
SAML F5 as SP initiated with Azure MFA Integration

Nath

Hi Experts,

I am deploying F5 as SP with Azure MFA, and during the deployment we encountered the behavior below (which is expected):

  • User accesses the F5 VPN; F5 authenticates users through local AD
  • Users are redirected to Azure MFA for a second verification
  • Users key in their Azure account and Azure sends an SMS OTP
  • Once verified, users can access applications behind F5 APM

The issue we encountered is that when the user logs in for the 2nd time, there is no challenge/authentication presented to the user; we guess it's because of SSO or the cookie session on Azure.

  • User accesses the F5 VPN; F5 authenticates users through local AD
  • Users are redirected to Azure MFA (no verification/authentication)
  • Users can access F5 APM

After we noticed the behavior above, we used the force authentication option in the F5 SAML configuration (which seems to be the answer):

[screenshot of the F5 SAML SP configuration with Force Authentication enabled]

However, we want to minimize the user effort, because every time they are redirected to Azure MFA they need to key in their Azure credentials (username & password).

My question is: is there a way to pass the credentials from the F5 logon page to the Azure MFA login portal through SAML?


These are the attributes F5 inserts, and I do not see username or password as an option:

https://support.f5.com/csp/article/K23078281


Better to try fixing things from the Azure AD side, without the F5 Force Authentication option (this is just an attribute the F5 SP sends to the IdP) enabled:


https://docs.microsoft.com/en-us/azure/active-directory/authentication/concepts-azure-multi-factor-a...


You can also test using F5 with Microsoft conditional access:


https://www.f5.com/company/blog/zero-trust-azure-active-directory-access-big-ip-apm


https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-...
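As an added example (not part of the original question or reply, and not F5's or Microsoft's code), the Python below shows what the Force Authentication setting discussed above looks like on the wire: the SP puts ForceAuthn="true" on its SP-initiated AuthnRequest, which is the attribute the reply refers to. It also shows how an SP can check the AuthnInstant of the returned assertion against the time it issued the request, so that the "second login with no challenge" case (the IdP answering from an existing session) is detected rather than silently accepted. The entity IDs, URLs, timestamps and the sample SAML response are constructed placeholders; the freshness check is a generic SAML 2.0 technique, not an F5 APM feature.

```python
"""Added example (not F5's or Microsoft's code): SP-initiated SAML 2.0
AuthnRequest with ForceAuthn, plus a freshness check on the returned
assertion's AuthnInstant so the SP can tell whether the IdP really
re-authenticated the user or reused a cached session."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _to_saml_time(dt):
    # SAML timestamps are UTC ISO 8601 with a trailing Z
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _from_saml_time(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, force_authn=True, now=None):
    """Return the XML of an SP-initiated AuthnRequest. With force_authn the
    request carries ForceAuthn="true", which asks the IdP to re-authenticate
    the user even if it already holds a session for them."""
    now = now or datetime.now(timezone.utc)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": _to_saml_time(now),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def request_forces_reauth(request_xml):
    """True if the AuthnRequest asks the IdP for a fresh authentication."""
    return ET.fromstring(request_xml).get("ForceAuthn", "false").lower() == "true"


def assertion_is_fresh(response_xml, request_issued_at, skew=timedelta(seconds=60)):
    """True if the assertion's AuthnInstant is not earlier than the request
    (allowing for clock skew). An AuthnInstant well before the request means
    the IdP answered from an existing session instead of challenging the user."""
    root = ET.fromstring(response_xml)
    stmt = root.find(".//saml:AuthnStatement", {"saml": SAML})
    if stmt is None or stmt.get("AuthnInstant") is None:
        return False  # no authentication statement at all: not fresh
    return _from_saml_time(stmt.get("AuthnInstant")) >= request_issued_at - skew


# Constructed sample data (placeholders, not a real tenant or IdP).
REQUEST_ISSUED_AT = datetime(2022, 5, 10, 10, 0, 0, tzinfo=timezone.utc)


def sample_response(authn_instant):
    # Minimal unsigned response for illustration; a real SP also validates the signature.
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2022-05-10T10:00:05Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-05-10T10:00:05Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_s1">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


# IdP reused a session from 08:30: the "second login, no challenge" case
STALE_RESPONSE = sample_response("2022-05-10T08:30:00Z")
# IdP really challenged the user a few seconds after the request
FRESH_RESPONSE = sample_response("2022-05-10T10:00:04Z")


if __name__ == "__main__":
    req = build_authn_request("https://sp.example.test/saml", "https://sp.example.test/saml/acs",
                              "https://idp.example.test/sso", now=REQUEST_ISSUED_AT)
    print(req)
    print("ForceAuthn requested:", request_forces_reauth(req))
    print("stale assertion accepted as fresh?", assertion_is_fresh(STALE_RESPONSE, REQUEST_ISSUED_AT))
    print("fresh assertion accepted as fresh?", assertion_is_fresh(FRESH_RESPONSE, REQUEST_ISSUED_AT))
```

The AuthnInstant check is a useful complement to ForceAuthn on the SP side: ForceAuthn only asks the IdP to re-authenticate, while comparing AuthnInstant to the request's IssueInstant lets the SP verify that it actually happened before granting access. The skew value is a deployment choice; keep it small enough that a session from hours earlier is never accepted as a fresh MFA challenge.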