F5 APM with OIDC Web Duo Prompt

Question

DUO is retiring the iFrame support which has been working well for us. I am trying to implement the replacement found at https://duo.com/docs/f5bigip-web and APM Configuration to Support Duo MFA using iRule | DevCentral

This is our first JSON / OAuth implementation and I think I missed something in the setup

The DUO subroutine is implemented after the initial AD Authentication and Query

When I attempt to log on with the VPN client I get past the AD Authenticiaton but when the DUO challenge is to appear it fails and rolls back to the AD Authentication prompt screen.

The error I pulled out of the access report is

/Common/duosubroutine_act_oauth_client_ag: OAuth Client: authorization_code is required to get access_token for server '/Common/duo_server'

I am attempting to configure this as a per session policy. To my limited understanding I believe the secret is not being properly passed.

Could anyone provide steps for troubleshooting this?

Thank You

vulcana · Accepted Answer

For those who may run into this in the future sometimes it can be difficult to distinguish a _ from a - in the article.&nbsp; Should you run into this check for&nbsp;client_id&nbsp;parameter with type client-idresponse_type&nbsp;parameter with type response-typegrant_type&nbsp;parameter with type grant-typeredirect_uri&nbsp;parameter with type redirect-uri

thanu · Answer

Hi,We have configured F5 APM with Duo Universal prompt. When I try to access VDI, it gives login page and then redirects to api host but gets 404 error, Can anyone help me with this? I have been troubleshooting this but not getting anywhere.&nbsp;Thanks in Advance!

vulcana · Answer

As a 404 is not found I would check to make sure that you have correctly copied the API host name. This would be api-xxxxx.duosecurity.com in the URLs authentication and token URLs during the OAUTH provider configuration step. Make sure auto JWT is off.

Also check in the JSON web token creation step as that uses the API host name as well.

Finally double check that name in the irule. (around line 40)

I hope that gives you places to dig. Good luck.

thanu · Answer

Thanks for the quick response!&nbsp;I copied again and updated the api host api-xxxxx.duosecurity.com.&nbsp;On the iRule also I did change to api-xxxxx.duosecurity.com. After changes, it redirects to Duo.com page appended with our CLIENT ID.&nbsp;&nbsp;Suspecting API is found but client ID is hitting DUO page.&nbsp;Do we need to change or check anything from Duo side?&nbsp;Just another Question- While creating iRule event on VPE, ID should be iRule name, is it?

vulcana · Answer

DUO side is fairly straight forward.&nbsp; &nbsp;I have the universal prompt enabled, I have also turned on username normalization but I don't think you are actually getting as far as the username.&nbsp;&nbsp;&nbsp;The irule event id is JWT_CREATE&nbsp;This matches this line in the iruleif { $irname eq "JWT_CREATE" } {&nbsp;Which is around line 62

Forum Discussion

F5 APM with OIDC Web Duo Prompt

5 Replies

Recent Discussions

Ansible modules for F5OS

VPN fragmented IP packets dropped

iRule interpretation assistance

F5 Access Guard Deprecated: ZTA APM

Inquiry on F5's Maintenance Mode Feature for Pool Members

Related Content

Request and validate OAuth / OIDC tokens with APM

How to customise Azure AD OIDC user ID token for APM integration

Using Shape IBD to protect OIDC IdP from Bot Attacks in Open Banking scenarios

F5 edge client with OIDC and yubikey

Help with OIDC F5 Setup