Manual Chapter : Creating a local Service Provider for MFA with Azure AD

Applies To:

  • BIG-IP APM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 15.1.10, 15.1.9

back-action Seamless SSO: Azure with SAML and MFA

Updated Date: 04/30/2026

Creating a local Service Provider for MFA with Azure AD

Create the local service provider to provide the authentication object that you can reference for MFA in the SAML Auth item in the per-request policy.

  1. On the Main tab, click Access > Federation > SAML Service Provider > Local SP Services.

  2. Click Create.

  3. Specify the app URI for the Entity ID for which you specified MFA on Azure.

    For example, https://app.example.com/admin/.

  4. Select the Scheme, and specify the Host URL.

    For example, app.example.com.

    Note: The Host field should contain the same URL as the non-MFA Service Provider.

  5. Click Security Settings.

  6. Select Sign Authentication Request and select the Message Signing Private Key and Message Signing Certificate.

  7. Click Advanced.

  8. Select Allow Name-Identifier Creation.

  9. From the list, select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

  10. Click OK.

  11. Click Bind/Unbind IdP Connectors.

  12. Click Add New Row.

  13. Select the IdP connector you created for the MFA application.

  14. Click Update, then click OK.