F5 BIG-IP APM 14.1 - Shared Logon Page Configuration - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development on Jun 25, 2019
Last modified by RSA Information Design and Development on Jun 25, 2019
Version 2

This section describes how to integrate F5 BIG-IP APM with RSA Authentication Manager using a shared logon page such that both RSA SecurID Access and Active Directory credentials can be entered on a single logon page. This method is not compatible with Risk-Based Authentication.

Example Login Page Diagram

Perform the steps in this section to configure F5 BIG-IP APM to use the shared logon page approach, so that RSA SecurID Access authentication coexists with AD authentication and SSO options.

Note:  It is assumed that F5 BIG-IP APM has already been integrated and tested with RSA Authentication Agent, RADIUS with AM or RADIUS with CAS. The steps here show how to modify the existing access policy to enable AD authentication and SSO alongside the already configured RSA SecurID Access authentication. It is also assumed that an Active Directory server has been created and configured in F5. Instructions for configuring an Active Directory server can be found in F5's documentation.

Note:  This example shows an RSA Authentication Agent integration coexisting with AD authentication and SSO. If the integration type is RADIUS, all the instructions still apply, but the RSA SecurID block is replaced by the RADIUS Auth block.

Procedure

1. Click Main > Access > Profiles / Policies > Access Profiles (Per Session Policies).

2. On the Access Profiles page, enter the name of the access profile to be modified in the search box and click Search.

3. Click on Edit... corresponding to the access profile to be modified.

4. Click on the Logon Page block.

5. On the pop-up window, do the following:

  1. Under Logon Page Agent section, edit the 3rd row as follows:
    • Select Type as password from the drop-down list.
    • Enter Post Variable Name as rsapasswd.
    • Enter Session Variable Name as rsapasswd.
  2. On the pop-up window, under Customization section, do the following:
    • Change the Logon Page Input Field #2 caption to AD Password.
    • Change the Logon Page Input Field #3 caption to SecurID Passcode.
  3. Click Save.

6. Click on the RSA SecurID block.

7. On the pop-up window, do the following:

  1. For Password Source change the value to %{session.logon.last.rsapasswd}.
  2. Click Save.

8. Click the + sign on the Successful branch of the RSA SecurID block.

9. On the pop-up window, click the Authentication tab and then click the AD Auth radio button.

10. Click Add Item.

11. On the next pop-up window, from the Server drop-down list, select the AD Server to be used for authenticating users. (The server should already have been created under Main > Access > Authentication > Active Directory.)

12. Click Save.

13. Click the + sign on the Successful branch of the AD Auth block.

14. On the pop-up window, click the Assignment tab and then click the SSO Credential Mapping radio button.

15. Click Add Item.

16. On the next pop-up window, click Save.

17. Click Apply Access Policy and then click Close.

 

Note:  The fully configured access profile for this integration:

 

Configuration is complete.
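
The following check is an added example, not part of the RSA guide or of F5's tooling. It verifies the wiring that the procedure produces: the third logon row is a password field, the RSA SecurID Password Source points at that row's session variable, and the successful branch runs RSA SecurID, then AD Auth, then SSO Credential Mapping. The dictionary layout is a constructed description rather than a BIG-IP export format, and the session variable names for rows 1 and 2 (username, password) are assumptions.

```python
import re

# Constructed description of the policy built in the procedure above. This
# layout is hypothetical, not a BIG-IP export format; the names used for
# rows 1 and 2 (username, password) are assumptions.
POLICY = {
    "logon_fields": [
        {"type": "text", "session_var": "username"},
        {"type": "password", "session_var": "password"},
        {"type": "password", "session_var": "rsapasswd"},
    ],
    "securid_password_source": "%{session.logon.last.rsapasswd}",
    "success_chain": ["Logon Page", "RSA SecurID", "AD Auth", "SSO Credential Mapping"],
}

EXPECTED_CHAIN = ["Logon Page", "RSA SecurID", "AD Auth", "SSO Credential Mapping"]
SOURCE_RE = re.compile(r"^%\{session\.logon\.last\.([A-Za-z0-9_]+)\}$")


def check_policy(policy):
    """Return findings; an empty list means the wiring matches the procedure."""
    fields = policy["logon_fields"]
    if len(fields) < 3:
        return ["logon page has no third row for the SecurID passcode"]
    findings = []
    passcode_field = fields[2]
    if passcode_field["type"] != "password":
        findings.append("row 3 is not of type password")
    names = [f["session_var"] for f in fields]
    if len(set(names)) != len(names):
        findings.append("two logon rows write to the same session variable")
    match = SOURCE_RE.match(policy["securid_password_source"])
    if match is None:
        findings.append("Password Source is not a session.logon.last variable")
    elif match.group(1) != passcode_field["session_var"]:
        # The SecurID block would be handed a different field's value,
        # for example the AD password instead of the passcode.
        findings.append(
            f"Password Source reads '{match.group(1)}' but row 3 stores "
            f"'{passcode_field['session_var']}'"
        )
    if policy["success_chain"] != EXPECTED_CHAIN:
        findings.append("successful-branch order is not " + " > ".join(EXPECTED_CHAIN))
    return findings


if __name__ == "__main__":
    print(check_policy(POLICY) or "policy wiring matches the procedure")
```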
