Forum Discussion

Terry_77423
Sep 30, 2016

ADFS 3.0 and APM O365

We are in the early stages of the design of an ADFS 3.0 implementation, and we would like to use APM to provide the functionality of the ADFS proxy in our DMZ. According to this article https://devcentral.f5.com/articles/big-ip-and-adfs-part-2-ndash-ldquoapmndashan-alternative-to-the-adfs-proxyrdquo it should work. However, this document says that SSL termination is not an option: https://blogs.technet.microsoft.com/applicationproxyblog/2014/07/04/ssl-termination-with-web-application-proxy-and-ad-fs-2012-r2/

 

It is still unclear to me regarding the full ecosystem, but from what I gather a sticking point might be ActiveSync, as the authentication for ActiveSync will be proxied from the cloud to our ADFS, and a client certificate of O365 might need to be passed to the backend ADFS servers.

 

Can anyone speak of replacing the WAP/ADFS proxy in an ADFS 3.0 implementation with F5 APM, and any possible sticking points that they have experienced?

 

Terry

 

  • Terry,

     

    What Stanislas has posted is correct. May I ask why you are using ADFS 3.0 with Office 365? Are there any specific requirements that drive you towards that? APM can also perform federation of users to Office 365 (and a bunch of other popular SaaS applications). I'd suggest you take a look at this guide and see if it makes sense to deploy APM as the IDP:

     

    https://www.f5.com/pdf/deployment-guides/saml-idp-saas-dg.pdf
    https://f5.com/solutions/deployment-guides/microsoft-office-365-saml-idp-big-ip-v11-apm

     

    • Terrence

      To be truthful, this was a decision made without having F5 in mind. Although we have been using F5 very successfully for OWA preauthentication for quite some time, I don't even think it came up as a possible solution. We now have a consultant onsite with the specific mandate to deploy ADFS, so we are deploying ADFS.

       
