Forum Discussion
External access to F5+APM secured ADFS farm
Hi Mike, thanks for your response. I've managed to develop a workaround. Below is some information to help others who may have the problem.
Problem description: Using the F5 LTM+APM to reverse proxy ADFS 3.0, either with the release candidates of the iApp (f5.microsoft_adfs.v.1.0.0rc5) or using the manual configuration steps as per the ADFS Deployment Guide, resulted in an additional authentication prompt when a UPN format username was entered. In our environment, the UPN is internet accessible, whereas the Active Directory domain is private (i.e. UPN = first.last@company.com and AD = company.internal).
This additional authentication prompt only occurred when credentials on the APM logon page were entered in UPN format.
Logon names entered as DOMAIN\User or USER resulted in the following expected result.
"User redirected to APM logon page --> Credentials entered on APM page --> Credentials passed seamlessly to ADFS --> ADFS issues token --> User redirected to Office 365 and logged in... etc"
The configuration changes required to allow a UPN which differs from the Domain Suffix are as follows;
Note: These changes are hard coded. I would suggest it should be possible to use LDAP queries, or branches to handle multiple domains.
Perform the following steps in the VPE;
1) Set "Split domain from full username" to Yes in the Logon Page block
2) Add a Variable Assign object between the AD Auth and SSO Credential Mapping blocks
This contains two entries. Replace "domain" and "UPN" with your AD Domain and UPN respectively, e.g.
upn = company.com
domain = company (NETBIOS shortname)

session.logon.last.logonname = if { [string tolower [mcget "session.logon.last.logonname"]] contains "UPN" } then { return "domain\\[mcget "session.logon.last.username"]" } else { return "[mcget "session.logon.last.logonname"]" }
session.logon.last.domain = if { [string tolower [mcget "session.logon.last.domain"]] contains "UPN" } then { return "domain" } else { return "[mcget "session.logon.last.domain"]" }
Hope this helps. I've only been working with these over the last few weeks, so the solution may not be optimal.
One other issue that was found is the guidance in the deployment guide (microsoft-adfs-dg.pdf - v1_6) gives "/adfs/fs/federationserverservice.asmx" as a URI value for the External Monitor. This does not work as the "200 OK" response is not given. Use "/FederationMetadata/2007-06/FederationMetadata.xml" instead to allow the "200 OK" response to work.
On a related note, the rc4 and rc5 releases seem to have been removed from devcentral. The following steps still apply to the manual configuration as per the F5 ADFS Deployment Guide.
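As an added example (not the original poster's configuration), the same rewrite generalised to several UPN suffixes, written as plain Tcl that runs in tclsh; the suffix-to-NETBIOS map and the sample logon names are constructed, and inside an APM Variable Assign the three inputs would instead come from mcget on session.logon.last.logonname, .username and .domain.

```tcl
# Added example, not from the original post: the hard-coded UPN check
# above, generalised to a lookup table of UPN suffixes. The map below is
# constructed for illustration; use your own suffixes and NETBIOS names.
set upn_map {
    company.com      COMPANY
    subsidiary.net   SUBSID
}

# Inputs are what APM produces after "Split domain from full username":
# logonname = full value typed, username/domain = the split parts.
# Returns a two-element list {new_logonname new_domain} for AD Auth / SSO.
proc map_logon {upn_map logonname username domain} {
    set suffix [string tolower $domain]
    if {[dict exists $upn_map $suffix]} {
        # Recognised UPN suffix: rewrite to NETBIOS\user and the short domain
        set netbios [dict get $upn_map $suffix]
        return [list "${netbios}\\${username}" $netbios]
    }
    # DOMAIN\user, a bare username, or an unknown suffix: pass through
    # unchanged so ADFS still sees exactly what the user typed.
    return [list $logonname $domain]
}

# Constructed sample inputs covering the cases discussed in the post.
# (\\ inside the braced list becomes a single backslash after list parsing.)
foreach {logonname username domain} {
    first.last@company.com     first.last  company.com
    SUBSID\\jdoe               jdoe        SUBSID
    jdoe                       jdoe        {}
    first.last@unknown.example first.last  unknown.example
} {
    lassign [map_logon $upn_map $logonname $username $domain] new_name new_domain
    puts [format "%-28s -> logonname=%-20s domain=%s" $logonname $new_name $new_domain]
}
```

Only suffixes present in the map are rewritten; anything else reaches ADFS untouched, which keeps the DOMAIN\User and bare USER paths behaving as before.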