For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

twalters_94841's avatar
twalters_94841
Icon for Nimbostratus rankNimbostratus
Nov 02, 2011

F5 and WIF

Not quite sure if this is the correct area in which to ask this question, but I'm hoping someone here has some experience with configuring WIF on F5.     I'm attempting to configure a custom Sec...
microsoft
partner
Greg_Coward's avatar
Greg_Coward
Icon for Employee rankEmployee
Dec 18, 2011

Hi t,

 

 

Have you been able to analyze the traffic with HTTPWatch, Fiddler, or something of the like to verify that the STS is providing a cookie with the token to the client and the client is including the cookie when it connects to the service? Additionally, I would check:

 

 

* Verify the trust relationship between the IDP and RP;

 

 

* Reconfigure the RP to use SSL as well as the IDP & RP, (I think you mentioned it is listening on port 80). I know the RP and IDPs require SSL, not sure the target service does but worth a try.

 

 

* Check the persistence method on the Big-IP(s). If they are configured to use cookie persistence, try switching to another method, (source based perhaps) and test. The persistence cookie may be causing an conflict.

 

 

I have performed setups of ADFS servers, (both IDP and RP roles), as well as ADFS enabled web apps behind Big-IPs. I've used both SSL tunneling, (SSL pass-through) and SSL bridging, (SSL decryption and re-encrytion at the Big-IP) for both the connectin to the IDP/RP and web servers. However, I have not used SSL offloading, (decrypting SSL traffic and passing in to web servers on http.

 

 

If you are still having issues can you get a copy, (or screenshot) of the Big-IP virtual server configs?

 

 

 

Thanks,

 

 

Greg Coward