Forum Discussion

Anthony
Sep 02, 2015

Setting up ADFS using APM

Hi all,

I'm needing to set up ADFS. I've been reading through the ADFS and Big-IP links (https://devcentral.f5.com/articles/big-ip-and-adfs-part-3-adfs-apm-and-the-office-365-thick-clients).

Our method is to have internal and external access via 2 VIPs and the external using the APM module as the alternative to an ADFS proxy.

However, I'm struggling to understand the flow of the requests through the set up outlined in the devcentral articles - specifically: https://devcentral.f5.com/articles/big-ip-and-adfs-part-2-ndash-ldquoapm-ndashan-alternative-to-the-adfs-proxy-rdquo

So far the internal route works which is pretty straight forward. I request https://adfs.domain.com/adfs/ls/IdpInitiatedSignon.aspx and it drops me straight onto the ADFS pool member.

The part I'm really struggling to get my head around is the APM policy. In the diagram there is a highlighted 'Variable Assign' with an iRule to redirect users. So my question is, how would a user end up on the ADFS pool members if they're being redirected before completing the APM flow?

Any help, advice or examples would be greatly received!!

Many thanks, Anthony

3 Replies

  • From what I read, that redirect is only the case when you are using Office 365. Are you?

  • We will be using Office 365. But I'm still struggling to understand why you would be redirected before you've been sent to the ADFS pool members, or is there some sort of "return trip" taking place after you have authenticated where you will redirect rather than pass through for authentication?

    I'm still waiting on more information internally and externally so once I have that I'm hoping that it will make more sense.

  • Ok, a little update on this.

    The journey so far stands at:

    Enter someone@domain.com (in portal.office365.com) -> Redirects to F5 Logon page for APM policy

    Enter AD logon username/password -> Authenticate with AD -> SSO Credential Mapping -> Land on ADFS server presented with a logon page with the original someone@domain.com prepopulated.

    So, why would nothing be coming through from the APM policy with the SSO Credential Mapping?

    Using the sessiondump on the CLI, I can see a variable for: session.server.landinguri which is where I am landing on the ADFS server/pool member.

    Any help around passing SSO Credentials to the pool member would be greatly received!

    Many thanks,

    Ant
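As an added diagnostic for the situation described in the last reply (not code from the thread or from F5), the script below walks a sessiondump-style listing and reports whether the session variables that SSO Credential Mapping is expected to populate are actually set, alongside the landing URI. Assumptions: the "key value" line layout and the sample dump are constructed; session.server.landinguri is the variable quoted above, while session.logon.last.username and session.sso.token.last.username/password are taken to be the variables credential mapping fills in (verify against your APM version's documentation).

```python
"""Check an APM sessiondump listing for the variables SSO Credential Mapping
should have populated before the request reaches the ADFS pool member.
Added example; variable names other than session.server.landinguri are
assumptions, and the dump below is constructed, not captured."""

import re
from typing import Dict, List

# Constructed sample in a simplified "key  value" layout (one key per line).
# The password value is replaced with a placeholder on purpose.
SAMPLE_DUMP = """\
session.logon.last.username  someone@domain.com
session.server.landinguri  /adfs/ls/IdpInitiatedSignon.aspx
session.sso.token.last.username  someone@domain.com
session.sso.token.last.password  <redacted>
session.policy.result  allow
"""

# If either of these is empty, credential mapping has nothing to hand to the
# SSO method, and ADFS will show its own logon page as described in the thread.
REQUIRED_SSO_KEYS = (
    "session.sso.token.last.username",
    "session.sso.token.last.password",
)


def parse_sessiondump(text: str) -> Dict[str, str]:
    """Turn 'session.x.y  value' lines into a dict; values may contain spaces."""
    session_vars: Dict[str, str] = {}
    for line in text.splitlines():
        match = re.match(r"^(session\.\S+)\s+(.*)$", line.strip())
        if match:
            session_vars[match.group(1)] = match.group(2).strip()
    return session_vars


def sso_gaps(session_vars: Dict[str, str]) -> List[str]:
    """Return the required SSO keys that are missing or empty."""
    return [key for key in REQUIRED_SSO_KEYS if not session_vars.get(key)]


def landing_uri(session_vars: Dict[str, str]) -> str:
    """Where APM will send the user after the policy completes ('' if unset)."""
    return session_vars.get("session.server.landinguri", "")


if __name__ == "__main__":
    parsed = parse_sessiondump(SAMPLE_DUMP)
    print("landing URI:", landing_uri(parsed))
    print("missing SSO variables:", sso_gaps(parsed) or "none")
```

Run it against the real output of sessiondump for the affected session; an empty password variable is the usual reason credentials never reach the pool member.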