I created a .NET Core app with Azure AD authentication. This means the callback URL is /signin-oidc. When I run the app directly, everything is fine, and I can log in using Azure AD, but when I put the app behind a Big-IP, I cannot. I get a message saying "The reply url specified in the request does not match the reply urls configured for the application".

The app is running on an internal host, say http://my.internal.private/. It is reachable externally on https://my.external.public/ so https://my.external.public/signin-oidc is also configured as a reply URL. It is also reachable when debugging on https://localhost:12345/ so I have also configured https://localhost:12345/signin-oidc as a reply URL.

When I run the app locally, everything works fine, but when I try to run it behind the Big-IP, which forwards https://my.external.public/ to http://my.internal.private/, things do not work and I get the error above.

Error: The reply url specified in the request does not match the reply urls configured for the application

1 Answer

The reply / redirect URL for OpenID Connect is based on your browser's viewpoint. If you have 3 different hostnames for the same site, you should be able to simply add these 3 URLs to the allowed list. Alternatively for more realistic testing you could add a static host record to your local PC so that the external hostname you've registered with Azure matches your dev environment. This ensures that your local development environment matches exactly with the production environment.

You've perhaps read this, but here's MS help on this topic: https://docs.microsoft.com/en-us/azure/active-directory/develop/reply-url
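Added illustration, not code from the question or the answer: the OpenID Connect handler builds redirect_uri from the scheme and host of the request it actually receives, so behind the Big-IP the app sees http://my.internal.private/ and sends http://my.internal.private/signin-oidc, which is not on the registered list. The ASP.NET Core forwarded-headers middleware below restores the browser-facing scheme and host from the proxy's X-Forwarded-Proto / X-Forwarded-Host headers and adds a diagnostic endpoint to check what redirect_uri the app would send. It assumes the Big-IP sits at 10.0.0.1 (placeholder) and is configured to send those headers; the Azure AD authentication registration is the questioner's own and is omitted.

```csharp
// Program.cs (ASP.NET Core minimal hosting). Added example, not the questioner's app.
// Assumptions: the Big-IP at 10.0.0.1 (placeholder) terminates TLS for
// https://my.external.public/ and adds X-Forwarded-Proto and X-Forwarded-Host
// to the request it forwards to http://my.internal.private/.
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Restore the scheme and host the browser used from the proxy's headers.
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                             | ForwardedHeaders.XForwardedProto
                             | ForwardedHeaders.XForwardedHost;

    // Honour these headers only when the request arrives from the Big-IP.
    // By default only loopback is trusted, so headers from a proxy on
    // another address would be ignored; keep the trusted list explicit.
    options.KnownProxies.Clear();
    options.KnownProxies.Add(IPAddress.Parse("10.0.0.1"));   // placeholder address

    // Accept X-Forwarded-Host only for the registered public name, so a
    // forged header cannot steer redirect_uri to an unexpected host.
    options.AllowedHosts.Add("my.external.public");
});

// Azure AD authentication services (AddAuthentication + OpenID Connect) are
// registered here in the original app; omitted from this example.

var app = builder.Build();

// Must run before authentication so the OpenID Connect handler builds
// redirect_uri from the public scheme/host instead of the internal one.
app.UseForwardedHeaders();

// Diagnostic endpoint: shows the redirect_uri the app would send to Azure AD.
// Through the Big-IP it should return https://my.external.public/signin-oidc;
// http://my.internal.private/signin-oidc means the forwarded headers are not
// arriving or the proxy address is not in KnownProxies. Remove after debugging.
app.MapGet("/debug/redirect-uri", (HttpContext ctx) =>
    $"{ctx.Request.Scheme}://{ctx.Request.Host}/signin-oidc");

// app.UseAuthentication() and the rest of the pipeline follow here.

app.Run();
```

With this in place only https://my.external.public/signin-oidc needs to be registered for the proxied path, and the internal hostname never appears in a redirect_uri. The KnownProxies and AllowedHosts restrictions matter: without them any client that can reach the internal listener directly could supply its own X-Forwarded-Host and influence where the sign-in callback is sent.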