
How to develop a second factor authentication plugin/extension?

VKanwade
Nimbostratus

Very new to BIG-IP

 

I am trying to port an extension for second factor authentication written for PingFederate.

 

There I have to create a jar and deploy it in PF. Then I can login as admin and configure it as a policy: Login using AD, on success, trigger my plugin which does the OTP and then allow access to the resource.

 

How do I do something similar in BIG-IP?

 

Is APM > AAA Servers the right way to do this?

7 REPLIES

boneyard
MVP

APM is the right module for sure

 

but loading something like a jar is not something you do with F5 BIG-IP APM

 

you can create an access profile, and in the visual policy editor create your auth flow. first AD then your second factor authentication.

 

if that will work depends on the two factor "extension", is it fully custom? can it run somewhere separate where the F5 BIG-IP APM module can communicate with it?

 

this isn't something that is easy without some basic APM knowledge, can your F5 partner or distributor perhaps help?

VKanwade
Nimbostratus

Hi, the extension is something I am building, and yes, it can be run on a separate Tomcat.

 

I was able to get to a point where I created a pool, virtual server and access policy, but I am kind of stuck on how to configure the policy to include it.

For me, RADIUS Auth is the OTP server, but first you need to configure a RADIUS authentication server under the APM module.

I am trying to build my own extension. So instead of the SSO Credential Mapping step, I have added an External Logon Page. But for some reason [ACCESS::policy result] is always not_started instead of in_progress.
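As an added diagnostic example (not from this thread or from F5), the following iRule logs the APM policy result alongside whether the request carries the APM session cookie, which is what a result of not_started on every request usually points to. It assumes the iRule is attached to the same virtual server that has the access profile, and it only logs; the log line name and the "unknown" fallback value are choices made here, not APM output.

```tcl
# Added diagnostic iRule, not part of the original thread.
# Attach to the virtual server that carries the access profile.
when HTTP_REQUEST {
    # MRHSession is the APM session cookie; a request without it
    # is evaluated as a brand-new session, so the policy result
    # will read not_started rather than in_progress.
    set has_session_cookie [HTTP::cookie exists "MRHSession"]

    # ACCESS::policy result returns the current state of the
    # access policy for this session (not_started, in_progress,
    # allow, deny, ...). Guard the call so a missing session does
    # not abort request processing.
    set policy_result "unknown"
    if { [catch { set policy_result [ACCESS::policy result] }] } {
        set policy_result "unknown"
    }

    log local0. "apm-diag uri=[HTTP::uri] session_cookie=$has_session_cookie policy_result=$policy_result"
}
```

Reading the log while the external logon page redirects back to APM shows whether the return request still carries the session cookie; if session_cookie is 0 on the return, the external page is sending the user back without the APM session context, which matches the not_started symptom described above.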

The SSO credential mapping step is not related to login; it only takes the username and password that the user entered on the logon page and passes them to the application page, so the user can access the application directly without entering credentials again.

If you want to configure an external logon page, you should configure it instead of the logon page at the beginning. But why do you want to configure an external logon page?

The external logon page is not actually a logon page. It's a custom implementation of OTP (RSA Adaptive Authentication).

So the AD Auth actually does the authentication and then passes username to the tomcat server. The server talks to RSA AA, which tells which OTP method to use, the user finishes the OTP flow and is then redirected back to APM.

 

This is what I am trying to achieve.

 

Let me know if I am looking at this all wrong!

 

Thanks

are you posting the required information back to the APM at the end of the external logon page?

 

https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-visual-policy-editor/access-policy-item-reference/about-logon-items/about-the-external-logon-page.html

 

I would start with something like this and do the AD stuff afterwards

 

https://devcentral.f5.com/s/question/0D51T00006i7WriSAE/error-with-external-logon-page