
2FA authentication with SSO on APM

Hi

I have configured two-factor authentication with AD and RSA for users to connect to an application on APM, but I need an SSO configuration on APM to pass the AD credentials to the application. The policy I have configured will change session.logon.last.password to password1 to pass the RSA token to the RSA server. So how do I get the actual AD password session ID to configure SSO?

Policy: Logon page (password1 configured as the session variable for RSA) -- AD auth -- Variable assign as below -- RSA auth -- SSO mapping -- backend server

Variable assign expr: {[mcget session.logon.last.password1]}


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Below is an example of a macro I have used in the past which should do what you require.

[image: VPE macro screenshot]

On the logon page I have a third field which takes the RSA PIN + Token. I have assigned this the session variable session.logon.last.pin

SSO Credential Mapping takes the session variables session.logon.last.password and session.logon.last.username maps them to session.sso.token.last.password and session.sso.token.last.username. We will then use these for various SSO configurations.

Variable Assign re-creates session.logon.last.password and creates it with the contents of session.logon.last.pin so that the RADIUS Auth policy agent can use the PIN + Token for RADIUS Auth.

[image: VPE macro screenshot]

0
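The ordering described in the answer above (SSO Credential Mapping before the Variable Assign that overwrites session.logon.last.password) is the whole point, so here is a small model of it. This is an added illustration, not F5 code: APM policy agents are reduced to Python functions that read and write a dict standing in for the session variables. The variable names session.logon.last.* and session.sso.token.last.* are the APM ones quoted in the thread; radius_auth is a hypothetical stand-in for the RADIUS Auth agent, and the credentials are constructed sample values.

```python
"""Model of the APM session-variable flow from the accepted answer.

Added illustration, not F5 code. Agents are plain functions that mutate a
dict standing in for the APM session; 'radius_auth' is a hypothetical
stand-in for the RADIUS/SecurID Auth agent.
"""

# Constructed sample credentials (not real values).
AD_PASSWORD = "ad-secret"
RSA_PIN_PLUS_TOKEN = "1234567890"


def logon_page(session, username, password, pin):
    # Logon page agent with a third field mapped to session.logon.last.pin
    session["session.logon.last.username"] = username
    session["session.logon.last.password"] = password
    session["session.logon.last.pin"] = pin


def sso_credential_mapping(session):
    # SSO Credential Mapping agent: snapshot the logon variables into the
    # session.sso.token.last.* variables that the SSO configurations read.
    session["session.sso.token.last.username"] = session["session.logon.last.username"]
    session["session.sso.token.last.password"] = session["session.logon.last.password"]


def variable_assign_pin_to_password(session):
    # Variable Assign agent, equivalent to:
    #   session.logon.last.password = expr {[mcget {session.logon.last.pin}]}
    session["session.logon.last.password"] = session["session.logon.last.pin"]


def radius_auth(session):
    # Hypothetical stand-in for the RADIUS Auth agent: it always authenticates
    # with session.logon.last.password, so that variable must hold PIN + token.
    return session["session.logon.last.password"] == RSA_PIN_PLUS_TOKEN


def run_policy(agents):
    """Run the given agents in order against a fresh session; return the session."""
    session = {}
    logon_page(session, "alice", AD_PASSWORD, RSA_PIN_PLUS_TOKEN)
    for agent in agents:
        agent(session)
    return session


def questioner_order():
    # Variable Assign runs before SSO mapping: SSO is handed the RSA passcode.
    return run_policy([variable_assign_pin_to_password, sso_credential_mapping])


def accepted_answer_order():
    # SSO mapping first, then Variable Assign: SSO keeps the AD password
    # while the RADIUS agent still sees PIN + token.
    return run_policy([sso_credential_mapping, variable_assign_pin_to_password])


if __name__ == "__main__":
    for name, policy in (("questioner", questioner_order), ("accepted answer", accepted_answer_order)):
        s = policy()
        print(f"{name}: SSO password={s['session.sso.token.last.password']!r}, RADIUS ok={radius_auth(s)}")
```

Running it shows the questioner's symptom (SSO receives the RSA passcode) and the fix (SSO receives the AD password while RADIUS still gets PIN + token), purely as a consequence of agent order.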
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You need to create a SSO Credential Mapping policy agent in the Visual Policy Editor, that takes the username and password from the logon page, and maps them to variables to be used for SSO services

0
Comments on this Answer
Comment made 16-Jan-2018 by senthil147@gmail.com 253

Yes, I understand I need to do SSO credential mapping in the Visual Policy Editor. But if I set the variable as the password from the Logon page in SSO mapping as "mcget {session.logon.last.password}", that will now be the RSA password, not AD, right?

because the variable assign for RSA authentication has the following value (this one is before SSO in the VPE):

session.logon.last.password = expr {[mcget session.logon.last.password1]}

0
Comment made 17-Jan-2018 by senthil147@gmail.com 253

Thank you. I will configure it and get back to you.

0
Comment made 17-Jan-2018 by senthil147@gmail.com 253

Great. That works. Thank you so much.

0
Comment made 17-Jan-2018 by Lee Sutcliffe 1815

Not a problem, happy to help. Please accept the answer if it was useful as it will help others if they are looking for a similar solution in the future.

1
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

One suggestion I have is to validate the SecurID credentials prior to the AD credentials. The reason for this is that it is too easy to lock out AD accounts by purposely entering a wrong password. Depending on the information you track in AD and/or Authentication Manager, this also allows you to ensure that people are able to use only their own SecurID token if you so desire. In other words, I could not log in with my AD credentials and your SecurID token.

In the policy below I present a logon screen, gather the AD credentials and save them in variables. Based on the user name entered I do some lookups and determine that the person has SecurID. Next is a regular SecurID (or RADIUS) authentication. Once the SecurID authentication passes I then go back and validate the AD credentials. It is of course possible with this approach to lock out a SecurID token, but I think in most environments locking out AD has a much larger effect – ActiveSync for example.

[image: VPE policy screenshot]

The “AD Logon Screen READ-ONLY” macro will present a logon screen with the user name already entered and flagged as read only.

[image: "AD Logon Screen READ-ONLY" macro screenshot]

0
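The lockout argument in the answer above can be shown with a toy model. This is an added illustration, not F5 or RSA code: ToyAD is an in-memory directory that counts consecutive bad passwords and locks the account at an assumed threshold (a simplified stand-in for an AD lockout policy), toy_securid accepts one constructed passcode per user (which also models "only your own token"), and the two policy functions differ only in which check runs first. All names, passwords and the threshold are constructed assumptions.

```python
"""Model of 'validate SecurID before AD' versus 'AD first'.

Added illustration, not F5 code. Both directories are toy in-memory
stand-ins; the lockout threshold is an assumed value.
"""

LOCKOUT_THRESHOLD = 3  # assumed bad-password limit for the toy AD


class ToyAD:
    """Minimal stand-in for an AD with an account lockout policy."""

    def __init__(self, passwords):
        self._passwords = passwords
        self.bad_count = {user: 0 for user in passwords}
        self.locked = {user: False for user in passwords}

    def authenticate(self, user, password):
        if user not in self._passwords or self.locked[user]:
            return False
        if self._passwords[user] == password:
            self.bad_count[user] = 0
            return True
        # Every wrong password reaching AD counts towards lockout.
        self.bad_count[user] += 1
        if self.bad_count[user] >= LOCKOUT_THRESHOLD:
            self.locked[user] = True
        return False


# Constructed PIN + token per user: a passcode is only valid for its owner.
SECURID_PASSCODES = {"alice": "1234567890"}


def toy_securid(user, passcode):
    """Stand-in for the SecurID/RADIUS check."""
    return SECURID_PASSCODES.get(user) == passcode


def ad_first(ad, user, password, passcode):
    """Questioner's order: AD Auth runs on every submission, then SecurID."""
    return ad.authenticate(user, password) and toy_securid(user, passcode)


def securid_first(ad, user, password, passcode):
    """Suggested order: AD is consulted only after a valid passcode."""
    return toy_securid(user, passcode) and ad.authenticate(user, password)


def bad_attempts_lock_ad(policy, attempts):
    """Submit a wrong AD password and wrong passcode 'attempts' times for
    alice; return whether alice's AD account ended up locked."""
    ad = ToyAD({"alice": "ad-secret"})
    for _ in range(attempts):
        policy(ad, "alice", "wrong-password", "0000000000")
    return ad.locked["alice"]


def legitimate_login(policy):
    """Alice with her own AD password and her own passcode."""
    ad = ToyAD({"alice": "ad-secret"})
    return policy(ad, "alice", "ad-secret", "1234567890")


if __name__ == "__main__":
    for name, policy in (("AD first", ad_first), ("SecurID first", securid_first)):
        print(f"{name}: login ok={legitimate_login(policy)}, "
              f"AD locked after {LOCKOUT_THRESHOLD} bad attempts={bad_attempts_lock_ad(policy, LOCKOUT_THRESHOLD)}")
```

With AD checked first, anyone who knows a username can drive the account to lockout with no token at all; with SecurID checked first, AD never sees the bad passwords, and a valid login still works in both orders.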