Forum Discussion

  • Hello Kees

    Do you have any example for BIG-IP setup as an IdP for the Azure IdP?

  • Correct. But for SSO you need the username and password on the BIG-IP.

    In order to get this you need the BIG-IP also to be setup as an IdP for the Azure IdP.

    It can happen in any partition. See K20465715 for the APM route domain limitations.

     

    Cheers,

     

    Kees

  • wow first time to see that, but shouldn't APM act as SP and Azure as IDP ? does that have to happen within the common partition ?

  • Hello,

     

    I think the Horizon client does support SAML, have a look at this example. So I think that with the BIG-IPO being both IdP and SP (global context) you should be able to perform SSO and use MS authenticator.

     

    Cheers,

     

    Kees

  • Hello,

     

    You could setup your BIG-IP as an IDP for microsoft Azure. And as an SP for the App. Create the application plus authentication (Azure MFA with SAML, BIG-IP is the IdP for the Azure authentication, Azure will handle the 2nd factor via the app).

    Once you have that up and running point your SP to the Azure IdP.

    https://docs.microsoft.com/nl-nl/azure/active-directory/manage-apps/f5-big-ip-forms-advanced

     

    Or use Azure AD without the BIG-IP being the IdP.

     

    Cheers,

     

    Kees

    • malakibrahim's avatar
      malakibrahim
      Icon for Nimbostratus rankNimbostratus

      Hello Kees

      My client is not a web app, its vmware horizon client (VDI) and I think it doesn't support SAML.any recommendations?

  • Hi Rohit,

     

    I've got google authenticator working but I'm unsure of what I need to change in the code to use mircosoft authenticator.

     

    Any help would be greatly appreciated.

     

    • HJMartini_13991's avatar
      HJMartini_13991
      Icon for Nimbostratus rankNimbostratus

      Now I have the Solution with Microsoft NPS implemented and it works with the Microsoft Authenticator APP. It's important to setup the right options in Azure for the users to use the Authenticator APP. You can configure inside the azure-user-accounts how the requests from the OnPremis-NPS (Radius) will be handled. So you can use "enable", "disable" and "restrict". And the user have to configure his own Microsoft Authenticator APP during the initial installation and setup process. The user sccount in active directory (OnPrem) have to setup for remote access and the NPS-options (setting inside the AD-user-account). Your F5-APM-Policy should have a Radius-Auth after the AD-Auth. The Radius-Auth connects the OnPrem-Radius (NPS). And on the NPS your have to configure a Policy for the F5-Access as a radius-client (don't forget to configure a NAS-ID, e.g.) and a Policy for the radius-flow. I use https://docs.microsoft.com/de-de/azure/active-directory/authentication/ for MFA-Setup in Azure.

       

    • Daniel_W__13795's avatar
      Daniel_W__13795
      Icon for Nimbostratus rankNimbostratus

      I have the same requirement, using AzureMFA (Challenge Response) with APM.

       

      One solution that works is to use MS NPS Server with AzureMFA Plugin. You can authenticate with AD / Kerberos / LDAP to your local domain on APM and then request MFA with username (password can be empty) via Radius to the NPS.

       

      I'm unhappy with that solution cause I can't provide any feedback to the user. As soon as I trigger the Radius Request in APM, the page waits in "Loading" state. A solution with better user experience would be nice.

       

      Any hints appreciated.

       

    • HJMartini_13991's avatar
      HJMartini_13991
      Icon for Nimbostratus rankNimbostratus

      Can I use Microsoft Authenticator (SmartPhone MS-Authenticator-APP) with a kind of Challenge Response. Because I will not ask for the Token within my APM-Logon-Page. User should only do "accept the Authentication with the MS-Authenticator APP".

       

  • Hi,

     

    Microsoft Authenticator algorithm is the same as Google Authenticator.

     

    You can use existing Google authenticator codes.