Forum Discussion

Nicolas_Martin-
May 26, 2021

APM Guided Config - Zero Trust - Identity Aware Proxy and WebTop

Hi!

I'm experimenting with some configurations using AGC and the Identity Aware Proxy and have an issue when using Webtop with Azure AD auth.

The configuration is :

-AzureAd contains 2 Enterprise Applications to provide IDP with and without MFA to F5:

-IDP-MFA :EntityID = | reply URL :

-IDP-NOMFA : EntityID = | reply URL :


In BigIP the following config is done in AGC "Identity Aware Proxy" configuration (using templates v7.0) :

Case 1 (without Webtop: working well):

-Config properties : All disabled


-Virtual Server : Nothing special, just IP/Port + SSL profile

-User Identity : 2 Auth servers (Azure IDP with and without MFA)

They are both configured the same way :

-Authentication type = SAML

-Entity ID : or

-Host :

-External IDP Connector : Configured from metadata provided by Azure



-Applications :

-Auth domain :

3 Apps : App1 : FQDN = | App2 = | App3 =

Each app with some random backend resources.


-Contextual Access :

3 rules : 1 for each App

-App1 => Primary Authentication = IDP-MFA

-App2 => Primary Authentication = IDP-NoMFA

-App3 => Primary Authentication = IDP-NoMFA


This configuration deploys successfully and works as expected:

Browsing : redirects to the Auth Domain : which redirects the user to IDP-NoMFA => redirects back to the SP (which is actually the auth domain) and finally gets redirected to App1.

Browsing : the user is asked by the IDP to provide MFA ... everything works well.


Now, if in the Identity Aware Proxy configuration, in the very first tab "Config Properties", I enable Webtop:

(A few adjustments are needed in "Contextual Access") I am no longer able to access App1, 2 and 3. Only the webtop is available at when trying to connect to App1 (by clicking the link in the webtop or directly typing the URL in the browser) I get caught in an infinite redirect loop between the IDP and


Note : I also tried the same configuration replacing SAML with ActiveDirectory AAA and have the same issue.

In APM logs I can see "Session deleted (restarted)." between each loop.


Does anyone have this kind of configuration working?
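An added example, not part of the original post: a small Python script that scans APM-style log lines for the "Session deleted (restarted)." message described above and flags client IPs whose sessions restart repeatedly within a short window, which is a quick way to confirm a redirect loop from the logs rather than from the browser. The sample log, its message IDs, session IDs and addresses are constructed placeholders, not output from a real BIG-IP.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, loosely modelled on /var/log/apm. "0149XXXX" is a
# placeholder message ID; session IDs and addresses are made up.
SAMPLE_LOG = """\
May 26 10:00:01 bigip1 notice apmd[1111]: 01490500:5: /Common/iap:Common:aaaa0001: New session from client IP 10.0.0.5 at VIP 192.0.2.10
May 26 10:00:03 bigip1 notice apmd[1111]: 0149XXXX:5: /Common/iap:Common:aaaa0001: Session deleted (restarted).
May 26 10:00:04 bigip1 notice apmd[1111]: 01490500:5: /Common/iap:Common:aaaa0002: New session from client IP 10.0.0.5 at VIP 192.0.2.10
May 26 10:00:06 bigip1 notice apmd[1111]: 0149XXXX:5: /Common/iap:Common:aaaa0002: Session deleted (restarted).
May 26 10:00:07 bigip1 notice apmd[1111]: 01490500:5: /Common/iap:Common:aaaa0003: New session from client IP 10.0.0.5 at VIP 192.0.2.10
May 26 10:00:09 bigip1 notice apmd[1111]: 0149XXXX:5: /Common/iap:Common:aaaa0003: Session deleted (restarted).
May 26 10:00:10 bigip1 notice apmd[1111]: 01490500:5: /Common/iap:Common:aaaa0004: New session from client IP 10.0.0.5 at VIP 192.0.2.10
May 26 10:00:12 bigip1 notice apmd[1111]: 0149XXXX:5: /Common/iap:Common:aaaa0004: Session deleted (restarted).
May 26 10:00:15 bigip1 notice apmd[1111]: 01490500:5: /Common/iap:Common:bbbb0001: New session from client IP 10.0.0.9 at VIP 192.0.2.10
May 26 10:00:20 bigip1 notice apmd[1111]: 0149XXXX:5: /Common/iap:Common:bbbb0001: Username 'alice'
"""

# syslog timestamp, host, level, apmd[pid], msgid, /profile:Common:sid, message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \w+ apmd\[\d+\]: \S+: '
    r'(?P<profile>\S+?):Common:(?P<sid>[0-9a-f]+): (?P<msg>.*)$')


def find_restart_loops(log_text, window_seconds=60, threshold=3):
    """Return {client_ip: max_restarts} for clients whose sessions were
    restarted at least `threshold` times within any `window_seconds` span."""
    session_ip = {}                 # session id -> client IP
    restarts = defaultdict(list)    # client IP -> restart timestamps
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S')
        ip = re.search(r'New session from client IP (\S+)', m['msg'])
        if ip:
            session_ip[m['sid']] = ip.group(1)
        elif m['msg'].startswith('Session deleted (restarted)') and m['sid'] in session_ip:
            restarts[session_ip[m['sid']]].append(ts)
    flagged = {}
    for ip, times in restarts.items():
        times.sort()
        for i in range(len(times)):
            j = i   # count restarts in the window starting at times[i]
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), j - i)
    return flagged


if __name__ == '__main__':
    print(find_restart_loops(SAMPLE_LOG))  # {'10.0.0.5': 4}
```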