F5 BIG-IP APM 14.1 - Consecutive Logon Page Configuration - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development on Jun 25, 2019Last modified by RSA Information Design and Development on Jun 25, 2019
Version 2Show Document
  • View in full screen mode

This section describes how to integrate F5 BIG-IP APM with RSA Authentication Manager using two consecutive login pages. The first page authenticates using RSA SecurID credentials and the second page using AD credentials. This method is compatible with Risk-Based Authentication.

Example Login Page Diagram

Perform these steps in this section to configure F5 BIG-IP APM to use consecutive logon page approach for coexistence of RSA SecurID Access authentication with AD authentication and SSO options.

Note:  It is assumed that F5 BIG-IP APM is integrated and tested with Risk Based Authentication, RSA Authentication Agent, RADIUS with AM or RADIUS with CAS already. The steps here show how to modify the existing access policy to enable use of AD authentication and SSO with already configured RSA SecurID Access authentication. It is also assumed that a Active Directory server is created and configured in F5. Instructions for configuring Active Directory server can be found in F5's documentation.

Note:  This example shows a RSA Authentication Agent integration type coexistence with AD authentication and SSO. If the integration type is RADIUS, all the instructions still hold good. But, the RSA SecurID block is replaced by RADIUS Auth block.

Procedure

1. Click Main > Access > Profiles / Policies > Access Profiles (Per Session Policies).

2. On the Access Profiles page, enter the name of the access profile to be modified in the search box and click Search.

3. Click on Edit... corresponding to the access profile to be modified.

4. Click the + sign on the successful branch of RSA SecurID block.

5. On the pop-up window, click on Logon tab and then click Logon Page radio button.

6. Click Add Item.

7. On the next pop-up window, do the following:

  1. Name: Enter a suitable name for this logon page.
  2. Under Logon Page Agent, edit the following in Row 2:
    • Select Type as None from the drop-down list.
    • Change Post Variable Name to field2.
    • Change Session Variable Name to field2.
  3. Under Logon Page Agent, edit the following in Row 1:
    • Select Type as Password from the drop-down list.
    • Change Post Variable Name to password.
    • Change Session Variable Name to password.
  4. Under Customization section, edit the following:
    • Change the Logon Page Input Field #1 caption to AD Password.
  5. Click Save.

8. Click on the + sign next to fallback branch of AD Logon Page block.

9. On the pop-up window, click on Authentication tab and then click AD Auth radio button.

10. Click Add Item.

11. On the next pop-up window, from the Server drop-down list, select the AD Server to be used for authenticating users. (The server should be created previously from Main > Access > Authentication > Active Directory).

12. Click Save.

13. Click on the + sign on the Successful branch of AD Auth block.

14. On the pop-up window, click on Assignment tab and then click SSO Credential Mapping radio button.

15. Click Add Item.

16. On the next pop-up window, click Save.

17. Click Apply Access Policy and then click Close.

 

Note:  The fully configured access profile for this integration:

 

Configuration is complete.

Return to Configuration Summary.

 

Attachments

    Outcomes