Prepopulate APM Username From O365 Login

emojiF5’s Access Policy Manager (APM) offers many compelling security and optimization features for Microsoft’s Active Directory Federation Services (ADFS) – more info in the APM/ADFS Deployment Guide.  Odds are if you’re deploying ADFS you’re also using or looking at Office 365.  Normally, when you login to O365 you will be redirect to a Home Realm Discovery page,  This page does 2 things:

  1. determines if you’re a federated users (i.e. you use another authentication source like F5, MS ADFS, Okta, …. <insert long list of IDMs on the market today>).
  2. if you’re not a federated user, authenticate you against Azure AD.
Office 365 Empty Login Page

So when you type in your email address Microsoft parses the domain name and automatically redirects you to your local APM/ADFS environment for authentication – pretty nice! However, when you land at the APM login page you notice the username field is empty and you have to enter your username or email address (depending on how APM is configured for authentication) again.

You can fix this by customizing the APM Visual Policy Editor to look for O365 to ADFS logins and prepopulate the username.

Username Prepopulated from O365

So what does the APM configuration look like?

Final VPE

Step 1: Create an object to detect O365 to ADFS Login 

  1. Click the (+) button on the Start fallback branch
  2. In the search box type empty and select the Empty resource then click “Add Item”
  3.  Name the resource O365 Login
  4. Click on the “Branch Rules” tab and click “Add Branch Rule”
  5. Name the branch “Yes” and add the following expression via the advance tab
    • expr {[mcget {session.server.landinguri}] contains “username=”}
  6. Click Save


Detect O365 Login


Step 2: Extract the Username from the O365 Redirect Request

When the user enters their email address into the O365 login this data is included in the GET request back to the APM/ADFS environment.

O365 Login with Federation Redirect
O365 Redirecting to APM/ADFS

To capture this data we’ll need to create perform the following steps:

  1. Click the (+) button on the Yes branch off of O365 Login
  2. In the search box type variable and select the Variable Assign resource then click “Add Item”
  3. Name the resource “set username from O365” and add the following variables

session.logon.last.username = expr {[string range [mcget {session.server.landinguri}] [mcget {session.custom.pos_username}] [mcget {session.custom.pos_at_sign}]] }

session.custom.pos_at_sign = expr {[string first “%40” [mcget {session.server.landinguri}]] – 1}

session.custom.pos_username = expr {[string first “username=” [mcget {session.server.landinguri}]] + 9}

Click “Finished” and then click “Save”

Set Custom Variables

Step 3: Customize the APM Logon Page

Now that we have the username we need to prepopulate it on the APM Logon page and set the form variable to read only.

  1. Click the (+) button on the “set username from O365” fallback branch
  2. Select “Logon Page’ then click “Add Item”
  3. Name the resource “O365 Logon Page”
  4. Change the “Read Only” setting for field 1 to “Yes”
  5. Click  “Save”
APM Logon Page

The remainder of the VPE configurations are basic and are not covered in this article to keep it from being a novel.

That’s it!  Now you’re user’s only have to enter their information once which will definitely make them happier.

10 thoughts on “Prepopulate APM Username From O365 Login

  1. Great article. One item you should correct is 3.1 “Click the (+) button on the “set username to UPN” fallback branch” should be “Click the (+) button on the “set username from O365” fallback branch”.

    For some reason, O365 isn’t sending the username, when doing the GET request on my system, so I’m unable to populate the username field. Any idea what would cause this, or have they changed the functionality removing it?

    1. They functionality hasn’t been removed but I have seen issues where the username is not the first object in the payload with an equal sign.. i.e. there is another something=value before username. Let me know if you can post a sanitized version of your payload and I’ll take a look.

  2. Great article Cody. One question, When I am using the above expression in variable assign, I am not able to save it. Is there any reason behind it. I just copied and pasted there. Please advise me.


      1. Thank you Cody. It is working now and I entered those manually. I have one more question on APM if you can answer that, it will be very helpful to me. I am working on one policy and that policy has to authenticate Local DB users and AD users but I am not able to make it that success. Might be I am missing something. Can you please check below policy.

  3. Hi Cody,

    Thank you for this. I got it working. I would like to understand the significance of the ‘+9’ and ‘-1’ in the session variables. Also, how can i insert the UPN instead of the sAMAccountname.


    1. These TCL string operations are trying to extract the required variable out of landing URL on the F5 APM. So I’m looking for the @ sign in the landing URI (the -1 is so I don’t include it) then I look for username= (which is 9 characters and is why you see the +9). The username is everything between these two points in the string.

  4. Thanks. That’s what I was thinking as well. So by not including the @ sign you are stripping away anything that comes after the @ sign which in effect leaves you with the sAMAccountname. How would I modify this to include the domain name (i.e UPN)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.