Stanislas_Piron
Sep 15, 2016 (Nimbostratus)
APM replacing ADFS proxy 3.0: different behavior based on user agent value
Hi,
I am deploying F5 APM as an ADFS proxy using deployment guide v1.4.
I configured AD auth and NTLM SSO.
When authenticating with Firefox, SSO does not work and the ADFS server requests form-based authentication (it is my default test browser and I did not try with IE). I searched on DevCentral whether there is anything else to configure to support ADFS 3.0.
I found this article about configuring form-based authentication on the ADFS server.
To support ADFS proxy for any browser, I customized the iRule provided in the deployment guide like this:
when HTTP_REQUEST {
    set keepua 0
    # For external Lync client access all external requests to the
    # /trust/mex URL must be routed to /trust/proxymex. Analyze and modify the URI
    # where appropriate
    HTTP::uri [string map {/trust/mex /trust/proxymex} [HTTP::uri]]
    # Analyze the HTTP request and disable access policy enforcement for WS-Trust calls
    if {[HTTP::uri] contains "/adfs/services/trust"} {
        ACCESS::disable
        set keepua 1
    }
    # OPTIONAL ---- To allow publishing of the federation service metadata
    if {[HTTP::uri] ends_with "FederationMetadata/2007-06/FederationMetadata.xml"} {
        ACCESS::disable
        set keepua 1
    }
    # For all other requests, replace the client User-Agent with one the ADFS server accepts for NTLM auth
    if { !($keepua) } { HTTP::header replace "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko msie7" }
}
It replaces the client User-Agent with one supported by the ADFS server for NTLM auth.
Am I the first to get this error? Is there a better solution to solve this issue?
Regards,
Stanislas
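An added check (my own example, not from the deployment guide or the poster) that, for each candidate User-Agent, reports whether the ADFS sign-in endpoint answers with a Windows Integrated (NTLM/Negotiate) challenge or with the form page, so the rewrite can be verified end to end; the ADFS host and the wtrealm value are assumed placeholders.

```python
import urllib.request
import urllib.error
# Assumed placeholder: point this at your own ADFS server (or the APM virtual
# server in front of it); the wtrealm value is a constructed sample.
ADFS_URL = "https://adfs.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:test"

# Candidate User-Agent values: a stock Firefox string and the one the iRule substitutes.
USER_AGENTS = {
    "firefox": "Mozilla/5.0 (Windows NT 10.0; rv:48.0) Gecko/20100101 Firefox/48.0",
    "irule-rewrite": "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko msie7",
}
def classify_auth(status, challenges):
    """Classify a sign-in response: 'windows' for an NTLM/Negotiate challenge,
    'forms' for the HTML form (or a redirect to it), else 'other'.
    challenges is the list of WWW-Authenticate header values received."""
    schemes = set()
    for value in challenges:
        for part in value.split(","):
            part = part.strip()
            if part:
                schemes.add(part.split()[0].lower())
    if status == 401 and schemes & {"ntlm", "negotiate"}:
        return "windows"
    if status in (200, 302, 303) and not schemes:
        return "forms"
    return "other"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the first answer is what we want to classify."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(url, user_agent, timeout=10):
    """Send one GET with the given User-Agent and classify the reply."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_auth(resp.status, resp.headers.get_all("WWW-Authenticate") or [])
    except urllib.error.HTTPError as e:
        return classify_auth(e.code, e.headers.get_all("WWW-Authenticate") or [])

def probe_all(url=ADFS_URL, agents=USER_AGENTS):
    """Probe every candidate User-Agent; returns {name: classification}."""
    return {name: probe(url, ua) for name, ua in agents.items()}

if __name__ == "__main__":
    for name, result in probe_all().items():
        print(f"{name:15s} -> {result}")
```

Run it once against the ADFS server directly and once through the APM virtual server: with the iRule in place both User-Agents should come back as "windows" through APM.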