Yubikey APM and AzureAD question
HEy I'm trying to add the ability to use yubikeys as hardware keys to my Saml/Azureid logins. I saw this doc for how to do it with okta. Application access using YubiKey Authentication with APM and Okta | DevCentral I was wondering if their were similar instructions for Azure AD. It seems like the okta integration relies on okta connecter supporting yubikey in v 16.0. We are currently running 16.1.5, but I don't see something similar in the Azure AD connector. I was wondering how other people have done this? Or if their was something I'm missing? We've been able to add yubikeys to ont eh Azure Ad side, but they never show up when we try to use them as a 2nd factor with The BIG IP Edge client.
APM Portal Links SSO with Azure AD
Hi, We have an APM portal using AD authentication. We recently transitioned to using Azure AD MFA to log into it. This was done by following the solution to integrate APM with Azure AD using the bigIP as a SAML SP and works without issue. However, after logging into the portal and clicking on any of the links for the the various apps (which are also Azure AD integrated) the user must go through the login process with Azure AD all over again which is anyoing. Is there a way to somehow use the original SAML authentication from loging into the portal to seemlessly be logged into the various apps? Interestingly, once the user clicks on subsequent apps after the second login, they are logged in automatically so I believe it's able to use the session tokens stored in the browser for subsequent logins after the second login (but not after the initial log in to the portal).
APM VPN with Azure AD as SAML IdP
Hello there, I'm implementing the APM part of the VPN implementation that should use Azure AD as SAML IdP. The SAML part works fine as such, but there are problems having the Azure AD groups returned in the SAML response. This is the best the Azure AD administrator has got me so far: 410de111-34ab-4b4f-8722-0ecbcd840c39 2463f452-7382-49f5-ace0-bafdc8816b2b So, the groups are UUID only. They have found no way to return the actual group names in the SAML response. I've checked the full SAML response in the "sessiondump --allkeys" output. Does anyone have specific tips that could be tried in the Azure AD side to get it return the AD group names in the SAML response? One workaround was tried so that the AAD admin configured roles for the users: RoleName2 RoleName1 These are shown in APM session variable: da859cb2.session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/role 25 | RoleName2 | RoleName1 | I can parse that output in TCL and translate it in this format: da859cb2.session.ad.last.attr.memberOf 31 | CN=RoleName2 | CN=RoleName1 | And now I can use "AD Group Resource Assign" to match the correct VPN properties based on the roles. So, I'm hoping the be able to get the actual AD group names from Azure AD, instead of using the UUIDs or the admin-generated roles. Any hints? Markku
Pure Azure AD SSO authentication with Silverline
Hi, We're trying to integrate SIlverline with Azure AD but haven't quite got it to work correctly. It appears that Silverline passes the autentication to Azure AD and this does complete successfully but Silverline then simply reports "Could not authenticate you via SAML because "Invalid Token". My guess is we need to map the correct attributes in Azure AD to send back to Silverline in the SAML response but cannot seem to find anything. There is no on-prem AD or AADDS available - it's just pure Azure AD. Has anybody done this and would be able to share what they did.
Office 365's new "Modern Auth"
Hi All, We've just heard a rumor that Microsoft have released a new authentication model for Office 365 which they are using with Exchange Online and Skype for Business to start with. Now we have been told that with this new authentication model that ADFS being fronted by APM for authentication/acting as an ADFS proxy is not and will not be supported due to the change in the way authentication works. From what we can tell, it will only break application clients (ActiveSync/Office/Skype) that aren't just a web page, but we really don't have much detail. Does anyone have any experience with Office 365 off-prem setups and the new Modern Authentication model? Can anyone confirm that it doesn't in fact work? Is there anyone from F5 who has advice on if it's on the road map for being fixed/addressed/investigated? Thanks in advanced.
Problem getting User Information with Oauth and AzureAD
Hi I'm trying to use Azure AD as an Oauth IDP on our F5. I followed the LAB in https://clouddocs.f5.com/training/community/iam/html/class6/lab4.html and authentication works without any Problems. But i need to pass the User Email Address to the Backend after succesfull Authentication. As there is no Session Variable holding the Email-Address, how can we query for that Info after succesfull authenticatoin? As i'm very new to Oauth, a Dummy-Explanation would be realy helpful! Thanks Sbu
APM - Azure AD integration with Oauth
Hi, I have a client that wants to centralize authentication to internal services (Intranet, private applications, etc) with Azure AD via APM using the Oauth protocol. When a user tries to access an internal resource, transparently send the credentials to the APM, it will validate the credentials with Azure AD and the APM will allow access if the credentials are correct. The communication between APM and Azure AD, from what I have read, can only be done through Oauth. I have looked for some examples of how this could be done, but it is not entirely clear to me. Has anyone done that? Do you know of a Cookbook that tells you how to do it? ThanksOffice 365 SAML token rejection
I have configured the Office 365 SAML iApp for authentication, and to all intents and purposes it looks as though APM is successfully authenticating a user and issuing a token. However when the token is submitted to Office 365 I receive the response: Sorry but we're having trouble signing you in. We've received a bad response. AADSTS50000 there was an error issuing a token. I'm using a URI as an identified as opposed to a URN. I've investigated as much as I can (but by no means and expert) confirming certificate thumbprints are uploaded to O365, time is in sync. I have dug into the http requests with Fiddler. I can see the SAML request and response. I see it submitted in the header to O365. Verified users are synchronised to Azure AD. Furthermore I've checked for additional proceeding slashes in the configuration between APM & O365. Really struggling to understand the problem. Any suggestions/ help would be greatly appreciated.
