F5 BIG-IP APM with OIDC Web Duo Prompt

Last Updated: April 8th, 2021

The F5 BIG-IP APM supports Duo two-factor authentication via OIDC, complete with inline self-service enrollment and Duo Prompt.

Overview

In this configuration, F5's BIG-IP APM acts as an OpenID Connect (OIDC) client and Duo acts as an identity provider for two-factor authentication, showing the interactive web-based Duo prompt. Unlike the Duo RADIUS configurations for F5 BIG-IP APM, there is no need to deploy any Duo software on your premises.

Use of Duo as an OIDC provider is supported in BIG-IP versions 13.1, 14.1x, 15.1x, and 16.x. Verify that your BIG-IP is running one of these versions before continuing. If your BIG-IP is at version 11 or 12 and you cannot update, consider use of the Duo RADIUS configuration.

First Steps

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate the entry for F5 BIG-IP APM Web in the applications list. Click Protect to the far right to configure the application and get your Client ID, Client secret, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.

    Previously, the Client ID was called the "Integration key" and the Client secret was called the "Secret key".

Duo Universal Prompt

Duo's next-generation authentication experience, the Universal Prompt, is coming to web-based applications that display the current Duo Prompt in browsers.

Migration to Universal Prompt for your F5 BIG-IP APM Web application is a two-step process:

  • Duo updates the F5 BIG-IP APM Web application to support the Universal Prompt.
  • You activate the Universal Prompt experience for users of that Duo F5 BIG-IP APM Web application (when the Universal Prompt becomes available).

We've already updated the Duo F5 BIG-IP APM Web application hosted in Duo's service to support the Universal Prompt when it's ready, so there's no action required on your part to update the application. The "Universal Prompt" section of this application's details page in the Admin Panel reflects this status today as "Waiting on Duo".

Activate Universal Prompt

When the Universal Prompt becomes available, you'll return here to activate it for users of this application. The status will change to "New Prompt Ready", and you'll see the control here for turning it on or off. Until then, your users continue to experience the current Duo prompt.

Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support.

Read the Universal Prompt Update Guide for more information about the update process to support the new prompt, and watch the Duo Blog for future updates about the Duo Universal Prompt.

Universal Prompt Private Preview

If you're interested in participating in a private preview of the Universal Prompt experience, please apply using this form.

Configure your BIG-IP APM

Refer to the article APM Configuration to Support Duo MFA using iRule on F5 DevCentral and follow those step-by-step instructions for adding Duo authentication to your APM logins.

Do not create a WebSDK application as mentioned in the F5 article. Instead use the F5 BIG-IP APM Web application you created earlier.

Test Your Setup

To test your setup, go to the URL you normally use to log in to your F5 BIG-IP APM in a browser window. After you complete primary authentication at the F5 BIG-IP, you'll be redirected to the Duo Prompt or Duo user enrollment. Completing Duo authentication returns you to the BIG-IP to complete your login.

Troubleshooting

Need some help? Reach out to Duo Support for assistance with creating the F5 BIG-IP APM Web application in Duo, enrolling users in Duo, Duo policy questions, or Duo authentication approval issues. For assistance configuring or managing your BIG-IP device, please contact F5 Support.