Trouble implementing multi-stage authentication (AD + Duo)
I'm trying to implement an unusual multi-stage, multi-factor authentication process, and I'm getting hung up for reasons that aren't clear to me.
Here's the existing, and working, system: The user actually authenticates to another system (legacy stuff), then the F5 gets the username and password handed back via HTTP parameters. APM populates session.logon.last.username and .password from this info via iRule and APM Variable Assign. I show the user a blank login page, that has embedded JavaScript; that JS prompts the user to complete Duo's multi-factor auth process. Assuming this is done successfully, the session is established and the user can use our application.
(There's more to it, including iRules that completely disable all of the above for certain on-site IP addresses, but those are the important bits.)
Here's what that looks like in the APM:
(Ignore the "IP Check Macro" in the above; it's not used. The IP checks are now done via iRule, checking an IP list datagroup.)
I've been asked to try to add another step, before presenting the Duo login screen. One of the systems this policy protects is our HR system, and former employees may need to access their tax forms from years past, update contact info, and so on. We don't want to make someone who is no longer affiliated with us jump through a bunch of extra hoops for a one-off. So, we want to do an AD group check, to see if the user is an active employee. That check is simple enough, by itself. Here's what that all looks like, on a different F5 APM:
If I remove the "AD Group Check Macro" from the main APM flow, everything works perfectly. This is what I'd expect, because everything is identical. Similarly, if the user logging in is NOT a member of a group where the multi-factor check is required, everything works (because nothing happens, and the user is sent straight to an "Allow" terminator).
But if the user is a member of the groups I'm checking for in the AD Query, the whole thing seems to hang. The session log shows that I hit the "Need Duo" end of the macro, but it doesn't proceed past there. The browser appears hung on a "/my.policy" page; the source of that page is AFAICT identical to the source of the page when the macro isn't even in play. (Since it's the same "Logon Page" element, this of course makes sense.)
I'm kinda stumped here. All the values should be completely identical, but when I do a seemingly unrelated AD query before showing the logon page, the logon page no longer works. Any ideas, or even suggestions on how better to troubleshoot this?
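For the troubleshooting question at the end of the post, here is an added example (not from the original poster and not F5's own tooling): a short script that rebuilds each APM session's policy path from the apmd "Following rule ... from item ... to item/ending ..." messages, so the path of a hung session can be diffed against the path of a working one. The log sample is constructed; its line shape follows what apmd writes to /var/log/apm, but the exact field layout on a given box (policy name, partition, session id) is an assumption and the regex may need adjusting. Session ids, hosts, addresses and item names are made up.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of /var/log/apm lines. Session aaaa1111 goes
# through the AD group check macro and is parked at the logon page; session
# bbbb2222 skips the macro and completes. All values are made up.
SAMPLE_LOG = """\
Mar  3 10:01:02 bigip1 notice apmd[4321]: 01490500:5: /Common/hr_policy:Common:aaaa1111: New session from client IP 203.0.113.10 at VIP 198.51.100.5 Listener /Common/hr_vs
Mar  3 10:01:02 bigip1 notice apmd[4321]: 01490005:5: /Common/hr_policy:Common:aaaa1111: Following rule 'fallback' from item 'Start' to item 'Variable Assign'
Mar  3 10:01:02 bigip1 notice apmd[4321]: 01490005:5: /Common/hr_policy:Common:aaaa1111: Following rule 'fallback' from item 'Variable Assign' to item 'AD Group Check Macro'
Mar  3 10:01:03 bigip1 notice apmd[4321]: 01490005:5: /Common/hr_policy:Common:aaaa1111: Following rule 'fallback' from item 'AD Group Check Macro' to item 'AD Query'
Mar  3 10:01:03 bigip1 notice apmd[4321]: 01490005:5: /Common/hr_policy:Common:aaaa1111: Following rule 'Employee' from item 'AD Query' to ending 'Need Duo'
Mar  3 10:01:03 bigip1 notice apmd[4321]: 01490005:5: /Common/hr_policy:Common:aaaa1111: Following rule 'Need Duo' from item 'AD Group Check Macro' to item 'Logon Page'
Mar  3 10:02:15 bigip1 notice apmd[4321]: 01490500:5: /Common/hr_policy:Common:bbbb2222: New session from client IP 203.0.113.11 at VIP 198.51.100.5 Listener /Common/hr_vs
Mar  3 10:02:15 bigip1 notice apmd[4321]: 01490005:5: /Common/hr_policy:Common:bbbb2222: Following rule 'fallback' from item 'Start' to item 'Variable Assign'
Mar  3 10:02:15 bigip1 notice apmd[4321]: 01490005:5: /Common/hr_policy:Common:bbbb2222: Following rule 'fallback' from item 'Variable Assign' to item 'Logon Page'
Mar  3 10:02:40 bigip1 notice apmd[4321]: 01490005:5: /Common/hr_policy:Common:bbbb2222: Following rule 'fallback' from item 'Logon Page' to item 'Duo Check'
Mar  3 10:02:41 bigip1 notice apmd[4321]: 01490005:5: /Common/hr_policy:Common:bbbb2222: Following rule 'Successful' from item 'Duo Check' to ending 'Allow'
"""

# Assumed layout: "<code>:<level>: <policy>:<partition>:<session id>: <message>".
LINE_RE = re.compile(
    r"apmd\[\d+\]: (?P<code>[0-9A-Fa-f]{8}):\d+: (?P<policy>\S+?):(?P<sid>[0-9a-f]{8}): (?P<msg>.*)$"
)
STEP_RE = re.compile(
    r"Following rule '(?P<rule>[^']*)' from item '(?P<src>[^']*)' to (?P<kind>item|ending) '(?P<dst>[^']*)'"
)


def parse_line(line):
    """Return {sid, code, msg[, step]} for an apmd line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"sid": m.group("sid"), "code": m.group("code"), "msg": m.group("msg")}
    s = STEP_RE.search(rec["msg"])
    if s:
        rec["step"] = (s.group("src"), s.group("rule"), s.group("kind"), s.group("dst"))
    return rec


def trace_sessions(log_text):
    """Map session id -> ordered list of (from_item, rule, kind, to) transitions."""
    traces = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        traces.setdefault(rec["sid"], [])
        if "step" in rec:
            traces[rec["sid"]].append(rec["step"])
    return traces


def last_position(steps):
    """Where the session was last seen: (kind, name) of its final transition target."""
    if not steps:
        return None
    _, _, kind, dst = steps[-1]
    return kind, dst


def waiting_sessions(traces):
    """Sessions whose last logged transition lands on an item rather than an ending.
    Such a session is parked at that item (for example waiting for the browser to
    post the logon form), which is where to start looking when a policy appears to hang."""
    return {sid: steps[-1][3] for sid, steps in traces.items()
            if steps and steps[-1][2] == "item"}


def first_divergence(traces, sid_a, sid_b):
    """Index of the first transition where two sessions took different paths,
    or None if one path is a prefix of the other."""
    for i, (x, y) in enumerate(zip(traces[sid_a], traces[sid_b])):
        if x != y:
            return i
    return None


def format_trace(sid, steps):
    lines = [f"session {sid}:"]
    for src, rule, kind, dst in steps:
        lines.append(f"  {src} --[{rule}]--> {kind} {dst}")
    return "\n".join(lines)


if __name__ == "__main__":
    traces = trace_sessions(SAMPLE_LOG)
    for sid, steps in traces.items():
        print(format_trace(sid, steps))
    print("parked at an item:", waiting_sessions(traces))
    print("first divergence:", first_divergence(traces, "aaaa1111", "bbbb2222"))
```

Run it against a real capture (for example the output of `grep apmd /var/log/apm`) and compare the hung session's path with a working session's path; the first divergence is the last point at which both sessions were still behaving the same way, and whatever the parked item is waiting on (a form post, a redirect, a JavaScript step) is the next thing to inspect in the browser.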