Big-IP and ADFS (SCRATCH THAT! Big-IP and SAML) with Office 365 – Part 5
With the release of ver. 11.3, BIG-IP with APM, (Access Policy Manager) now includes full SAML support on the box. What does that mean? Well, rather than relying upon an external resource such as ADFS to issue or security tokens, (used to present/consume claims with a federation partner), the BIG-IP becomes the federation endpoint for the organization. Check out here for more information on federation. When it comes to Office 365, not only has the infrastructure required to federate your organization been dramatically reduced, the configuration required has been simplified. Available in our community codeshare forum is an iApp as well as guidance specifically designed for deploying the BIG-IP as a federation IdP, (identity provider) for Office 365. Now federating with Office 365 is as simple as answering a few questions and entering a few PowerShell commands to configure the Office 365 side. To gain a better understanding of how we arrived here, (replacing ADFS), as well as illustrating the benefit let’s take a look at the “Evolution of Solution”…development. | |
Saying Goodbye to ADFSEnsuring a Highly Available ArchitectureThroughout this series, (links below), we’ve taken a look at how the F5 BIG-IP can add value and enhance to and ADFS, (Active Directory Federation Services). To get the ball rolling we looked at how the BIG-IP was able to provide for a highly-available and scalable ADFS infrastructure, (refer to Figure 1). This included ensuring the ADFS proxy farm, located in the perimeter network, as well as the internal ADFS farm was available and the traffic is optimized. BIG-IP enhancements to the ADFS federation process: • Intelligent traffic management • Advanced L7 health monitoring – (Ensures the ADFS service is responding) • Cookie-based persistence | |
Enhancing Security and Streamlining ADFSBuilding upon the previous solution, (load balancing the ADFS and ADFS Proxy layers), we implemented APM, (Access Policy Manager), (refer to Figure 2). By implementing APM on the F5 appliance(s) we not only eliminated the need for these additional servers but, by implementing pre-authentication at the perimeter and advanced features such as client-side checks, (antivirus validation, firewall verification, etc.), arguably provided for a more secure deployment. Additional BIG-IP enhancements to the ADFS federation process: •Enhanced Security •Variety of authentication methods •Client endpoint inspection •Multi-factor authentication •Improved User Experience •SSO across on-premise and cloud-based applications •Single-URL access for hybrid deployments •Simplified Architecture •Removes the ADFS proxy farm layer as well as the need to load balance the proxy farm | |
Eliminating the ADFS Infrastructure
Available with version 11.3, APM includes full SAML support. This allows the BIG-IP to not only authenticate the client connections with Active Directory, but act as the IdP or SP in the federation process. No longer will an organization be required to deploy an ADFS infrastructure for federation. Rather, the BIG-IP’s role as an application delivery controller is expanded out to include cloud-based resources, (including Office 365), as well as on-premise applications. Additional BIG-IP enhancements to the ADFS federation process: •Ability to act as IDP, (Identity Provider) for access to external claims-based resources including Office 365 •Act as service provider, (SP) to facilitate federated access to on-premise applications •Streamlined architecture, (no need for the ADFS architecture) •Simplified iApp deployment
Figure 3 shows a typical Office 365 client access process utilizing APM and SAML. |
Additional Links:
Big-IP APM as SAML 2.0 IdP from Microsoft Office 365
SAML Federation with the BIG-IP
Big-IP and ADFS Part 1 – “Load balancing the ADFS Farm”
Big-IP and ADFS Part 2 – “APM–An Alternative to the ADFS Proxy”
Big-IP and ADFS Part 3 – “ADFS, APM, and the Office 365 Thick Clients”
Big-IP and ADFS Part 4 – “What about Single Sign-Out?”
BIG-IP Access Policy Manager (APM) Wiki Home - DevCentral Wiki
Latest F5 Information
- scottm_82531NimbostratusJust a note that (at least as of Oct 2014) Lync, Excel, Word, etc cannot authenticate using SAML, so you still need ADFS.
- yamashin55Cirrus
Just of Nov 2016. Can not Lync, Excel, Word, authenticate using SAML?
I think, It does not seem to be supported yet.
https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/ https://docs.microsoft.com/en-US/azure/active-directory/active-directory-aadconnect-federation-compatibility
- Alois_102001Nimbostratus
Just switch to a native SAML-SP scenario.
- Architecture 1 also supported with SAML ? (ADFS Proxy is a SAML-IDP Proxy, ADFS Farm is a SAML-IDP Farm)
- Architecture 2 also supported with SAML ? (F5 APM is a SAML-IDP Proxy, ADFS Farm is a SAML-IDP Farm)
Any comments or references on that ?
Anybody used / implemented such Architectures ?