fingerprinting to reduce the number of times that MFA prompting is required?