Forum Discussion

eugeneK_pdx's avatar
eugeneK_pdx
Icon for Nimbostratus rankNimbostratus
Aug 22, 2016

F5 APM One time password as MFA via email using SAML Claim email attribute.

My company is on v11.5.4 LTM/ASM/APM (No Oauth2 & OpenID connect support). I would like to expose internal application to internet. The users are external to my company. Our requirements are use of SAML, Multi-factor authentication (MFA). Azure Active Directory (AAD) is being considered. AAD Premiun is currently off the table because of cost. Which leaves, AAD Business to Consumer (B2C) + MFA and AAD Business to Business (B2B) + partial MFA. AAD B2C is also out as it does not support SAML and v11.5.4 does not support Oauth2. AAD B2B is what I am looking at as a possible solution. However MFA is only available to AAD subscribers that has the MFA feature enabled for their users.

 

The use case is users are invited and authenticated through AAD B2B and F5 APM accepts the SAML Claim and sends OTP via email to user.

 

Assuming that I can get a SAML claim from AAD B2B (with email attribute in SAML claim), is it possible to read the email attribute from the SAML claim and use the F5 APM One Time Password to send email passcode as one of the MFA?

 

Thank you, Eugene Kennedy

 

APM
Azure
security

2 Replies

Sort By
  • Michael_Koyfma1's avatar
    Michael_Koyfma1
    Icon for Cirrus rankCirrus
    Aug 22, 2016

    Eugene,

     

    I am not experimented with AAD B2B yet - but if it can send SAML assertion with users email as an attribute value, then APM can certainly extract it and send its own OTP to it. Good luck, and post here please if you make any progress with this solution.

     

  • JoshBecigneul's avatar
    JoshBecigneul
    Icon for MVP rankMVP
    Aug 23, 2016

    My suggestion is that you make sure you get SAML authentication running completely prior to adding in the email OTP. You certainly could add both at the same time, but it might confuse troubleshooting efforts.