ADFS Proxy Replacement on F5 BIG-IP
Marvin,
For certificate auth, you configure this at the ADFS server AND at the F5 proxy, as shown in the video above. The ADFS server must be configured for it because it controls the client's redirection to the certificate auth endpoint. The F5 must be configured for it because it performs the delegated certificate auth. It then passes the relevant details back to the ADFS server using MS-ADFSPIP, which is what makes it possible to delegate the certificate auth. This can be done without a password. In the video above at 6:06 you see this happening. If you want it to be only certificate auth and happen automatically, no password option, then you have to change your extranet auth settings at the ADFS server.
For the second question, for other auth types, you just configure them at the ADFS server and select them there for extranet auth, and they should then show up when a user goes through the F5 ADFS Proxy the same as they would if there were a Microsoft WAP as ADFS Proxy. The proxy doesn't perform the auth (except for certificate), it just restricts access to ADFS to only the endpoints configured at ADFS. I haven't used the one you linked, but it should work fine.
Note that if you use an APM access profile, this overrides any authentication decisions made at ADFS. I don't advise this for your use case.
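
Added example, not part of the original reply: one way to review the extranet auth settings on the AD FS server and make certificate auth the only extranet primary method, using the standard AD FS PowerShell cmdlets. The `$Apply` switch variable and the choice to leave intranet settings untouched are assumptions of this sketch.

```powershell
# Run in an elevated PowerShell session on the primary AD FS server.
# $Apply is an assumption of this example: leave $false to audit only.
$Apply   = $false
$desired = @('CertificateAuthentication')

# 1. Show what extranet clients (those arriving through the proxy) are offered today.
$policy = Get-AdfsGlobalAuthenticationPolicy
$before = @($policy.PrimaryExtranetAuthenticationProvider)
"Extranet primary providers (current): $($before -join ', ')"
"Intranet primary providers (current): $(@($policy.PrimaryIntranetAuthenticationProvider) -join ', ')"

# 2. List the endpoints AD FS publishes to a proxy. These are the only
#    paths the proxy should be exposing to the Internet.
Get-AdfsEndpoint |
    Where-Object { $_.Enabled -and $_.Proxy } |
    Sort-Object AddressPath |
    Format-Table AddressPath, Protocol -AutoSize

# 3. Make certificate auth the only extranet primary method.
#    With a single provider there is no method-selection page and no
#    password form for extranet users. Users without a valid client
#    certificate will not be able to sign in from outside.
if (($before -join ',') -ne ($desired -join ',')) {
    if ($Apply) {
        Set-AdfsGlobalAuthenticationPolicy -PrimaryExtranetAuthenticationProvider $desired
        "Extranet primary providers updated."
    } else {
        "Change needed: set extranet primary providers to $($desired -join ', ') (audit only, nothing written)."
    }
} else {
    "Extranet primary providers already match the desired setting."
}

# 4. Confirm the resulting state.
$after = @((Get-AdfsGlobalAuthenticationPolicy).PrimaryExtranetAuthenticationProvider)
"Extranet primary providers (now): $($after -join ', ')"
```

Intranet providers are left as they are, so internal users keep their existing sign-in methods while the change is tested from outside.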