Forum Discussion

OM
Aug 08, 2025
Solved

SAML F5 SP - Microsoft Entra

Hi,

I have an F5 APM currently authenticating users with their sAMAccountName. Most of them (more than 7000) don't know their UPN.

We need to leverage Microsoft Entra with MFA using SAML, with F5 acting as SP and Microsoft as IdP.

In APM I am able to extract the UPN, but I am unable to POST it to Microsoft Entra along with the SAML request.

Step 1: user connects to F5.

Step 2: user enters the username (sAMAccountName).

Step 3: APM AD query extracts the UPN.

Step 4: APM triggers the SAML request.

Step 5: APM redirects the user to Microsoft Entra with the SAML request and the username (UPN).

Step 6: the user enters the password.

Step 7: the user is redirected to F5 with the SAML ticket response.

Step 8: APM checks the SAML ticket and connects the user to the service in the backend.

Did anyone implement such a scenario successfully?

Thanks.

om

6 Replies

  • Hello OM,

    I have done this, yes, but with OAuth federation and login_hint.

    You can use login_hint with SAML too, but you have to append it as a parameter in the SAML redirect, which will need some iRule, as you cannot just add "?login_hint=%{session.ad.last.attr.userPrincipalName}" in the SAML SSO Service URL.

    It will be much easier if you do OAuth federation between F5 and Azure.

    You will still use login_hint, but with OAuth you can configure it inside the OAuth request.

    Let me know if you need help configuring OAuth federation.

  • OM

    Thanks @Iingeyan

    If you have a step-by-step OAuth configuration for this use case, it would be great.

    Thanks again.

    OM

    • You can use this guide: https://my.f5.com/manage/s/article/K53313351

      You just need to create a new Authentication Redirect Request under Access ›› Federation : OAuth Client / Resource Server : Request and select it in the VPE OAuth config.
      Clone /Common/MSIdentityPlatform2.0AuthRedirectRequest and just add a new parameter with name login_hint and value %{session.ad.last.attr.userPrincipalName}.

      Should look like this:

    • This is exactly what I meant when saying that an iRule will be needed for the SAML login hint.

      Moreover, in version 17.1.2 I don't see a redirect but a hidden payload triggering the SAML request, which will need a more complicated iRule.

      What version are you running?