Manual Chapter: Adding subroutines for SAML Auth with and without MFA

Applies To:

  • BIG-IP APM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 15.1.10, 15.1.9

Adding subroutines for SAML Auth with and without MFA

Before you begin, you should have a per-request policy and SAML authentication (AAA) servers configured for authentication both with and without MFA.

Create the subroutines so that the per-request policy can perform continuous checks and reauthenticate the user with SAML, with or without MFA, when the user goes to a specific URL.

  1. From the Main tab, click Access > Profiles / Policies > Per-Request Policies.

  2. Find the policy you want to edit, and in the Per-Request Policy column, click Edit.

  3. In the per-request policy, click Add New Subroutine.

  4. Name the subroutine for use with SAML Auth and MFA. For example, APP Azure SAML Auth + MFA.

  5. Click Save.

  6. Expand the subroutine, and click the plus to add a new item.

  7. Click the Authentication tab, select SAML Auth, and click Add Item.

  8. Select the AAA Server for SAML Authentication with MFA. For example, /Common/app.example.com-azure-mfa.

  9. Click Save.

  10. In the subroutine, click Edit Terminals.

  11. Click Add Terminal.

  12. Select the red color for the new terminal, and name it for the unsuccessful outcome, for example, fail.

    Restriction: You cannot name the failure terminal fallback.

  13. Create another subroutine for SAML Auth without MFA, name it accordingly, and for the AAA Server, select the AAA server configured without MFA.

    Configure the terminals of this subroutine in the same way as in the MFA subroutine.

  14. On the MFA branch of the per-request policy, click the plus symbol.

  15. Click the Subroutines tab, select the SAML Auth with MFA subroutine you created, and click Add Item.

  16. On the non-MFA branch of the per-request policy, click the plus symbol.

  17. Click the Subroutines tab, select the SAML Auth without MFA subroutine you created, and click Add Item.

  18. Add any other items your per-request policy requires.

    The accompanying example shows a completed per-request policy in which the MFA and non-MFA subroutines are selected by URL branching. A Pool Assign macro has also been added, which assigns a static pool after authentication succeeds. The Start of the policy has been removed from the image for clarity.

The per-request policy is now configured.

Next, configure a virtual server for the application, and attach to it both the allow-all access policy and the per-request policy that performs the authentication.