Forum Discussion

May 26, 2021

APM Guided Config - Zero Trust - Identity Aware Proxy and WebTop

Hi !

I'm experimenting with some configuration with AGC and the Identity Aware Proxy and have an issue when using webtop with AzureAD Auth.

The configuration is:

-AzureAD contains 2 Enterprise Applications to provide IDP with and without MFA to F5:

-IDP-MFA: EntityID = https://f5-iap-auth.example.com/nomfa | reply URL: https://f5-iap-auth.example.com

-IDP-NOMFA: EntityID = https://f5-iap-auth.example.com/mfa | reply URL: https://f5-iap-auth.example.com


In BIG-IP the following config is done in the AGC "Identity Aware Proxy" configuration (using templates v7.0):

Case 1 (without webtop: working well):

-Config properties: All disabled


-Virtual Server: Nothing special, just IP/Port + SSL profile

-User Identity: 2 Auth servers (AzureIDP with and without MFA)

They are both configured the same way:

-Authentication type = SAML

-Entity ID: https://f5-iap-auth.example.com/nomfa or https://f5-iap-auth.example.com/mfa

-Host: f5-iap-auth.example.com

-External IDP Connector: Configured from metadata provided by Azure


-Applications:

-Auth domain: f5-iap-auth.example.com

3 Apps: App1: FQDN = f5-iap-app1.example.com | App2 = f5-iap-app1.example.com | App3 = f5-iap-app3.example.com

Each app with some random backend resources.


-Contextual Access:

3 rules: 1 for each App

-App1 => Primary Authentication = IDP-MFA

-App2 => Primary Authentication = IDP-NoMFA

-App3 => Primary Authentication = IDP-NoMFA


This configuration deploys successfully and works as expected:

Browsing f5-iap-app1.example.com redirects to the Auth Domain https://f5-iap-auth.example.com, which redirects the user to the IDP-NoMFA => redirect back to the SP (which is actually the auth domain) and finally get redirected to App1.

Browsing f5-iap-app2.example.com: the user is asked by the IDP to provide MFA... everything works well.


Now, if in the Identity Aware Proxy configuration, in the very first tab "Config Properties", I enable Webtop:


(A few adjustments are needed in "Contextual Access".) I am no longer able to access App1, 2 and 3. Only the webtop is available at f5-iap-auth.example.com; when trying to connect to App1 (by clicking the link in the webtop or directly typing the URL in the browser) I get caught in an infinite redirect loop between the IDP and f5-iap-auth.example.com.


Note: I also tried the same configuration replacing SAML with Active Directory AAA and have the same issue.

In the APM logs I can see "Session deleted (restarted)." between each loop.


Does anyone have this kind of configuration working?


Thanks.


Regards,
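Added example, not part of the post above or of any F5 tooling: a small Python check that scans APM-style log lines for the "Session deleted (restarted)." message quoted in the post and flags an access policy whose sessions are restarted repeatedly within a short window, which is how a redirect loop between the auth domain and the IDP shows up in the log. The syslog layout is modelled loosely on BIG-IP APM output; the message id, host, policy names and session ids are constructed placeholders.

```python
"""Flag APM access policies whose sessions are restarted in a tight loop."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (placeholders, not taken from a real BIG-IP):
# four restarts of the same policy within seconds, plus one unrelated restart.
SAMPLE_LOG = """\
May 26 10:00:01 bigip1 notice apmd[1234]: 01490XXX:5: /Common/iap_policy:Common:aaaa1111: Session deleted (restarted).
May 26 10:00:02 bigip1 notice apmd[1234]: 01490XXX:5: /Common/iap_policy:Common:bbbb2222: Session deleted (restarted).
May 26 10:00:03 bigip1 notice apmd[1234]: 01490XXX:5: /Common/iap_policy:Common:cccc3333: Session deleted (restarted).
May 26 10:00:04 bigip1 notice apmd[1234]: 01490XXX:5: /Common/iap_policy:Common:dddd4444: Session deleted (restarted).
May 26 10:05:00 bigip1 notice apmd[1234]: 01490XXX:5: /Common/other_policy:Common:eeee5555: Session deleted (restarted).
"""

# syslog timestamp, host, facility, apmd[pid]:, message id, policy:Common:session-id, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ apmd\[\d+\]: \S+ "
    r"(?P<policy>/\S+?):Common:(?P<sid>[0-9a-f]+): Session deleted \(restarted\)\.$"
)


def find_restart_loops(log_text, threshold=3, window_seconds=30):
    """Return {policy: max restarts seen in any window_seconds-wide sliding window}
    for every policy where that maximum reaches threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a restart line; ignore everything else
        # Syslog lines carry no year; the deltas below do not need one.
        events[m.group("policy")].append(datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"))

    loops = {}
    window = timedelta(seconds=window_seconds)
    for policy, times in events.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):  # classic two-pointer sliding window
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            loops[policy] = best
    return loops


if __name__ == "__main__":
    print(find_restart_loops(SAMPLE_LOG))  # {'/Common/iap_policy': 4}
```

On a real box the same check can be run against /var/log/apm after reproducing a single login attempt, so that a burst of restarts for one policy points at the loop rather than at normal session churn.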
