Manual Chapter : Adding subroutines for SAML Auth with and without MFA

Applies To:


BIG-IP APM

  • 15.0.1, 15.0.0

Adding subroutines for SAML Auth with and without MFA

Before you start, you need a per-request policy and SAML authentication (AAA) servers for authentication both with and without MFA.
Create the subroutines to allow continuous checks and reauthenticate with SAML and MFA when the user goes to a specific URL.
  1. From the Main tab, click Access > Profiles / Policies > Per-Request Policies.
  2. Find the policy you want to edit, and in the Per-Request Policy column, click Edit.
  3. In the per-request policy, click Add New Subroutine.
  4. Name the subroutine for use with SAML Auth and MFA. For example, APP Azure SAML Auth + MFA.
  5. Click Save.
  6. Expand the subroutine, and click the plus to add a new item.
  7. Click the Authentication tab, select SAML Auth, and click Add Item.
  8. Select the AAA Server for SAML Authentication with MFA. For example, /Common/app.example.com-azure-mfa.
  9. Click Save.
  10. In the subroutine, click Edit Terminals.
  11. Click Add Terminal.
  12. Select the red color for the new terminal, and name the unsuccessful terminal, for example, fail.
    You cannot name the failure terminal fallback.
  13. Create another subroutine for SAML Auth without MFA, name it accordingly, and for the AAA Server, select the non-MFA AAA server.
    Configure the terminals in the same way.
  14. On the MFA branch of the per-request policy, click the plus symbol.
  15. Click the Subroutines tab, select the SAML Auth with MFA subroutine you created, and click Add Item.
  16. On the non-MFA branch of the per-request policy, click the plus symbol.
  17. Click the Subroutines tab, select the SAML Auth without MFA subroutine you created, and click Add Item.
  18. Add any other items your per-request policy requires.
    This example shows a completed per-request policy with MFA and non-MFA subroutines, assigned by URL branching. A Pool Assign macro has also been added, which assigns a static pool after authentication succeeds. The Start of the policy has been removed for image clarity.
The per-request policy is now configured.
Configure a virtual server for the application, and attach the allow-all access policy and the authentication per-request policy.