Forum Discussion

Frank_ten_Wolde's avatar
Icon for Nimbostratus rankNimbostratus
Oct 06, 2023

APM Edge client logout when revoking user from AzureAD/MS Entra

When using APM Edge Client with AzureAD/MS Entra/SAML authentication, is it possible to actively disconnect a user's VPN connection when he/she is 'removed' or 'revoked' from AzureAD?

I.e., can I setup Edge Client in such a way that the client periodically checks that the user still has the access rights to use the Edge Client connection? Like the 'continuous' client check if AV is still running (if AV stops, Edge Client terminates the connection).

2 Replies

  • f51's avatar
    Icon for Cirrostratus rankCirrostratus

    In F5 APM , there's a feature called "Session Lifetime" that controls how long a user's session can be active. However, this feature is based on a defined time interval, not on changes in a user's status in AzureAD. This means that if a user is removed or revoked from AzureAD, their active session will not be immediately terminated but will continue until the session lifetime expires.

    For the kind of real-time revocation you're looking for, the F5 APM would need the ability to query AzureAD in real-time to check the status of a user, which to the best of my knowledge, isn't a built-in feature.

    However, you might be able to achieve something similar by implementing a custom solution involving AzureAD's API and F5 iRules or using a third-party identity management solution that supports real-time revocation.

    As for the Edge Client, it has features for checking system parameters like antivirus status, but I'm not aware of it having a built-in feature for real-time checking of a user's status in AzureAD.

    • Frank_ten_Wolde's avatar
      Icon for Nimbostratus rankNimbostratus

      Exactly my thought as well. Perhaps there is a way to have something updated in the registry, based on the AzureAD state of the user. Then, we can use a client (ongoing) registry check to validate the session.

      I will have to think about this. In the meantime, if anyone has a bright idea :-)...