APM Edge client logout when revoking user from AzureAD/MS Entra
When using APM Edge Client with AzureAD/MS Entra/SAML authentication, is it possible to actively disconnect a user's VPN connection when he/she is 'removed' or 'revoked' from AzureAD? I.e., can I se...
In F5 APM, there's a feature called "Session Lifetime" that controls how long a user's session can be active. However, this feature is based on a defined time interval, not on changes in a user's status in AzureAD. This means that if a user is removed or revoked from AzureAD, their active session will not be immediately terminated but will continue until the session lifetime expires.
For the kind of real-time revocation you're looking for, the F5 APM would need the ability to query AzureAD in real-time to check the status of a user, which to the best of my knowledge, isn't a built-in feature.
However, you might be able to achieve something similar by implementing a custom solution involving AzureAD's API and F5 iRules or using a third-party identity management solution that supports real-time revocation.
As for the Edge Client, it has features for checking system parameters like antivirus status, but I'm not aware of it having a built-in feature for real-time checking of a user's status in AzureAD.
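One shape the "custom solution" above could take is a small reconciliation loop that runs off-box: list the active APM sessions, ask the directory whether each user is still enabled, and revoke the sessions of anyone who is disabled or gone. The script below is an added example, not F5's or Microsoft's code and not something from this thread. It assumes that the APM session list gives you the session id together with `session.logon.last.username` and that this value is the UPN Entra knows the user by; that user state is read from Microsoft Graph with `GET /v1.0/users/{upn}?$select=accountEnabled`, where a 404 means the user has been deleted from the tenant; and that revocation is done on the BIG-IP with `sessiondump --delete <sid>`. The sample sessions and directory contents are constructed so the module runs offline.

```python
"""Reconcile active F5 APM sessions against user state in Azure AD / MS Entra.

Added illustration, not vendor code. Assumptions (see lead-in): session list
carries (session id, session.logon.last.username == UPN), user state comes
from Graph's accountEnabled, and revocation is `sessiondump --delete <sid>`.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List

ENABLED, DISABLED, MISSING, UNKNOWN = "enabled", "disabled", "missing", "unknown"


@dataclass(frozen=True)
class ApmSession:
    session_id: str
    username: str  # value of session.logon.last.username (assumed to be the UPN)


def sessions_to_revoke(sessions: List[ApmSession],
                       lookup_status: Callable[[str], str]) -> List[ApmSession]:
    """Return the sessions whose user is disabled or no longer exists.

    Each UPN is looked up once, however many sessions it holds. A lookup that
    fails (UNKNOWN) leaves the session alone: a Graph outage or throttling must
    not disconnect every VPN user, so the decision is deferred to the next poll.
    """
    cache: Dict[str, str] = {}
    revoke: List[ApmSession] = []
    for s in sessions:
        status = cache.get(s.username)
        if status is None:
            try:
                status = lookup_status(s.username)
            except Exception:  # network error, 5xx, throttling, ...
                status = UNKNOWN
            cache[s.username] = status
        if status in (DISABLED, MISSING):
            revoke.append(s)
    return revoke


def revoke_commands(sessions: List[ApmSession]) -> List[List[str]]:
    """Per-session BIG-IP command to run (assumed: sessiondump --delete)."""
    return [["sessiondump", "--delete", s.session_id] for s in sessions]


def graph_status_lookup(access_token: str) -> Callable[[str], str]:
    """Build a lookup that asks Microsoft Graph whether a UPN is still enabled."""
    def lookup(upn: str) -> str:
        url = ("https://graph.microsoft.com/v1.0/users/"
               + urllib.parse.quote(upn) + "?$select=accountEnabled")
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                body = json.load(resp)
        except urllib.error.HTTPError as e:
            if e.code == 404:   # user deleted from the tenant
                return MISSING
            raise               # anything else becomes UNKNOWN in the caller
        return ENABLED if body.get("accountEnabled") else DISABLED
    return lookup


# ---- constructed sample data so the module runs offline ----
SAMPLE_SESSIONS = [
    ApmSession("a1b2c3d4", "alice@example.com"),
    ApmSession("e5f6a7b8", "bob@example.com"),
    ApmSession("c9d0e1f2", "carol@example.com"),
    ApmSession("0a1b2c3d", "bob@example.com"),   # second device, same user
    ApmSession("4e5f6a7b", "dave@example.com"),
]
# UPN -> accountEnabled as Graph would report it. carol has been deleted;
# dave's lookup fails to show the fail-safe path.
SAMPLE_DIRECTORY = {"alice@example.com": True, "bob@example.com": False}


def sample_lookup(upn: str) -> str:
    """Offline stand-in for graph_status_lookup() over the constructed directory."""
    if upn == "dave@example.com":
        raise ConnectionError("simulated Graph timeout")
    if upn not in SAMPLE_DIRECTORY:
        return MISSING
    return ENABLED if SAMPLE_DIRECTORY[upn] else DISABLED


if __name__ == "__main__":
    for cmd in revoke_commands(sessions_to_revoke(SAMPLE_SESSIONS, sample_lookup)):
        print(" ".join(cmd))
```

Run on the sample data it prints three `sessiondump --delete` commands: both of bob's sessions (account disabled) and carol's (user removed), while alice stays connected and dave is skipped because his lookup failed. The loop still only closes the gap to the polling interval, so it narrows the "Session Lifetime" window rather than removing it, and the Graph token it uses needs only `User.Read.All`.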
Exactly my thought as well. Perhaps there is a way to have something updated in the registry, based on the AzureAD state of the user. Then, we can use a client (ongoing) registry check to validate the session.
I will have to think about this. In the meantime, if anyone has a bright idea :-)...