I'm hoping not to make this long, but here goes:
Our directive is that our organization wants MFA to get to a BIG-IP device. The initial directive was AD auth.
Environment: Our LTMs have been partition-divided, sometimes by app name, team name, etc. It's a mess, and cleaning it up would require a ton of work even for AD to work, then add MFA.
So I asked what the real requirement is: do "they" care where the authentication/MFA occurs? No, they don't. OK, now APM.
Objective: the user types in the BIG-IP web URL https://mybigip01.dns.com; we want them to be directed back to the APM for auth/MFA before they can access the resource.
1) Is this possible?
2) We want to use Google auth, which we are already using for remote access on the APMs.
3) If this is possible, do we have to turn on Remote - APM Based and fall back to local? This would turn off local access (I think), which they are all using, and this goes back to the earlier mess of partitions I mentioned.
Looking for ideas, solutions, etc. Thanks.
Ultimate question: Can we do an APM auth checkpoint and then have them access the LTM the way they normally do for now, until we can get things cleaned up?
This could be a request for F5 Sales and PS services, as the LTM may need to use an iRule to check for the APM session cookie (https://my.f5.com/manage/s/article/K15387) and, if it is not present, redirect to the APM URL; but for the browser to send the APM cookie, it could be necessary to play with the APM cookie domain options.
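As an added illustration of the iRule approach described in the answer above (example code written for this page, not from the thread's participants or from F5), the following LTM iRule lets requests that already carry the APM session cookie through and redirects everything else to the APM logon page. It assumes the APM session cookie is named MRHSession (the standard BIG-IP APM session cookie name), that the APM virtual server answers at the placeholder hostname apm.example.com, and that the APM side is configured to honour an orig query parameter for the return trip; none of those three details appear in the thread.

```tcl
# Added example: gate an LTM virtual server on the presence of the APM session cookie.
# Assumptions (not from the thread): cookie name "MRHSession", APM logon host
# "apm.example.com", and an "orig" query parameter the APM policy uses to return
# the user to the protected resource after MFA.
when HTTP_REQUEST {
    # A request that already carries the APM session cookie is allowed through to
    # the pool exactly as before; nothing else about the LTM virtual server changes.
    if { [HTTP::cookie exists "MRHSession"] } {
        return
    }

    # No APM cookie: record the event for monitoring and bounce the browser to APM.
    # The original host and URI are URL-encoded into the redirect so the user can be
    # sent back to the page they asked for once auth/MFA has completed.
    set original "https://[HTTP::host][HTTP::uri]"
    log local0. "No APM session cookie from [IP::client_addr] for $original; redirecting to APM"
    HTTP::redirect "https://apm.example.com/?orig=[URI::encode $original]"
}
```

Two points worth keeping in mind when deploying something like this. First, the rule only tests that a cookie with that name is present; it does not ask the APM whether the session is still valid, so it keeps unauthenticated browsers out but is not a substitute for attaching an access profile (on a virtual server with an access profile, the ACCESS::session iRule commands can check session state). Second, the browser will only send the APM cookie to the LTM virtual server if the two hostnames share a parent domain and the APM cookie domain setting the answer mentions has been widened to cover it; without that, every request will loop back to the APM.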