Forum Discussion

twalters_94841's avatar
twalters_94841
Icon for Nimbostratus rankNimbostratus
Nov 02, 2011

F5 and WIF

Not quite sure if this is the correct area in which to ask this question, but I'm hoping someone here has some experience with configuring WIF on F5.

 

 

I'm attempting to configure a custom Secure Token Service (STS) web site and relying party (RP) web site, each on its own F5, and I'm running into issues getting it working. The F5s (I have no control over these, and am not very familiar with them) are supposedly configured for SSL, and the IIS 7 servers are configured for port 80. The relying party configurations (passive redirect) are all set for SSL (https) and require secure cookies. The FederationMetadata files are all SSL (https). Redirect to the STS is working, but after authentication, the token seems not be getting passed back to the RP, and the redirections them seem to get stuck in an infinite loop. Any thoughts on what might be going on would be appreciated.

 

 

Thanks.

 

-t

 

  • Hi t,

     

     

    Have you been able to analyze the traffic with HTTPWatch, Fiddler, or something of the like to verify that the STS is providing a cookie with the token to the client and the client is including the cookie when it connects to the service? Additionally, I would check:

     

     

    * Verify the trust relationship between the IDP and RP;

     

     

    * Reconfigure the RP to use SSL as well as the IDP & RP, (I think you mentioned it is listening on port 80). I know the RP and IDPs require SSL, not sure the target service does but worth a try.

     

     

    * Check the persistence method on the Big-IP(s). If they are configured to use cookie persistence, try switching to another method, (source based perhaps) and test. The persistence cookie may be causing an conflict.

     

     

    I have performed setups of ADFS servers, (both IDP and RP roles), as well as ADFS enabled web apps behind Big-IPs. I've used both SSL tunneling, (SSL pass-through) and SSL bridging, (SSL decryption and re-encrytion at the Big-IP) for both the connectin to the IDP/RP and web servers. However, I have not used SSL offloading, (decrypting SSL traffic and passing in to web servers on http.

     

     

    If you are still having issues can you get a copy, (or screenshot) of the Big-IP virtual server configs?

     

     

     

    Thanks,

     

     

    Greg Coward

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

  • Thanks for responding. I was actually able to resolve this. Turns out the web application itself was forcing https. Since we were attempting to run port 80, with encryption/decryption at the F5, it kept getting redirected back out to the F5. We have (temporarily) disabled encryption/decription at the F5 and have configured the web sites for 443.

     

     

    There were other things we needed to do to get WIF working with F5 (moving to RSA, etc.), but this particular issue was not WIF-related.