ADFS Proxy Replacement on F5 BIG-IP
BIG-IP Access Policy Manager can now replace the need for Web Application Proxy servers providing security for your modern AD FS deployment with MS-ADFSPIP support released in BIG-IP v13.1. This arti...
Published Mar 13, 2018
Version 1.0
Graham_Alderso1
Employee
EmployeeGraham_Alderso1Employee
Employee
Graham_Alderso1Employee
EmployeeKarthik,
Perhaps look at the domain name setting regarding the forms SSO issues. Also ADFS by default is configured to require domain\username or username@domain.com format, so that is how the forms SSO works in APM works by default. Many environments modify the ADFS logon page to not require the domain, so you may need to adjust the forms SSO accordingly.
Regarding the Azure MFA, you would need to change your Azure MFA policy to implement the way you're requesting. If you have APM enforce the MFA requirement, then you do not need Azure to enforce it. ADFS (and thus Azure) is unaware that APM has already completed the MFA and that is why you are getting prompted twice.
If you want Azure MFA implemented the same way it would be when using WAP, do not select to deploy Azure MFA in the APM profile (or do not deploy an APM profile at all depending on your needs), and it will be implemented by ADFS and Azure in the same manner you are used to, but with APM replacing the WAP functionality.