Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

APM Configuration With Authentications Against Priority ERP & Duo MFA

maxt
Altostratus
Altostratus

‎11-Sep-2023 07:18

Hi Team,

I have the following scenario and I am looking for ways to implement DUO MFA via APM:

Customer have Priority ERP On-Prem Server with SQL DB, users that connect to Priority login page are authenticated locally with SQL query. I know that SQL query is not supported by big-ip to authenticate users. Now we want to add DUO 2FA to login.

I have followed the arcitle APM Configuration to Support Duo MFA using iRule and was wondering if there is a way to implament the solution with my scenario? I tried with AD Authentication and it works perfect. The problem is as i mentioned users authenticate localy at the server.

The issue is what are my options for First Authentication Factor? I need a way for APM first to pass the user to Priority logon page and after successfull login redirect to DUO 2FA. I have tried to configure "External Logon Page" BUT encountered an endless loop between https:/APM_URL/.my.policy and the logon page.

Can anyone advise which options I have with APM to implament the solution? 

Kind Regards,

Max

Labels:
0 Kudos
3 REPLIES 3

maxt
Altostratus
Altostratus

‎12-Sep-2023 08:06

I found a solution but getting a hard time to write the right iRule.

I can make API call to the server with iRule sideband Connection to make POST with users credentials.

The flow will be:

https://APM_PORTAL_LOGON/.my.policy ------ > user POST credentials ------- > sideband iRule Event to collect users credentials and POST to server for validation ----- if GOOD proceed to DUO.

maxt_0-1694531042482.png

Does anyone has iRule sideband connection to validate users credenials ?

0 Kudos

momahdy
F5 Employee
F5 Employee

‎13-Sep-2023 01:01

Hi Maxt,
Have you tried using External Logon page ? https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/access-...

0 Kudos

maxt
Altostratus
Altostratus
In response to momahdy

‎15-Sep-2023 06:29

I have tried but there is an issue with customers application, we end up with a redirect loop.

I have wrote an sideband connection iRule to do POST request with users credentials and check the status code from the server.

It works perfectly.

Copyright © 2023 Khoros, LLC