
almerbiner_2104
Jul 14, 2015

Use of BIG-IP APM to replace an ADFS between on-premise and Azure AD Premium

Dear all

We are currently designing the Authentication & Authorization model of a new web solution and I have the following questions that are key before making the final choice. The reference registry for all the users will be Azure AD Premium. We haven't completely decided yet if we will go for SAML or OpenID/OAuth2 regarding the AAA protocol, but it seems SAML is more adapted to our needs. Hence the questions below are more SAML related.

The token generation can be handled either by Azure AD or a local AD that is federated with Azure. Microsoft recommends the second option, though I don't know the exact reasons.

Anyway, the questions regarding BIG-IP are:

  • When we talk about APM replacing ADFS, does it simply sync the tokens that are generated by the main AD, or can it act as the token provider itself?
  • What are the pros & cons of having BIG-IP handle that completely with the Azure AD, compared to connecting the APM to a local ADFS (federated with the Azure AD)?

3 Replies

    • sercacor

      I am also interested in this scenario. Any feedback?

  • To answer your first question, APM acts as a SAML IDP. It will generate SAML claims for you, which your users will be able to present as tokens to federated sites.

    As for your second question, I think Azure AD has limitations compared to on-prem AD, and also, to have users in Azure AD I think you have to periodically sync them to Azure AD from your local on-prem AD, which is your source of truth. APM is nice because, as a SAML IDP, when a user types in their username and password, APM will directly authenticate them against your local Active Directory servers and then issue them their SAML claim. There won't be any need to synchronize users up to Azure AD, and Azure AD won't be needed by APM (now, whether there are reasons to put users in Azure AD that don't involve APM, I can't advise you, but APM has no need of Azure AD).
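The reply above describes the two halves of the SAML flow: the IdP (APM, in this design) issuing a claim for an authenticated user, and the federated site consuming it. The following added example, which is not code from the thread or from F5, shows what that claim contains and what a relying party must check before it trusts the NameID: integrity, trusted issuer, validity window, audience, and single use. The entity IDs and the key are constructed placeholders, and an HMAC tag stands in for the XML-DSig signature a real IdP applies; the AD password check itself is not modelled.

```python
import calendar
import hashlib
import hmac
import time
import uuid
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed identifiers for this example; use your own entity IDs in practice.
IDP_ENTITY_ID = "https://apm.example.com/saml/idp"   # hypothetical APM IdP entity ID
SP_ENTITY_ID = "https://sp.example.com/saml/sp"      # hypothetical federated site (SP)
SIGNING_KEY = b"constructed-demo-key"  # stand-in for the IdP's signing key


def q(tag):
    """Namespace-qualify a SAML 2.0 assertion element name for ElementTree."""
    return f"{{{SAML_NS}}}{tag}"


def iso(ts):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def parse_ts(s):
    return calendar.timegm(time.strptime(s, "%Y-%m-%dT%H:%M:%SZ"))


def issue_assertion(username, audience, now=None, lifetime=300):
    """IdP side: after the user has authenticated (against local AD in the APM
    case, not modelled here), build a short-lived assertion bound to one
    audience and return it with its integrity tag. The tag is an HMAC standing
    in for the XML-DSig signature a real IdP would apply."""
    now = int(time.time()) if now is None else now
    root = ET.Element(q("Assertion"), {"ID": "_" + uuid.uuid4().hex,
                                       "Version": "2.0", "IssueInstant": iso(now)})
    ET.SubElement(root, q("Issuer")).text = IDP_ENTITY_ID
    subject = ET.SubElement(root, q("Subject"))
    ET.SubElement(subject, q("NameID"),
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}).text = username
    cond = ET.SubElement(root, q("Conditions"),
                         {"NotBefore": iso(now), "NotOnOrAfter": iso(now + lifetime)})
    ET.SubElement(ET.SubElement(cond, q("AudienceRestriction")), q("Audience")).text = audience
    ET.SubElement(root, q("AuthnStatement"), {"AuthnInstant": iso(now)})
    xml_bytes = ET.tostring(root)
    tag = hmac.new(SIGNING_KEY, xml_bytes, hashlib.sha256).hexdigest()
    return xml_bytes, tag


class SPValidator:
    """Relying-party side: the checks a federated site makes before trusting
    the NameID carried in an assertion."""

    def __init__(self, trusted_issuer, my_entity_id, key):
        self.trusted_issuer = trusted_issuer
        self.my_entity_id = my_entity_id
        self.key = key
        self.seen_ids = set()  # replay cache; in practice bounded by assertion lifetime

    def validate(self, xml_bytes, tag, now=None):
        now = int(time.time()) if now is None else now
        # 1. Integrity first, before parsing anything the sender controls.
        expected = hmac.new(self.key, xml_bytes, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "signature check failed"
        root = ET.fromstring(xml_bytes)
        # 2. Only the configured IdP may vouch for users.
        if root.findtext(q("Issuer")) != self.trusted_issuer:
            return False, "untrusted issuer"
        # 3. Validity window; an assertion without Conditions is rejected outright.
        cond = root.find(q("Conditions"))
        if cond is None:
            return False, "missing Conditions"
        if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
            return False, "assertion expired or not yet valid"
        # 4. Audience: a claim minted for another SP must not log in here.
        if cond.findtext(f"{q('AudienceRestriction')}/{q('Audience')}") != self.my_entity_id:
            return False, "audience mismatch"
        # 5. Replay: each assertion ID is accepted once within its lifetime.
        assertion_id = root.get("ID")
        if assertion_id in self.seen_ids:
            return False, "replayed assertion ID"
        self.seen_ids.add(assertion_id)
        return True, root.findtext(f"{q('Subject')}/{q('NameID')}")


if __name__ == "__main__":
    sp = SPValidator(IDP_ENTITY_ID, SP_ENTITY_ID, SIGNING_KEY)
    xml_bytes, tag = issue_assertion("alice", SP_ENTITY_ID)
    print(sp.validate(xml_bytes, tag))  # (True, 'alice')
    print(sp.validate(xml_bytes, tag))  # (False, 'replayed assertion ID')
```

The order of checks matters: the integrity check runs before the XML is parsed, and the replay cache is updated only after every other check has passed, so a rejected assertion never consumes an ID. Whichever side issues the claim in the design discussed here (APM or a federated ADFS), Azure AD as the relying party performs this same set of checks.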