EastCoast_16835
Aug 15, 2017

APM with ADFS + Extended Protection

Hello, I am trying to implement F5 as a load balancer for an ADFS server farm. It works well if SSL connections from clients to ADFS are tunneled through F5 without decryption. However, if I enable SSL bridging on F5 (i.e. SSL connections are terminated on F5), the ADFS SSO authentication stops working.

It looks like ADFS is using a new feature called Extended Protection. This feature is a protection from man-in-the-middle proxies.

If I disable the Extended Protection in ADFS as follows, everything works well.

Set-ADFSProperties -ExtendedProtectionTokenCheck:None

I have not encountered any mention of disabling this Extended Protection feature in any F5 guide for ADFS integration.

Question:

Is it really necessary to disable Extended Protection? Is there any way to make it work properly with an F5 doing SSL bridging?