Forum Discussion
twalters_94841
Nov 02, 2011 | Nimbostratus
F5 and WIF
Not quite sure if this is the correct area in which to ask this question, but I'm hoping someone here has some experience with configuring WIF on F5.
I'm attempting to configure a custom Sec...
Greg_Coward
Dec 19, 2011 | Employee
Hi t,
Have you been able to analyze the traffic with HTTPWatch, Fiddler, or something of the like to verify that the STS is providing a cookie with the token to the client and the client is including the cookie when it connects to the service? Additionally, I would check:
* Verify the trust relationship between the IDP and RP;
* Reconfigure the RP to use SSL as well as the IDP & RP, (I think you mentioned it is listening on port 80). I know the RP and IDPs require SSL, not sure the target service does but worth a try.
* Check the persistence method on the Big-IP(s). If they are configured to use cookie persistence, try switching to another method, (source based perhaps) and test. The persistence cookie may be causing a conflict.
I have performed setups of ADFS servers, (both IDP and RP roles), as well as ADFS enabled web apps behind Big-IPs. I've used both SSL tunneling, (SSL pass-through) and SSL bridging, (SSL decryption and re-encryption at the Big-IP) for both the connection to the IDP/RP and web servers. However, I have not used SSL offloading, (decrypting SSL traffic and passing it to web servers on HTTP).
If you are still having issues can you get a copy, (or screenshot) of the Big-IP virtual server configs?
Thanks,
Greg Coward
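The cookie check suggested in the reply above can be run over an exported capture instead of by eye. The following is an added example, not part of the original posts: it walks a constructed, HAR-shaped list of requests and reports cookies that were set but not sent back, including the case where a Secure cookie is withheld because the service is reached over plain HTTP. The hostname, pool name, cookie values and the `ENTRIES` layout are assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample, shaped like a trimmed HAR export. Hostname, pool name
# and cookie values are placeholders; FedAuth is WIF's default session cookie
# name and BIGipServer<pool> is BIG-IP's default persistence cookie name.
ENTRIES = [
    {"url": "https://app.example.test/", "cookie": "",
     "set_cookie": ["FedAuth=tok1; Path=/; Secure; HttpOnly",
                    "BIGipServerpool_app=123.20480.0000; Path=/"]},
    {"url": "http://app.example.test/service",
     "cookie": "BIGipServerpool_app=123.20480.0000", "set_cookie": []},
]

def unreturned_cookies(entries):
    """Return (host, cookie, reason) for cookies set earlier but not sent back.

    Simplification: cookies are treated as host-only (Domain attribute ignored).
    """
    jar, findings = {}, []
    for e in entries:
        u = urlsplit(e["url"])
        sent = set(SimpleCookie(e["cookie"]).keys())
        for name, attrs in jar.get(u.hostname, {}).items():
            if not (u.path or "/").startswith(attrs["path"]) or name in sent:
                continue
            if attrs["secure"] and u.scheme == "http":
                reason = "Secure cookie withheld on plain HTTP"
            else:
                reason = "not returned by client"
            findings.append((u.hostname, name, reason))
        for header in e["set_cookie"]:
            for name, morsel in SimpleCookie(header).items():
                jar.setdefault(u.hostname, {})[name] = {
                    "secure": bool(morsel["secure"]),
                    "path": morsel["path"] or "/"}
    return findings

def persistence_cookies(entries):
    """Names of BIG-IP cookie-persistence cookies seen in responses."""
    names = {n for e in entries for h in e["set_cookie"]
             for n in SimpleCookie(h) if n.startswith("BIGipServer")}
    return sorted(names)

if __name__ == "__main__":
    for finding in unreturned_cookies(ENTRIES):
        print(finding)
    print("persistence cookies:", persistence_cookies(ENTRIES))
```

An empty result from `unreturned_cookies` means every cookie in scope came back on the following requests, which points the investigation away from the client and toward the trust or persistence settings.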