Despite recent advances in security and identity management, relying on a password alone no longer provides adequate protection. Here are a few facts about passwords:
F5® BIG-IP® Local Traffic Manager™ (LTM) and F5 BIG-IP® Access Policy Manager® (APM) address these challenges by providing multi-factor authentication for application access when used in conjunction with the Okta identity management platform. This integrated solution allows Okta to protect applications with multi-factor authentication (MFA) using a variety of factor types, one of which is the YubiKey. In addition, the BIG-IP system can act as a reverse proxy for publishing on-premises applications beyond the firewall.
This document discusses the process of configuring F5 BIG-IP and Okta to meet this requirement.
This guide is written for IT professionals who need to design an F5 network and are familiar with Access Policy Manager configuration. These IT professionals can fill a variety of roles:
When used in conjunction with the Okta identity management platform, APM provides extended access management capabilities and secures HTTP traffic by acting as a reverse proxy for publishing on-premises applications beyond the firewall.
Okta supports MFA through a number of factors; the factor used in this document is the YubiKey. The following procedures give examples of the Okta YubiKey configuration and of the BIG-IP APM configuration. They are new for BIG-IP APM in that they use the HTTP Connector feature introduced in 15.1 and the Okta Connector feature introduced in 16.0. With these features APM calls Okta's API directly to perform MFA, without the RADIUS integration that previous releases required.
The YubiKey is a hardware authenticator that supports multi-factor and passwordless authentication. Adding YubiKey authentication protects the application with another layer of security that verifies the identity of the user. For more information, visit Yubico's website: https://www.yubico.com/products/
Use this section to prepare the YubiKey to work with APM by using Okta’s APIs.
In Yubico OTP mode, the YubiKey identifies itself to the host as a USB keyboard and types a one-time password (OTP) when its button is touched. Users or administrators can load their own secrets and configuration onto a YubiKey with the Yubico YubiKey Personalization Tool.
To activate the Okta YubiKey authentication factor, a YubiKey seed file, also known as the Configuration Secrets file, is required. The seed file is a .csv that lets the administrator provision the authorized YubiKeys for end users. Because it holds each key's AES secret and private identity, treat it as key material: restrict who can read it and remove stray copies once it has been uploaded to Okta.
To generate a YubiKey seed file, complete the following steps:
Step 1: Download the YubiKey Personalization Tool here: https://www.yubico.com/products/services-software/download/yubikey-personalization-tools/
Step 2: Insert the YubiKey into the USB port.
Step 3: Launch the YubiKey Personalization tool.
Step 4: Go to Settings and select Log configuration output: Yubico format, leaving the other settings at their defaults.
Step 5: Go to Yubico OTP, click Advanced, select the following and leave the remaining settings at their defaults, then click Write Configuration. Writing the configuration programs the key and appends its new secrets to the log file, which is the seed file.
Step 6: Locate the generated .csv file for later use in the Okta configuration.
For more information on programming YubiKeys, see the following link:
The YubiKey preparation should now be complete.
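The seed file is what makes a Yubico OTP verifiable, and it helps to see exactly what the validating side does with it. The following Go program is an added example written for this page, not Okta's or F5's code. It parses a constructed seed-file row in the column layout of the Personalization Tool's Yubico-format log (that layout, the key material and the counters are all assumptions made up for the example), then validates an OTP the way a Yubico OTP validation server does: modhex-decode the token, AES-128 decrypt it with the key's secret, check the CRC and the private identity, and reject any OTP whose session and use counters do not move forward. makeOTP mimics the key itself so the validator has input to check.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed seed-file row in the column order of the Personalization Tool's
// "Yubico format" log (assumed here): serial, public ID (modhex), private ID
// (hex), AES key (hex), access code, timestamp. Every value is made up.
const sampleSeedCSV = "1234567,vvbcdefghijk,8792ebfe26cc,ecde18dbe76fbd0c33330f1c354871db,000000000000,2020-01-01T00:00:00\n"

// yubiKeySeed is one programmed key as the validating side (Okta) learns it.
type yubiKeySeed struct {
	PublicID  string // modhex; sent in the clear as the first 12 OTP characters
	PrivateID []byte // 6 secret bytes, visible only after AES decryption
	AESKey    []byte // AES-128 key shared by the key and the validating side
	lastSeq   uint32 // highest (session<<8 | use) counter accepted so far
}

const modhexAlphabet = "cbdefghijklnrtuv" // modhex digit i encodes nibble i

func modhexDecode(s string) ([]byte, error) { // s must have even length
	out := make([]byte, len(s)/2)
	for i := 0; i+1 < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhexAlphabet, s[i]), strings.IndexByte(modhexAlphabet, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, fmt.Errorf("modhex: invalid character in %q", s)
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

func modhexEncode(b []byte) string {
	var sb strings.Builder
	for _, c := range b {
		sb.WriteByte(modhexAlphabet[c>>4])
		sb.WriteByte(modhexAlphabet[c&0x0f])
	}
	return sb.String()
}

// yubicoCRC16 is the reflected CRC-16 (poly 0x8408, init 0xffff) whose complement
// the key stores in the token; over all 16 bytes of an intact token it yields 0xf0b8.
func yubicoCRC16(buf []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range buf {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			if crc&1 != 0 {
				crc = crc>>1 ^ 0x8408
			} else {
				crc >>= 1
			}
		}
	}
	return crc
}

// parseSeedRow reads one seed-file row, i.e. one programmed key.
func parseSeedRow(row string) (*yubiKeySeed, error) {
	f := strings.Split(strings.TrimSpace(row), ",")
	if len(f) < 4 {
		return nil, fmt.Errorf("seed file: short row %q", row)
	}
	priv, err1 := hex.DecodeString(f[2])
	key, err2 := hex.DecodeString(f[3])
	if err1 != nil || err2 != nil || len(priv) != 6 || len(key) != 16 {
		return nil, fmt.Errorf("seed file: bad private ID or AES key in %q", row)
	}
	return &yubiKeySeed{PublicID: f[1], PrivateID: priv, AESKey: key}, nil
}

// validateOTP does what the validating side must do: look the key up by public ID,
// decrypt the token, check CRC and private ID, and refuse counters that do not
// move forward (a replay). It returns the session and use counters on success.
func validateOTP(seeds map[string]*yubiKeySeed, otp string) (uint16, uint8, error) {
	if len(otp) != 44 { // 12-char public ID + 32 modhex chars (one AES block)
		return 0, 0, fmt.Errorf("otp: unexpected length %d", len(otp))
	}
	seed, ok := seeds[otp[:12]]
	if !ok {
		return 0, 0, fmt.Errorf("otp: unknown public ID %q", otp[:12])
	}
	ct, err := modhexDecode(otp[12:])
	if err != nil {
		return 0, 0, err
	}
	block, _ := aes.NewCipher(seed.AESKey) // a 16-byte key cannot fail
	tok := make([]byte, 16)
	block.Decrypt(tok, ct) // a single AES block, i.e. AES-128-ECB
	if yubicoCRC16(tok) != 0xf0b8 || string(tok[:6]) != string(seed.PrivateID) {
		return 0, 0, fmt.Errorf("otp: CRC or private ID mismatch (wrong key or corrupted OTP)")
	}
	session := binary.LittleEndian.Uint16(tok[6:8]) & 0x7fff // top bit is a flag, not count
	seq := uint32(session)<<8 | uint32(tok[11])              // tok[11] is the use counter
	if seq <= seed.lastSeq {
		return 0, 0, fmt.Errorf("otp: replayed or out of order (seq %d)", seq)
	}
	seed.lastSeq = seq
	return session, tok[11], nil
}

// makeOTP builds an OTP the way the key's firmware does, to give the example input
// to validate: fill the token, append the complemented CRC, AES-encrypt, modhex-encode.
func makeOTP(seed *yubiKeySeed, session uint16, use uint8) string {
	tok := make([]byte, 16)
	copy(tok[0:6], seed.PrivateID)
	binary.LittleEndian.PutUint16(tok[6:8], session)
	copy(tok[8:14], []byte{0x2c, 0x4d, 0x1b, use, 0x37, 0x9e}) // timestamp, use counter, random (made up)
	binary.LittleEndian.PutUint16(tok[14:16], ^yubicoCRC16(tok[:14]))
	block, _ := aes.NewCipher(seed.AESKey)
	ct := make([]byte, 16)
	block.Encrypt(ct, tok)
	return seed.PublicID + modhexEncode(ct)
}
```

The two properties worth noticing are that nothing in the OTP is secret except what the AES key protects (the public ID is a lookup handle, not a credential), and that replay protection depends entirely on the validator remembering the highest counter it has accepted; a fresh validator with no counter state would accept an old OTP again.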
Use this section to configure Okta for YubiKey to work with APM by using Okta’s API.
To configure and test Okta MFA with APM, complete the following tasks:
Before configuring anything in the Okta admin dashboard, make sure the "Classic UI" is selected:
For the API to work, you need to establish a trust relationship between Okta and APM by using an Okta API token. The following instructions create the Okta API token that will be added to the APM configuration.
Step 1: In the Okta admin dashboard, click Security>API>Tokens>Create Token, enter a name and then click Create Token.
Step 2: In the Create Token window, copy the "Token Value" and paste it into a text file for later use in the APM configuration. The value is shown only once, and the token inherits the permissions of the administrator who created it, so handle that file as a privileged credential and delete it once the token is in APM.
Use this section to create a test user named Art Venderlay in the Okta Directory.
Use this section to enable the YubiKey MFA factor in Okta.
Step 1: In the Admin Dashboard, click Security>Multifactor>Factor Types>YubiKey>Active.
Step 2: In the YubiKey window, click Browse, locate the YubiKey seed file created in the previous section, click Open and then click Upload Seed File.
Step 3: In the Multifactor window, click Factor Enrollment>Default Policy>Edit, select the following information in the Edit Policy window and then click Update Policy.
The Okta YubiKey multi-factor configuration should now be complete.
Use this section to configure the APM to be used with Okta’s API for YubiKey factor authentication.
To configure and test YubiKey using Okta Multi-factor with APM, complete the following tasks:
Step 1: A DNS Resolver object is required for an HTTP Connector Transport. You can select an existing resolver or define one when you create the Connector Transport. Create an HTTP Connector Transport to provide the transport-level parameters (such as an SSL profile and DNS resolver) used for sending HTTP requests. Choose a server SSL profile that verifies Okta's certificate chain; the default serverssl profile does not verify the peer, and the API token travels over this connection.
Go to Access>Authentication>HTTP Connector>HTTP Connector, click Create, complete the following information and then click Save.
Step 2: For the Okta MFA API to work, you need to establish a trust relationship between APM and Okta using the API token created in the Configuring Okta MFA section.
Go to Access>Authentication>HTTP Connector>Okta Connector, click Create, complete the following information and then click Save.
Step 3: Go to Access>Profiles / Policies>Per-Request Policies, click Create, complete the following configuration, leave the default options and then click Finished.
Step 4: In the Per-Request Policies page, click Edit in the Per-Request Policies column for the Okta_MFA_Connector policy to launch the Visual Policy Editor. Go to the new tab opened for the Visual Policy Editor and then click + to add an item.
Step 5: In the popup window, complete the following information and then click Save.
Step 6: Click + next to Subroutine: Okta_MFA_sub.
Step 8: In the popup window, go to the Authentication tab, select the following and click Add Item.
Step 9: In the next window, select the following option, leave the default configuration and then click Save:
Note that the YubiKey factor is further down the list; scroll down and select it before clicking Save.
Step 10: In the Subroutine: Okta_MFA_sub line, click Edit Terminals.
Step 11: Click Add Terminal, complete the following information and click Save.
Step 12: On the fallback branch out of the Okta MFA box, click the Success box.
Step 13: In the popup window, select the following and then click Save.
Step 14: Between the In and Okta MFA boxes, click on the +.
Step 15: In the popup window, select the following and click Add Item.
Step 16: In the next window, leave the default information and click Save.
Step 17: Under Per-Request Policy: /Common/okta_prp, click on +
Step 18: In the popup window, go to Subroutines tab, select the following and click Add Item.
This completes the Visual Policy Editor configuration. Close the tab.
Step 19: Go to Access > Profiles / Policies>Access Profiles (Per-Session Policies), click Create, select the following, leave default settings, and click Finished.
Step 20: Go to Local Traffic>Virtual Servers, associate the per-session policy and the per-request policy with the virtual server.
For more information on Virtual Server configuration, please go to the following link: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-4-0/apm_config_v...
This completes the APM configuration.
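The connector's own request sequence is not shown on this page. As an added example, not F5's or Okta's code, the following Go program models the exchange that APM must perform with the API token once the user has passed the logon page, using Okta's Factors API: look up the user, find the enrolled YubiKey factor (factorType token:hardware, provider YUBICO) and verify the typed OTP with a POST to that factor's verify endpoint, authenticating every request with the SSWS header. A small stand-in for the Okta org, built on httptest, plays the other side so the exchange runs offline; the org URL, user login, user and factor IDs, API token and response bodies are constructed placeholders, and the stand-in enforces only the token and the OTP.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// oktaClient calls Okta's Factors API with the SSWS API token created under
// Security > API > Tokens, the way the APM Okta Connector does on the user's behalf.
type oktaClient struct {
	BaseURL  string // the Okta org URL, e.g. https://example.okta.com (placeholder)
	APIToken string
	HTTP     *http.Client
}

func (c *oktaClient) call(method, path string, body, out interface{}) error {
	var payload bytes.Buffer
	if body != nil {
		if err := json.NewEncoder(&payload).Encode(body); err != nil {
			return err
		}
	}
	req, err := http.NewRequest(method, c.BaseURL+path, &payload)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "SSWS "+c.APIToken) // Okta's API-token scheme
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("okta: %s %s returned HTTP %d", method, path, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// VerifyYubiKeyOTP runs the exchange that follows the APM logon page: resolve the
// user, find the enrolled YubiKey factor, and ask Okta to verify the OTP the user typed.
func (c *oktaClient) VerifyYubiKeyOTP(login, otp string) (bool, error) {
	var user struct {
		ID string `json:"id"`
	}
	if err := c.call("GET", "/api/v1/users/"+url.PathEscape(login), nil, &user); err != nil {
		return false, err
	}
	var factors []struct{ ID, FactorType, Provider string } // json matches names case-insensitively
	if err := c.call("GET", "/api/v1/users/"+user.ID+"/factors", nil, &factors); err != nil {
		return false, err
	}
	for _, f := range factors {
		if f.FactorType != "token:hardware" || f.Provider != "YUBICO" {
			continue
		}
		var res struct {
			FactorResult string `json:"factorResult"`
		}
		err := c.call("POST", "/api/v1/users/"+user.ID+"/factors/"+f.ID+"/verify",
			map[string]string{"passCode": otp}, &res)
		if err != nil { // Okta answers a wrong OTP with HTTP 403 (E0000068)
			return false, err
		}
		return res.FactorResult == "SUCCESS", nil
	}
	return false, fmt.Errorf("okta: user %q has no YubiKey factor enrolled", login)
}

// newFakeOkta stands in for the Okta org so the exchange runs offline. Users,
// factors and IDs are constructed; only the SSWS token and the OTP are enforced.
func newFakeOkta(apiToken, userLogin, goodOTP string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "SSWS "+apiToken {
			http.Error(w, `{"errorCode":"E0000011"}`, http.StatusUnauthorized) // invalid token
			return
		}
		var body struct {
			PassCode string `json:"passCode"`
		}
		json.NewDecoder(r.Body).Decode(&body) // empty for the GET requests
		switch r.URL.Path {
		case "/api/v1/users/" + userLogin:
			fmt.Fprint(w, `{"id":"00u1example"}`)
		case "/api/v1/users/00u1example/factors":
			fmt.Fprint(w, `[{"id":"ykf1example","factorType":"token:hardware","provider":"YUBICO"}]`)
		case "/api/v1/users/00u1example/factors/ykf1example/verify":
			if r.Method != http.MethodPost || body.PassCode != goodOTP {
				http.Error(w, `{"errorCode":"E0000068"}`, http.StatusForbidden) // invalid passcode
				return
			}
			fmt.Fprint(w, `{"factorResult":"SUCCESS"}`)
		default:
			http.Error(w, `{"errorCode":"E0000007"}`, http.StatusNotFound)
		}
	}))
}
```

The point to take from the exchange is where the trust lies: the OTP is never checked by APM itself, and the only thing that lets APM ask Okta to check it is the API token, which is why the token and the TLS connection carrying it deserve the same care as a service account password.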
To test the YubiKey factor authentication configuration, access the application; the browser should return the APM logon prompt. Enter the user's credentials and click Logon.
After a successful logon, the Okta MFA YubiKey prompt appears. Insert the YubiKey into a USB port and touch it; the key types the OTP into the prompt, and once Okta verifies it the application appears in the browser. Each OTP is single-use, so a code that was mistyped or captured cannot be resubmitted; touch the key again for a fresh one.
This concludes the testing of YubiKey factor authentication using BIG-IP APM and Okta.