Forum Discussion
I have not done this with Azure-365 yet but have done this with ADFS and Okta. Basically you set up the F5 as an SP to the IdP, Okta for example; if you need to choose between IdPs you can use IdP discovery. Now on the remote IdP set up the MFA how you would like. As far as the flow, I normally do SP initiation, so it would start at the F5 APM-enabled VIP, then it redirects/posts you to the IdP, Azure, with a SAML request, and you auth at Azure. Then a POST sends you to the F5 APM VIP with a SAML response. Now from there you can land on a webtop with links to your internal non-federated resources, or you can do what is called IdP chaining, where F5 is now the IdP, and go to another federated resource that is the SP, say Concur, Google, etc., using contents of the SAML, or not. Now, to be honest, with this config there is a bit of iRules needed to seamlessly call the F5 IdP to SP in a chain, because it wants to plop you on a webtop, and handling logouts, SLOs, etc., but that is about it.
I stepped away from this for a while but have now got this working.
My only issue is that Azure has a token lifetime with a minimum of 10 mins, so I don't know how to make the client re-auth with MFA every time they connect.
Cheers and apologies for late response.
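As an added illustration of the SP-initiated flow described in the first reply and of the re-auth concern in the follow-up (example code, not from the thread or from F5), the snippet below builds an SP-side SAML AuthnRequest with ForceAuthn="true" and then checks the AuthnInstant in a constructed sample Response so a cached IdP login older than a chosen window is rejected. It assumes the SP has already validated the Response signature and the entity IDs, URLs and sample XML are constructed placeholders.

```python
# Added example (not from the forum thread): SP-side helpers for an
# SP-initiated SAML flow. Signature and Issuer validation are assumed
# to happen before authn_is_fresh() and are not shown here.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
ET.register_namespace("saml", NS["saml"])
ET.register_namespace("samlp", NS["samlp"])

def build_authn_request(sp_entity_id, acs_url, idp_sso_url, force_authn=True):
    """Return an AuthnRequest; ForceAuthn asks the IdP to re-prompt the user."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element("{%s}AuthnRequest" % NS["samlp"], {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now,
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ForceAuthn": "true" if force_authn else "false"})
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = sp_entity_id
    return ET.tostring(req, encoding="unicode")

def request_forces_authn(request_xml):
    """True if the AuthnRequest carries ForceAuthn="true"."""
    return ET.fromstring(request_xml).get("ForceAuthn") == "true"

def _parse_ts(ts):
    # SAML timestamps are UTC; drop optional fractional seconds.
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def authn_is_fresh(response_xml, max_age, now=None):
    """True only if every AuthnStatement's AuthnInstant is within max_age."""
    now = now or datetime.now(timezone.utc)
    stmts = ET.fromstring(response_xml).findall(".//saml:AuthnStatement", NS)
    if not stmts:            # no authentication statement at all: reject
        return False
    for stmt in stmts:
        inst = _parse_ts(stmt.get("AuthnInstant"))
        if inst > now + timedelta(minutes=1) or now - inst > max_age:
            return False     # future-dated or stale (cached) login
    return True

# Constructed sample Response (placeholder IDs, no signature).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:05Z">
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionIndex="_s1"/>
  </saml:Assertion></samlp:Response>"""
```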