Get SSO on F5 Firepass with OTP

Some customers use the F5 Firepass appliance for remote access to internal resources. One of its useful features is that it can wrap an RDP/Citrix session inside the browser (a plug-in is required) and can also pass the logon information on to the backend system for SSO (Single Sign-On).
Some customers do not log on with a plain user ID and password but with two-factor authentication (two pieces: something you have and something you know). We are using both RSA SecurID and an OTP password generator from Mideye.
One problem we had with the OTP was that SSO stopped working with “wrong username and password”. The cause was that the F5 variable used for SSO stored the OTP code instead of the domain password.
Example of SSO not working:
  1. Logon to the portal using domain\userid and P@ssword
  2. Getting the OTP on SMS (123456)
  3. Open a Citrix/RDP session (Firepass sends domain\userid and 123456)
  4. Getting error message “wrong username and password”
However, F5 Firepass also stores the domain password entered at logon in a separate variable, and that variable can be selected as the password used for SSO within the F5 session.
Change the SSO password to the domain password entered at logon:
  1. Logon to the F5 Firepass admin interface (web)
  2. Users > Groups > Master Groups
  3. Open the correct Master Group
  4. Go to the “SSO” tab
  5. Change/add %username% as the Username:
  6. Change/add %primarypassword% as the Password:
  7. Click Update
With this change, SSO works even when two-factor authentication is used on the F5 Firepass solution.
