articles/active-directory-b2c/partner-f5.md
39 additions & 34 deletions
@@ -10,7 +10,7 @@ ms.service: active-directory
10
10
ms.subservice: B2C
11
11
ms.workload: identity
12
12
ms.topic: how-to
13
-
ms.date: 03/16/2023
13
+
ms.date: 03/20/2023
14
14
---
15
15
16
16
# Tutorial: Enable secure hybrid access for applications with Azure Active Directory B2C and F5 BIG-IP
@@ -361,15 +361,15 @@ To learn more BIG-IP iRules, go to support.f5.com for [K42052145: Configuring au
361
361
362
362
**Optimized login flow**
363
363
364
-
One optional step for improving the user login experience would be to suppress the OAuth logon prompt displayed to users before Azure AD pre-authentication.
364
+
To improving the user sign-in experience, suppress the OAuth user sign-in prompt displayed before Azure AD pre-authentication.
365
365
366
366
1. Navigate to **Access** > **Guided Configuration**.
367
367
2. On the far right of the row, select the **padlock** icon.
368
368
3. The header-based application unlocks the strict configuration.
369
369
370
370

371
371
372
-
Unlocking the strict configuration prevents changes with the wizard UI. BIG-IP objects associated with the published instance of the application and open for direct management.
372
+
Unlocking the strict configuration prevents changes with the wizard UI. BIG-IP objects are associated with the published instance of the application, and are open for direct management.
5. For the application policy opject, in the **Per-Session Policy** column, select **Edit**.
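Review bot: the rewritten intro sentence at new line 364 has a grammar slip, "To improving the user sign-in experience" should read "To improve the user sign-in experience"; the rewrite also drops "optional", which the old line 364 used to tell the reader this step is not required, so consider "Optionally, to improve the user sign-in experience, suppress the OAuth sign-in prompt displayed before Azure AD pre-authentication." The unchanged context line "5. For the application policy opject" carries a pre-existing typo ("object") that could be fixed in the same commit.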
@@ -384,60 +384,65 @@ Unlocking the strict configuration prevents changes with the wizard UI. BIG-IP o
384
384
8. In the top left corner, select **Apply Access Policy**.
385
385
9. Close the visual editor tab.
386
386
387
-
The next attempt at connecting to the application should take you straight to the Azure AD B2C sign-in page.
387
+
When you attempt to connect to the application, the Azure AD B2C sign-in page appears.
388
388
389
389
>[!Note]
390
-
>Re-enabling strict mode and deploying a configuration will overwrite any settings performed outside of the Guided Configuration UI, so implementing this scenario by manually creating all configuration objects is recommended for production services.
390
+
>If you re-enable strict mode and deploy a configuration, settings performed outside the Guided Configuration UI are overwritten. Implement this scenario by manually creating configuration objects for production services.
391
391
392
392
### Troubleshooting
393
393
394
-
Failure to access the protected application could be down to any number of potential factors, including a misconfiguration.
394
+
Use the following troubleshooting guidance if access to the protected application is prevented.
395
395
396
-
BIG-IP logs are a great source of information for isolating all authentication and SSO issues. If troubleshooting you should increase the log verbosity level.
396
+
#### Log verbosity
397
397
398
-
1. Go to **Access Policy** > **Overview** > **Event Logs** > **Settings**.
398
+
BIG-IP logs have information to isolate authentication and SSO issues. Increase the log verbosity level.
399
399
400
+
1. Go to **Access Policy** > **Overview** > **Event Logs** > **Settings**.
400
401
2. Select the row for your published application then **Edit** > **Access System Logs**.
402
+
3. From the SSO list, select **Debug**.
403
+
4. Select **OK**.
404
+
5. Before reviewing logs, reproduce your issue.
405
+
406
+
When complete, revert the previous settings.
407
+
408
+
#### BIG-IP error message
401
409
402
-
3. Select **Debug** from the SSO list then, select **OK**. You can now reproduce your issue before looking at the logs but remember to switch this back when finished.
403
-
404
-
- If you see a BIG-IP branded error immediately after successful Azure AD B2C authentication, it’s possible the issue relates to SSO from Azure AD to the BIG-IP.
410
+
If you see a BIG-IP error message after Azure AD B2C authentication, the issue might relate to SSO from Azure AD to the BIG-IP.
405
411
406
412
1. Navigate to **Access** > **Overview** > **Access reports**.
413
+
2. Run the report for the last hour
414
+
3. Review logs for clues.
415
+
4. Select the **View session variables** link.
416
+
5. Determine if the APM receives the expected Azure AD claims.
407
417
408
-
2. Run the report for the last hour to see logs provide any clues. The View session variables link for your session will also help understand if the APM is receiving the expected claims from Azure AD.
418
+
#### No BIG-IP error message
409
419
410
-
-If you don’t see a BIG-IP error page, then the issue is probably more related to the backend request or SSO from the BIG-IP to the application.
420
+
If no BIG-IP error message appears, the issue might be related to the back-end request, or SSO from the BIG-IP to the application.
411
421
412
422
1. Go to **Access Policy** > **Overview** > **Active Sessions**.
413
-
414
423
2. Select the link for your active session.
424
+
3. Select the **View Variables** link.
425
+
4. Review to determine root cause, particularly if the BIG-IP APM obtains inaccurate session attributes.
426
+
5. Use the application logs to help understand if it received the attributes as headers.
415
427
416
-
- The View Variables link in this location may also help determine root cause, particularly if the BIG-IP APM fails to obtain the right session attributes.
417
-
Your application’s logs would then help understand if it received those attributes as headers, or not.
428
+
#### Guided Configuration v8 known issue
418
429
419
-
-If using Guided Configuration v8, be aware of a known issue that generates the following BIG-IP error, after successful Azure AD B2C authentication.
430
+
If using Guided Configuration v8, a known issue generates the following error after successful Azure AD B2C authentication. The issue might be the AGC not enabling the Auto JWT setting during deployment. The APM can't obtain the current token signing keys. F5 engineering is investigating root cause.
420
431
421
-

432
+

422
433
423
-
This is a policy violation due to the BIG-IP’s inability to validate the signature of the token issued by Azure AD B2C. The same access log should be able to provide more detail on the issue.
434
+
The same access log provides detail.
424
435
425
-

436
+

426
437
427
-
Exact root cause is still being investigated by F5 engineering, but issue appears related to the AGC not enabling the Auto JWT setting during deployment, thereby preventing the APM from obtaining the current token signing keys.
438
+
**Manually enable the setting**
428
439
429
-
Until resolved, one way to work around the issue is to manually enable this setting.
430
-
431
-
1. Navigate to **Access** > **Guided Configuration** and select the small padlock icon on the far right of the row for your header-based application.
432
-
433
-
2. With the managed configuration unlocked, navigate to **Access** > **Federation** > **OAuth Client/Resource Server** > **Providers**.
434
-
435
-
3. Select the provider for your Azure AD B2C configuration.
436
-
437
-
4. Check the **Use Auto JWT** box then select **Discover**, followed by **Save**.
438
-
439
-
You should now see the Key (JWT) field populated with the key ID (KID) of the token signing certificate provided through the OpenID URI metadata.
440
-
441
-
5. Finally, select the yellow **Apply Access Policy** option in the top left-hand corner, located next to the F5 logo. Then select **Apply** again to refresh the access profile list.
440
+
1. Navigate to **Access** > **Guided Configuration**.
441
+
2. select the small padlock icon on the far right of the row for your header-based application.
442
+
3. With the managed configuration unlocked, navigate to **Access** > **Federation** > **OAuth Client/Resource Server** > **Providers**.
443
+
4. Select the provider for your Azure AD B2C configuration.
444
+
5. Check the **Use Auto JWT** box then select **Discover**, followed by **Save**.
445
+
6. You should now see the Key (JWT) field populated with the key ID (KID) of the token signing certificate provided through the OpenID URI metadata.
446
+
7. Finally, select the yellow **Apply Access Policy** option in the top left-hand corner, located next to the F5 logo. Then select **Apply** again to refresh the access profile list.
442
447
443
448
See F5’s guidance for more [OAuth client and resource server troubleshooting tips](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/37.html#GUID-774384BC-CF63-469D-A589-1595D0DDFBA2)
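Review bot: the known-issue rewrite (new lines 430-434) drops the one sentence that tells the reader what the error screenshot means: old line 423, "This is a policy violation due to the BIG-IP's inability to validate the signature of the token issued by Azure AD B2C", is gone, and the new line 434 "The same access log provides detail." now has nothing for "the same" to refer to. Suggest restoring it, e.g. "The error is a policy violation because the BIG-IP can't validate the signature of the token issued by Azure AD B2C. The access log provides more detail." At new line 430 the causal link from old line 427 is also lost: "The APM can't obtain the current token signing keys" should be tied to the Auto JWT setting ("... not enabling the Auto JWT setting during deployment, which prevents the APM from obtaining the current token signing keys"), and the heading at line 438 should keep the old line 429 framing ("Until resolved, one way to work around the issue is to manually enable this setting") so readers know the steps are a workaround rather than the fix. Minor points: new line 410 drops "immediately after successful", which is the diagnostic cue that distinguishes an SSO failure from an authentication failure; new line 413 "Run the report for the last hour" lacks a period; new line 441 starts lowercase ("select the small padlock icon").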