ADFS Proxy Replacement on F5 BIG-IP
For certificate auth, ADFS performs this with the client on either port 49443 (alternate port), or on the same port but using the DNS name certauth.(myadfsfqdn) (alternate name). Alternate port is the more common and is what the iApp deploys. In order to use alternate name, your ADFS environment has to be set up for it and you need a special SAN cert that contains that name deployed. You can modify the iApp deployment to do alternate name if needed.
It's very similar to the alternate port deployment, just with a client SSL profile doing the magic instead of a separate virtual server. You can deploy the iApp with cert auth set to yes and look at the client SSL profile it deploys for cert auth on port 49443, then you can go back and select "no" for cert auth since you'll add it manually. Make a client SSL profile just like the iApp made but add the name field set to "certauth.(myadfsfqdn)". Then attach that to the 443 virtual server in addition to the existing one. You need to set up your two client SSL profiles for SNI since you're attaching two to the same virtual server, so you'll also need to select the original one (the non-cert auth one) as the SNI default in its client SSL profile settings.
Note: This certificate authentication is delegated from the ADFS Server to the ADFS Proxy (your BIG-IP) using the MS-ADFSPIP protocol. The communication from BIG-IP as ADFS Proxy to the ADFS server is on port 443 even if the client is doing cert auth to the BIG-IP on 49443.
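A way to check the alternate-name setup described above from a client machine, as an added example that is not part of the original post: it connects to the 443 virtual server with each SNI value and confirms the certificate returned covers the expected name. The script name, argument order and the optional CA and client PEM files are assumptions for illustration.

```python
import socket
import ssl
import sys

def san_covers(cert, name):
    """True if the getpeercert() dict has a DNS SAN matching name (exact or one-label wildcard)."""
    name = name.lower().rstrip(".")
    parent = name.split(".", 1)[1] if "." in name else None
    for kind, value in cert.get("subjectAltName", ()):
        san = value.lower()
        if kind == "DNS" and (san == name or (parent and san == "*." + parent)):
            return True
    return False

def evaluate(adfs_fqdn, certs_by_sni):
    """certs_by_sni maps the SNI sent (None = no SNI) to the certificate dict the listener returned."""
    certauth = "certauth." + adfs_fqdn
    # No SNI should fall through to the SNI default profile (the non-cert-auth one).
    checks = [(certauth, certauth), (adfs_fqdn, adfs_fqdn), (None, adfs_fqdn)]
    findings = []
    for sni, expected in checks:
        if not san_covers(certs_by_sni.get(sni) or {}, expected):
            findings.append(f"SNI {sni!r}: certificate has no SAN for {expected}")
    return findings

def fetch_cert(host, sni, cafile=None, client_pem=None, port=443):
    """Handshake with the given SNI and return the validated server certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # SANs are compared in evaluate() instead
    if client_pem:                      # needed if the cert-auth profile requires a client cert
        ctx.load_cert_chain(client_pem)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # usage (hypothetical script name): check_sni.py <virtual-server> <adfs-fqdn> [ca.pem] [client.pem]
    host, fqdn = sys.argv[1], sys.argv[2]
    extra = sys.argv[3:5] + [None, None]
    names = ["certauth." + fqdn, fqdn, None]
    certs = {n: fetch_cert(host, n, extra[0], extra[1]) for n in names}
    problems = evaluate(fqdn, certs)
    print("\n".join(problems) or "SNI mapping looks correct")
    sys.exit(1 if problems else 0)
```

If both client SSL profiles present the same SAN certificate, this confirms the certauth name is covered but cannot tell which profile answered. A `*.example.com` wildcard does not cover `certauth.adfs.example.com`, which is the case the SAN requirement guards against.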