I'm experimenting some configuration with AGC and the Identity Aware Proxy and have issue when using webtop with AzureAD Auth.
The configuration is :
-AzureAd contains 2 Enterprise Applications to provide IDP with and without MFA to F5:
In BigIP the following config is done in AGC "Identity Aware Proxy" configuration (using templates v7.0) :
Case 1 (without webtop : working good) :
-Config properties : All disabled
-Virtual Server : Nothing special, just IP/Port + SSL profile
-User Identity : 2 Auth servers (AzureIDP with and without MFA
They are both configured the same way :
-Authentication type = SAML
-Host : f5-iap-auth.example.com
-External IDP Connector : Configured from metada provided by Azure
-Auth domain : f5-iap-auth.example.com
Each app with some random backend resources.
-Contextual Access :
3 rules : 1 for each App
-App1 => Primary Authication = IDP-MFA
-App2 =>Primary Authication = IDP-NoMFA
-App3 =>Primary Authication = IDP-NoMFA
This configuration deploy successfully and work as expected :
Browsing : f5-iap-app1.example.com redirect to Auth Domain : https://f5-iap-auth.example.com wich redirect the user to the IDP-NoMFA => redirect back to SP (which is actually the auth domain) and finally get redirected to App1.
Browsing f5-iap-app2.example.com : user is asked by idp to provide mfa ... everything works well
Now if in the Identity Aware Proxy Configuration, in the very first tab "Config Properties" I enable Webtop :
(A few adjustments are needed in "Contextual Access") I am no longer able to access App1, 2 and 3. Only the webtop is available at f5-iap-auth.example.com when trying to connect App1 (by cliquing the link in webtop or directly typing URL in browser) I get caught in an infinite redirect loop between IDP and f5-iap-auth.example.com.
Note : I also tried the same configuration replacing SAML with ActiveDirectory AAA and have the same issue.
In APM logs I can see " Session deleted (restarted). " Between each loop.
Anyone have this kind of configuration working ?