Forum Discussion

Craig_Gibb_1781
Apr 16, 2016

Problem getting SSO to Sharepoint 2013 to work after DUO push authentication.

Hi, we are using Duo Security integrated with F5 APM version 12 SP1. I need to publish a SharePoint 2013 site using Duo Security with push as the two-factor solution. I started out by deploying the latest iApp for SharePoint 2013 and then replaced the AD authentication in the VPE with RADIUS authentication using Duo. The VPE policy is:

In the variable assign I am using the following session variables:

The SSO looks like this:

At the moment the two-factor works and login is accepted using only username and domain password followed by acceptance of the push message from Duo. We then receive a 401 and then an NTLM authentication prompt because the variable assign together with SSO are not configured as they should be.

Any tips or advice appreciated.

/Craig

2 Replies

  • Hi,

    How did you configure the field2 in logon page?

    • text
    • password

    If it is defined as password, you must add -secure in the mcget command:

    session.logon.last.password = [mcget -secure {session.logon.last.field}]

  • CGI

    Okay, I have now managed to solve my problem; it was easier than I thought. The VPE flow is pictured below:

    There is a Pre Logon variable assign where we set the original password as a variable:

    After the RADIUS Authentication Duo we have the post logon where we set the logon username in the form Domain\username and then pull in the original password variable we set before:

    The final part is the SSO Agent, which is the default, collecting information from the default variables:

    I hope this proves useful to others. /Craig
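
The flow described in the last reply, written out as an added illustration in the thread's own "variable = expression" notation for Variable Assign entries; it is not the poster's actual configuration, whose screenshots did not survive. The custom variable name `session.custom.orig_password` and the domain `EXAMPLE` are assumed placeholders.

```tcl
# Added illustration, not taken from the original posts.
# Assumed placeholders: session.custom.orig_password, EXAMPLE.

# 1. Variable Assign placed ahead of RADIUS (Duo) authentication, once the
#    logon page has collected the password. Mark the entry Secure so the
#    copy is stored encrypted in the session; mcget needs -secure to read
#    a variable that is stored as secure.
session.custom.orig_password = expr { [mcget -secure {session.logon.last.password}] }

# 2. Variable Assign placed after RADIUS (Duo) authentication succeeds.
#    Rewrite the username into Domain\username form for NTLM SSO.
session.logon.last.username = expr { "EXAMPLE\\[mcget {session.logon.last.username}]" }

#    Restore the original domain password from the saved copy.
#    Mark this entry Secure as well.
session.logon.last.password = expr { [mcget -secure {session.custom.orig_password}] }

# 3. SSO Credential Mapping left at its defaults, which read
#    session.logon.last.username and session.logon.last.password
#    into the SSO token variables used by the NTLM SSO configuration.
```

If the SSO request still returns a 401, the session variables report for the affected session shows whether the username carries the domain prefix and whether the password variable is populated (secure values are masked there).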