I have a requirement from our customer to do MFA authentication on the F5 APM module and use Keycloak as the identity provider to control access to their web application. Since Keycloak is operated by a different team, the internal operations team is not authorized to configure MFA on Keycloak; they will use F5 APM to perform MFA instead.
Protect your web application by deploying F5 as a web proxy.
Import your SAML metadata to F5 APM
Start by logging in to your Keycloak console and downloading the SAML metadata.
Make sure you have the right realm selected.
Save your metadata.
Navigate to External IDP connector
Create External IDP connector
Upload the metadata you downloaded previously and name your SAML IDP connector.
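Before uploading the Keycloak metadata to the IDP connector, it is worth confirming that the file is IdP metadata for the intended realm, has an HTTPS HTTP-POST SingleSignOnService endpoint and carries a signing certificate, because a descriptor exported from the wrong realm only shows up later as rejected assertions. The following added Python check is not F5 or Keycloak code; the hostname, realm name and certificate in the embedded sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of a Keycloak realm descriptor (hostname, realm
# and certificate are placeholders, not values from a real deployment).
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" Name="urn:keycloak">
  <md:EntityDescriptor entityID="https://keycloak.example.internal/realms/f5test">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBplaceholderSigningCert==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="{HTTP_POST}"
          Location="https://keycloak.example.internal/realms/f5test/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def inspect_idp_metadata(xml_text, expected_realm):
    root = ET.fromstring(xml_text)
    tag = "{%s}EntityDescriptor" % MD
    entity = root if root.tag == tag else root.find(tag)  # Keycloak wraps it in EntitiesDescriptor
    if entity is None:
        raise ValueError("no EntityDescriptor found")
    idp = entity.find("{%s}IDPSSODescriptor" % MD)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    entity_id = entity.get("entityID", "")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("{%s}SingleSignOnService" % MD)}
    signing_certs = [c.text.strip()
                     for kd in idp.findall("{%s}KeyDescriptor" % MD)
                     if kd.get("use") in (None, "signing")  # no 'use' attribute means both
                     for c in kd.iter("{%s}X509Certificate" % DS)]
    problems = []
    if entity_id.rstrip("/").rsplit("/realms/", 1)[-1] != expected_realm:
        problems.append("entityID is for a realm other than %r (wrong realm exported?)" % expected_realm)
    if HTTP_POST not in sso:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    elif not sso[HTTP_POST].startswith("https://"):
        problems.append("SSO endpoint is not https")
    if not signing_certs:
        problems.append("no signing certificate: APM cannot verify assertion signatures")
    return {"entity_id": entity_id, "sso_post_url": sso.get(HTTP_POST), "signing_certs": signing_certs,
            "wants_signed_authn_requests": idp.get("WantAuthnRequestsSigned") == "true", "problems": problems}
```

Run it against the real download with the realm name you selected in the console; an empty problems list means the descriptor is ready to upload, and wants_signed_authn_requests tells you whether the SP service must sign its requests.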
Create your web.f5test.com certificate.
Navigate to SSL Certificate list console
Create your new certificate
Configure your parameters and click Finish.
Create your Local SP Service
Navigate to local SP service console
Click create new SP service
Input the name, Entity ID and SP name settings.
Configure POST as the assertion consumer service binding.
Configure the security settings with the certificate generated earlier and click OK.
Bind your SP service to the IDP connector.
Select your newly created SP service.
Add a new row and select your IDP connector profile.
Import your SP service to Keycloak
Export your SP service
Create a new client on Keycloak.
Select the file downloaded in the previous section.
Create Access policy
Navigate to Access policy console
Name the Access policy, select the language and click Finish.
Edit your newly created policy.
Add SAML Auth
Configure SAML Auth with the SP service created earlier.
Add OTP Generate
Configure OTP with 6 digits and click Finish.
Add logon page
Change username to NONE, configure the GUI interface and save.
Add OTP verify
Use the default settings.
Add email to send your OTP
Configure the email settings.
Apply your Access policy
Create New VIP
Navigate to Virtual server console
Configure the parameters for your VIP.
Apply the Access policy and pool. Click Finish.
Test your application by accessing https://web.f5test.com