Showing results for 
Search instead for 
Did you mean: 

Customize APM Logon Page for Duo Security auth with Modern Template, v15.1+




I would like to use Modern Template on v15.1+ and integrate Duo Security with APM's Logon Page.


I tried to follow these guides:


Based on Lucas' (btw fantastic) guide I tried to add the link from Duo ( in Customization Tool, General Customization, on Text tab, under Customization Settings -> Access Profiles -> /Common/<AccessProfile> -> Common -> External Scripts/Styles section. I copied the JS link as the value of External Javascript 1 Address.


I tried to generate the SRI hash on, but I got the following error message:

Error: this resource is not eligible for integrity checks. See


Therefore I did not configured an External Javascript 1 Subresource Integrity value...


With the above settings, after logging in with username and password the following message appeared:

Initializing two-factor authentication... DUO-TXID(|XXXXXXXXXXXXXXXXXXXX)


On F5, I ran tcpdump and I can see Duo Authentication Proxy is communicating with Duo on port 443.


But authentication is not completed, user does not appear in User list, even not as Pending Enrollment.


Is there anyone who managed to successfully integrate Modern Template with Duo Security and could help me how to fix it?


UPDATE: I created a test policy with Standard Customization Type. User self-enrollment and also authentication worked like a charm. So my infrastructure is correctly set, just would need some guidance, how to integrate the Duo Javascript within Modern Template.



Hi there,


We had a similar issue with our deployment while attempting to integrate Duo MFA. The DUO-TXID would appear in the login box on our customised login page, but the Duo integration didn't seem to fire.


We're on 14.1, but have a pretty heavily customised Sign-In page. Perhaps this contributes somewhat to load times, etc for page elements.


I spent some time in Firefox with Developer tools, prettified the Duo code, and set some break points. In stepping through the execution flow, I found that the Duo script actually embeds a specific version of the jQuery library, and triggers on the j(document).ready condition, which is equivalent to the DOMContentLoaded event. This was firing ahead of the Body OnLoad event that triggers the Login Page's function to populate the logon form (OnLoad).


The net effect is that when the Duo function triggers, and looks for the DUO-TXID, it is not there yet.


The workaround/fix was the following:


Edit the policy's Logon Page's in advanced customisation and locate the following code section:


disableSubmit(form); return true; } //--> </script> </head>   <body onload="OnLoad()">   <?

To adjust the way the triggers work, replace the above code section with:


disableSubmit(form); return true; }   document.addEventListener("DOMContentLoaded", function() { OnLoad(); }, false); //--> </script> </head> <body> <?

What this does is replace the effective OnLoad handler with a DOMContentLoaded handler to call the OnLoad function that populates the logon form.


In our case, this seems to have resolved the timing issues, though there is not really a guarantee that this will work in all cases.


I hope this solution helps out other folks.





There is no in the modern template. so you want be able to do so.


Hi  ,


I may not have realised at the time, my solution did not use the Modern Template. When performing an upgrade recently we discovered that there are limitations in the Modern Template that could not be overcome at the time. This prevents Duo Auth from being integrated.


I hope that F5 and/or Duo or other vendors come up with a suitable solution at some point.




yes indeed.


i hope they will make it possible to change the code on the new template


Eelke, did you find a solution for this?   I have a case opened with F5 support for this same question.