Manual Chapter : Prerequisite items to configure in Azure AD

Applies To:

BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 15.1.10, 15.1.9
Prerequisites to configure

Because the configuration for items on non-F5 products can change, we provide only the details of what needs to be configured, and not the procedures for configuring those items.
In the Microsoft Azure portal, configure the items listed.
  • Create a basic SAML configuration for the first application, which requires only normal authentication:
    • Entity ID: the unique, immutable identifier of the service provider. This value must match the Entity ID of the SAML Service Provider configured on the BIG-IP. For example, https://app.example.com/.
    • Reply URL (Assertion Consumer Service URL): the address, based on the app address, <app-address>/saml/sp/profile/post/acs. For example, https://app.example.com/saml/sp/profile/post/acs.
  • Download the Azure STS Metadata for the application after you have created it. In the SAML Signing Certificate area, next to Federation Metadata XML, click Download.
  • Assign users and groups to the application, using the Users and Groups panel in Azure.
  • Create a basic SAML configuration for the second application, which requires MFA:
    • Entity ID: this is a URI, and matches the BIG-IP virtual server address for the application. For example, https://app.example.com/admin/.
    • Reply URL (Assertion Consumer Service URL): the address, based on the app address, <app-address>/saml/sp/profile/post/acs. Note that this address should be the same as the address for the previous application. For example, https://app.example.com/saml/sp/profile/post/acs.
  • Download the Azure STS Metadata for the application after you have created it. In the SAML Signing Certificate area, next to Federation Metadata XML, click Download.
  • Assign users and groups to the application, using the Users and Groups panel in Azure. The users and groups you configure for this application should be the same as the users and groups you configure for the first application. Only the Conditional Access policy should change.
  • Create a Conditional Access policy for the app that configures multifactor authentication. This policy should include:
    • The policy must specify the cloud app to which the policy applies (for example, the second application, with Entity ID https://app.example.com/admin/, configured above).
    • The policy must specify the users and groups to which the policy applies.
    • The policy must require multifactor authentication.
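As an added example (not code from the F5 manual or from Microsoft), the following Python script checks the two application configurations against the rules above (both reply URLs end in /saml/sp/profile/post/acs and are identical, the Entity IDs differ, and each Entity ID shares its host with the reply URL) and parses a Federation Metadata XML download the way an administrator would before importing it into the BIG-IP. The metadata document, tenant ID and certificate value are constructed placeholders, not real Azure output.

```python
"""Added example: verify Azure AD SAML app settings and parse the downloaded
Federation Metadata XML. Sample metadata below is constructed, not real."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ACS_PATH = "/saml/sp/profile/post/acs"  # ACS path given in the manual

# Constructed stand-in for a Federation Metadata XML download; the tenant id
# and certificate are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...PLACEHOLDER...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# The two applications as described in the manual (example values).
APP_NORMAL = {"entity_id": "https://app.example.com/",
              "reply_url": "https://app.example.com" + ACS_PATH}
APP_MFA = {"entity_id": "https://app.example.com/admin/",
           "reply_url": "https://app.example.com" + ACS_PATH}


def parse_idp_metadata(xml_text):
    """Return the IdP entityID, SSO endpoints keyed by binding, and the
    signing certificates found in the metadata; raise if any are missing."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall(f"{{{MD}}}SingleSignOnService")}
    # KeyDescriptor without a 'use' attribute may be used for signing too.
    certs = [c.text.strip()
             for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
             if kd.get("use", "signing") == "signing"
             for c in kd.iter(f"{{{DS}}}X509Certificate")]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_sp_apps(app1, app2):
    """Check both app configurations against the manual's rules.
    Each app is a dict with 'entity_id' and 'reply_url'. Returns a list of
    problem descriptions; an empty list means the settings are consistent."""
    problems = []
    for name, app in (("first app", app1), ("second app", app2)):
        entity = urlparse(app["entity_id"])
        reply = urlparse(app["reply_url"])
        if reply.scheme != "https":
            problems.append(f"{name}: reply URL must use https")
        if not reply.path.endswith(ACS_PATH):
            problems.append(f"{name}: reply URL must end with {ACS_PATH}")
        if entity.scheme != "https":
            problems.append(f"{name}: entity ID should be an https URI")
        # Entity ID is based on the BIG-IP virtual server address, so its
        # host should be the same host the ACS URL points at.
        if entity.hostname != reply.hostname:
            problems.append(f"{name}: entity ID host differs from reply URL host")
    if app1["entity_id"] == app2["entity_id"]:
        problems.append("both apps share one entity ID; the manual gives each its own")
    if app1["reply_url"] != app2["reply_url"]:
        problems.append("reply URLs differ; both apps must post to the same ACS")
    return problems


if __name__ == "__main__":
    print("config problems:", check_sp_apps(APP_NORMAL, APP_MFA) or "none")
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entityID:", meta["entity_id"])
    for binding, location in meta["sso"].items():
        print(" SSO", binding.rsplit(":", 1)[-1], "->", location)
    print(" signing certs:", len(meta["signing_certs"]))
```

Running it against a real download is a matter of reading the file into parse_idp_metadata; the IdP entityID and HTTP-POST location it returns are the values the BIG-IP SAML IdP connector must carry, and a changed signing certificate is the usual reason a previously working federation starts rejecting assertions.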