F5 BIG-IP APM 14.1 - Risk-Based Authentication Configuration - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development Employee on Jun 25, 2019Last modified by RSA Information Design and Development Employee on Jun 25, 2019
Version 2Show Document
  • View in full screen mode

This section describes how to integrate RSA SecurID Access with F5 BIG-IP APMusing Risk Based Authentication.

Architecture Diagram

Configure RSA Authentication Manager

To configure your RSA Authentication Manager for risk-based authentication with F5 BIG-IP APM, you must create an agent host record and enable it for risk-based authentication in the RSA Authentication Manager Security Console. You will need to download the sdconf.rec and the risk-based authentication integration script for the appropriate device type to configure the agent. RSA Authentication Manager can integrate risk-based authentication with UDP-based or RADIUS agents only.

The latest risk-based authentication script template is at the following link.


Download this file and copy it to the following directory in your primary RSA Authentication Manager server.


Refer to RSA Authentication Manager Administrator's Guide for more information on RBA integration scripts.

Note:  The version of F5 BIG-IP APM indicated in the script name may not be up to date. See the certification details in this document for exact product versions used for this certification activity.


Configure F5 BIG-IP APM

Perform these steps to configure F5 BIG-IP APM for risk-based authentication with RSA Authentication Manager.

Note:  It is assumed that F5 BIG-IP APM is integrated and working using RSA Authentication Agent or RADIUS with AM already. The steps here show how to modify the existing configuration to enable use of Risk Based Authentication.


1. Click Main > Access > Profiles/Policies > Customization > Advanced.

2. Click Customization Settings > Access Profiles > /Common/<ACCESS-PROFILE-NAME> > Access Policy > Logon Pages > Logon Page > logon.inc, where <ACCESS-PROFILE-NAME> is the name of the access profile which you want to edit (this access profile should already be configured for authentication with either RSA Authentication Agent or RADIUS with AM).

3. On the editor, erase the entire contents of logon.inc file and replace with following:


$fields_settings = array(

1 => array( "type" => "text", "name" => "username", "varname" =>"username", "rw" => "1", "caption" => '%[logon_field_1]', "selectvalues" => "" ),

2 => array( "type" => "password", "name" => "password", "varname" =>"password", "rw" => "1", "caption" => '%[logon_field_2]', "selectvalues" => "" ),

3 => array( "type" => "none", "name" => "field3", "varname" =>"field3", "rw" => "1", "caption" => '%[logon_field_3]', "selectvalues" => "" ),

4 => array( "type" => "none", "name" => "field4", "varname" =>"field4", "rw" => "1", "caption" => '%[logon_field_4]', "selectvalues" => "" ),

5 => array( "type" => "none", "name" => "field5", "varname" =>"field5", "rw" => "1", "caption" => '%[logon_field_5]', "selectvalues" => "" ),





<script language="javascript">





<form id="auth_form" name="e1" method="post" action="<?window.location.href ?>" onsubmit="javascript: return masterSubmit(this);" autocomplete="off">


<script language="javascript"> window.onload = redirectToIdP();



4. Replace the am_integration.js above with the contents of the am_integration.js file downloaded from RSA Authentication Manager Security Console > Agent Configuration page.

5. Click Save.

6. Click Apply Access Policy.

7. Click the check-box next to the Access Policy which was just edited and Click Apply.


Note:  The fully configured access profile for this integration:


Configuration is complete.

Return to Configuration Summary.