APM Cookbook – Okta MFA Integration

Since the launch of the Okta and F5 Integration Guide I’ve seen interest in leveraging this partnership take off. One aspect I’ve enjoyed is watching how customers address pain points they were not able to address previously. For example, providing multi-factor authentication (MFA) for Microsoft Exchange Outlook Web Access (OWA).

This particular customer standardized on Okta’s MFA solution, but OWA was behind Microsoft Threat Management Gateway (TMG) and could not easily integrate with Okta. For this solution, F5’s Access Policy Manager (APM) will replace the TMG servers and leverage Okta’s on-premises RADIUS agent for MFA via Okta Verify, which supports push notification – by far my favorite feature.

I’ve included a video below that walks through the process of configuring Okta for RADIUS-based multifactor as well as configuring APM to leverage Okta’s RADIUS agent.

Okta Configuration

On the Okta administrator portal you’ll need to create a new Okta Sign-on policy under Security -> Policies. Once you name the new policy, you’ll need to add a rule.

The crucial part here is to select RADIUS for the “And Authenticates via” option.

F5 Configuration

The F5 APM configuration is pretty straightforward since you can use the built-in VPE macro template for RADIUS authentication, but we’ll need to create a RADIUS AAA object first.


Once the RADIUS AAA object is created, go ahead and create a new Access Profile and customize your VPE as shown below – for detailed steps please watch the attached video.


Pretty easy solution and we’re just scratching the surface on what is possible.  Can’t wait to start playing with Okta’s API via iRules LX!
