Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Frank_ten_Wolde's avatar
Frank_ten_Wolde
Icon for Altostratus rankAltostratus
Oct 06, 2023

APM Edge client logout when revoking user from AzureAD/MS Entra

When using APM Edge Client with AzureAD/MS Entra/SAML authentication, is it possible to actively disconnect a user's VPN connection when he/she is 'removed' or 'revoked' from AzureAD? I.e., can I se...
security
VishnuGatla's avatar
VishnuGatla
Icon for Cumulonimbus rankCumulonimbus
Oct 08, 2023

In F5 APM , there's a feature called "Session Lifetime" that controls how long a user's session can be active. However, this feature is based on a defined time interval, not on changes in a user's status in AzureAD. This means that if a user is removed or revoked from AzureAD, their active session will not be immediately terminated but will continue until the session lifetime expires.

For the kind of real-time revocation you're looking for, the F5 APM would need the ability to query AzureAD in real-time to check the status of a user, which to the best of my knowledge, isn't a built-in feature.

However, you might be able to achieve something similar by implementing a custom solution involving AzureAD's API and F5 iRules or using a third-party identity management solution that supports real-time revocation.

As for the Edge Client, it has features for checking system parameters like antivirus status, but I'm not aware of it having a built-in feature for real-time checking of a user's status in AzureAD.




Frank_ten_Wolde's avatar
Frank_ten_Wolde
Icon for Altostratus rankAltostratus
Oct 09, 2023

Exactly my thought as well. Perhaps there is a way to have something updated in the registry, based on the AzureAD state of the user. Then, we can use a client (ongoing) registry check to validate the session.

I will have to think about this. In the meantime, if anyone has a bright idea :-)...