Forum Discussion

John_Meggers
May 04, 2013

APM and RSA SecurID

I have a customer that wants to accomplish SSO using only RSA tokens with no Windows AD. I don't see anything in the documentation that talks about SSO in conjunction with RSA SecurID, and all the discussions about SSO seem to talk only about Windows AD or Kerberos. Is this even possible?

John Meggers

2 Replies

  • If you're referring to SSO as a server side authentication function (APM to server), RSA SecurID is not one of the supported SSO mechanisms. There would be no way for APM to retrieve a SecurID pass code on the user's behalf. If, however, the user entered the pass code into a form on the APM (via logon page on the client side), it should be fairly trivial to relay these credentials to a server which is most likely collecting them in a form logon page.

    If you're referring to SSO as a client side authentication function (client to APM), Access Policy Manager (APM) can definitely perform RSA SecurID in lieu of, or in combination with any other authentication methods. Here's a link to specific configuration information:

    http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-3-0/1.htmlunique_1217962019

    One important thing to note is that most of the APM client side authentication mechanisms (AD Auth, LDAP Auth, RADIUS Auth, RSA SecurID, and others) expect the username and password values in the session.logon.last.username and session.logon.last.password session variables, respectively. So if you're using multiple auth mechanisms, like AD Auth and RSA SecurID, where the password fields may be different (password string vs. pass code), you must store the password or pass code in a temporary variable while processing the first auth method, and then re-populate the password variable for the second auth method.
  • One thing to note also is that SecurID typically will limit code use to a single successful attempt. If you expect APM to pass the captured SecurID code to a protected application, you most likely will run into issues here. In my experience, SecurID is most useful to protect the initial sign-on to an APM protected service. After that it becomes troublesome.

    It is possible to adjust the SecurID policy to permit passcode reuse, however I do not recommend it.
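
Pulling the two replies together as a worked sketch (added here, not written by either poster): the variable swap from the first reply, arranged so the pass code is consumed only by the RSA SecurID agent and the reusable AD password is what reaches form-based SSO, which is what the second reply's single-use caveat calls for. The Visual Policy Editor agent order, the extra `passcode` logon-page field (and its `session.logon.last.passcode` variable name), and `session.custom.ad_password` are assumptions; `mcget -secure` is the APM Variable Assign expression form for reading a secure session variable.

```tcl
# Added example, not from the thread. APM Visual Policy Editor sketch written
# as Variable Assign custom expressions. Assumed branch order:
#   Logon Page -> AD Auth -> Variable Assign #1 -> RSA SecurID Auth
#   -> Variable Assign #2 -> SSO Credential Mapping / Allow
# Assumption: the Logon Page agent carries a third field named "passcode",
# which APM exposes as session.logon.last.passcode (assumed variable name).

# --- Variable Assign #1: on the AD Auth "Successful" branch ----------------
# Park the AD password in a temporary secure variable (assumed name) so it
# survives the swap and never appears in the session report in clear text.
# Custom Variable (Secure): session.custom.ad_password
expr { [mcget -secure {session.logon.last.password}] }

# Overwrite the variable the RSA SecurID agent reads with the token pass code.
# Custom Variable (Secure): session.logon.last.password
expr { [mcget -secure {session.logon.last.passcode}] }

# --- RSA SecurID Auth agent: consumes session.logon.last.username and
#     session.logon.last.password (now holding the pass code) ---------------

# --- Variable Assign #2: on the RSA SecurID Auth "Successful" branch -------
# Restore the AD password so SSO relays a reusable credential, not the
# single-use pass code that SecurID would reject on a second attempt.
# Custom Variable (Secure): session.logon.last.password
expr { [mcget -secure {session.custom.ad_password}] }

# Scrub the consumed pass code and the temporary copy from the session.
# Custom Variable (Secure): session.logon.last.passcode
expr { "" }
# Custom Variable (Secure): session.custom.ad_password
expr { "" }
```

Each `expr` line is one Custom Expression entered in a Variable Assign agent; the "Custom Variable" comment above it is the target variable name and the Secure flag to set for that entry.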