F5 APM Access Policy using Azure MFA via SAML

GeoffG_213492
Nimbostratus

Hi,

 

I have been looking through some previous questions relating to integrating Azure MFA into an existing F5 APM policy.

 

We currently use AAA Radius Server On-Prem in our APM policy that takes the OTP variable at the login page and validates against the AAA Radius Servers.

 

I would like to replace this RADIUS auth component with Azure MFA, using SAML to provide the OTP step of the authentication process. I assume this would follow the following login pattern:

 

Users log in with their AD username and password. The SAML process is then triggered with the AD information to generate an SMS text message to the user, and a page is displayed asking for the code.

 

Once the code is entered and is valid, the access policy flow can continue on as per our current configuration.

 

I have looked at the following link, which describes this, but that example is using on-prem MFA servers rather than SAML to perform this: https://devcentral.f5.com/articles/heres-how-i-did-it-integrating-azure-mfa-with-the-big-ip-19634

 

Just wondering if anyone out there has done similar to what I need to do and could share how they did it?

 

I'm not all that familiar with SAML yet either, but I understand the basic principles of how this works.

 

Many thanks in advance

 

4 REPLIES

nikhil_raj_2965
Nimbostratus

Hi Geoff

 

I can see there was no response to this question. Were you able to get this working?

 

Regards

 

Nikhil

 

I stepped away from this for a while but have now got this working.

 

My only issue is that Azure has a token lifetime with a minimum of 10 minutes, so I don't know how to make the client re-auth with MFA every time they connect...

 

Cheers and apologies for late response.

scott_bilyeu
Nimbostratus

I have not done this with Azure-365 yet, but I have done it with ADFS and Okta. Basically you set up the F5 as an SP to the IdP (Okta, for example); if you need to choose between IdPs you can use IdP discovery. Then on the remote IdP set up the MFA however you would like.

As far as the flow, I normally do SP initiation, so it would start at the F5 APM-enabled VIP, which then redirects/posts you to the IdP (Azure) with a SAML request, and you authenticate at Azure. Then a POST sends you back to the F5 APM VIP with a SAML response. From there you can land on a webtop with links to your internal non-federated resources, or you can do what is called IdP chaining, where the F5 is now the IdP, and go on to another federated resource that is the SP (say Concur, Google, etc.), using the contents of the SAML, or not.

To be honest, with this config there is a bit of iRule work needed to seamlessly call the F5 IdP to the SP in a chain, because it wants to plop you on a webtop, and to handle logouts, SLOs, etc., but that is about it.
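The SP-initiated exchange described in the reply above, and the "re-auth with MFA every time" problem raised two posts up, as an added example that is not part of this thread and is not F5 or Microsoft code. In SAML 2.0 core the SP can set ForceAuthn="true" on the AuthnRequest to ask the IdP to authenticate the user afresh rather than reuse an existing IdP session; whether a particular IdP honours that flag is something to test, which is why the SP-side checks below also look at the assertion's AuthnInstant and reject one older than a chosen age instead of trusting the flag alone. All URLs and entity IDs are hypothetical, the Response is constructed inline, and XML signature handling is deliberately left out (APM verifies the IdP signature; none of the checks below mean anything on an unverified document).

```python
"""SP-initiated SAML 2.0 web SSO reduced to the parts that decide whether the
MFA was fresh. Added example; hypothetical endpoints; no signatures produced
or verified here (the SP must verify the IdP signature before any of this)."""
import base64
import datetime as dt
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML}

# Hypothetical endpoints: the APM virtual server acting as SP, and the IdP.
SP_ENTITY_ID = "https://apm.example.com/saml/sp"
ACS_URL = "https://apm.example.com/saml/sp/profile/post/acs"
IDP_ENTITY_ID = "https://idp.example.com/saml2"
IDP_SSO_URL = "https://idp.example.com/saml2/sso"


def parse_utc(ts: str) -> dt.datetime:
    """Parse a SAML xs:dateTime in UTC, with or without fractional seconds."""
    base = ts.rstrip("Z").split(".")[0]
    return dt.datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=dt.timezone.utc)


def build_authn_request(request_id: str, issue_instant: str, force_authn: bool = True) -> str:
    """SP -> IdP. ForceAuthn="true" asks the IdP to authenticate the user again
    even if it already holds a session for them (SAML 2.0 core, AuthnRequest)."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'ForceAuthn="{str(force_authn).lower()}">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )


def redirect_binding_url(authn_request_xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode (request signing omitted)."""
    z = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = z.compress(authn_request_xml.encode()) + z.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                                    "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect_request(url: str) -> str:
    """What the IdP does with the query string it receives."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()


def sample_response(request_id: str, authn_instant: str, issue_instant: str, not_on_or_after: str) -> str:
    """Constructed, unsigned Response shaped like an IdP's HTTP-POST reply (test data)."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" Version="2.0" '
        f'IssueInstant="{issue_instant}" Destination="{ACS_URL}" InResponseTo="{request_id}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issue_instant}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>user@example.com</saml:NameID>'
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{request_id}" Recipient="{ACS_URL}" '
        f'NotOnOrAfter="{not_on_or_after}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{issue_instant}" NotOnOrAfter="{not_on_or_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_s1"/>'
        f'</saml:Assertion></samlp:Response>'
    )


def check_response(response_xml: str, expected_request_id: str, now: str, max_authn_age_s: int) -> list:
    """SP-side checks on an already signature-verified Response. Empty list == accept."""
    t_now = parse_utc(now)
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo mismatch (unsolicited or replayed response)")
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not our ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion present"]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("assertion issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_utc(cond.get("NotBefore")) <= t_now < parse_utc(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window")
    if cond is not None and cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        problems.append("audience is not this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id or scd.get("Recipient") != ACS_URL:
        problems.append("SubjectConfirmationData does not match this request")
    stmt = a.find("saml:AuthnStatement", NS)
    if stmt is None:
        problems.append("no AuthnStatement")
    else:
        age = (t_now - parse_utc(stmt.get("AuthnInstant"))).total_seconds()
        if age > max_authn_age_s:  # IdP reused an old session: ForceAuthn not honoured, or stale
            problems.append(f"AuthnInstant is {int(age)}s old, over the {max_authn_age_s}s limit")
    return problems


def demo() -> dict:
    """Fresh MFA is accepted; an IdP that reused a 20-minute-old login is rejected."""
    rid = "_" + secrets.token_hex(16)  # xs:ID must not start with a digit
    req = build_authn_request(rid, "2024-05-01T10:00:00Z")
    assert decode_redirect_request(redirect_binding_url(req, "/webtop")) == req
    now = "2024-05-01T10:00:30Z"
    fresh = sample_response(rid, "2024-05-01T10:00:25Z", "2024-05-01T10:00:28Z", "2024-05-01T10:05:28Z")
    stale = sample_response(rid, "2024-05-01T09:40:00Z", "2024-05-01T10:00:28Z", "2024-05-01T10:05:28Z")
    return {"fresh": check_response(fresh, rid, now, 120), "stale": check_response(stale, rid, now, 120)}
```

The 10-minute token lifetime mentioned above governs how long the IdP's own session lives; the assertion the SP receives still carries the moment the user actually authenticated, so pairing ForceAuthn on the request with an AuthnInstant age limit on the response gives the SP its own say over how fresh the MFA has to be, independent of what the IdP is configured to do.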

 
