Bypass Azure Login Page with OAuth login_hint on F5 BIG-IP APM

Overview

This article demonstrates how to enhance the user experience between F5 BIG-IP APM (OAuth Client) and Azure AD (OAuth Authorization Server) by implementing the login_hint parameter. This approach eliminates the need for users to enter their credentials twice, once on the F5 login page and again on the Azure login page.

 

Problem Statement

When users access applications protected by F5 APM that authenticate against Azure AD using OAuth/OIDC, they often encounter a suboptimal experience:

1. User enters credentials on the F5 login page (often using their familiar sAMAccountName)
2. F5 redirects to Azure AD for OAuth authentication
3. Azure AD presents another login page asking for the same credentials (expecting UPN/email format)

This creates additional friction because users may not know their User Principal Name (UPN) and typically use their sAMAccountName for domain authentication. The login_hint parameter solves this by allowing F5 APM to translate the user's sAMAccountName to their UPN and pre-populate the Azure login page, effectively bypassing the redundant login prompt.

 

Alternative approach

The same functionality can be achieved using SAML, as described here. However, I find the OAuth approach cleaner, as it eliminates the need for an iRule and also allows you to include the prompt parameter. This can be useful when you want to force authentication in Azure instead of relying on an existing session. See herefor details.

 

Prerequisites

• F5 BIG-IP with APM
• Azure AD tenant with application registration
• Basic OAuth/OIDC configuration between F5 and Azure AD (as outlined in https://my.f5.com/manage/s/article/K53313351)

 

Implementation Steps

Step 1: Complete Basic OAuth Setup

Follow the standard F5 APM OAuth configuration with Azure AD:

1. Configure OAuth Server Object
• Navigate to Access ›› Federation ›› OAuth Client/Resource Server ›› OAuth Server
• Create a new OAuth server configuration for Azure AD
• Set the provider type to "Microsoft Identity Platform 2.0"
2. Configure Access Profile
• Create an access profile with OAuth Client agent
• Configure authentication redirect and token requests

 

Step 2: Create Custom Authentication Redirect Request

The key modification involves creating a custom authentication redirect request that includes the login_hint parameter:

1. Navigate to Request Configuration
2. Access ››  Federation ››  OAuth Client/Resource Server ››  Request
3. Clone the Default Request
• Find the existing /Common/MSIdentityPlatform2.0AuthRedirectRequest
• Create a copy
• Name it something descriptive like MSIdentityPlatform2.0AuthRedirectRequest_LoginHint and the same parameters as /Common/MSIdentityPlatform2.0AuthRedirectRequest
4. Add login_hint Parameter
   • Parameter Name: login_hint
   • Parameter Type: custom
   • Parameter Value: %{session.ad.last.attr.userPrincipalName} or any other variable containing user’s UPN based on your environment and Authentication configuration
• In the Parameters section, click Add
• Configure the new parameter:

 

Step 3: Update VPE OAuth Configuration

1. Access the Visual Policy Editor
• Go to Access ›› Profiles/Policies ›› Access Profiles (Per-Session Policies)
• Edit your access profile
• Click Edit to open the VPE
2. Modify OAuth Client Agent
• Locate the OAuth Client agent in your policy
• Edit the OAuth Client agent properties
• In the Authentication Redirect Request dropdown, select your new custom request: MSIdentityPlatform2.0AuthRedirectRequest_LoginHint
3. Apply Access Policy
• Click Apply Access Policy to save changes

 

Step 4: Session Variable Configuration and UPN Translation

The key to successful login_hint implementation is ensuring the proper session variable is populated with a UPN-formatted email address. F5 APM can automatically translate sAMAccountName to UPN during AD authentication.

 

 Complete Policy Flow Example

Start

  ↓

Logon Page (user enters: DOMAIN\john.doe or john.doe)

  ↓

AD Auth (authenticate and populate session variables)

  ↓

AD Query (to fetch user attributes)

  ↓

OAuth Client (with custom redirect request including login_hint=john.doe@company.com)

  ↓

Azure AD (pre-populated with UPN, bypasses login prompt)

  ↓

Application Access

 

 

Troubleshooting

Common Issues

1. login_hint Parameter Not Working
• Verify the session variable contains a valid email address
• Check that the custom request is selected in the OAuth Client agent
• Ensure the parameter type is set to "custom"
2. Session Variable Empty or Wrong Format
• Verify AD authentication and query occurs before OAuth redirect
• Check AD attribute mapping configuration
• Confirm the userPrincipalName attribute exists in your AD schema
• Ensure domain suffix matches Azure AD tenant domain
3. Azure AD Still Prompts for Login
• Verify the email format matches Azure AD expectations
• Check Azure AD application configuration for login_hint support
• Ensure the user exists in the Azure AD tenant

 

Debugging Tips

• Enable APM debug logging: tmsh modify sys db log.apm.level value debug
• Use browser developer tools to inspect the OAuth redirect URL
• Verify session variables using Variable Assign agents in VPE

 

Security Considerations

• The login_hint parameter only pre-populates the username field; users still must provide valid credentials
• This is a user experience enhancement, not a security bypass
• Ensure session variables don't contain sensitive information beyond the username/email

 

Conclusion

Implementing login_hint with OAuth on F5 BIG-IP APM significantly improves user experience by eliminating redundant login prompts. The key advantage is that F5 APM can seamlessly translate users' familiar sAMAccountName credentials to the UPN format required by Azure AD, allowing users to authenticate once with their domain credentials while Azure AD receives the properly formatted UPN for the login_hint.

This approach maintains security while providing a seamless user experience, particularly beneficial in environments where:

• Users are more familiar with their sAMAccountName than their UPN
• Organizations want to minimize authentication friction
• Azure itself is also federated to another IDP and you want transparent rederiction

The solution leverages F5 APM's AD integration capabilities to handle the username format translation automatically, making it transparent to end users.