Note: Special thanks to the FirePass development team for providing this tip.

As IT departments deploy an ever-growing list of mobile devices, secure authentication becomes an even bigger nightmare that keeps IT management awake at night. One option available is RSA SecurID software tokens (for more details, you can visit http://www.rsa.com/).

If your organization has chosen SecurID software tokens, the F5 development team has documented how F5 FirePass can accommodate this customized configuration using FirePass’ unique WebDAV capabilities. What makes this particularly interesting is that, because of its customization capabilities, FirePass can be configured to automatically extract RSA SecurID passcodes via the standard FirePass login page.

After configuring this solution, the user experience will look something like this:

 

[Figure: FirePass with RSA SecurID Integration]


Below, we’ll walk through the basics of how it works and how you can configure FirePass to do this in your own organization, along with a video that demonstrates the user experience.

How it Works
When an end user visits the FirePass logon page, an RSA SecurID soft token application is automatically launched (if the user has the software installed). The end user then enters their name and PIN into the soft token application. FirePass then takes the entered username and the generated passcode, auto-fills the FirePass logon form, and automatically logs the user in.

Setting it Up
Configuration is relatively easy and does not involve any code changes to FirePass. However, you will have to load a WebDAV customization include file to make it work. (For help and documentation on how to do this, please see the FirePass online help under Device Management->Customization for how to enable WebDAV and load up customization files.)

Here is the step-by-step process for configuring this setup:

  1. Make sure FirePass is configured and works with RSA SecurID through the normal FirePass logon process (where the user must copy/paste the soft token and passcode into the FirePass logon prompts). Please do not proceed to step #2 until you have verified this. FirePass has full SecurID support, but needs to be configured and working before trying the automatic soft token passcode extraction.
  2. Optional: Under Device Management->Customization, change the “Password prompt:” text from “Password” to “Passcode”, for use with SecurID. Note: This is merely cosmetic – it will not affect how any of this works.
  3. Save the sample code below to a text file named “right.inc”. Load the “right.inc” customization include file onto the FirePass WebDAV sandbox. (For help and documentation on how to do this, please see the FirePass online help under Device Management->Customization for how to enable WebDAV and load up customization files.)


This script loads a pre-installed RSA soft token ActiveX control, calls it to have the user enter their username (if needed) and pin, and then pulls the passcode and auto-submits the FirePass weblogon form. If the user either doesn’t load the ActiveX control or hits cancel, they’ll get the normal logon prompt.

This JavaScript could be included in more complex WebDAV customization include files, or in a different include file, if you’d like. (For help and documentation on how to do this, see the FirePass online help under Device Management->Customization for how to enable WebDAV and load up customization files.)

 

<OBJECT id=sdui classid=clsid:99548BB4-F895-11D0-93CA-00A024D1214D name=sdui hidden="true">
<embed hidden="true" name="sdui" type="application/x-sdclient"></embed>
</OBJECT>

<SCRIPT language=JavaScript>
<!--

/**
 * RSA SecurID software token auth function
 */
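function authenticate()
{
    var form = document.forms[0];
    var rc = -1;
    var date = new Date();
    // Current time in seconds since the epoch, passed to the soft token control
    var time = Math.round(date.getTime()/1000);
    var user = form.username.value;
    var state = 0;

    // If the soft token control did not load, keep rc at -1 so the normal logon prompt is shown
    if(typeof(document.sdui.sdAuth) == "undefined")
    {
        rc = -1;
    }
    else
    {
        rc = document.sdui.sdAuth(time, user, state);
    }
    if (rc == 1)
    {
        // Copy the username and passcode from the control into the logon form and submit it
        form.username.value = document.sdui.getUsername();
        form.password.value = document.sdui.getPasscode();
        form.tzoffsetmin.value = 1;
        form.submit();
    }
    else
    {
        // Control not loaded or user hit cancel: fall back to the normal logon prompt
        document.cancelForm.submit();
    }
}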
 
/**
 * Replace normal FirePass onload function to call RSA SecurID authenticate function
 */
var doNotAutoSubmit = false;
var doAutoSubmit = false;
// Returning true from window.onerror suppresses script error dialogs on the logon page
function maierrar() {
    return true;
}
window.onerror=maierrar;

function OnLoad() {
    var form = document.forms[0];

    if(form == null)return;

    try { //POST uRoamTestCookie into /my.activation.php3 to inform cluster slave that client supports cookie
        if(document.cookie.indexOf("uRoamTestCookie=") != -1){
            var element = document.createElement("input");
            element.setAttribute("name", "uRoamTestCookie");
            element.setAttribute("type", "hidden");
            element.setAttribute("value","TEST");
            document.forms[0].appendChild(element);
        }
    } catch (e) {
    }

    if(!doNotAutoSubmit && doAutoSubmit){
        form.tzoffsetmin.value = 1;
        form.submit();
    }

    // Focus the username field when it is an empty text input, otherwise the password field
    if (form.username != null && form.username.value.length == 0 && form.username.type == "text"){
        form.username.focus();
    }else{
        if (form.password != null) form.password.focus();
    }

    /**
     * Call RSA SecurID software token auth function
     * TODO: Add rsa_status cases to handle auth failures and tokencode requests
     */
    if (form.rsa_status == null) {
        authenticate();
    }
}

// -->
</SCRIPT>

 


That’s it. This should be fully compatible with pre-logon sequences and all other RSA SecurID functions (token entry, pin change, etc.). Currently, the JavaScript does not handle other special cases (e.g. entering token, pin change, etc.), but handling for them could easily be added.
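The logon flow described above, restated as an added example (not F5 or RSA code) with the control and form passed in, so each outcome can be exercised in Node without the ActiveX control. The names softTokenLogon, mockForm and mockControl are hypothetical; sdAuth, getUsername, getPasscode and the rc == 1 success value come from the script above. It goes beyond the original by also falling back when the control throws or returns an empty credential, and it returns the outcome instead of submitting the cancel form.

```javascript
// Added example, not F5 or RSA code. softTokenLogon and the mocks are hypothetical names.
function softTokenLogon(control, form, nowMs) {
  // Control not installed or not scriptable: show the normal logon prompt.
  if (!control || typeof control.sdAuth === "undefined") {
    return "fallback:no-control";
  }
  var rc;
  try {
    // Same arguments as the page's script: epoch seconds, current username, state 0.
    rc = control.sdAuth(Math.round(nowMs / 1000), form.username.value, 0);
  } catch (e) {
    // Handle a failing control explicitly instead of relying on window.onerror.
    return "fallback:control-error";
  }
  if (rc != 1) {
    return "fallback:cancelled";
  }
  var user = control.getUsername();
  var passcode = control.getPasscode();
  // Never auto-submit a blank credential; leave the form untouched.
  if (!user || !passcode) {
    return "fallback:empty-credential";
  }
  form.username.value = user;
  form.password.value = passcode;
  form.tzoffsetmin.value = 1;
  form.submit();
  return "submitted";
}

// Constructed test doubles standing in for the logon form and the soft token control.
function mockForm() {
  var f = { username: { value: "" }, password: { value: "" },
            tzoffsetmin: { value: 0 }, submitted: 0 };
  f.submit = function () { f.submitted += 1; };
  return f;
}
function mockControl(rc, user, passcode) {
  return {
    sdAuth: function () {
      if (rc === "throw") throw new Error("control failure");
      return rc;
    },
    getUsername: function () { return user; },
    getPasscode: function () { return passcode; }
  };
}
```

On the real logon page, every outcome other than "submitted" would map to the script's existing fallback, document.cancelForm.submit().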

Conclusion
So, there you have it - a quick way to integrate an authentication solution like SecurID by utilizing FirePass customization capabilities. If you need help or are curious about how this works or how you might extend it, please visit the FirePass Customization Forum and post your questions.