The F5 BIG-IP APM supports Duo two-factor authentication via OIDC, offering inline self-service enrollment and authentication with Duo Universal Prompt.
In this configuration, F5's BIG-IP APM acts as an OpenID Connect (OIDC) client and Duo acts as an identity provider for two-factor authentication, showing the interactive web-based Duo prompt. Unlike the Duo RADIUS configurations for F5 BIG-IP APM, there is no need to deploy any Duo software on your premises.
Use of Duo as an OIDC provider is supported in BIG-IP versions 13.1, 14.1x, 15.1x, and 16.x and works with either F5 Modern or Standard customization. Verify that your BIG-IP is running one of these versions before continuing. If your BIG-IP is at version 11 or 12 and you cannot update, consider using the Duo RADIUS with Auto Push configuration instead.
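The version check described above can be scripted when several BIG-IP devices are in scope. This is an added example, not part of Duo's or F5's documentation: it assumes the text output of `tmsh show sys version` has been collected from each device, reads "14.1x" and "15.1x" as 14.1.x and 15.1.x, and uses constructed device names and sample output.

```python
import re

# Branches this page lists as supporting Duo as an OIDC provider.
# Assumption: "13.1", "14.1x" and "15.1x" mean any 13.1.x / 14.1.x / 15.1.x
# release, and "16.x" means any 16 release.
SUPPORTED_BRANCHES = {(13, 1), (14, 1), (15, 1)}
SUPPORTED_MAJORS = {16}
# Versions for which the page suggests Duo RADIUS with Auto Push instead.
RADIUS_FALLBACK_MAJORS = {11, 12}

# Matches the "Version" row of `tmsh show sys version`, e.g. "  Version  15.1.2.1".
VERSION_RE = re.compile(r"^\s*Version\s+(\d+)\.(\d+)(?:\.[\d.]+)?\s*$", re.MULTILINE)


def parse_version(tmsh_output):
    """Return (major, minor) from `tmsh show sys version` text, or None."""
    m = VERSION_RE.search(tmsh_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(tmsh_output):
    """Return 'oidc', 'radius-auto-push', 'not-listed' or 'unknown'."""
    ver = parse_version(tmsh_output)
    if ver is None:
        return "unknown"            # output missing or in an unexpected format
    if ver in SUPPORTED_BRANCHES or ver[0] in SUPPORTED_MAJORS:
        return "oidc"
    if ver[0] in RADIUS_FALLBACK_MAJORS:
        return "radius-auto-push"
    return "not-listed"             # e.g. 14.0.x: not named on this page


def audit(fleet):
    """Classify every device in a {name: tmsh_output} mapping."""
    return {name: classify(out) for name, out in fleet.items()}


def sample_output(version):
    """Build constructed `tmsh show sys version` text for a given version."""
    return ("Sys::Version\nMain Package\n  Product     BIG-IP\n"
            f"  Version     {version}\n  Build       0.0.0\n")


# Constructed fleet: hypothetical device names and versions.
SAMPLE_FLEET = {
    "bigip-a": sample_output("15.1.2.1"),
    "bigip-b": sample_output("12.1.5.3"),
    "bigip-c": sample_output("14.0.0"),
    "bigip-d": "connection timed out",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_FLEET).items():
        print(f"{name}: {verdict}")
```

Devices reported as `not-listed` or `unknown` need a manual check against the supported versions before the OIDC configuration is attempted.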
Previously, the Client ID was called the "Integration key" and the Client secret was called the "Secret key".
The new Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.
[Screenshot comparison: Universal Prompt and Traditional Prompt]
We've already updated the Duo F5 BIG-IP APM Web application hosted in Duo's service to support the Universal Prompt, so there's no action required on your part to update the application itself. You can activate the Universal Prompt experience for users of new and existing Duo F5 BIG-IP APM Web applications from the Duo Admin Panel.
Before you activate the Universal Prompt for your application, it's a good idea to read the Universal Prompt Update Guide for more information about the update process and the new login experience for users.
Activation of the Universal Prompt is a per-application change. Activating it for one application does not change the login experience for your other Duo applications.
The "Universal Prompt" area of the application details page shows that this application is "New Prompt Ready", with these activation control options:
Enable the Universal Prompt experience by selecting Show new Universal Prompt, and then scrolling to the bottom of the page to click Save.
Once you activate the Universal Prompt, the application's Universal Prompt status shows "Update Complete" here and on the Universal Prompt Update Progress report.
Should you ever want to roll back to the traditional prompt, you can return to this setting and change it back to Show traditional prompt. However, this will still deliver the Duo prompt via redirect, not in an iframe.
Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.
Refer to the article APM Configuration to Support Duo MFA using iRule on F5 DevCentral and follow those step-by-step instructions for adding Duo authentication to your APM logins, using the F5 BIG-IP APM Web application you created earlier.
To test your setup, go to the URL you normally use to log in to your F5 BIG-IP APM in a browser window. After you complete primary authentication at the F5 BIG-IP, you'll be redirected to the Duo Prompt or Duo user enrollment. Completing Duo authentication returns you to the BIG-IP to complete your login.
*Universal Prompt experience shown.
The BIG-IP Edge Client also supports authentication with the Duo Prompt.
Need some help? Reach out to Duo Support for assistance with creating the F5 BIG-IP APM Web application in Duo, enrolling users in Duo, Duo policy questions, or Duo authentication approval issues. For assistance configuring or managing your BIG-IP device, including creating the iRule or updating the APM access policies, please contact F5 Support.