Skip navigation
Duo Blog
Admin Login
Documentation

F5 BIG-IP APM with OIDC Web Duo Prompt

Last Updated: May 15th, 2025

Contents

Related

The F5 BIG-IP APM supports Duo two-factor authentication via OIDC, offering inline self-service enrollment and authentication with Duo Universal Prompt.

Overview

In this configuration, F5's BIG-IP APM acts as an Open ID Connect (OIDC) client and Duo acts as an identity provider for two-factor authentication, showing the interactive web-based Duo prompt. Unlike the Duo RADIUS configurations for F5 BIG-IP APM, there is no need to deploy any Duo software on your premises.

Use of Duo as an OIDC provider works with either F5 Modern or Standard customization. If your BIG-IP is at version 11 or 12 and you cannot update to a version that supports OIDC/OAuth, consider use of the Duo RADIUS with Auto Push configuration.

Prerequisites

Use of Duo as an OIDC/OAuth provider for BIG-IP APM requires the following:

  • BIG-IP versions 13.1, 14.1x, 15.1x, 16.x, or later. Verify that your BIG-IP is running one of these versions before continuing.
  • A primary authentication server configured for APM logins, typically an Active Directory domain controller or LDAP directory server.
  • Direct outbound access from the BIG-IP to Duo's cloud service via HTTPS/443.
  • DNS configured on the BIG-IP so it can perform lookups and resolve your Duo account's API hostname (i.e. api-XXXXXXXX.duosecurity.com).
  • NTP configured on the BIG-IP with a reachable time server so that the device's time is correct.
  • The URL for accessing APM must be a valid HTTPS URL and port, using an RFC-1034-compliant hostname (not an IP address), with a maximum length of 1024 characters.

First Steps

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to ApplicationsApplication Catalog.
  3. Locate the entry for F5 BIG-IP APM Web with the "2FA" label in the catalog. Click the + Add button to create the application, and get your Client ID, Client secret, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications with Duo and additional application options.
  4. No users can log in to new applications until you grant access. Update the User access setting to grant access to this application to users in selected Duo groups, or to all users. Learn more about user access to applications. If you do not change this setting now, be sure to update it so that your test user has access before you test your setup.

Duo Universal Prompt

The Duo Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.

Universal Prompt Traditional Prompt
 Duo Push in Universal Prompt  Duo Push in Traditional Prompt

We've already updated the Duo F5 BIG-IP APM Web application hosted in Duo's service to support the Universal Prompt, so there's no action required on your part to update the application itself. If you created your F5 BIG-IP APM Web application before March 2024, you can activate the Universal Prompt experience for users from the Duo Admin Panel. F5 BIG-IP APM Web applications created after March 2024 have the Universal Prompt activated by default.

If you created your F5 BIG-IP APM Web application before March 2024, it's a good idea to read the Universal Prompt Update Guide for more information, about the update process and the new login experience for users, before you activate the Universal Prompt for your application.

Activate Universal Prompt

Activation of the Universal Prompt is a per-application change. Activating it for one application does not change the login experience for your other Duo applications.

The "Universal Prompt" area of the application details page shows that this application is "Ready to activate", with these activation control options:

  • Show traditional prompt: Your users experience Duo's traditional prompt via redirect when logging in to this application.
  • Show new Universal Prompt: (Default) Your users experience the Universal Prompt via redirect when logging in to this application.

The application's Universal Prompt status shows "Activation complete" here and on the Universal Prompt Update Progress report.

Universal Prompt Info - Universal Prompt Activation Complete

Should you ever want to roll back to the traditional prompt, you can return to this setting and change it back to Show traditional prompt. However, this will still deliver the Duo prompt via redirect, not in an iframe. Keep in mind that support for the traditional Duo prompt ended for the majority of applications in March 2024.

Universal Update Progress

Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.

Configure your BIG-IP APM

Refer to the article APM Configuration to Support Duo MFA using iRule on F5 DevCentral and follow those step-by-step instructions for adding Duo OIDC/OAuth authentication to your APM logins, using the F5 BIG-IP APM Web application you created earlier.

Migration from Duo Authentication Proxy Solutions to Duo OAuth

If you currently protect your F5 BIG-IP logins with a Duo RADIUS with iframe Duo traditional prompt, RADIUS with auto push, or LDAP configuration featuring primary authentication at the Duo Authentication Proxy, please update your F5 BIG-IP access policies so that primary authentication requests route directly to your AD domain controller, LDAP directory server, or RADIUS server instead of passing through the Duo proxy.

Users of the Duo RADIUS with iframe Duo traditional prompt solution should also remove edits made to the header.inc access profile file to add the Duo script URL during initial Duo deployment.

  1. On your F5 BIG-IP device, navigate to Access PolicyCustomizationAdvanced and change the "Edit Mode" to Advanced.

  2. Navigate through the "Access Profiles" tree to the Common folder beneath your Access Policy.

  3. Click on the header.inc item and locate the script tag pointing to Duo:

    <script src="https://api-XXXXXXXX.duosecurity.com/frame/hosted/Duo-F5-BIG-IP-v2.js"></script>
    F5 BIG-IP APM Access Profile Duo Script in Editor

  4. Delete the entire Duo script line, including the closing </script> tag.

  5. Save the customization changes and return to the "Access Profile List" page. The profile you just modified may have a yellow status flag. If so, click the checkbox next to that policy to select it and then click Apply Access Policy. The status flag will turn green.

Test Your Setup

To test your setup, go to the URL you normally use to log in to your F5 BIG-IP APM in a browser window. After you complete primary authentication at the F5 BIG-IP, you'll be redirected to the Duo Prompt or Duo user enrollment. Completing Duo authentication returns you to the BIG-IP to complete your login.

OIDC Duo Prompt

*Universal Prompt experience shown.

The BIG-IP Edge Client also supports authentication with the Duo Prompt.

Grant Access to Users

If you did not already grant user access to the Duo users you want to use this application be sure to do that before inviting or requiring them to log in with Duo.

Troubleshooting

Need some help? Reach out to Duo Support for assistance with creating the F5 BIG-IP APM Web application in Duo, enrolling users in Duo, Duo policy questions, or Duo authentication approval issues. For assistance configuring or managing your BIG-IP device, including creating the iRule or updating the APM access policies, please contact F5 Support.