Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

How to develop a second factor authentication plugin/extension?

VKanwade
Nimbostratus
Nimbostratus

‎04-Nov-2020 07:49

Very new to BIG-IP

 

I am trying to port an extension for second factor authentication written for PingFederate.

 

There I have to create a jar and deploy it in PF. Then I can login as admin and configure it as a policy: Login using AD, on success, trigger my plugin which does the OTP and then allow access to the resource.

 

How do I do something similar in BIG-IP?

 

Is APM > AAA Servers the right way to do this?

Labels:
0 Kudos
7 REPLIES 7

boneyard
MVP
MVP

‎08-Nov-2020 08:07

APM is the right module for sure

 

but loading something like a jar is not something you do with F5 BIG-IP APM

 

you can create an access profile, and in the visual policy editor create your auth flow. first AD then your second factor authentication.

 

if that will work depends on the two factor "extension", is it fully custom? can it run somewhere separate where the F5 BIG-IP APM module can communicate with it?

 

this isn't something that is easy without some basic APM knowledge, can your F5 partner or distributor perhaps help?

VKanwade
Nimbostratus
Nimbostratus

‎10-Nov-2020 20:36 - last edited on ‎24-Mar-2022 01:14 by Fog

Hi  the extension is something I am building and yes it can be run on a separate tomcat.

 

I was able to get to a point where I created a pool, virtual server and access policy. but kind of stuck how to configure the policy to include it.

0 Kudos

Ahmed_Galal
Cirrostratus
Cirrostratus
In response to VKanwade

‎11-Nov-2020 01:16

for me Radius Auth is OTP server but first you need to configure Radius authentication server under APM module0691T000009jXaTQAU.png

0 Kudos

VKanwade
Nimbostratus
Nimbostratus
In response to Ahmed_Galal

‎12-Nov-2020 18:44 - last edited on ‎24-Mar-2022 01:14 by Fog

 I am trying to build my own extension. So instead of the SSO Credential Mapping step, I have added External Logon Page. But for some reason [ACCESS::policy result] is always not_started instead of in_progress.

0 Kudos

Ahmed_Galal
Cirrostratus
Cirrostratus
In response to Ahmed_Galal

‎15-Nov-2020 00:08

SSO credential mapping step not related to login it only take username and password that user inserted on logon page and pass it to application page so user can access application directly without entering credential again.

if you want to configure external logon page you should configure it instead of logon page in the begging but why do you want to configure external logon page??

0 Kudos

VKanwade
Nimbostratus
Nimbostratus
In response to Ahmed_Galal

‎19-Nov-2020 15:45 - last edited on ‎24-Mar-2022 01:14 by Fog

  The external logon page is not actually logon page. Its a custom implementation of OTP (RSA Adaptive Authentication).

So the AD Auth actually does the authentication and then passes username to the tomcat server. The server talks to RSA AA, which tells which OTP method to use, the user finishes the OTP flow and is then redirected back to APM.

 

This is what I am trying to achieve.

 

Let me know if I am looking at this all wrong!

 

Thanks

0 Kudos

boneyard
MVP
MVP
In response to Ahmed_Galal

‎20-Nov-2020 04:26

are you posting the required information back to the APM at the end of the external logon page?

 

https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-visual-policy-editor/access-policy-item-reference/about-logon-items/about-the-external-logon-page.html

 

i would start with something like this and do the AD stuff afterwards

 

https://devcentral.f5.com/s/question/0D51T00006i7WriSAE/error-with-external-logon-page

0 Kudos
Copyright © 2023 Khoros, LLC