Big-IP and ADFS Part 5 – “Working with ADFS 3.0 and SNI”
Can you believe it? It’s true, it’s true! There’s a part 5. What can I say? Times change; people change; software changes. Active Directory Federation Services (ADFS) is no exception. While the BIG-...
Published May 30, 2014
Version 1.0
Greg_Coward
Employee
Joined July 19, 2011
Aussie_Dave
Jul 16, 2018
Nimbostratus
I had a requirement where we needed to authenticate together with using SNI. I ended up modifying the script to allow input of the username and password into the custom monitor variables. However, because this password is stored in plain text, I looked at encrypting it using the default RSA key on the F5.
Replace:
curl-apd -k -v --resolve $HOST:$PORT:$NODE https://$HOST$URI 2>&1 >
With:
encrypted_pass=$(openssl rsautl -inkey /config/httpd/conf/ssl.key/server.key -decrypt -in /home/sp2016mon.bin)
curl-apd -k -v -u "${USER}:${encrypted_pass}" --resolve $HOST:$PORT:$NODE https://$HOST$URI 2>&1 >
You will need to create an encrypted file using the below command from F5 ssh:
echo "password" | openssl rsautl -inkey /config/httpd/conf/ssl.key/server.key -encrypt >/home/sp2016mon.bin
After you have created the file, the monitor will then decrypt the password and log in using curl. If the default key pair on the F5 device ever expires or changes, you will need to rerun this command to re-create the file. If the password changes, you will also need to rerun this command to re-create the file.
When creating the monitor use the "USER" variable to add your username.
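A defensive way to load the password blob described in the comment above, as an added example that is not part of the original post or article. The function names are hypothetical, it assumes GNU `stat`, and it uses `openssl pkeyutl` (the replacement for `rsautl`, which OpenSSL 3.0 deprecates); the key, password and files in the round trip are constructed.

```shell
#!/bin/bash
# Added example; load_monitor_password and demo_round_trip are hypothetical names.
# In the monitor script the call would look like:
#   encrypted_pass=$(load_monitor_password "$KEY" "$BLOB") || exit 1

# Print the decrypted monitor password on stdout. Return non-zero and print
# nothing if the blob is missing, accessible beyond its owner, or undecryptable.
load_monitor_password() {
    key=$1     # RSA private key (the comment uses the device's server.key)
    blob=$2    # file written by the "-encrypt" command in the comment

    [ -r "$key" ] && [ -s "$blob" ] || { echo "key or blob missing" >&2; return 1; }

    # Refuse a blob that group or others can access.
    mode=$(stat -c %a "$blob") || return 1
    case $mode in
        600|400) ;;
        *) echo "refusing $blob: mode $mode" >&2; return 1 ;;
    esac

    # pkeyutl defaults to PKCS#1 v1.5 padding, the same default as rsautl,
    # so it can read a blob that was created with "rsautl -encrypt".
    pass=$(openssl pkeyutl -decrypt -inkey "$key" -in "$blob" 2>/dev/null) || return 1
    [ -n "$pass" ] || return 1
    printf '%s' "$pass"
}

# Constructed round trip: throwaway key and sample password, nothing from a device.
demo_round_trip() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/test.key" 2048 2>/dev/null || return 1
    printf '%s' 'S4mple-Passw0rd' |
        openssl pkeyutl -encrypt -inkey "$dir/test.key" -out "$dir/mon.bin" || return 1
    chmod 600 "$dir/mon.bin"
    rc=0
    load_monitor_password "$dir/test.key" "$dir/mon.bin" || rc=$?
    rm -rf "$dir"
    return $rc
}
```

Because the decrypting key sits on the same device as the blob, the file permissions checked here are what actually limits who can recover the password.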