SAML F5 as SP initiated with Azure MFA Integration
Hi Experts,
I am deploying F5 as SP with Azure MFA. During the deployment we encountered the behavior below (which is expected):
- User accesses F5 VPN, F5 authenticates users through local AD
- Users are redirected to Azure MFA for a second verification
- Users will key in their Azure account and Azure will send SMS OTP
- Once verified, users can access applications behind F5 APM
The issue we encountered is that when the user logs in for the 2nd time, there is no challenge/authentication presented to the user. We guess it's because of the SSO or cookie session on Azure.
- User accesses F5 VPN, F5 authenticates users through local AD
- Users are redirected to Azure MFA (no verification/authentication)
- Users can access F5 APM
After we noticed the behavior above, we used the force authentication option in the F5 SAML configuration (which seems to be the answer):
However, we want to minimize the user effort because every time they are redirected to Azure MFA they need to key in their Azure credentials (username & pass).
My question is: is there a way to pass the credentials from the F5 logon page to the Azure MFA login portal through SAML?
- jessperbaylon (Nimbostratus)
Hi,
Did you manage to find a solution for this?
- jessperbaylon (Nimbostratus)
Where did you enable the force authentication option in F5 SAML configuration?
These are the attributes F5 inserts and I do not see username or password as an option:
https://support.f5.com/csp/article/K23078281
Better try from the Azure AD side to fix things without the F5 Force authentication (this is just an attribute F5 SP sends to the IdP) enabled:
You can also test using F5 with Microsoft conditional access:
https://www.f5.com/company/blog/zero-trust-azure-active-directory-access-big-ip-apm
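
Added example (not part of the thread, and not F5 or Microsoft code): a small Python check that decodes the `SAMLRequest` query value an SP sends to the IdP, so you can confirm whether `ForceAuthn` is really set and which elements the request carries. It assumes the HTTP-Redirect binding; the sample request, the `vpn.example.com` issuer and the function names are constructed for illustration.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML = 64 * 1024  # refuse oversized (decompression-bomb) input

# Constructed sample AuthnRequest; issuer and ID are placeholders.
SAMPLE_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'ForceAuthn="true">'
    '<saml:Issuer>https://vpn.example.com/</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="true"/></samlp:AuthnRequest>'
)

def encode_redirect(xml_text):
    """Raw DEFLATE + base64 + URL-encode, as the HTTP-Redirect binding does."""
    comp = zlib.compressobj(wbits=-15)
    raw = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.quote_plus(base64.b64encode(raw).decode())

def inspect_authn_request(saml_request_param):
    """Decode the URL-encoded SAMLRequest value and summarise what it asks for."""
    raw = base64.b64decode(urllib.parse.unquote_plus(saml_request_param))
    inflater = zlib.decompressobj(wbits=-15)
    xml_bytes = inflater.decompress(raw, MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("decoded request exceeds size limit")
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DOCTYPE not allowed in SAML messages")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        # ForceAuthn is an xs:boolean; absent means false
        "force_authn": root.get("ForceAuthn", "false").lower() in ("true", "1"),
        "subject_name_id": name_id.text if name_id is not None else None,
        "element_names": sorted({el.tag.split("}")[1] for el in root.iter()}),
    }

if __name__ == "__main__":
    print(inspect_authn_request(encode_redirect(SAMPLE_XML)))
```

To check a live deployment, copy the `SAMLRequest` value from the redirect URL in the browser's network trace and pass it to `inspect_authn_request`.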