Hello all. I would like to see if there is a way for us to call a "BIG-IP as SAML Service Provider" macro when a user attempts to access a Portal Access Resource assigned to their webtop. We would like to MFA this particular resource using OneLogin (IdP).
I will try to provide an example as specific as I can below and hope it makes sense.
Users currently log into APM (remoteurl.domain.com) and are redirected to a OneLogin page. After successful SAML auth, OneLogin redirects them to their F5 webtop. This webtop contains various Portal Access and RDP resources. Most of these resources do not contain sensitive data and do not require MFA. We would like the 1-2 "sensitive data" resources to require MFA, using OneLogin and physical YubiKeys.
The only solution I've cobbled together so far is to create an entirely new APM profile (this would include OneLogin SSO with the required MFA), have a Portal Access resource point to said profile, and add the ACTUAL resource to the webtop there. I feel like there is probably an easier way to do this, but I've yet to find one.
Why do it that way? I would love to just MFA them from the start, but I've been told I cannot MFA everyone from the get-go... only certain people and at the time of access. I hope this makes some semblance of sense.
Thank you all in advance for any insight you can provide.
I wonder if you could accomplish this with a per-request policy and URL branching agent. I haven't tested this but my thought is if the system can see either the portal rewrite URL or the actual URL, you might be able to trigger the call to your MFA solution through a subroutine. Obviously I would test this in a non-production setting but its possible it could help here.
See this for more info: https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-per-request-policies/using-s...
Thanks for the suggestion. I found https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-per-request-policies/using-s... but the page contents are blank. I opened a case about the blank documentation and it turns out that "support for SAML Step -Up authentication in Per Request Policies is still a work in progress and not yet fully supported."
I ended uphaving to create a branch rule based on a "secured app" AD group. The branch rule contains a user decision box offerinf the choice of "Secure Apps Portal" or "Normal Access". If they choose Secured Apps, the end terminal is a redirect to a different APM profile that uses SAML auth and MFA.