Tutorial: Configure F5 BIG-IP SSL-VPN for Azure AD SSO
In this tutorial, learn how to integrate F5’s BIG-IP based Secure Sockets Layer Virtual Private Network (SSL-VPN) with Azure Active Directory (AD) for Secure Hybrid Access (SHA).
Enabling a BIG-IP SSL-VPN for Azure AD single sign-on (SSO) provides many benefits, including:
- Improved Zero trust governance through Azure AD pre-authentication and Conditional Access
- Password-less authentication to the VPN service
- Manage Identities and access from a single control plane, the Azure portal
To learn about all of the benefits, see Integrate F5 BIG-IP with Azure Active Directory and What is single sign-on in Azure Active Directory?.
Despite these benefits, classic VPNs remain network oriented and often provide little or no fine-grained access control to individual corporate applications. For this reason, we encourage moving to a more identity-centric approach to achieving Zero Trust access on a per-application basis.
Scenario description
In this scenario, the BIG-IP APM instance of the SSL-VPN service will be configured as a SAML Service Provider (SP) and Azure AD becomes the trusted SAML IDP. SSO from Azure AD is then provided through claims-based authentication to the BIG-IP APM, providing a seamless VPN access experience.

Note
All example strings or values referenced throughout this guide should be replaced with those for your actual environment.
Prerequisites
Prior experience or knowledge of F5 BIG-IP isn't necessary, however, you'll need:
An Azure AD free subscription or above
User identities should be synchronized from their on-premises directory to Azure AD.
An account with Azure AD application admin permissions
An existing BIG-IP infrastructure with routing of client traffic to and from the BIG-IP or deploy a BIG-IP Virtual Edition into Azure.
A record for the BIG-IP published VPN service will need to exist in public DNS, or in a test client’s local hosts file while testing
The BIG-IP should be provisioned with the necessary SSL certificates for publishing services over HTTPS.
Familiarizing yourself with F5 BIG-IP terminology will also help understand the various components referenced throughout the tutorial.
Note
Azure is constantly evolving, so don’t be surprised if you find nuances between the instructions in this guide and what you see in the Azure portal. Screenshots are from BIG-IP v15, but the screens remain relatively similar from v13.1 onward.
Add F5 BIG-IP from the Azure AD gallery
Setting up a SAML federation trust between the BIG-IP and Azure AD allows the BIG-IP to hand off pre-authentication and Conditional Access to Azure AD before granting access to the published VPN service.
Sign in to the Azure AD portal using an account with application admin rights
From the left navigation pane, select the Azure Active Directory service
Go to Enterprise Applications and from the top ribbon select New application.
Search for F5 in the gallery and select F5 BIG-IP APM Azure AD integration.
Provide a name for the application, followed by Add/Create to add it to your tenant. Users see this name as an icon in the Azure and Office 365 application portals, so it should reflect that specific service. For example, VPN.
Configure Azure AD SSO
With your new F5 application properties in view, go to Manage > Single sign-on.
On the Select a single sign-on method page, select SAML. Skip the prompt to save the single sign-on settings by selecting No, I’ll save later.
On the Setup single sign-on with SAML menu, select the pen icon for Basic SAML Configuration to provide the following details:
Replace the pre-defined Identifier URL with the URL for your BIG-IP published service. For example, https://ssl-vpn.contoso.com
Do the same with the Reply URL text box, including the SAML endpoint path. For example, https://ssl-vpn.contoso.com/saml/sp/profile/post/acs
In this configuration alone the application would operate in an IDP initiated mode, where Azure AD issues the user a SAML assertion before redirecting to the BIG-IP SAML service. For apps that don’t support IDP initiated mode, specify the Sign-on URL for the BIG-IP SAML service. For example, https://ssl-vpn.contoso.com
For the Logout URL, enter the BIG-IP APM Single logout (SLO) endpoint prefixed with the host header of the service being published. For example, https://ssl-vpn.contoso.com/saml/sp/profile/redirect/slr
Providing an SLO URL ensures a user session is terminated at both ends, the BIG-IP and Azure AD, after the user signs out. BIG-IP APM also provides an option for terminating all sessions when a specific application URL is called.
Note
From TMOS v16 the SAML SLO endpoint has changed to /saml/sp/profile/redirect/slo
- Select Save before exiting the SAML configuration menu and skip the SSO test prompt.
Observe the properties of the User Attributes & Claims section, as Azure AD will issue these to users for BIG-IP APM authentication.

Feel free to add any other specific claims your BIG-IP published service might expect, noting that any claims defined in addition to the default set will only be issued if the corresponding attributes are populated in Azure AD. In the same way, directory roles or group memberships also need to be defined against a user object in Azure AD before they can be issued as a claim.

SAML signing certificates created by Azure AD have a lifespan of three years, so they need to be managed according to Azure AD published guidance.
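The Basic SAML Configuration above is easy to get subtly wrong (a Reply URL without the ACS path, or the pre-v16 SLO path on a newer TMOS). The following added example, which is not part of the original tutorial or F5's or Microsoft's code, derives the four URLs Azure AD should hold for a given published hostname and TMOS major version, then checks a configuration against them; it also flags a non-hostname entity ID, the case where the BIG-IP SP Name settings are required. The sample configuration values are constructed from the tutorial's contoso examples.

```python
from urllib.parse import urlsplit

# Endpoint paths as given in the tutorial; the SLO path changed in TMOS v16.
ACS_PATH = "/saml/sp/profile/post/acs"
SLO_PATH_PRE_V16 = "/saml/sp/profile/redirect/slr"
SLO_PATH_V16 = "/saml/sp/profile/redirect/slo"


def expected_saml_endpoints(host: str, tmos_major: int) -> dict:
    """Identifier, Reply, Sign-on and Logout URLs Azure AD should hold for a
    BIG-IP SP published at https://<host> on the given TMOS major version."""
    base = f"https://{host}"
    slo_path = SLO_PATH_V16 if tmos_major >= 16 else SLO_PATH_PRE_V16
    return {
        "identifier": base,
        "reply_url": base + ACS_PATH,
        "sign_on_url": base,
        "logout_url": base + slo_path,
    }


def sp_name_settings_required(entity_id: str, host: str) -> bool:
    """True when BIG-IP 'SP Name settings' are needed: the entity ID is not a
    hostname-based URL, or its host differs from the published FQDN."""
    parts = urlsplit(entity_id)
    return parts.scheme not in ("http", "https") or parts.hostname != host.lower()


def check_basic_saml_config(config: dict, host: str, tmos_major: int) -> list:
    """Compare an Azure AD Basic SAML Configuration (dict of the four URLs)
    with the expected values; returns findings, empty when consistent."""
    findings = []
    for key, want in expected_saml_endpoints(host, tmos_major).items():
        got = config.get(key)
        if got is None:
            findings.append(f"{key}: missing (expected {want})")
        elif key == "identifier" and sp_name_settings_required(got, host):
            findings.append(f"identifier: {got} is not the published hostname URL; "
                            "SP Name settings are required on the BIG-IP SP")
        elif got.rstrip("/") != want.rstrip("/"):
            findings.append(f"{key}: {got} (expected {want})")
    return findings


# Constructed sample: values from a v15-era setup, i.e. still the 'slr' SLO path.
SAMPLE_CONFIG = {
    "identifier": "https://ssl-vpn.contoso.com",
    "reply_url": "https://ssl-vpn.contoso.com" + ACS_PATH,
    "sign_on_url": "https://ssl-vpn.contoso.com",
    "logout_url": "https://ssl-vpn.contoso.com" + SLO_PATH_PRE_V16,
}
```

Running `check_basic_saml_config(SAMPLE_CONFIG, "ssl-vpn.contoso.com", 16)` reports only the stale Logout URL, which is exactly the item to fix after a TMOS upgrade.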
Azure AD authorization
By default, Azure AD will only issue tokens to users that have been granted access to a service.
Still in the application’s configuration view, select Users and groups
Select + Add user and in the Add Assignment menu select Users and groups
In the Users and groups dialog, add the groups of users that are authorized to access the VPN, followed by Select > Assign

- This completes the Azure AD part of the SAML federation trust. The BIG-IP APM can now be set up to publish the SSL-VPN service and configured with a corresponding set of properties to complete the trust, for SAML pre-authentication.
BIG-IP APM configuration
SAML federation
The following section creates the BIG-IP SAML service provider and corresponding SAML IDP objects required to complete federating the VPN service with Azure AD.
- Go to Access > Federation > SAML Service Provider > Local SP Services and select Create

- Enter a Name and the same Entity ID value you defined in Azure AD earlier, and the Host FQDN that will be used to connect to the application

SP Name settings are only required if the entity ID isn't an exact match of the hostname portion of the published URL, or if it isn’t in regular hostname-based URL format. Provide the external scheme and hostname of the application being published if the entity ID is, for example, urn:ssl-vpn:contosoonline.
- Scroll down to select the new SAML SP object and select Bind/UnBind IDP Connectors.

- Select Create New IDP Connector and from the drop-down menu select From Metadata

Browse to the federation metadata XML file you downloaded earlier and provide an Identity Provider Name for the APM object that will represent the external SAML IDP
Select Add New Row to select the new Azure AD external IDP connector.

- Select Update to bind the SAML SP object to the SAML IDP object, then select OK.

Webtop configuration
The following steps enable the SSL-VPN to be offered to users via BIG-IP’s proprietary web portal.
Go to Access > Webtops > Webtop Lists and select Create.
Give the portal a name and set the type to Full. For example, Contoso_webtop. Adjust the remaining preferences then select Finished.

VPN configuration
The VPN capability is made up of several elements, each controlling a different aspect of the overall service.
Go to Access > Connectivity/VPN > Network Access (VPN) > IPV4 Lease Pools and select Create.
Provide a name for the pool of IP addresses being allocated to VPN clients. For example, Contoso_vpn_pool
Set type to IP Address Range and provide a start and end IP, followed by Add and Finished.

A Network access list provisions the service with IP and DNS settings from the VPN pool, user routing permissions, and could also launch applications if necessary.
Go to Access > Connectivity/VPN > Network Access (VPN) > Network Access Lists and select Create.
Provide a name and caption for the VPN access list, for example, Contoso-VPN, followed by Finished.

From the top ribbon, select Network Settings and add the below settings:
• Supported IP version: IPV4
• IPV4 Lease Pool: Select the VPN pool created earlier, for example, Contoso_vpn_pool

The Client Settings options can be used to enforce restrictions on how the client traffic is routed when a VPN is established.
Select Finished and go to the DNS/Hosts tab to add the settings:
• IPV4 Primary Name Server: IP of your environment's DNS server
• DNS Default Domain Suffix: The domain suffix for this specific VPN connection. For example, contoso.com

F5’s documentation provides details on adjusting the remaining settings according to your preference.
A BIG-IP connection profile is now required to configure the settings for each of the VPN client types that the VPN service needs to support. For example, Windows, OSX, and Android.
Go to Access > Connectivity/VPN > Connectivity > Profiles and select Add.
Provide a profile name, for example, Contoso_VPN_Profile, and set the parent profile to /Common/connectivity.

F5’s documentation provides more details on client support.
Access profile configuration
With the VPN objects configured, an access policy is required to enable the service for SAML authentication.
Go to Access > Profiles/Policies > Access Profiles (Per-Session Policies) and select Create
Provide a profile name, for example, Contoso_network_access, and for the profile type select All
Scroll down to add at least one language to the Accepted Languages list and select Finished

- Select Edit on the Per-Session Policy field of the new access profile, for the visual policy editor to launch in a separate browser tab.

Select the + sign and in the pop-up select Authentication > SAML Auth > Add Item.
In the SAML authentication SP configuration, select the VPN SAML SP object you created earlier, followed by Save.

Select + for the Successful branch of SAML auth.
From the Assignment tab, select Advanced Resource Assign followed by Add Item

In the pop-up, select New Entry and then Add/Delete.
In the child window, select Network Access and then select the Network Access profile created earlier

- Switch to the Webtop tab and add the Webtop object created earlier.

Select Update followed by Save.
Select the link in the upper Deny box to change the Successful branch to Allow then Save.

- Commit those settings by selecting Apply Access Policy and close the visual policy editor tab.

Publish the VPN service
With all the settings in place, the APM now requires a front-end virtual server to listen for clients connecting to the VPN.
Select Local Traffic > Virtual Servers > Virtual Server List and select Create.
Provide a Name for the VPN virtual server, for example, VPN_Listener.
Provide the virtual server with an unused IP Destination Address that has routing in place to receive client traffic
Set the Service Port to 443 HTTPS and ensure the state shows Enabled

- Set the HTTP Profile to http and add the SSL Profile (Client) for the public SSL certificate you provisioned as part of the prerequisites.

- Under Access Policy, set the Access Profile and Connectivity Profile to use the VPN objects created.

Select Finished when done.
Your SSL-VPN service is now published and accessible via SHA, either directly via its URL or through Microsoft’s application portals.
Next steps
Open a browser on a remote Windows client and browse to the URL of the BIG-IP VPN service. After authenticating to Azure AD, you'll see the BIG-IP webtop portal and VPN launcher.

Selecting the VPN tile will install the BIG-IP Edge client and establish a VPN connection configured for SHA. The F5 VPN application should also be visible as a target resource in Azure AD Conditional Access. See our guidance for building Conditional Access policies and also enabling users for Azure AD password-less authentication.