Forum Discussion
ADFS 2.0 Proxy Replacement w/APM for Office 365
Hello,
I've started the process of setting up Active Directory Federation Services 2.0 for Office 365 and found the following article of a 4 part series on how to use APM to replace the ADFS 2.0 Proxy servers.
One problem is that the following article's section for "ACCESS POLICY" creation is vague about how to implement for someone that hasn't been trained on APM or used APM before. How can I achieve what's being suggested by the red arrow? I've tried both the "Variable Assign" and "iRule Event" actions, but neither seems to allow what the image is suggesting.
https://devcentral.f5.com/weblogs/g...o-the.aspx
Can anyone that has had experience setting this up share their notes with the community and myself?
I posted a question at the end of the article, but it hasn't appeared yet in the last 24hrs.
We are running "BIG-IP 11.2.0 Build 2451.0 Hotfix HF1".
Thanks,
Brian
8 Replies
- Greg_Coward
Employee
Hi Brian,
I'll definitely try to help. A couple of questions:
1. Are you configuring APM to pre-authenticate to AD FS (replace the Proxy) for access to O365 for directory synced users?
2. Are you in a hybrid environment (some users using Exchange on-prem and some in O365)?
3. Are you trying to configure SSO for on-premise apps as well as O365?
If the intent is to simply replace the ADFS Proxy servers with APM to access O365, it will be fairly straightforward. I can even send you a BIG-IP config file (UCS) that is set up in our lab.
Thanks,
Greg
- Brian,
Also, with the latest version 11.3 that is about to be released, APM can federate SSO with Office 365 and replace ADFS functionality altogether. I'd love to sync up with you offline and discuss your use case and see if we can do a quick PoC for you. I've got it down to a science now and am in the process of writing the deployment guide for that similar to what Greg has written for ADFS - so we can get you up and running in no time. :)
- BrianG_11931
Nimbostratus
Hi Michael,
I'm interested in using your solution for when the new BIG-IP version 11.3 comes out. Do you know how soon BIG-IP v11.3 will come out?
How can we sync up offline?
I am able to help polish up the deployment guide if need be, as I do a lot of to-the-point "verified" documentation writing.
Thanks,
Brian
- BrianG_11931
Nimbostratus
Hi Greg,
It's great to make your acquaintance and we are still interested in your solution as we're trying to get this feature running ASAP.
1. Yes.
2. Yes.
3. Not now, but I can see that request coming in the future.
Thanks,
Brian
- Brian - I've sent you a friend request with my contact info.
- Max_125226
Nimbostratus
Hi Brian, Michael,
I am also trying to follow the instructions for the Access Policy in that same article: Big-IP and ADFS Part 2 – “APM–An Alternative to the ADFS Proxy”, but as Brian pointed out, once I get to the policy editor, trying to put something in the AD Query and Variable Assign doesn't make sense with the picture in the article.
Were you able to solve this problem?
Apart from the two ADS servers in the LAN, I am also load-balancing a pair of SharePoint environments, an Exchange 2003 (OWA) and an Exchange 2010. Some of the users are being migrated to Office 365, so the idea is to use the BIG-IP as the Proxy for ADFS and get SSO in all those services.
I am using BIG-IP with LTM+APM 11.2.1 FC2, but the box also has 11.3.0 FC 1, so not sure if I should go for the newer version.
Any comments would be appreciated.
Regards
Max.
- I was able to work with Brian to help him implement F5 APM as a SAML IDP for Office365, which allows for complete elimination of the ADFS tier. The feature/capabilities for this are in 11.3.0 and above (we just released 11.4.0 yesterday!), and the documentation about how to implement it is here:
https://devcentral.f5.com/wiki/iApp.BIG-IP-APM-as-SAML-2-0-IdP-for-Microsoft-Office-365.ashx
- Gavin_Connell-O
Nimbostratus
Hi guys,
Just wanting to add to the conversation with my pending transition. I've implemented F5 APM federated Office 365 for students in our university, and we're so happy with how it's working that we're keen to investigate the hybridisation of our on-premises Exchange org (used exclusively for staff) with a new Office 365 tenancy, again using F5 for the federation/SAML aspects of the architecture. So far I've been focussing on getting to grips with the ADFS method of implementation (4 ADFS servers? Ridiculous!) and I can see where my F5 is going to be able to take over those roles. I'll read the article above that Michael has linked to, but I think it might be the same one I looked at to set up federation with our students' Office 365 tenancy? Anyway, I'll post again soon with developments as I make them; this week should be a busy one. Get in touch, anyone, if you would like to discuss our experiences.
Cheers
- Gavin Connell-Otten - Victoria University, NZ