Certified: February 14, 2025
Solution Summary
This guide describes F5 BIG-IP APM integration with RSA ID Plus. Use this information to determine which use case and integration type your deployment will employ.
Use Case
F5 BIG-IP APM can be integrated with RSA using RADIUS, SAML My Page SSO, SAML Relying Party, Authentication Agent, and Risk-Based Authentication. When integrated, F5 BIG-IP APM users must authenticate with RSA to sign in to F5 BIG-IP APM.
Integration Types
RADIUS integrations provide a text-driven interface for RSA within the partner application. RADIUS provides support for most RSA authentication methods and flows.
Authentication Agent integrations use an embedded RSA agent to provide RSA and Authenticate Tokencode authentication methods within the partner’s application. Authentication agents are simple to configure and support the highest rate of authentications.
Risk-Based Authentication integrations use customized scripts to direct users’ browsers to RSA for authentication. Risk-Based Authentication leverages an Authentication Agent or RADIUS integration to sign in to the partner application.
My Page SSO provides Single-Sign-On (SSO) to F5 BIG-IP APM users leveraging RSA self-service portal My Page. Both SP-initiated SSO and IdP-initiated SSO are supported.
Modern Cloud-hosted SSO with My Page replaces the existing SAML SSO support with the IDR.
Existing SSO integrations using IDR My Applications continue to be supported and will be listed in this document as applicable.
Note: RSA will continue to maintain existing SAML SSO integrations using IDR My Applications. At a to-be-determined future date, RSA will announce the end-of-life (EOL) date for the SAML SSO support with the IDR. For more information Available Now: My Page SSO Enhancements.
Relying Party integration allows F5 BIG-IP APM users’ web browsers to be automatically redirected to RSA Cloud Authentication Service for authentication. With Relying Party integration, Cloud Authentication Service can manage either additional authentication only or both primary authentication (for example, user ID and password) and additional authentication depending on the service provider's capability.
Internal Applications and/or Identity Management System: When integrated, users must authenticate with RSA ID Plus to create sessions to internal applications and/or identity management systems using adapters.
Bridge between RSA SAML IdP and Partner Service Providers: When integrated, users must authenticate with RSA ID Plus to create sessions to partner Service Providers using authentication policy contracts.
Supported Features
This section shows all the supported features by integration type and by RSA components. Use this information to determine which integration type and RSA component your deployment will use. The next section in this guide contains the instruction steps for how to integrate RSA with F5 BIG-IP APM using each integration type.
F5 BIG-IP APM Integration with RSA Cloud Authentication Service
| Authentication Methods | RSA MFA API (REST) | RADIUS | Relying Party | My Page SSO |
| Approve | - | |||
| LDAP Password | - | |||
| SecurID OTP | - | |||
| Authenticate OTP | - | |||
| Device Biometrics | - | |||
| SMS OTP | - | |||
| Voice OTP | - | |||
| FIDO Security Key | - | n/a | ||
| QR Code | - | |||
| Emergency Access Code | - |
F5 BIG-IP APM Integration with RSA Authentication Manager
| Authentication Methods | RSA MFA API (REST) | RADIUS | Authentication Agent |
|---|---|---|---|
| RSA SecurID | - | ||
| On Demand Authentication | - | ||
| Risk-Based Authentication | n/a |
| Supported | |
| - | Not supported |
| n/t | Not yet tested or documented, but may be possible |
| n/a | Not applicable |
Configuration Summary
This section contains instruction steps that show how to integrate F5 BIG-IP APM with RSA for cloud administrators using all of the integration types.
This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products to install the required components.
All RSA and F5 BIG-IP APM components must be installed and working prior to the integration.
All the supported use cases of RSA with F5 BIG-IP APM require both server-side and client-side configuration changes. This section of the guide includes links to the appropriate sections for configuring both sides for each use case.
Integration Configuration
RSA Cloud Authentication Service
RSA Authentication Manager
Use Case Configuration
Coexistence with AD Authentication and SSO Configuration
RSA Terminology Changes
The following table describes the differences in the terminologies used in the different versions of RSA products and components.
| Previous Version | New Version | Examples/Comments |
| Company ID | Organization ID | |
| Account | Credential | |
| Token | OTP Credential | SecurID OTP Credential |
| Tokencode | OTP/Access Code | SecurID OTP, SMS OTP, Voice OTP Emergency Access Code, Disable Access Code |
| Hardware Token | Hardware Authenticator | |
| Device Serial Number | Binding ID | |
| Device | Credential/Authenticator | |
| Device Registration Code | Registration Code | |
| Authenticate App | Authenticator App |
Certification Details
RSA Cloud Authentication Service
RSA Authentication Manager 8.3, Virtual Appliance
RSA Authentication Agent API 8.1 for C
F5 BIG-IP APM 12.2
Known Issues
No known issues.
