ADFS Proxy Replacement on F5 BIG-IP

BIG-IP Access Policy Manager can now replace the need for Web Application Proxy servers providing security for your modern AD FS deployment with MS-ADFSPIP support released in BIG-IP v13.1. This arti...
Published Mar 13, 2018
Version 1.0
application delivery
BIG-IP Access Policy Manager (APM)
security
Graham_Alderso1's avatar
Graham_Alderso1
Ret. Employee
Joined May 22, 2019
View Profile
Comment by Marvin (Cirrocumulus), Feb 26, 2019

Hi Graham, I got your point and I understand we can do this using the client SSL profile with the client cert authentication feature enabled. To understand the ADFS proxy in more detail (the delegated cert authentication part), is it true that when the cert auth takes place on the F5 itself (using an LTM client SSL profile) it is not needed to enable this feature on the ADFS server? Or does the F5 pass some authentication details / parameters (besides the NTLM SSO) via the PIP protocol to the ADFS farm (using its trust relationship)?

The reason I ask this is that my client is requiring a password-less solution using only client cert based authentication (pre-authenticate clients on the F5 using certs), so this basically means no logon page, no AD auth (because username and password cannot be gathered externally) and even no RADIUS MFA for the same reason. Furthermore, SSO NTLM won't work because of the missing username and password parameter values.

With this specific (password-less) requirement perhaps the best thing to do is simply use LTM, a virtual server with a client SSL profile enabling client cert authentication, and send the traffic to the ADFS pool without any APM functionality or ADFS trust enabled on it.

Have you ever heard about this particular setup and what would you suggest in this scenario?

Thanks again.
