Tutorial: Configure F5 BIG-IP SSL-VPN for Microsoft Entra SSO
In this tutorial, learn how to integrate F5 BIG-IP based secure socket layer virtual private network (SSL-VPN) with Microsoft Entra ID for secure hybrid access (SHA).
Enabling a BIG-IP SSL-VPN for Microsoft Entra single sign-on (SSO) provides many benefits, including:
- Improved Zero Trust governance through Microsoft Entra pre-authentication and Conditional Access.
- Passwordless authentication to the VPN service.
- Management of identities and access from a single control plane, the Microsoft Entra admin center.
To learn about more benefits, see
Classic VPNs remain network-oriented, often providing little or no fine-grained access to corporate applications. We encourage a more identity-centric approach to achieve Zero Trust. Learn more: Five steps for integrating all your apps with Microsoft Entra ID.
In this scenario, the BIG-IP APM instance of the SSL-VPN service is configured as a SAML service provider (SP) and Microsoft Entra ID is the trusted SAML IdP. SSO from Microsoft Entra ID is provided through claims-based authentication to the BIG-IP APM, giving a seamless VPN access experience.
Replace example strings or values in this guide with those in your environment.
Prior experience or knowledge of F5 BIG-IP isn't necessary; however, you need:
- A Microsoft Entra subscription.
  - If you don't have one, you can get an Azure free account or above.
- User identities synchronized from their on-premises directory to Microsoft Entra ID.
- One of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator.
- BIG-IP infrastructure with client traffic routing to and from the BIG-IP.
- A record for the BIG-IP published VPN service in public DNS.
  - Or a test client localhost file while testing.
- The BIG-IP provisioned with the needed SSL certificates for publishing services over HTTPS.
To improve the tutorial experience, you can learn industry-standard terminology on the F5 BIG-IP Glossary.
Add F5 BIG-IP from the Microsoft Entra gallery
Steps in this article may vary slightly based on the portal you start from.
Set up a SAML federation trust between the BIG-IP and Microsoft Entra ID. The trust allows the BIG-IP to hand off pre-authentication and Conditional Access to Microsoft Entra ID before it grants access to the published VPN service.
- Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
- Browse to Identity > Applications > Enterprise applications > All applications, then select New application.
- In the gallery, search for F5 and select F5 BIG-IP APM Azure AD integration.
- Enter a name for the application.
- Select Add then Create.
- The name, as an icon, appears in the Microsoft Entra admin center and Office 365 portal.
Configure Microsoft Entra SSO
- With F5 application properties, go to Manage > Single sign-on.
- On the Select a single sign-on method page, select SAML.
- Select No, I'll save later.
- On the Setup single sign-on with SAML menu, select the pen icon for Basic SAML Configuration.
- Replace the Identifier URL with your BIG-IP published service URL. For example,
- Replace the Reply URL, and the SAML endpoint path. For example,
In this configuration, the application operates in an IdP-initiated mode: Microsoft Entra ID issues a SAML assertion before redirecting to the BIG-IP SAML service.
- For apps that don't support IdP-initiated mode, for the BIG-IP SAML service, specify the Sign-on URL, for example,
- For the Logout URL, enter the BIG-IP APM Single logout (SLO) endpoint pre-pended by the host header of the service being published. For example,
An SLO URL ensures a user session terminates, at both the BIG-IP and Microsoft Entra ID, after the user signs out. BIG-IP APM has an option to terminate all sessions when a specific application URL is called. Learn more in the F5 article, K12056: Overview of the Logout URI Include option.
From TMOS v16, the SAML SLO endpoint has changed to /saml/sp/profile/redirect/slo.
Skip the SSO test prompt.
In User Attributes & Claims properties, observe the details.
You can add other claims to your BIG-IP published service. Claims defined in addition to the default set are issued only if the corresponding attributes exist in Microsoft Entra ID: directory roles or group memberships must be defined against a user object in Microsoft Entra ID before they can be issued as a claim.
SAML signing certificates created by Microsoft Entra ID have a lifespan of three years.
Microsoft Entra authorization
By default, Microsoft Entra ID issues tokens to users with granted access to a service.
- In the application configuration view, select Users and groups.
- Select + Add user.
- In the Add Assignment menu, select Users and groups.
- In the Users and groups dialog, add the user groups authorized to access the VPN.
- Select Select > Assign.
You can set up BIG-IP APM to publish the SSL-VPN service. Configure it with corresponding properties to complete the trust for SAML pre-authentication.
BIG-IP APM configuration
To complete federating the VPN service with Microsoft Entra ID, create the BIG-IP SAML service provider and corresponding SAML IDP objects.
- Go to Access > Federation > SAML Service Provider > Local SP Services.
- Enter a Name and the Entity ID defined in Microsoft Entra ID.
- Enter the Host FQDN to connect to the application.
If the entity ID isn't an exact match of the hostname of the published URL, or isn't in hostname URL format, configure the SP Name settings. For example, if the entity ID is urn:ssl-vpn:contosoonline, provide the external scheme and hostname of the application being published.
- Scroll down to select the new SAML SP object.
- Select Bind/UnBind IDP Connectors.
- Select Create New IDP Connector.
- From the drop-down menu, select From Metadata.
- Browse to the federation metadata XML file you downloaded.
- For the APM object, provide an Identity Provider Name that represents the external SAML IdP.
- To select the new Microsoft Entra external IdP connector, select Add New Row.
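Before importing the downloaded federation metadata into the IdP connector, it is worth confirming what the connector will trust: the IdP entity ID, the SSO and SLO endpoints, and the expiry of the signing certificate (Microsoft Entra SAML signing certificates last three years, and an expired one silently breaks VPN sign-in). The script below is an added example, not part of the Microsoft tutorial or any F5 tooling. It parses an IdP metadata document with the Python standard library only, walking just enough DER to read the certificate's notAfter. The metadata, tenant ID and certificate are constructed placeholders for the example; the function and field names are this example's own.

```python
"""Inspect SAML IdP federation metadata: entity ID, endpoints, signing-cert expiry.
Added example; stdlib only. All sample data below is constructed, not real."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
UTC = dt.timezone.utc


def _tlv(buf, i):
    """Parse the DER TLV at buf[i]; return (tag, content, index after it)."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:
        length, start = first, i + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[i + 2:i + 2 + n], "big")
        start = i + 2 + n
    return tag, buf[start:start + length], start + length


def _children(content):
    """Split the content of a constructed DER value into (tag, content) pairs."""
    out, i = [], 0
    while i < len(content):
        tag, inner, i = _tlv(content, i)
        out.append((tag, inner))
    return out


def _parse_time(tag, value):
    """Decode UTCTime (0x17, RFC 5280 century rule) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = f"{yy + (2000 if yy < 50 else 1900)}{text[2:]}"
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def cert_not_after(der):
    """Return notAfter of a DER certificate: Certificate -> tbsCertificate -> validity."""
    _, cert_body, _ = _tlv(der, 0)
    fields = _children(_children(cert_body)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = _children(fields[3][1])               # serial, sigAlg, issuer, validity
    return _parse_time(*validity[1])                 # [0] notBefore, [1] notAfter


def _der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_placeholder_cert(not_before, not_after):
    """Construct a structurally valid, unsigned placeholder cert (NOT a real cert);
    only the fields up to validity are meaningful, which is all this example reads."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                  # version v3
        _der(0x02, b"\x01"),                                              # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA
        _der(0x30, b""),                                                  # issuer (empty)
        _der(0x30, utc(not_before) + utc(not_after)),                     # validity
        _der(0x30, b""),                                                  # subject (empty)
        _der(0x30, b""),                                                  # SPKI (empty)
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


# Constructed sample shaped like Entra federation metadata; tenant ID is a placeholder.
NOT_AFTER = dt.datetime(2027, 5, 10, 12, 0, 0, tzinfo=UTC)
_CERT_B64 = base64.b64encode(build_placeholder_cert(
    dt.datetime(2024, 5, 10, 12, 0, 0, tzinfo=UTC), NOT_AFTER)).decode()
_T = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{_T}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{_CERT_B64}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{_T}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{_T}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{_T}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def inspect_idp_metadata(xml_text, now=None):
    """Summarize what the IdP connector will trust and how long the signing cert lasts."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    certs = [base64.b64decode("".join(c.text.split())) for c in idp.findall(path, NS)]
    now = now or dt.datetime.now(UTC)
    return {
        "entity_id": root.get("entityID"),
        "sso": {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": [e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)],
        "signing_cert_count": len(certs),
        "days_until_cert_expiry": min((cert_not_after(c) - now).days for c in certs),
    }


def rotation_due(summary, threshold_days=90):
    """True when the signing certificate should be rotated before the VPN breaks."""
    return summary["days_until_cert_expiry"] <= threshold_days


if __name__ == "__main__":
    print(inspect_idp_metadata(SAMPLE_METADATA))
```

Run it against the metadata file you downloaded by passing its text to `inspect_idp_metadata`; feed the `days_until_cert_expiry` value into whatever monitoring you use so the IdP connector's certificate is re-imported before it lapses. The DER walker deliberately reads only up to the validity field, so it gives no assurance about the signature; it is a pre-import inventory check, not a validation of the trust.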
Enable the SSL-VPN to be offered to users via the BIG-IP web portal.
- Go to Access > Webtops > Webtop Lists.
- Enter a portal name.
- Set the type to Full, for example,
- Complete the remaining preferences.
VPN elements control aspects of the overall service.
- Go to Access > Connectivity/VPN > Network Access (VPN) > IPV4 Lease Pools.
- Enter a name for the IP address pool allocated to VPN clients. For example, Contoso_vpn_pool.
- Set type to IP Address Range.
- Enter a start and end IP.
A Network access list provisions the service with IP and DNS settings from the VPN pool, user routing permissions, and can launch applications.
- Go to Access > Connectivity/VPN > Network Access (VPN) > Network Access Lists.
- Provide a name for the VPN access list and caption, for example, Contoso-VPN.
- From the top ribbon, select Network Settings.
- For Supported IP version: IPV4.
- For IPV4 Lease Pool, select the VPN pool created, for example, Contoso_vpn_pool.
Use the Client Settings options to enforce restrictions on how client traffic is routed in an established VPN.
- Go to the DNS/Hosts tab.
- For IPV4 Primary Name Server: your environment DNS IP.
- For DNS Default Domain Suffix: the domain suffix for this VPN connection. For example, contoso.com.
See the F5 article, Configuring Network Access Resources for other settings.
A BIG-IP connection profile is required to configure the VPN client-type settings the VPN service needs to support, for example, Windows, OSX, and Android.
- Go to Access > Connectivity/VPN > Connectivity > Profiles.
- Enter a profile name, for example, Contoso_VPN_Profile.
- Set the parent profile to /Common/connectivity.
For more information on client support, see the F5 article, F5 Access and BIG-IP Edge Client.
Access profile configuration
An access policy enables the service for SAML authentication.
- Go to Access > Profiles/Policies > Access Profiles (Per-Session Policies).
- Enter a profile name, for example, Contoso_network_access.
- For the profile type, select All.
- Scroll down and add at least one language to the Accepted Languages list.
- In the new access profile, on the Per-Session Policy field, select Edit.
- The visual policy editor opens in a new tab.
- Select the + sign.
- In the menu, select Authentication > SAML Auth.
- Select Add Item.
- In the SAML authentication SP configuration, select the VPN SAML SP object you created.
- For the Successful branch of SAML auth, select +.
- From the Assignment tab, select Advanced Resource Assign.
- Select Add Item.
- In the pop-up, select New Entry.
- In the window, select Network Access.
- Select the Network Access profile you created.
- Go to the Webtop tab.
- Add the Webtop object you created.
- To change the Successful branch, select the link in the upper Deny box.
- The Allow label appears.
- Select Apply Access Policy.
- Close the visual policy editor tab.
Publish the VPN service
The APM requires a front-end virtual server to listen for clients connecting to the VPN.
- Select Local Traffic > Virtual Servers > Virtual Server List.
- For the VPN virtual server, enter a Name, for example, VPN_Listener.
- Select an unused IP Destination Address with routing to receive client traffic.
- Set the Service Port to 443 HTTPS.
- For State, ensure Enabled is selected.
- Set the HTTP Profile to http.
- Add the SSL Profile (Client) for the public SSL certificate you created.
- To use the created VPN objects, under Access Policy, set the Access Profile and Connectivity Profile.
Your SSL-VPN service is published and accessible via SHA, either with its URL or through Microsoft application portals.
- Open a browser on a remote Windows client.
- Browse to the BIG-IP VPN service URL.
- The BIG-IP webtop portal and VPN launcher appear.
- Select the VPN tile to install the BIG-IP Edge client and establish a VPN connection configured for SHA.
The F5 VPN application is visible as a target resource in Microsoft Entra Conditional Access. See Conditional Access policies to enable users for Microsoft Entra ID passwordless authentication.