cancel
Showing results for 
Search instead for 
Did you mean: 

APM Guided Config - Zero Trust - Identity Aware Proxy and WebTop

Hi !

I'm experimenting some configuration with AGC and the Identity Aware Proxy and have issue when using webtop with AzureAD Auth.

The configuration is :

-AzureAd contains 2 Enterprise Applications to provide IDP with and without MFA to F5:

-IDP-MFA :EntityID = https://f5-iap-auth.example.com/nomfa | reply URL : https://f5-iap-auth.example.com

-IDP-NOMFA : EntityID = https://f5-iap-auth.example.com/mfa | reply URL : https://f5-iap-auth.example.com

 

In BigIP the following config is done in AGC "Identity Aware Proxy" configuration (using templates v7.0) :

Case 1 (without webtop : working good) :

-Config properties : All disabled

0691T00000CoghyQAB.png 

-Virtual Server : Nothing special, just IP/Port + SSL profile

-User Identity : 2 Auth servers (AzureIDP with and without MFA

They are both configured the same way :

-Authentication type = SAML

-Entity ID : https://f5-iap-auth.example.com/nomfa or https://f5-iap-auth.example.com/mfa

-Host : f5-iap-auth.example.com

-External IDP Connector : Configured from metada provided by Azure

 

0691T00000CogjQQAR.png 

-Applications :

-Auth domain : f5-iap-auth.example.com

3 Apps : App1 : FQDN = f5-iap-app1.example.com | App2 = f5-iap-app1.example.com | App3 = f5-iap-app3.example.com

Each app with some random backend resources.

 

 

0691T00000CogkxQAB.png 

 

 

 

-Contextual Access :

3 rules : 1 for each App

-App1 => Primary Authication = IDP-MFA

-App2 =>Primary Authication = IDP-NoMFA

-App3 =>Primary Authication = IDP-NoMFA

 

This configuration deploy successfully and work as expected :

Browsing : f5-iap-app1.example.com redirect to Auth Domain : https://f5-iap-auth.example.com wich redirect the user to the IDP-NoMFA => redirect back to SP (which is actually the auth domain) and finally get redirected to App1.

Browsing f5-iap-app2.example.com : user is asked by idp to provide mfa ... everything works well

 

Now if in the Identity Aware Proxy Configuration, in the very first tab "Config Properties" I enable Webtop :

 

0691T00000Cogm0QAB.png 

 

(A few adjustments are needed in "Contextual Access") I am no longer able to access App1, 2 and 3. Only the webtop is available at f5-iap-auth.example.com when trying to connect App1 (by cliquing the link in webtop or directly typing URL in browser) I get caught in an infinite redirect loop between IDP and f5-iap-auth.example.com.

 

Note : I also tried the same configuration replacing SAML with ActiveDirectory AAA and have the same issue.

In APM logs I can see " Session deleted (restarted). " Between each loop. 

 

Anyone have this kind of configuration working ?

 

Thanks.

 

Regards,

0 REPLIES 0