Manual Chapter: Adding Okta MFA to a per-request policy
Applies To: BIG-IP APM 16.0.1, 16.0.0
Before you begin, the Okta site must be configured to allow APM policies to
interact with the Okta Factors API. You must also have created an Okta Connector
in APM and the per-request policy that you will edit here.
For environments that want to implement zero trust, APM per-request policies can
use Okta Multifactor Authentication (MFA) to authenticate requests at a more
granular level than the per-session policy alone. In this example, the
per-request policy performs a second factor of authentication with Okta MFA; the
Okta MFA agent must be placed in a subroutine. A few additional policy items are
added to make the use case work.
- On the Main tab, open the Per-Request Policies screen.
- In the Per-Request Policy column of the policy you created, click Edit. The visual policy editor opens the per-request policy in a separate window.
- In the policy, click Add New Subroutine, change the name to Okta MFA, and click Save.
- Expand the subroutine and click (+) to add a new item.
- Click the Assignment tab, select Variable Assign, and click Add Item. This step is needed only when the Logon Page agent is in the per-session policy, as in the use case developed here; skip it if the Logon Page agent is in the per-request policy.
- Click Add new entry, then click change.
- On the left, select Custom Variable and Secure, and type subsession.logon.last.username.
- On the right, select Session Variable and type session.logon.last.username. If you enabled Split domain from full Username in the Logon Page agent, type session.logon.last.logonname instead.
- Click Finished, then Save.
- Still in the subroutine, after Variable Assign, click (+) to add a new item.
- Click the Authentication tab, select Okta MFA, and click Add Item.
- For Okta Connector, select a previously created Okta Connector from the list.
- In the Customization section, optionally change the text and captions shown to users during multifactor authentication.
- Click Finished, then Save.
- Highly recommended: in the subroutine, click Subroutine Settings/Rename and set Subroutine Timeout to the maximum allowed value, 600 seconds (10 minutes). If the user takes more than two minutes to complete Okta verification or enrollment and the subroutine times out, the per-request policy restarts.
- Still in the subroutine, click Edit Terminals and change the terminals so that a failed or abandoned MFA challenge denies the request instead of falling through:
  - Click Add Terminal, add a terminal named Deny, make it red, and click Save.
  - On the Fallback branch, click the terminal, select Deny, and click Save.
- In the main part of the policy, click (+) to add a new item.
- Click the Subroutines tab, select the Okta MFA subroutine you created, and click Add Item.
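The properties the steps above configure (Variable Assign before the Okta MFA item, the secure subsession variable sourced from the right session variable, the 600-second subroutine timeout, the Deny fallback terminal, and the subroutine actually being called from the main flow) are easy to miss in the visual policy editor. The following is an added example, not code from this manual or from F5: a small linter over a constructed, simplified dict description of the policy. That dict layout and the key names in it are assumptions made for illustration; they are not the BIG-IP export format or the iControl REST representation, so the accessors have to be adapted to whatever policy dump you actually work from.

```python
"""Lint a simplified, constructed description of an APM per-request policy for
the properties this chapter's Okta MFA subroutine must have.

The dict layout used here is an assumption made for illustration only: it is
not the BIG-IP policy export format or the iControl REST representation, and
the key names are hypothetical. Adapt the accessors to your own policy dump."""
import copy

# Maximum Subroutine Timeout the visual policy editor accepts, in seconds.
SUBROUTINE_TIMEOUT_MAX = 600
SUBROUTINE_NAME = "Okta MFA"


def expected_username_source(split_domain: bool) -> str:
    """Session variable the Variable Assign item must copy from. With 'Split
    domain from full Username' enabled on the Logon Page agent, the bare user
    name is in session.logon.last.logonname, not session.logon.last.username."""
    return "session.logon.last.logonname" if split_domain else "session.logon.last.username"


def lint_okta_mfa_policy(policy: dict, split_domain: bool = False) -> list:
    """Return a list of findings; an empty list means the policy matches the chapter."""
    findings = []
    sub = policy.get("subroutines", {}).get(SUBROUTINE_NAME)
    if sub is None:
        return [f"policy has no subroutine named {SUBROUTINE_NAME!r}"]

    # The main flow has to invoke the subroutine, otherwise MFA never runs.
    if SUBROUTINE_NAME not in policy.get("main_items", []):
        findings.append(f"main policy does not call the {SUBROUTINE_NAME!r} subroutine")

    # A short timeout restarts the whole per-request policy mid-enrollment.
    timeout = sub.get("timeout", 0)
    if timeout < SUBROUTINE_TIMEOUT_MAX:
        findings.append(f"subroutine timeout is {timeout}s; set it to {SUBROUTINE_TIMEOUT_MAX}s")

    # Anything that is not a successful MFA result must end in Deny.
    if sub.get("fallback_terminal") != "Deny":
        findings.append("subroutine fallback terminal must be 'Deny'")

    items = sub.get("items", [])
    agents = [item.get("agent") for item in items]
    if "Okta MFA" not in agents:
        findings.append("subroutine has no Okta MFA item")
        return findings
    okta_index = agents.index("Okta MFA")
    if not items[okta_index].get("okta_connector"):
        findings.append("Okta MFA item has no Okta Connector selected")

    # Variable Assign is required only when the Logon Page agent lives in the
    # per-session policy. The Okta MFA agent reads the subsession variable, so
    # the assignment must precede it in the subroutine.
    if policy.get("logon_page_in_per_session", True):
        want = expected_username_source(split_domain)
        good = [
            i for i, item in enumerate(items)
            if item.get("agent") == "Variable Assign"
            and item.get("custom_variable") == "subsession.logon.last.username"
            and item.get("secure") is True
            and item.get("session_variable") == want
        ]
        if not good:
            findings.append(f"missing secure Variable Assign subsession.logon.last.username <- {want}")
        elif good[0] > okta_index:
            findings.append("Variable Assign must come before the Okta MFA item")
    return findings


# Constructed sample that follows the chapter's steps exactly.
GOOD_POLICY = {
    "logon_page_in_per_session": True,
    "main_items": ["Okta MFA"],
    "subroutines": {
        "Okta MFA": {
            "timeout": 600,
            "fallback_terminal": "Deny",
            "items": [
                {"agent": "Variable Assign", "custom_variable": "subsession.logon.last.username",
                 "secure": True, "session_variable": "session.logon.last.username"},
                {"agent": "Okta MFA", "okta_connector": "okta_connector_1"},  # hypothetical connector name
            ],
        }
    },
}


def weakened_policy() -> dict:
    """Same policy with a two-minute timeout, a fall-through terminal and the
    items in the wrong order, to show what the linter reports."""
    p = copy.deepcopy(GOOD_POLICY)
    sub = p["subroutines"][SUBROUTINE_NAME]
    sub["timeout"] = 120
    sub["fallback_terminal"] = "Out"
    sub["items"].reverse()
    return p


if __name__ == "__main__":
    print("good:", lint_okta_mfa_policy(GOOD_POLICY))
    print("weakened:", lint_okta_mfa_policy(weakened_policy()))
    print("split-domain mismatch:", lint_okta_mfa_policy(GOOD_POLICY, split_domain=True))
```

Running the linter with split_domain=True against the good policy reports the Variable Assign mismatch, which is the case the note in the steps warns about: once Split domain from full Username is enabled, the Okta MFA agent otherwise receives an empty or wrong user name and the second factor fails for everyone.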
You have created a simple per-request policy that performs Okta MFA as a step-up
in the Okta MFA subroutine; the main policy flow does nothing more than call that
subroutine.
Make sure to associate both the per-session policy and the per-request policy
with the virtual server that fronts the resources you want to protect; a
per-request policy that is not attached to the virtual server enforces nothing.