Tutorial: Configure F5 BIG-IP SSL-VPN for Azure AD SSO
In this tutorial, learn how to integrate F5 BIG-IP based secure socket layer virtual private network (SSL-VPN) with Azure Active Directory (Azure AD) for secure hybrid access (SHA).
Enabling a BIG-IP SSL-VPN for Azure AD single sign-on (SSO) provides many benefits, including:
- Improved Zero Trust governance through Azure AD pre-authentication and Conditional Access.
- Passwordless authentication to the VPN service
- Manage identities and access from a single control plane, the Azure portal
To learn about more benefits, see
Classic VPNs remain network orientated, often providing little to no fine-grained access to corporate applications. We encourage a more identity-centric approach to achieve Zero Trust. Learn more: Five steps for integrating all your apps with Azure AD.
In this scenario, the BIG-IP APM instance fronting the SSL-VPN service is configured as a SAML service provider (SP), and Azure AD is the trusted SAML identity provider (IdP). Azure AD provides SSO to the BIG-IP APM through claims-based authentication, which gives users a seamless VPN access experience.
Replace example strings or values in this guide with those in your environment.
Prior experience or knowledge of F5 BIG-IP isn't necessary, however, you'll need:
- An Azure AD subscription
- If you don't have one, you can start with an Azure free account
- User identities synchronized from their on-premises directory to Azure AD.
- An account with Azure AD application admin permissions
- BIG-IP infrastructure with client traffic routing to and from the BIG-IP
- A record for the BIG-IP published VPN service in public DNS
- Or a hosts file entry on a test client while testing
- The BIG-IP provisioned with the needed SSL certificates for publishing services over HTTPS
To improve the tutorial experience, you can learn industry-standard terminology on the F5 BIG-IP Glossary.
Some instructions might vary slightly from the Azure portal.
Add F5 BIG-IP from the Azure AD gallery
Set up a SAML federation trust between the BIG-IP and Azure AD. The trust lets the BIG-IP hand off pre-authentication and Conditional Access to Azure AD before it grants access to the published VPN service.
- Sign in to the Azure portal with application admin rights.
- From the left navigation pane, select the Azure Active Directory service.
- Go to Enterprise Applications and from the top ribbon select New application.
- In the gallery, search for F5 and select F5 BIG-IP APM Azure AD integration.
- Enter a name for the application.
- Select Add then Create.
- The name appears, with an icon, in the Azure portal and the Office 365 portal.
Configure Azure AD SSO
- With F5 application properties, go to Manage > Single sign-on.
- On the Select a single sign-on method page, select SAML.
- Select No, I’ll save later.
- On the Setup single sign-on with SAML menu, select the pen icon for Basic SAML Configuration.
- Replace the Identifier URL with your BIG-IP published service URL. For example,
- Replace the Reply URL with the path to the BIG-IP SAML endpoint. For example,
In this configuration, the application operates in an IdP-initiated mode: Azure AD issues a SAML assertion before redirecting to the BIG-IP SAML service.
- For apps that don’t support IdP-initiated mode (SP-initiated sign-on), specify the Sign-on URL of the BIG-IP SAML service, for example,
- For the Logout URL, enter the BIG-IP APM single logout (SLO) endpoint, prefixed with the hostname of the service being published. For example,
An SLO URL ensures that the user session terminates at both the BIG-IP and Azure AD after the user signs out. BIG-IP APM also has an option to terminate all sessions when a particular application URL is called. Learn more in the F5 article K12056: Overview of the Logout URI Include option.
From TMOS v16, the SAML SLO endpoint has changed to /saml/sp/profile/redirect/slo.
Skip the SSO test prompt.
In the User Attributes & Claims section, review the default claims that Azure AD will issue.
You can add other claims for your BIG-IP published service. Claims you define beyond the default set are only issued if the corresponding attribute is populated in Azure AD. Directory roles or group memberships must be defined against the user object in Azure AD before they can be issued as a claim.
SAML signing certificates created by Azure AD have a lifespan of three years.
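As an added example (not part of the tutorial, nor F5 or Microsoft code), the Python script below decodes a SAMLResponse of the kind Azure AD posts to the BIG-IP ACS endpoint and lists the NameID, audience and claims, so you can confirm that a claim the access policy depends on, such as the groups claim, is actually being issued for the user. The response is constructed: unsigned, trimmed, with the four default Azure AD claims plus a groups claim whose values are made-up object IDs. Signature, Destination and Conditions validation remain the job of BIG-IP APM, so treat this as an inspection aid for a captured response, not a validator.

```python
"""Inspect the claims in a SAMLResponse posted by Azure AD to the BIG-IP ACS.

Added example (not tutorial, F5 or Microsoft code). SAMPLE_RESPONSE_XML is
constructed: unsigned and trimmed, with the default Azure AD claims plus a
groups claim holding made-up object IDs. Signature and condition checks are
left to BIG-IP APM; this only shows what a captured response contains.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
DEFAULT_CLAIMS = {CLAIMS + n for n in ("givenname", "surname", "emailaddress", "name")}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample response (no Signature element, values are placeholders).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://ssl-vpn.contoso.com/saml/sp/profile/post/acs">
  <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@contoso.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://ssl-vpn.contoso.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>alice@contoso.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>alice@contoso.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000001</saml:AttributeValue>
        <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000002</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The ACS receives the response base64-encoded in the SAMLResponse form field.
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(b64: str) -> dict:
    """Decode a SAMLResponse form value and pull out subject, audience and claims."""
    root = ET.fromstring(base64.b64decode(b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    claims = {}
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        # A multi-valued claim (groups) arrives as several AttributeValue children.
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    audience = root.find("saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "status_ok": status is not None and status.get("Value", "").endswith(":Success"),
        "name_id": name_id.text if name_id is not None else None,
        "audience": audience.text if audience is not None else None,  # must equal the SP entity ID
        "claims": claims,
    }


def claim_gaps(parsed: dict, required) -> list:
    """Claims the access policy relies on that Azure AD did not issue (sorted)."""
    return sorted(c for c in required if not parsed["claims"].get(c))


if __name__ == "__main__":
    parsed = decode_saml_response(SAMPLE_SAMLRESPONSE)
    print("issuer  :", parsed["issuer"])
    print("NameID  :", parsed["name_id"])
    print("audience:", parsed["audience"])
    for name, values in parsed["claims"].items():
        print(f"claim {name.rsplit('/', 1)[-1]}: {values}")
    print("missing :", claim_gaps(parsed, DEFAULT_CLAIMS | {GROUPS_CLAIM}))
```

If claim_gaps reports the groups claim as missing for a real user, the cause is usually on the Azure AD side (the claim was never added, or the user has no group membership to emit), not on the BIG-IP.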
Azure AD authorization
By default, Azure AD issues tokens only to users who have been granted access to the service.
In the application configuration view, select Users and groups.
Select + Add user.
In the Add Assignment menu, select Users and groups.
In the Users and groups dialog, add the user groups authorized to access the VPN.
Select Select > Assign.
With the Azure AD side complete, set up BIG-IP APM to publish the SSL-VPN service and configure it with the corresponding properties to complete the trust for SAML pre-authentication.
BIG-IP APM configuration
To complete federating the VPN service with Azure AD, create the BIG-IP SAML service provider and the corresponding SAML IdP connector objects.
Go to Access > Federation > SAML Service Provider > Local SP Services.
Enter a Name and the Entity ID defined in Azure AD.
Enter the Host FQDN to connect to the application.
If the entity ID isn't an exact match for the hostname of the published URL, or isn't in hostname URL format at all (for example, urn:ssl-vpn:contosoonline), configure the SP Name Settings with the external scheme and hostname of the application being published.
Scroll down to select the new SAML SP object.
Select Bind/UnBind IDP Connectors.
Select Create New IDP Connector.
From the drop-down menu, select From Metadata
Browse to the Federation Metadata XML file downloaded from the SAML Signing Certificate section of the Azure AD application.
For the APM object, provide an Identity Provider Name that represents the external SAML IdP.
Select Add New Row, then select the new Azure AD external IdP connector.
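The values typed into the Azure AD Basic SAML Configuration, the metadata imported into the IdP connector, and the SP object on the BIG-IP all have to agree before the trust works. As an added example (not part of the tutorial, nor F5 or Microsoft code), the Python script below parses a constructed, trimmed stand-in for the Azure AD Federation Metadata XML (the certificate body is a placeholder), computes the SHA-1 thumbprint the Azure portal shows for the signing certificate, derives the BIG-IP SP endpoint values for a published FQDN and TMOS version, compares them with what was entered in Azure AD, and flags an entity ID that needs SP Name Settings. The ACS path /saml/sp/profile/post/acs and the pre-v16 SLO path /saml/sp/profile/redirect/slr are assumptions; confirm both against the SP metadata exported from your BIG-IP.

```python
"""Consistency checks for the Azure AD to BIG-IP APM SAML trust.

Added example (not tutorial, F5 or Microsoft code). SAMPLE_METADATA is a
constructed, trimmed stand-in for the Azure AD Federation Metadata XML; the
X509Certificate body is a placeholder, not a real certificate. The ACS path
/saml/sp/profile/post/acs and the pre-v16 SLO path /saml/sp/profile/redirect/slr
are assumptions: confirm both against the SP metadata exported from your BIG-IP.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TENANT_LOGIN = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"

# Constructed sample; a real file also carries WS-Federation sections and a signature.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQ</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="{TENANT_LOGIN}"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="{TENANT_LOGIN}"/>
    <SingleSignOnService Binding="{POST}" Location="{TENANT_LOGIN}"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the values a BIG-IP IdP connector takes from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; not an IdP metadata file")

    def location(tag, binding):
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == binding:
                return svc.get("Location")
        return None

    thumbprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys are not used to verify assertions
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            # SHA-1 over the DER bytes is the thumbprint the Azure portal displays.
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect": location("SingleSignOnService", REDIRECT),
        "sso_post": location("SingleSignOnService", POST),
        "slo_redirect": location("SingleLogoutService", REDIRECT),
        "signing_thumbprints": thumbprints,
    }


def expected_sp_settings(published_fqdn: str, tmos_major: int) -> dict:
    """BIG-IP SP values to enter in the Azure AD Basic SAML Configuration."""
    base = f"https://{published_fqdn}"
    # From TMOS v16 the SLO endpoint is /saml/sp/profile/redirect/slo (as the
    # tutorial notes); the older /slr path is an assumption for pre-v16 systems.
    slo = "/saml/sp/profile/redirect/slo" if tmos_major >= 16 else "/saml/sp/profile/redirect/slr"
    return {
        "Identifier (Entity ID)": base,
        "Reply URL": base + "/saml/sp/profile/post/acs",  # assumed ACS path
        "Sign-on URL": base,  # only needed for SP-initiated sign-on
        "Logout URL": base + slo,
    }


def sp_name_settings_required(entity_id: str, published_fqdn: str) -> bool:
    """True when the entity ID is not https://<published FQDN>, so the BIG-IP SP
    needs explicit SP Name Settings (scheme and host); e.g. a urn: entity ID."""
    parsed = urlparse(entity_id)
    return not (parsed.scheme == "https" and parsed.hostname == published_fqdn.lower())


def check_basic_saml_config(configured: dict, published_fqdn: str, tmos_major: int) -> list:
    """Compare what was typed into Azure AD against the derived SP values."""
    problems = []
    for field, want in expected_sp_settings(published_fqdn, tmos_major).items():
        got = configured.get(field)
        if got is None:
            if field != "Sign-on URL":  # optional: IdP-initiated mode works without it
                problems.append(f"{field} is not set (expected {want})")
        elif got.rstrip("/").lower() != want.rstrip("/").lower():
            problems.append(f"{field} is {got}, expected {want}")
    return problems


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entity ID      :", idp["entity_id"])
    print("SSO (redirect)     :", idp["sso_redirect"])
    print("Signing thumbprints:", idp["signing_thumbprints"])
    typed = expected_sp_settings("ssl-vpn.contoso.com", 16)
    typed["Logout URL"] = "https://ssl-vpn.contoso.com/saml/sp/profile/redirect/slr"  # stale pre-v16 path
    for problem in check_basic_saml_config(typed, "ssl-vpn.contoso.com", 16):
        print("MISMATCH:", problem)
    print("SP Name Settings needed for urn:ssl-vpn:contosoonline:",
          sp_name_settings_required("urn:ssl-vpn:contosoonline", "ssl-vpn.contoso.com"))
```

Run it against the real Federation Metadata XML to get the IdP entity ID, SSO URL and signing thumbprint that the IdP connector should show after import; a thumbprint that differs from the one in the Azure portal means an old metadata file was uploaded.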
Enable the SSL-VPN to be offered to users via the BIG-IP web portal.
Go to Access > Webtops > Webtop Lists.
Enter a portal name.
Set the type to Full, for example,
Complete the remaining preferences.
VPN elements control aspects of the overall service.
Go to Access > Connectivity/VPN > Network Access (VPN) > IPV4 Lease Pools
Enter a name for the IP address pool allocated to VPN clients. For example, Contoso_vpn_pool.
Set type to IP Address Range.
Enter a start and end IP.
A Network access list provisions the service with IP and DNS settings from the VPN pool, user routing permissions, and can launch applications.
Go to Access > Connectivity/VPN > Network Access (VPN) > Network Access Lists.
Provide a name for the VPN access list and caption, for example, Contoso-VPN.
From the top ribbon, select Network Settings.
For Supported IP version: IPV4.
For IPV4 Lease Pool, select the VPN pool created, for example, Contoso_vpn_pool
Use the Client Settings options to enforce restrictions for how client traffic is routed in an established VPN.
Go to the DNS/Hosts tab.
For IPV4 Primary Name Server: Your environment DNS IP
For DNS Default Domain Suffix: The domain suffix for this VPN connection. For example, contoso.com
See the F5 article, Configuring Network Access Resources for other settings.
A BIG-IP connectivity profile is required to configure the client-type settings the VPN service needs to support, for example Windows, macOS, and Android.
Go to Access > Connectivity/VPN > Connectivity > Profiles
Enter a profile name, for example, Contoso_VPN_Profile.
Set the parent profile to /Common/connectivity.
For more information on client support, see the F5 article, F5 Access and BIG-IP Edge Client.
Access profile configuration
An access policy enables the service for SAML authentication.
Go to Access > Profiles/Policies > Access Profiles (Per-Session Policies).
Enter a profile name, for example, Contoso_network_access.
Set the profile type to All.
Scroll down and add at least one language to the Accepted Languages list
In the new access profile, on the Per-Session Policy field, select Edit.
The visual policy editor opens in a new tab.
Select the + sign.
In the menu, select Authentication > SAML Auth.
Select Add Item.
In the SAML authentication SP configuration, select the VPN SAML SP object you created.
For the Successful branch of SAML auth, select + .
From the Assignment tab, select Advanced Resource Assign.
Select Add Item.
In the pop-up, select New Entry.
In the window, select Network Access.
Select the Network Access profile you created.
Go to the Webtop tab.
Add the Webtop object you created.
To change the ending of the Successful branch, select the link in the upper Deny box and set it to Allow.
The Allow label now appears on that branch.
Select Apply Access Policy.
Close the visual policy editor tab.
Publish the VPN service
The APM requires a front-end virtual server to listen for clients connecting to the VPN.
Select Local Traffic > Virtual Servers > Virtual Server List.
For the VPN virtual server, enter a Name, for example, VPN_Listener.
Select an unused IP Destination Address with routing to receive client traffic.
Set the Service Port to 443 HTTPS.
For State, ensure Enabled is selected.
Set the HTTP Profile to http.
Add the SSL Profile (Client) for the public SSL certificate you created.
Under Access Policy, set the Access Profile and Connectivity Profile to the VPN objects you created.
Your SSL-VPN service is published and accessible via SHA, either with its URL or through Microsoft application portals.
Open a browser on a remote Windows client.
Browse to the BIG-IP VPN service URL.
The BIG-IP webtop portal and VPN launcher appear.
Select the VPN tile to install the BIG-IP Edge client and establish a VPN connection configured for SHA. The F5 VPN application is visible as a target resource in Azure AD Conditional Access. See conditional access policies to enable users for Azure AD password-less authentication.