Forum Discussion
SOLVED: sending IsCompliant, IsKnown and IsManaged via SAML (SSO)
Background
We have an EntraID (Azure/Microsoft365) SAML based VPN using the APM module and were keen to provide a different device pool to domain devices, rather than personal devices (BYOD). We noted that, in the EntraID logs, it included elements such as whether the device IsCompliant, IsKnown and/or IsManaged.
Wrong step first
We followed part of the exceptionally good video from Matthieu Dierick (https://www.youtube.com/watch?v=DBA84d4VJU8) in which he explains how to configure InTune to make the IsCompliant assertion and push a certificate onto the device to identify it, and then the BIG-IP Edge client will send that certificate back to be used via an API call against InTune (even if EntraID isn't used for your APM authentication). To get the API bit to function we needed to follow the guidance in https://my.f5.com/manage/s/article/K00943512. But we aren't that far down the route with InTune and, without pushing that certificate, we got the error "Device ID was not found in session variables" (as explained in https://my.f5.com/manage/s/article/K93969130).
To get working: Azure steps
It seems exporting these variables isn't natively available through the GUI although there were some pointers available from Azure AD - SAML - Intune - ismanaged attribute - Microsoft Q&A
In short, Navigate to:
- https://portal.azure.com/
- Microsoft EntraID
- Under Manage > App registrations
- (this will default to "owned application") choose "all applications" tab
- Filter by the name of your SAML configuration
- Manage > Manifest
- Take a copy of the manifest in case you want to revert (note that it won't let you save it unless it can parse the input)
- Find the section "optional claims" and inject the following after any groups you pass back:
```json
"optionalClaims": {
  "accessToken": [],
  "idToken": [],
  "saml2Token": [
    {
      "additionalProperties": [
        "on_premise_security_identifier"
      ],
      "essential": false,
      "name": "groups",
      "source": null
    },
    {
      "additionalProperties": [],
      "essential": true,
      "name": "is_device_managed",
      "source": null
    },
    {
      "additionalProperties": [],
      "essential": true,
      "name": "is_device_compliant",
      "source": null
    },
    {
      "additionalProperties": [],
      "essential": true,
      "name": "is_device_known",
      "source": null
    }
  ]
},
```
To get working: APM steps
In the visual policy editor you can now assign variables to those claims of the form:
```tcl
session.logon.last.isknown = mcget {session.saml.last.attr.name.http://schemas.microsoft.com/2014/02/devicecontext/claims/isknown}
session.logon.last.iscompliant = mcget {session.saml.last.attr.name.http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant}
session.logon.last.ismanaged = mcget {session.saml.last.attr.name.http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged}
```
So you can end up with a variable assignment box containing those three lines (just be careful with copy/paste that it doesn't introduce spaces in the session variables).
Then you can do a new general purpose > empty box with a branch rule evaluating:
```tcl
expr {[mcget {session.logon.last.ismanaged}] == "true"}
```
Optionally you can record the output of these variables by adding a logging box with the entry:
```text
username=%{session.logon.last.username}, ismanaged=%{session.logon.last.ismanaged}, iscompliant=%{session.logon.last.iscompliant}, isknown=%{session.logon.last.isknown}
```
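As an added example (my own code, not from the post or from F5), the script below covers the two steps above outside the GUI: it injects the three `is_device_*` optional claims into a manifest while keeping the existing groups claim and refusing malformed JSON (the same reason the portal refuses to save), and it mirrors the APM variable-assign plus branch rule by pulling the three device-context attributes out of an assertion and doing the same string compare against `"true"`. The manifest and the SAML assertion are constructed samples, not captures from a tenant; signature validation is left to APM.

```python
"""Manifest claim injection and device-context claim mapping for the steps
in the post above. Sample manifest and assertion are constructed for the
example and are not real tenant data."""
import json
import xml.etree.ElementTree as ET

# Claim URIs exactly as they appear as SAML attribute names (from the post).
DEVICE_CLAIMS = {
    "isknown": "http://schemas.microsoft.com/2014/02/devicecontext/claims/isknown",
    "iscompliant": "http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant",
    "ismanaged": "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged",
}

# optionalClaims names that make Entra ID emit those attributes (from the post).
OPTIONAL_CLAIM_NAMES = ["is_device_managed", "is_device_compliant", "is_device_known"]


def add_device_claims(manifest_text: str) -> str:
    """Return the manifest JSON with the device claims appended to saml2Token.
    Existing entries (e.g. groups) are kept, names already present are not
    duplicated, so running this twice is harmless. json.loads raises on
    malformed input, mirroring the portal's refusal to save unparsable text."""
    manifest = json.loads(manifest_text)
    claims = manifest.setdefault("optionalClaims", {})
    for token in ("accessToken", "idToken", "saml2Token"):
        claims.setdefault(token, [])
    present = {c.get("name") for c in claims["saml2Token"]}
    for name in OPTIONAL_CLAIM_NAMES:
        if name not in present:
            claims["saml2Token"].append(
                {"additionalProperties": [], "essential": True, "name": name, "source": None}
            )
    return json.dumps(manifest, indent=2)


def saml2_claim_names(manifest_text: str) -> list:
    """List the claim names under optionalClaims.saml2Token, in order."""
    return [c.get("name") for c in json.loads(manifest_text)["optionalClaims"]["saml2Token"]]


SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def session_vars_from_assertion(assertion_xml: str) -> dict:
    """Mirror the APM variable-assign step: take the three device-context
    attributes from an assertion and key them as session.logon.last.*.
    An absent attribute maps to "" (what mcget returns for an unset variable)."""
    root = ET.fromstring(assertion_xml)
    values = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        vals = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        values[attr.get("Name")] = vals[0] if vals else ""
    return {f"session.logon.last.{k}": values.get(uri, "") for k, uri in DEVICE_CLAIMS.items()}


def is_managed_branch(session: dict) -> bool:
    """The branch rule from the post: expr {[mcget {session.logon.last.ismanaged}] == "true"}.
    It is a string compare, so "false", "True" or a missing claim all take the fallback."""
    return session.get("session.logon.last.ismanaged", "") == "true"


# Constructed sample assertion (not a capture): managed, compliant and known device.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/2014/02/devicecontext/claims/isknown">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed minimal manifest: groups claim present, device claims not yet added.
SAMPLE_MANIFEST = json.dumps({
    "optionalClaims": {"saml2Token": [{"additionalProperties": ["on_premise_security_identifier"],
                                       "essential": False, "name": "groups", "source": None}]}
})

if __name__ == "__main__":
    print(add_device_claims(SAMPLE_MANIFEST))
    session = session_vars_from_assertion(SAMPLE_ASSERTION)
    print(session, "-> managed branch:", is_managed_branch(session))
```

The branch helper keeps the post's exact semantics on purpose: a BYOD device that simply does not present the claim lands on the fallback branch rather than raising an error, which is the safe default when the device pool decision depends on it.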
- Injeyan_Kostas
Nacreous
Hi Pete_A
I just tried and got this error. Did you have the same and overcome it somehow?
- Pete_A
Altocumulus
Hi Injeyan_Kostas
Sorry for the delay - didn't see the notification you'd commented and it's the summer holiday season.
That screen shot looks like it's from Azure - I couldn't find a way to get it to update through the GUI (see "to get working: azure steps") hence the manual coding of the manifest directly.
Hopefully the above makes sense!
All the best,
Pete
- Injeyan_Kostas
Nacreous
Hello,
Thanx for the reply.
I configured it through the manifest. But the claims are not being sent, and that's what I see in the Azure GUI.
Pete_A - notwithstanding the question from Injeyan_Kostas this appears to be a Solution you are sharing with the community. Thank you for that!
This is better suited to be managed in our CrowdSRC (Community Articles or CodeShare) section because it allows you to modify the original content IF there are changes over time. Forum posts, like this one, do not allow modification of the original (by design)
If you agree - I'd like to move this post to CrowdSRC (and maybe sort out the error question too!).
Thanks,
Lief
- Pete_A
Altocumulus
Hi LiefZimmerman - you're the moderator, do what you will with the post. I just wanted to help - I know that wrestling with these boxes (as I have done for about 20 years - Firepass and BIG-IP) is a lonely endeavour.
To the world - IT is seen as mysterious and strange
To IT - networking is seen as mysterious and strange
To networking people - certificates, load balancing, multicasting and IPv6 is seen as mysterious and strange
Hence, we're several levels of weird away from the rest of the world 😆