F5 ADFS iApp to replace the ADFS proxy (WAP)

Question

We are having issues using the AD FS iApp for the ADFS proxy with ADFS certificate multi-factor authentication enabled. The iApp created two VIPS, one on port 443 with access policy assigned, and one layer 4 on port 49443. ADFS certificate MFA works fine if we don't specify the ADFS claims rule based on location (inside the network). The iApp created the appropriate iRules to forward the x-headers, and the x-headers are present for the VIP on port 443.&nbsp;
F5 Version 12.1, AD FS 3.0&nbsp;
When we enable the ADFS claims rule for (insidethenetwork) on the ADFS server, certificate MFA does not work, the ADFS server is resetting the connection. It seems like the ADFS server thinks that the request on port 49443 is from inside the network, which does not require MFA, based on the claims rule below.&nbsp;
Anyone else run into this?&nbsp;

corey_12957 · Answer

Hello @WillUsable,&nbsp;
Native ADFS integration using the adfs-pip protocol, including certificate support is included in version TMOS v13.1.&nbsp;
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-third-party-integration-13-1-0/12.htmlguid-1ee8fbb3-1b33-4982-8bb3-05ae6868d9ee&nbsp;
For versions prior to 13.1 please reference the deployment guide/iApp.&nbsp;
https://www.f5.com/pdf/deployment-guides/microsoft-adfs-dg.pdf &nbsp;
Page 20 highlights what needs to be done to support certificate authentication.&nbsp;

Forum Discussion

F5 ADFS iApp to replace the ADFS proxy (WAP)

Recent Discussions

Use of SSL Decryption.

Big IP DNS Failover

Diameter iRules attachment?

Health Monitor unable to connect to OpenShift Router

AS3 Limitations

Related Content

ADFS Proxy Replacement on F5 BIG-IP

Proxy Protocol v2 Initiator

Error deploying ADFS 3.0 WAP replacement with APM

Intelligent Proxy Steering - Office365

Proxy Protocol Initiator

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS